To guarantee maximum security when the Web dispatcher is used, SAP recommends the following measures while it is in operation.
Always use the latest version of the Web dispatcher. How to obtain and import the latest Web dispatcher is described in Operation of the SAP Web Dispatcher under Importing the SAP Web Dispatcher.
- Configure your own error pages so that the technical reason for an error is not shown to the end user. Make the following setting (the path is an example; point it at the directory holding your own error templates):
icm/HTTP/error_templ_path = /usr/sap/B6M/D13/data/icmerror
Alternatively, set the parameter is/HTTP/show_detailed_errors to FALSE; then no details about the error are passed to the client at all.
For more information, see Error Handling.
- Use the Web dispatcher as a URL filter with positive lists (permit only the URLs your applications need). At a minimum, block the following URL, since it reveals details of the infrastructure and the configuration:
Block access to the internal information page by making the following entry in your URI permission table: D /sap/wdisp/info
For more information see SAP Web Dispatcher as a URL Filter.
- Make the following settings to increase security for the Web Admin interface.
Use HTTPS so that the administrator password cannot be intercepted on the network. To do this, in the URL use an HTTPS port that you set up with parameter icm/server_port_<xx> (PROT=HTTPS).
Allow administration of the Web dispatcher only on ports with a secure protocol (HTTPS), by setting the PORT option of parameter icm/HTTP/admin_<xx> to an HTTPS port.
As the admin port, configure a port that can only be reached from the internal network. To do this use the PORT option of parameter icm/HTTP/admin_<xx>.
Only allow administration tasks under a specific host name/IP address that can only be reached from the internal network. To do this use the HOST option of parameter icm/HTTP/admin_<xx>.
Restrict administration to clients in the internal network. To do this use the CLIENTHOST option of parameter icm/HTTP/admin_<xx>.
For more information see Using the Web Administration Interface.
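The following profile fragment is an added example that is not part of the SAP documentation; it shows the measures from the preceding items (error pages, URL filter, Web Admin interface) applied together. The port numbers, the host name wdisp-admin.internal.example, the CLIENTHOST pattern, the file name ptab.txt and the permission-table entries are assumptions for illustration; the options PREFIX, DOCROOT and AUTHFILE of icm/HTTP/admin_<xx> are shown with their usual values, and the top-down, first-match evaluation of the permission table is assumed and should be checked against SAP Web Dispatcher as a URL Filter before use.

```ini
# Added example profile fragment (not SAP's own code).
# Host names, ports, paths and the client-address pattern are assumed.

# --- Weak configuration (what to replace) ----------------------------------
# Admin interface on the plain-HTTP end-user port, reachable from anywhere:
# icm/server_port_0 = PROT=HTTP,PORT=8000
# icm/HTTP/admin_0  = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)/icmandir,AUTHFILE=$(icm/authfile),PORT=8000

# --- Hardened configuration ------------------------------------------------
# HTTPS port that end users connect to
icm/server_port_0 = PROT=HTTPS,PORT=443

# Separate HTTPS port for administration, bound to an internal-only address
# (wdisp-admin.internal.example is an assumed host name on the internal network)
icm/server_port_1 = PROT=HTTPS,PORT=44300,HOST=wdisp-admin.internal.example

# Web Admin interface only on that HTTPS port and host name, and only for
# clients from the internal network (10.0.0.* is an assumed address pattern)
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=$(DIR_DATA)/icmandir,AUTHFILE=$(icm/authfile),PORT=44300,HOST=wdisp-admin.internal.example,CLIENTHOST=10.0.0.*

# Own error pages; no technical error details reach the client
icm/HTTP/error_templ_path = $(DIR_DATA)/icmerror
is/HTTP/show_detailed_errors = FALSE

# URL filter with a positive list, kept in a separate file
wdisp/permission_table = $(DIR_DATA)/ptab.txt

# --- Contents of $(DIR_DATA)/ptab.txt (assumed file name) -----------------
# Assumed to be evaluated top down, first match wins: deny the info page
# first, permit only the application paths that are needed, deny the rest.
# D /sap/wdisp/info
# P /sap/bc/ui5_ui5/*
# P /sap/public/*
# D *
```

After activating the profile, confirm from an external network that the admin prefix is not reachable on the end-user port and that /sap/wdisp/info is rejected, and from the internal network that the admin interface answers only on the HTTPS admin port.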
For up to date information about security settings for the Web dispatcher see SAP note 870127.