Fully Qualified Domain Names (FQDN)

翻译 2016年08月30日 13:46:04

In Web Dynpro ABAP it is imperative that a client browser with a fully qualified domain name (FQDN) has access to the AS-ABAP. For this reason the full URL must be assigned to a Web Dynpro ABAP application when it is called. The URL must not be shortened (for instance, no domain specification).

The domain used must also satisfy the requirements of the cookie specification (see http://wp.netscape.com/newsref/std/cookie_spec.html).

To check the FQDN/FQHN, in the Web Dynpro explorer in the ABAP development environment (SE80), choose the relevant Web Dynpro application from the navigation tree for your Web Dynpro component/interface, and check the URL in the administration data. Check whether the path details in field URL also contain the full domain and host name.

Note

Note that neither IP addresses nor underscore characters are allowed in host names (see below).

Purpose

FQDN is necessary for the following reasons:

●  One domain is required with which cookies can be set domain-wide, for instance, SSO2 cookies.

Domain relaxation code is required for cross-frame JavaScript.
This is particularly important for Structure linkPortal Integration (see below).

●  In an HTTPS environment, client and server names must correspond with each other for certificates and for the SSL protocol.

Note that the domain in which the AS-ABAP is run is not necessarily the FQDN used to access the AS-ABAP from the browser. A typical example is an AS-ABAP which runs both in the Intranet and in the Internet. In a case like this the FQDN is determined by the position of the browser relative to the AS-ABAP and not by the AS-ABAP itself.

Configuration of Fully Qualified Domain Names

If the host name simply specifies the host and port but not the domain (including the extension), the shortened URL of a Web application looks like:

This graphic is explained in the accompanying text

<schema>://<host name>:<port>/sap/...

Example:

http://pwdf0487:1080/sap/bc/webdynpro/sap/wdr_test_events

Whereas the full URL should look like:

This graphic is explained in the accompanying text

<schema>://<host name>.<domain> <extension>:<port>/sap/...

Example:

http://pwdf0487.wdf.sap-ag.de:1080/sap/bc/webdynpro/sap/wdr_test_events

IP Addresses Not Supported

URLs that contain IP addresses are not supported.

This graphic is explained in the accompanying text

<schema>://<IP address>:<port>/sap/...

Example:

http://10.21.81.0:1080/sap/bc/webdynpro/sap/xyz

The following notation is required:

This graphic is explained in the accompanying text

<schema>://<host name>.<domain> <extension>:<port>/sap/...

Example:

http://hs0059i.wdf.sap.corp:1080/sap/bc/webdynpro/sap/xyz

To map IP addresses correctly, the following is required:

●  A minimal form of DNS at the customer location with the name of the AS-ABAP and a mapping to an IP address.

●  Alternatively, a pseudo AS-ABAP name can be used, and the HTTP proxy configured at the firewall in such a way that this URL is sent to the correct IP address.

●  For smaller installations you can use the following quick solution:

Update the hosts file on each workstation. Insert the line 10.17.73.210 hostname.domain.ext  into file\WINNT\system32\drivers\etc\hosts.

No Support for “_” in Host Names

The browser does not accept cookies if a host name contains the underscore character “_”.

Since Microsoft Internet Explorer 6.0 and MS Internet Explorer 5.5 including security patch MS01-055 cannot accept any domain names with underscore characters, session cookies cannot be saved. This will result in terminations when navigating within a Web application.

Example

Example:

The development system is called dev_sys, and the quality security system, qsys. This means the fully qualified domain name is:

qsys.company.co.xx

In comparison, the following notations are not accepted:
dev_sys.company.co.xx
qsys.my_company.co.xx

For this reason, host and domain names must never contain the underscore character, “_”.

See also:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;316112

Domain Restrictions in Accordance with the Cookie Specification

The portal must be started with a domain that complies with the domain specification of the Internet standard cookie specification. Otherwise the portal cannot create the MYSAPSSO2 cookie.

So that the browser can decide which servers a cookie can be sent to, the URL must contain the domain specification, since the decision is based on this information. In accordance with the Netscape cookie specification (available under http://wp.netscape.com/newsref/std/cookie_spec.html), cookies can be set for one domain only, and a domain must contain two or three dots (.) due to security restrictions. Each of the seven top level domains (.COM,.EDU,.NET,.ORG,.GOV,.MIL,.INT) must contain at least one further domain component (usually the name of the company or organization), amounting to two dots. Each domain with a different ending (this includes the top level domains for countries, such as UK, DE, FR, and so on) must consist of two further domain components, that is, these domains must contain at least three dots. For more information see the cookie specification.

Example

Examples of valid domains:

●  <host>.sap.com 
Top level domain -> two domain components

●  <host>.portal.sap.de 
No top level domain -> three domain components

 

Some browsers (for instance, Microsoft Internet Explorer) are less strict and permit domains that violate the cookie specification rules listed above.

The Internet Explorer would allow the following domain:

This graphic is explained in the accompanying text

<host>.sap.de

This is not a top level domain, yet it only has two domain components.

Domains appear to be accepted whose penultimate component consists of at least three characters, because otherwise there would be problems, for instance with all British domains, due to there being insufficient restrictions on how cookies are sent.

