icm/HTTP/auth_<xx>

Use

With this parameter you can set up access restrictions in the ICM and SAP Web Dispatcher.

To protect the ICM and the back end system (ABAP or J2EE Engine) there is an HTTP subhandler (filter), which can block requests using various criteria. When the filter is activated, it filters each HTTP(S) request to the ICM or Web Dispatcher, before the request is sent to another HTTP handler (file access, cache, administration, redirect), or to the backend system (ABAP or J2EE Engine).

See:

SAP Web Dispatcher as a URL Filter

You can filter requests according to the following criteria:

?      URL

?      Client IP address

?      Server IP address

?      User name/user group and password

?      String search in the URL

Integration

The authentication subhandler extends the functions of the SAP Web Dispatcher URL filter and of the authentication of the Web-based administration interface.

When this access filter is used the two other procedures can be deactivated:

?      SAP Web Dispatcher URL filter:

wdisp/permission_table =

?      Web administration interface:

icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin,AUTHFILE=none

Properties

Work area

Internet Communication Manager, SAP Web Dispatcher

Unit

Character string

Standard value

icm/HTTP/auth_0= PREFIX=/, FILTER=1

Dynamically changeable

No

Value Range and Syntax

To set up the access restrictions use the parameter with the following syntax:

icm/HTTP/auth_<xx> = PREFIX=<URL prefix>[,PERMFILE=<permission file> [,AUTHFILE=<authentication file>, FILTER=1]

<xx> must be specified in ascending order from "0".

This is explained below.

?      PREFIX

URL prefix for which the HTTP subhandler is to be called.

?      PERMFILE

Optional specification:

Name of the permission file in the file system

?      AUTHFILE

Optional specification:

Name of the user file or system for authentication of an operating system user

?      FILTER

Optional specification:

Activate string search (default value: on) If you switch it to 0, the filter is deactivated. For more information see Muster.

PERMFILE

In the permission file you determine the type of access protection. The permission file has the following structure:

?      Comment lines start with a # and are ignored.

?      Other lines have the form:

P/D/S <URI-pattern> <USER> <GROUP> <CLIENT-IP> <SERVER-IP>

where the letter at the start of the line has the following meaning:

0       P (Permit)lets the request through.

0       D (Deny)refuses the request and sends a message to the client.

0       S (Secure)only allows secure connections (HTTPS) for the URL prefix.

0       <URI pattern> is the section of the URL that is labeled in the cache key section as translated path.

?      You can use the wildcard character * for the URI pattern, but only at the start or the end of the <URI pattern> string.

The default value of empty entries is *, which permits everything.

For a request to be allowed through with P (Permit), all the conditions must be fulfilled.

With D (Deny) only one condition has to be fulfilled for the request to be rejected.

The conditions are checked from top to bottom.

If one of the condition for D or P is true, the check ends, and the request is permitted or denied by the subhandler.

Note that the URI permission table is case sensitive.

Example

URI Pattern

User

Group

Client IP address

Server IP address

D

/pub

someone

*

D

/pub

*

*

*

10.18.55.50

P

/sap/admin

*

admin

*

10.18.55.40

D

/

*

*

*

*

Use positive lists

Since the URL permission table is case sensitive, it is important to create the table as a positive list.

Execute all the URLs that are to be permitted and at the end of the table set row D / * * * *  

AUTHFILE (optional)

The AUTHFILE determines the permitted users and passwords, and is required if entries for USER or GROUP are made in the permission file.

Possible values for AUTHFILE are:

?      System

The user is authenticated against an operating system user.

?      <File name>

File with user name, group name, and protected passwords.

The authorization file can be generated and maintained using the programs wdispmon and icmon (option -a). It has the following structure:

?      Comment lines start with a # and are ignored.

?      Other lines have the form:

<user>:<password hash>:<user group>:<DN client certificate>

Example

Authentication for the ICM and SAP Web Dispatcher:

test:$apr1$/iTOQ$EOABCDFDDj55EqL0:user

sidadm:$apr1$/iTOQ$EOcAYBCD55EqL0:admin

More Information

Note the following documentation:

icm/HTTP/admin_<xx>

Using Web Admin Interface with X.509 Certificate

Creating Administration Users

Using the Command Line Programs icmon and wdispmon