ICM / Web Dispatcher

Admin UI Backend Authentication

Introduction and Step-By-Step Instructions
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

TABLE OF CONTENTS
1 INTRODUCTION ............................................................................................................................... 3
2 INSTALLATION / IMPLEMENTATION ............................................................................................. 4
2.1 ICM .................................................................................................................................................... 4
2.2 SAP Web Dispatcher (in front of ABAP Systems) ........................................................................ 4
2.3 Installing Authentication App ......................................................................................................... 4
2.3.1 ABAP OO Class ................................................................................................................................. 4
2.3.2 ICF Service ........................................................................................................................................ 7
3 CONFIGURATION .......................................................................................................................... 13
3.1 Activating the Backend Authentication Application .................................................................. 13
3.2 Configuring ICM to use Backend Authentication ....................................................................... 15
3.3 Configuring ICM / SAP Web Dispatcher to use Backend Authentication ................................ 15
4 ROLES AND AUTHORIZATIONS .................................................................................................. 16
5 REFERENCE SAP NOTES ............................................................................................................. 17

2
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

1 INTRODUCTION
The Admin UI of the ICM / Web Dispatcher can be used to monitor and administrate the ICM / Web
Dispatcher from the browser. Up to now, usernames and passwords used by the Web Admin Interface are
stored in a file. If ICM / Web Dispatcher is running in front of an SAP NetWeaver Application Server ABAP or
SAP HANA, it is now possible to use their native authentication mechanisms.

If users try to access the admin UI, they are prompted for username and password of their users in the
backend system. If advanced authentication mechanisms (like Single-Sign-On) are available, they can be
used, too (this has to be configured in the backend system).

Backend authentication can be used with ICM and Web Dispatcher release 742 or higher. The backend
system can be on any release, but for SAP_BASIS releases < 740 SP08 additional implementation work is
required (see chapter 2). See chapter 3 for details about how to enable backend authentication.

Additionally backend authentication is available in the HANA Web Dispatcher. There it is enabled by default.

Remark
The following screenshots were taken on a 7.40 system. Although they may look different in older releases,
the basic functionality is identical.

3
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

2 INSTALLATION / IMPLEMENTATION
This chapter contains a step by step example of how to create an ICF service handler which can be used for
backend authentication.

2.1 ICM
Apply the Support Package referenced in SAP Note 2011786 (SAP_BASIS release 740 SP08) (or higher).

2.2 SAP Web Dispatcher (in front of ABAP Systems)

Apply the SAP Web Dispatcher release referenced in SAP Note 2011786 (Kernel 742) (or higher).

If the ABAP system, that is intended to authenticate the Admin UI users, is on SAP_BASIS release 740
SP08 or higher, no further installation steps are required.
If its release is lower, follow the additional steps described in chapter 2.3.

2.3 Installing Authentication App

Two steps are required to install the application which handles the user authentication: A small ABAP class
has to be implemented and an ICF service has to be created.
These steps have to be performed in the system which is intended to handle the authentication.

2.3.1 ABAP OO Class

Two implement the ABAP class either import the correction instructions in SAP Note 2011786 or implement
the class manually by executing the following steps:

Go to transaction SE80 and create a new class. Name this class for example
“ZCL_ADMIN_UI_REQUEST_HANDLER”.

4
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

In the tab “Interfaces” enter “IF_HTTP_EXTENSION” and click on Save.

5
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

Open SAP Note 2011786 and open the attachment

“SourceCode_CL_ADMIN_UI_REQUEST_HANDLER__HANDLE_REQUEST”.

After that go to tab “Methods” and double click on the method HANDLE_REQUEST.
Copy the content of the previously opened file and paste it here.

Lastly click on the Activate Button.

6
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

2.3.2 ICF Service

Open transaction SICF, enter the Service Path “/sap/bc/” and click on Execute (or press F8).

7
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

Now right-click on the node “bc” and choose “New Sub-Element”.

8
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

On the next screen enter “wdisp”, choose “Independent Service” and click on the Okay button.

9
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

Enter a description (e.g. “SAP Web Dispatcher”).

Click on Save.
Click on Back.

