Fully Qualified Domain Names (FQDN)

In Web Dynpro ABAP it is imperative that a client browser with a fully qualified domain name (FQDN) has access to the AS-ABAP. For this reason the full URL must be assigned to a Web Dynpro ABAP application when it is called. The URL must not be shortened (for instance, no domain specification).

The domain used must also satisfy the requirements of the cookie specification (see http://wp.netscape.com/newsref/std/cookie_spec.html).

To check the FQDN/FQHN, in the Web Dynpro explorer in the ABAP development environment (SE80), choose the relevant Web Dynpro application from the navigation tree for your Web Dynpro component/interface, and check the URL in the administration data. Check whether the path details in field URL also contain the full domain and host name.

Note

Note that neither IP addresses nor underscore characters are allowed in host names (see below).

Purpose

FQDN is necessary for the following reasons:

●  One domain is required with which cookies can be set domain-wide, for instance, SSO2 cookies.

●  Domain relaxation code is required for cross-frame JavaScript. This is particularly important for Portal Integration (see below).

●  In an HTTPS environment, client and server names must correspond with each other for certificates and for the SSL protocol.

Note that the domain in which the AS-ABAP is run is not necessarily the FQDN used to access the AS-ABAP from the browser. A typical example is an AS-ABAP which runs both in the Intranet and in the Internet. In a case like this the FQDN is determined by the position of the browser relative to the AS-ABAP and not by the AS-ABAP itself.

Configuration of Fully Qualified Domain Names

If the host name simply specifies the host and port but not the domain (including the extension), the shortened URL of a Web application looks like:

<schema>://<host name>:<port>/sap/...

Example:

http://pwdf0487:1080/sap/bc/webdynpro/sap/wdr_test_events

Whereas the full URL should look like:

<schema>://<host name>.<domain>.<extension>:<port>/sap/...

Example:

http://pwdf0487.wdf.sap-ag.de:1080/sap/bc/webdynpro/sap/wdr_test_events

IP Addresses Not Supported

URLs that contain IP addresses are not supported.

<schema>://<IP address>:<port>/sap/...

Example:

http://10.21.81.0:1080/sap/bc/webdynpro/sap/xyz

The following notation is required:

<schema>://<host name>.<domain>.<extension>:<port>/sap/...

Example:

http://hs0059i.wdf.sap.corp:1080/sap/bc/webdynpro/sap/xyz

To map IP addresses correctly, the following is required:

●  A minimal form of DNS at the customer location with the name of the AS-ABAP and a mapping to an IP address.

●  Alternatively, a pseudo AS-ABAP name can be used, and the HTTP proxy configured at the firewall in such a way that this URL is sent to the correct IP address.

●  For smaller installations you can use the following quick solution:

Update the hosts file on each workstation. Insert the line 10.17.73.210 hostname.domain.ext into the file \WINNT\system32\drivers\etc\hosts.

No Support for “_” in Host Names

The browser does not accept cookies if a host name contains the underscore character “_”.

Since Microsoft Internet Explorer 6.0 and MS Internet Explorer 5.5 including security patch MS01-055 cannot accept any domain names with underscore characters, session cookies cannot be saved. This will result in terminations when navigating within a Web application.

Example:

The development system is called dev_sys, and the quality security system, qsys. This means the fully qualified domain name is:

qsys.company.co.xx

In comparison, the following notations are not accepted:
dev_sys.company.co.xx
qsys.my_company.co.xx

For this reason, host and domain names must never contain the underscore character, “_”.

See also:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;316112

Domain Restrictions in Accordance with the Cookie Specification

The portal must be started with a domain that complies with the domain specification of the Internet standard cookie specification. Otherwise the portal cannot create the MYSAPSSO2 cookie.

So that the browser can decide which servers a cookie can be sent to, the URL must contain the domain specification, since the decision is based on this information. In accordance with the Netscape cookie specification (available under http://wp.netscape.com/newsref/std/cookie_spec.html), cookies can be set for one domain only, and a domain must contain two or three dots (.) due to security restrictions. Each of the seven top level domains (.COM, .EDU, .NET, .ORG, .GOV, .MIL, .INT) must contain at least one further domain component (usually the name of the company or organization), amounting to two dots. Each domain with a different ending (this includes the top level domains for countries, such as UK, DE, FR, and so on) must consist of two further domain components, that is, these domains must contain at least three dots. For more information see the cookie specification.

Examples of valid domains:

●  <host>.sap.com 
Top level domain -> two domain components

●  <host>.portal.sap.de 
No top level domain -> three domain components

 

Some browsers (for instance, Microsoft Internet Explorer) are less strict and permit domains that violate the cookie specification rules listed above.

The Internet Explorer would allow the following domain:

<host>.sap.de

This is not a top level domain, yet it only has two domain components.

Domains appear to be accepted whose penultimate component consists of at least three characters, because otherwise there would be problems, for instance with all British domains, due to there being insufficient restrictions on how cookies are sent.

Examples

| URL | Description |
|---|---|
| http://www.xy.com | Compliant with specification |
| http://www.xy.co.uk | Compliant with specification |
| http://<host>.epd.de | For MS IE ok |
| http://www.sap.de | For MS IE ok |
| http://<host>.ep.de | For MS IE not ok |
| http://www.co.uk | Not ok (compliant with specification) |

 

Useful links to Microsoft knowledge base:

<http://support.microsoft.com/default.aspx?scid=kb;en-us;310676>

<http://support.microsoft.com/default.aspx?scid=kb;EN-US;316112>

SAP generally recommends that you always comply with the definitions of the cookie specifications.
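
The host-name rules above (no shortened URLs, no IP addresses, no underscores, and the cookie-specification dot rule with the leniency described for MS IE) can be checked before a URL is published to users. The following Python check is an added example, not SAP code; the names check_url and audit and the verdict strings are assumptions made for illustration, and host1 is a constructed stand-in for <host>.

```python
import ipaddress
from urllib.parse import urlsplit

# The seven top level domains named in the Netscape cookie specification.
GENERIC_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def check_url(url):
    """Classify the host in a URL (hypothetical helper; verdict names are ours)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "ip-address"      # URLs that contain IP addresses are not supported
    except ValueError:
        pass
    if "_" in host:
        return "underscore"      # session cookies cannot be saved by the browser
    labels = host.split(".")
    if len(labels) < 2:
        return "no-domain"       # shortened URL: host name without domain
    domain = labels[1:]          # components after the host name
    required = 2 if domain[-1] in GENERIC_TLDS else 3
    if len(domain) >= required:
        return "spec-compliant"
    # Leniency described for MS IE: penultimate component has >= 3 characters.
    if len(domain) >= 2 and len(domain[-2]) >= 3:
        return "ie-only"
    return "rejected"


# URLs taken from this page; "host1" is a constructed stand-in for <host>.
SAMPLES = [
    "http://pwdf0487:1080/sap/bc/webdynpro/sap/wdr_test_events",
    "http://pwdf0487.wdf.sap-ag.de:1080/sap/bc/webdynpro/sap/wdr_test_events",
    "http://10.21.81.0:1080/sap/bc/webdynpro/sap/xyz",
    "http://dev_sys.company.co.xx/",
    "http://www.xy.co.uk",
    "http://host1.epd.de",
    "http://host1.ep.de",
    "http://www.co.uk",
]


def audit(urls):
    """Return every URL that is not spec-compliant, mapped to its verdict."""
    return {u: v for u in urls if (v := check_url(u)) != "spec-compliant"}


if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{check_url(url):15} {url}")
```
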

HTTPS

The use of SSL (with HTTPS), as well as ensuring encrypted data transfer, should also ensure that the server being contacted (for example, a company or organization) is authentic. This is done using SSL server certificates. For each HTTPS URL the browser checks whether the full host name contained in the URL corresponds to the relevant specification (such as common name, CN) in the checked SSL server certificate. If the browser ascertains a difference, it triggers an error warning.

Examples

The SSL server certificate was issued on "CN=tcs.mysap.com, OU=SAP Trust Community, O=SAP AG, L=Walldorf, C=DE". The following URLs are checked:

| URL | Description/Behavior |
|---|---|
| http://tcs.mysap.com/... | No SSL/HTTPS |
| https://tcs.mysap.com/... | Compliant with specification |
| https://tcs01.mysap.com/... | Warning/error |

With an SSL server certificate issued on "CN=mysap.com, ..." all the URLs listed above return an error.

With an SSL server certificate issued on "CN=*.mysap.com, ..." all the URLs listed above return an error. A certification authority (CA), however, usually establishes its own rules for components that it issues and for verified certificates. The use of wildcards (*) in the common name is generally not permitted.

Note

When you use SSL terminating reverse proxies (in front of the Web Server/AS-ABAP), make sure that the SSL server certificate of the reverse proxy corresponds to the host name of the reverse proxy that is visible for the browser.

For more information about security see Security in AS-ABAP.

Setting the FQDN

The following variables and parameters are used to set the host and domain names:

●  SAPLOCALHOST

●  SAPLOCALHOSTFULL

●  icm/host_name_full

The ICM sets the FQHN in accordance with the hierarchy below:

  1.  Parameter SAPLOCALHOSTFULL in the SAP profile (recommended for high availability configurations) has top priority. If it is set in the profile file, the ICM takes this as the FQHN value.

Note

Note that the system default value of SAPLOCALHOSTFULL contains the host name without the domain, which is why the system default is ignored by the ICM.

  2.  If the parameter is not set, the value in icm/host_name_full is used.

  3.  If this parameter is also not set, the ICM takes the FQHN of the operating system.

Parameter SAPLOCALHOST is not fully qualified and is not used by the ICM for services.

SAP recommends that you set either SAPLOCALHOSTFULL (for high availability configurations) or icm/host_name_full.

 
