654982 - URL Requirements Due to Internet Standards

8/10/2019 654982 - URL Requirements Due to Internet Standards

http://slidepdf.com/reader/full/654982-url-requirements-due-to-internet-standards 1/4

10/30/2014 654982 - URL requirements due to Internet standards

https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwM Q==)/bc/bsp/sno/ui/main.do?param= 69765F6D6F64653D3030332669765F7361706E6F7465735F6B65793D…

SAP Note

  654982 - URL requirements due to Internet standards  

Version: 10

Validity: 08.12.2011 - active

Language  English

Header Data

Released On: 09.12.2011 15:10:23

Release Status: Released for Customer

Component: BC Basis Components

Other Components:

  BC-BSP Business Server Pages

  BC-JAS Java Application Server - Please use sub-components

  BC-MID-ICF Internet Communication Framework

  BC-NET Network Infrastructure

  BC-WD Web Dynpro

  EP-PIN SAP NetWeaver Portal

Priority: Recommendations / Additional Info

Category: Installation information

Symptom

1. Cookies (particularly MYSAPSSO2) are not set, even though the server issues them and the browser accepts cookies. Filtering reverse proxies have also been ruled out as the source of the error.

2. https does not work. The browser reports the following error or warning (or similar): "Certificate name is invalid and is unsuitable for the server", or the ICM trace contains the following message, or similar:

  MatchTargetName("<hostA.domain.tld>", "CN=<hostB.domain.tld>, OU=<...>, O=<...>, C=<...>")

Other Terms

Cookie, URL, URI, FQDN, SSL, X.509, Single Sign-On (SSO), icm/host_name_full

Reason and Prerequisites

These problems occur either because only the host name, but not the domain (=> FQDN, fully qualified domain name), is specified in the URL, or because the domain that you use does not satisfy the requirements of the cookie specification (for more information, see: http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html).

Point 1:

To enable the browser to decide to which server a cookie may be sent, the URL must include the domain specification, since this information is used as the basis for the decision. The cookie specification tightens this requirement by stipulating that

domains with the extension "com", "edu", "net", "org", "gov", "mil" or "int" must include at least one additional domain component (usually the name of the company or organization), while

any domain with a different extension (including the national top-level domains in particular, for example, "de", "uk", "fr", and so on) must consist of at least two additional domain parts.

For example:

http://www.sap.com/... - this is acceptable

http://www.sap.de/... - this is not acceptable

http://www.public.sap.de/... - this is acceptable

Comment:

Some browsers (for example, Microsoft Internet Explorer) are less strict and also permit domains that violate the cookie specification rules listed above. To the best of our knowledge (for which we cannot be held responsible), all domains whose penultimate domain component consists of at least three characters seem to be generally accepted (because otherwise there would be problems, for example with all British domains, due to insufficient restrictions on how cookies are sent):

http://www.sap.de - for MS IE: acceptable

http://www.xy.co.uk - acceptable (conforms to specifications)

http://www.co.uk - not acceptable (in accordance with the specifications)
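
The rules from Point 1 and the comment above, applied to the note's own example URLs. This is an added example, not part of the SAP Note; the function name and the verdict labels are hypothetical, and it assumes that the "domain" is the FQDN minus its first (host) label, which is how the note's examples read.

```python
import ipaddress
from urllib.parse import urlsplit

# The seven special top-level domains named in the cookie specification.
GENERIC_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}

def cookie_domain_verdict(url):
    """Return 'strict-ok', 'lenient-only' or 'rejected' for the host in url.

    strict-ok    : domain satisfies the cookie specification rules
    lenient-only : violates the specification, but the penultimate domain
                   component has >= 3 characters (the relaxed behaviour
                   the note describes for e.g. MS IE)
    rejected     : no usable domain part for domain cookies
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "rejected"            # IP literal: no domain part (added edge case)
    except ValueError:
        pass
    labels = host.split(".") if host else []
    if len(labels) < 2 or not all(labels):
        return "rejected"            # bare host name, the note's first root cause
    domain = labels[1:]              # assumption: first label is the host name
    additional = len(domain) - 1     # components in front of the extension
    needed = 1 if domain[-1] in GENERIC_TLDS else 2
    if additional >= needed:
        return "strict-ok"
    if len(domain) >= 2 and len(domain[-2]) >= 3:
        return "lenient-only"
    return "rejected"

if __name__ == "__main__":
    # URLs from the note, plus one constructed host-only URL.
    for u in ("http://www.sap.com/", "http://www.sap.de/",
              "http://www.public.sap.de/", "http://www.xy.co.uk",
              "http://www.co.uk", "http://sapserver:8000/sap/bc/bsp"):
        print(f"{u:40} {cookie_domain_verdict(u)}")
```
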

Point 2:

Along with encrypted data transfer, the use of SSL (=> https) is designed to ensure that the specified server (for example, an enterprise or an organization) is authentic. SSL server certificates are used for this purpose. For each https URL, the browser checks whether the complete host name contained in the URL corresponds to the relevant specification (=> Common Name, CN) of the checked SSL server certificate. If the browser detects a variance, it triggers a warning (or an error).

For example:

The SSL server certificate was issued to "CN=tcs.mysap.com, OU=SAP Trust Community, O=SAP AG, L=Walldorf, C=DE". Then the following URLs are considered:

http://tcs.mysap.com/... - no SSL/https

https://tcs.mysap.com/... - this is acceptable

https://tcs01.mysap.com/... - Warning/error

In the case of an SSL server certificate that was issued to "CN=mysap.com, and so on", all of the URLs that are mentioned above return an error.

On the other hand, in the case of an SSL server certificate that was issued to "CN=*.mysap.com, ...", the two https URLs would work without errors. However, a Certification Authority (CA) usually sets up its own rules for the parts of the certificates that it issues (and therefore authenticates). The use of wildcards (*) in the common name is not usually permitted.
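
The host name comparison from Point 2, run against the three certificate subjects discussed above. This is an added example, not part of the SAP Note and not the browser's or the ICM's actual code; the function names are hypothetical, the DN parsing is simplified (no escaped commas), and the two shortened subjects "CN=mysap.com" and "CN=*.mysap.com" are constructed from the note's text.

```python
import re
from urllib.parse import urlsplit

def subject_cn(subject_dn):
    """Extract the CN value from a DN string as printed in the note."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject_dn, re.IGNORECASE)
    return m.group(1).strip().lower() if m else None

def name_matches(host, pattern):
    """Label-wise, case-insensitive comparison of host against pattern.
    A leading '*' label stands for exactly one host label."""
    host_labels = host.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False          # '*.mysap.com' covers neither 'mysap.com' nor 'a.b.mysap.com'
    if pat_labels[0] == "*":
        return bool(host_labels[0]) and host_labels[1:] == pat_labels[1:]
    return host_labels == pat_labels

def check_url(url, subject_dn):
    """Return 'no-tls', 'match' or 'mismatch' for url against the certificate subject."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "no-tls"       # plain http: the certificate is never checked
    cn = subject_cn(subject_dn)
    if cn and parts.hostname and name_matches(parts.hostname, cn):
        return "match"
    return "mismatch"         # browser warning; ICM trace shows MatchTargetName(...)

NOTE_DN = "CN=tcs.mysap.com, OU=SAP Trust Community, O=SAP AG, L=Walldorf, C=DE"

if __name__ == "__main__":
    urls = ("http://tcs.mysap.com/", "https://tcs.mysap.com/",
            "https://tcs01.mysap.com/", "https://tcs/")   # last one: host name only
    for dn in (NOTE_DN, "CN=mysap.com", "CN=*.mysap.com"):
        for u in urls:
            print(f"{dn.split(',')[0]:18} {u:28} {check_url(u, dn)}")
```

Current browsers perform this comparison against the certificate's subjectAltName DNS entries rather than the CN; the matching logic per entry is the same.
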

Comment:

When you use SSL-terminating reverse proxies (in front of the Web server/SAP Web Application Server/SAP J2EE server), you must make sure that the SSL server certificate of the reverse proxies corresponds to the host name of the reverse proxies that is visible to the browser.

General information about SSL and the SAP Web Application Server is available at http://service.sap.com/security > Security in Detail > Infrastructure Security: "Network and Transport Layer Security" and http://service.sap.com/security > Security in Detail > Archive (Old Documents): "SAP Web Application Server Security".

Solution

Use fully-specified host names (including the domain specification) in URLs and make sure that you only use domains that conform to the rules defined in the cookie specification.

Validity

This document is not restricted to a software component or software component version

Attachments

File Name File Size (KB) Mime Type

Netscape_Cookie_Specification.pdf    19 application/pdf