10
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

Repeat the previous steps to create a new sub-element “admin” for the newly created service “wdisp”.
Enter a description (e.g. “SAP Web Dispatcher Admin UI Backend Authentication”).

11
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

Go to tab “Handler List” and enter the previously implemented ABAP class to the list (in case the correction
instruction has been imported: CL_ADMIN_UI_REQUEST_HANDLER).

Click on Save.

12
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

3 CONFIGURATION
After the implementation for backend authentication has been installed, further steps are necessary to
activate it. Firstly the backend application which is responsible for the authentication has to be activated and
secondly the Web Dispatcher has to be configured to use backend authentication.

3.1 Activating the Backend Authentication Application

Open transaction SICF, enter the Service Path “/sap/bc/icman/admin” (for the ICM) or “/sap/bc/wdisp/admin”
(for the Web Dispatcher) and click on Execute (or press F8).

13
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

Right-click on the node “admin” and choose “Activate Service”.

Click on “Yes”.

Now the service has been activated.

14
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

3.2 Configuring ICM to use Backend Authentication

To enable backend authentication for the Admin UI a new icm/HTTP/admin_xx profile parameter has to be
added or an existing profile parameter has to be changed.

The subparameter AUTHFILE has to be set to “backend” and PREFIX has to be set to
“/sap/bc/icman/admin”.

Example:
icm/HTTP/admin_0 = PREFIX=/sap/bc/icman/admin,DOCROOT=$(DIR_ROOT)/admin,AUTHFILE=backend

3.3 Configuring ICM / SAP Web Dispatcher to use Backend Authentication

To enable backend authentication for the Admin UI a new icm/HTTP/admin_xx profile parameter has to be
added or an existing profile parameter has to be changed.

The subparameter AUTHFILE has to be set to “backend” and PREFIX has to be set to
“/sap/bc/wdisp/admin”.

Example:
icm/HTTP/admin_0 = PREFIX=/sap/bc/wdisp/admin,DOCROOT=$(DIR_ROOT)/admin,AUTHFILE=backend

If the Web Dispatcher dispatches requests for multiple systems, the wdisp/system_xx parameters have to be
configured to route requests for /sap/bc/wdisp/admin to the system that should be responsible for the
authentication.

15
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

4 ROLES AND AUTHORIZATIONS

If the backend is an ABAP system users who want to use the Admin UI need for the authorization object
S_ADMI_FCD the activity PADM. This is the authorization that is also used in transaction SMICM.
Hence users who are able to use transaction SMICM, are able to use the Admin UI.

Users of the Admin UI of the HANA Web Dispatcher need the role
sap.hana.xs.wdisp.admin::WebDispatcherAdmin (for full administration) or
sap.hana.xs.wdisp.admin::WebDispatcherMonitor (monitoring only).

16
ICM / WEB DISPATCHER ADMIN UI BACKEND AUTHENTICATION – STEP-BY-STEP INSTRUCTIONS

5 REFERENCE SAP NOTES

2011786 ICM / Web Dispatcher Admin UI Authentication via Backend

17
www.sap.com

© 2014 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP
affiliate company.
SAP and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP SE (or an
SAP affiliate company) in Germany and other countries. Please see
http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for
additional trademark information and notices. Some software products
marketed by SAP SE and its distributors contain proprietary software
components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any kind,
and SAP SE or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP SE or
SAP affiliate company products and services are those that are set forth in
the express warranty statements accompanying such products and services,
if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue
any course of business outlined in this document or any related presentation,
or to develop or release any functionality mentioned therein. This document,
or any related presentation, and SAP SE’s or its affiliated companies’
strategy and possible future developments, products, and/or platform
directions and functionality are all subject to change and may be changed by
SAP SE or its affiliated companies at any time for any reason without notice.
The information in this document is not a commitment, promise, or legal
obligation to deliver any material, code, or functionality. All forward-looking
statements are subject to various risks and uncertainties that could cause
actual results to differ materially from expectations. Readers are cautioned
not to place undue reliance on these forward-looking statements, which
speak only as of their dates, and they should not be relied upon in making
purchasing decisions.