Examples

URL

Description

http://www.xy.com

Compliant with specification

http://www.xy.co.uk

Compliant with specification

 

http://<host>.epd.de

For MS IE ok

http://www.sap.de

For MS IE ok

 

http://<host>.ep.de

For MS IE not ok

http://www.co.uk

Not ok (compliant with specification)

 

Useful links to Microsoft knowledge base:

<http://support.microsoft.com/default.aspx?scid=kb; en-us;310676>

<http://support.microsoft.com/default.aspx?scid=kb;EN-US;316112>

This graphic is explained in the accompanying text

SAP generally recommends that you always comply with the definitions of the cookie specifications.

HTTPS

The use of SSL (with HTTPS), as well as ensuring encrypted data transfer, should also ensure that the server being contacted (for example, a company or organization) is authentic. This is done using SSL server certificates. For each HTTPS URL the browser checks whether the full host name contained in the URL corresponds to the relevant specification (such as common name, CN) in the checked SSL server certificate. If the browser ascertains a difference, it triggers an error warning.

Examples

The SSL server certificate was issued on "CN=tcs.mysap.com, OU=SAP Trust Community, O=SAP AG, L=Walldorf, C=DE". The following URLs are checked:

URL

Description/Behavior

http://tcs.mysap.com/...

No SSL/HTTPS

https://tcs.mysap.com/...

Compliant with specification

https://tcs01.mysap.com/...

Warning/error

With an SSL server certificate issued on "CN=mysap.com, ..." all the URLs listed above return an error.

With an SSL server certificate issued on "CN=*.mysap.com, ..." all the URLs listed above return an error. A certification authority (CA), however, usually establishes its own rules for components that it issues and for verified certificates. The use of wildcards (*) in the common name is generally not permitted.

Note

When you use SSL terminating reverse proxies (in front of the Web Server/AS-ABAP), make sure that the SSL server certificate of the reverse proxy corresponds to the host name of the reverse proxy that is visible for the browser.

For more information about security see Security in AS-ABAP.

Setting the FQDN

The following variables and parameters are used to set the host and domain names:

●  SAPLOCALHOST

●  SAPLOCALHOSTFULL

●  icm/host_name_full

The ICM sets the FQHN in accordance with the hierarchy below:

  1.  Parameter SAPLOCALHOSTFULL in the SAP profile (recommended for high availability configurations) has top priority. If it is set in the profile file, the ICM takes this as the FQHN value.

Note

Note that the system default value of SAPLOCALHOSTFULL contains the host name without the domain, which is why the system default is ignored by the ICM .

If the parameter is not set, the value in iStructure linkicm/host_name_fullsapurl_li is used.

  1.  If this parameter is also not set, the ICM takes the FQHN of the operating system.

Parameter SAPLOCALHOST is not fully qualified and is not used by the ICM for services.

SAP recommend you set either SAPLOCALHOSTFULL (for high availability configurations), or icm/host_name_full.

 

举报

相关文章推荐

DBID,SID,DB_NAME,DB_DOMAIN,INSTANCE_NAME,DB_UNIQUE_NAME,SERVICE_NAMES 及监听参数的说明

这篇文章中要讲的几个参数:        DB 相关的: DBID, SID        PFILE中的参数:DB_NAME,DB_D...

DBID,SID,DB_NAME,DB_DOMAIN,INSTANCE_NAME,DB_UNIQUE_NAME,SERVICE_NAMES 及监听参数的说明

这篇文章中要讲的几个参数:        DB 相关的:        PFILE中的参数:DB_NAME,DB_DOMAIN, ...

精选:深入理解 Docker 内部原理及网络配置

网络绝对是任何系统的核心,对于容器而言也是如此。Docker 作为目前最火的轻量级容器技术,有很多令人称道的功能,如 Docker 的镜像管理。然而,Docker的网络一直以来都比较薄弱,所以我们有必要深入了解Docker的网络知识,以满足更高的网络需求。

db_name,instance_name,service_names,db_domain,dbid,oracle_sid等区别与联系

db_name,instance_name,service_names,db_domain,dbid,oracle_sid等区别与联系 最近整理了一篇文章:oracle listener...

How to be a qualified interviewer?

首先声明一点,我没怎么面试过别人,只是参加过几场面试,经历的面试官只有小20个吧,所以根本没有资格去评判一个面试官是不是合格的面试官。但经过我最近的一些经历,以及朋友做面试官的体会,再加上自己对面试的...

Schema中elementFormDefault="qualified"所起的作用

from : http://blog.csai.cn/user1/15907/archives/2007/16440.html 有的xsd文件的开头是这样写的: http://www.w3.o...
  • dingxy
  • dingxy
  • 2012-04-05 15:04
  • 4084

Google code jam2015 Qualified Round

Problem A. Standing Ovation It's opening night at the opera, and your friend is the prima donna...

sendBroadcastAsUser——Calling a method in the system process without a qualified user

4.2中Android加入了多用户  改换这几种调用方式  public void startActivityAsUser(Intent intent, UserHandle user);...

How to become a qualified dev&ops

How to become a good webmaster? Is there any free tools that can be used for monitoring the status o...
  • wzyyc
  • wzyyc
  • 2017-03-26 10:40
  • 87
返回顶部
收藏助手
不良信息举报
您举报文章:深度学习:神经网络中的前向传播和反向传播算法推导
举报原因:
原因补充:

(最多只允许输入30个字)