Friday 20 October 2023

SAP HANA XSA (mainly FSPRO) application access via external Web Dispatcher


In this blog post, I outline how to configure an SAP Web Dispatcher (WD) so that it acts as the reverse-proxy server for an XSA instance where SSL is terminated at the XSA server. The WD simply routes requests to the XSA instance. This setup allows the XSA host to be hidden from the end user.

This is mainly relevant if you have port-based XSA installed due to application limitations.



The content of this blog post is provided “AS IS”. This information could contain technical inaccuracies, typographical errors, and out-of-date information. This document may be updated or changed without notice at any time. Use of the information is therefore at your own risk. In no event shall SAP be liable for special, indirect, incidental, or consequential damages resulting from or related to the use of this document.


I have carefully prepared a document that outlines all the necessary steps for configuring the external SAP Web Dispatcher for SAP HANA XSA application URLs. By following these instructions, you can ensure that your HANA DB is kept secure and is not directly exposed to end users. It is important to take these steps to protect your data and ensure that your applications are running as smoothly as possible.


Your XSA, cockpit, and Web Dispatcher must be at or above the following minimum versions:

  • SAP HANA XS Advanced – version 1.0.117 or later
  • SAP HANA XS Advanced Cockpit – version 1.1.15 or later
  • Web Dispatcher – version 7.77 or later

Open the ports below from the DB server to the WD, and the same ports from the WD to the end-user machine.

If your HANA instance number (NN) is 00, use the ports below; otherwise, replace 00 with your own number.


Standard ports


External Web Dispatcher setup for HANA XSA applications (mainly FSPRO), steps:

  • Take all system configuration backup
  • Configure WD
  • Configure SAP HANA XSA
  • Test URLs

Take all system configuration backup:-

As a preventive measure, take a full HANA VM backup. We are only adding new configuration, so it will not impact core functionality.

Back up all xs ini files, along with the profile parameters of the HANA internal Web Dispatcher.

Configure WD:-

The following needs to be added to your WD profile file (e.g. /usr/sap/<SID>/SYS/profile/<SID>_<Instance>_<WD_hostname>):

wdisp/system_conflict_resolution = 1

# size of requests to an SAP HANA XS advanced system should be unrestricted

icm/host_name_full_compatibility_mode = true

# SAP HANA XS advanced ports
icm/server_port_1=PROT=TCP, PORT=30030, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_2=PROT=TCP, PORT=30032, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_3=PROT=TCP, PORT=29002, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_4=PROT=TCP, PORT=51038, TIMEOUT=60, PROCTIMEOUT=600

# SAP HANA XS advanced endpoints
wdisp/system_0=NAME=XSAUAA, SID=HDB, SRCTCPSRV=*:30032, EXTSRV=tcp://<hana hostname>:30032
wdisp/system_1=NAME=XSA, SID=HDB, SRCTCPSRV=*:30030, EXTSRV=tcp://<hana hostname>:30030
wdisp/system_2=NAME=APP1, SID=HDB, SRCTCPSRV=*:29002, EXTSRV=tcp://<hana hostname>:29002
wdisp/system_4=NAME=XSA1, SID=HDB, SRCTCPSRV=*:51038, EXTSRV=tcp://<hana hostname>:51038

NOTE: The SID, ports, and HANA hostname need to be changed to match your environment.


PORT = a port on the XSA server

NAME = any name that helps you identify the entry. Special characters are not allowed, and the maximum length is 12 characters.

SRCTCPSRV = same value as PORT.

EXTSRV = It should be the FQDN of the HANA server where XSA is installed, prefixed with tcp:// and qualified with the PORT.


NOTE: You can include any other XSA applications you want, such as the cockpit.

For every SAP HANA XS advanced port entry, there must be a corresponding SAP HANA XS advanced endpoint entry, and the port numbers must be the same in both entries. You cannot do network address translation (NAT) here.
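The rules above (one endpoint entry per port entry, identical port numbers, NAME limits, EXTSRV format) can be checked mechanically before restarting the WD. The following is an added example, not part of the original post or an SAP tool: the function names, the sample profile and the host name hana.example.internal are constructed for illustration, and "no special characters" is read as letters and digits only.

```python
import re

# Constructed sample profile (host name is a placeholder) with deliberate slips.
SAMPLE_PROFILE = """\
wdisp/system_conflict_resolution = 1
icm/server_port_1=PROT=TCP, PORT=30030, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_2=PROT=TCP, PORT=30032, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_3=PROT=TCP, PORT=29002, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_4=PROT=TCP, PORT=51038, TIMEOUT=60, PROCTIMEOUT=600
wdisp/system_0=NAME=XSAUAA, SID=HDB, SRCTCPSRV=*:30032, EXTSRV=tcp://hana.example.internal:30032
wdisp/system_1=NAME=XSA, SID=HDB, SRCTCPSRV=*:30030, EXTSRV=tcp:// hana.example.internal:30030
wdisp/system_2=NAME=FSPROAPPROUTER, SID=HDB, SRCTCPSRV=*:29002, EXTSRV=tcp://hana.example.internal:29003
"""

def parse_profile(text):
    """Split profile text into icm/server_port_N and wdisp/system_N entries."""
    ports, systems = {}, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        pairs = (f.split("=", 1) for f in value.split(",") if "=" in f)
        fields = {k.strip(): v.strip() for k, v in pairs}
        if re.fullmatch(r"icm/server_port_\d+", key):
            ports[key] = fields
        elif re.fullmatch(r"wdisp/system_\d+", key):  # skips system_conflict_resolution
            systems[key] = fields
    return ports, systems

def check_profile(text):
    """Findings for this page's rules; NAME check assumes letters/digits only."""
    ports, systems = parse_profile(text)
    findings, routed = [], set()
    for key, f in systems.items():
        if not re.fullmatch(r"[A-Za-z0-9]{1,12}", f.get("NAME", "")):
            findings.append(f"{key}: NAME must be 1-12 plain characters")
        src = re.fullmatch(r"\*:(\d+)", f.get("SRCTCPSRV", ""))
        ext = re.fullmatch(r"tcp://[^\s:/]+:(\d+)", f.get("EXTSRV", ""))
        if src:
            routed.add(src.group(1))
        if not src or not ext:
            findings.append(f"{key}: SRCTCPSRV or EXTSRV is malformed")
        elif src.group(1) != ext.group(1):
            findings.append(f"{key}: EXTSRV port differs from SRCTCPSRV (no NAT)")
    listening = {f["PORT"] for f in ports.values() if "PORT" in f}
    for port in sorted(listening ^ routed):  # ports present on one side only
        side = "wdisp/system" if port in listening else "icm/server_port"
        findings.append(f"port {port}: no matching {side} entry")
    return findings
```

Calling check_profile(SAMPLE_PROFILE) returns four findings; an empty list means every listener port has an endpoint entry with the same port number.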

Since the domain of the XSA instance has changed, all XSA requests must be routed through the WD. Therefore, you must list all the externally accessible XSA ports in the WD profile. This includes the XSA Cockpit and XSA Controller page. For the PQM apps, you only need to list the approuter port. You do not need to include the web app port number. The approuter will route requests to the web app internally on the HANA server.

If you get the warning below from the sapwebdisp check, you can ignore it.

Configure SAP HANA XSA

Update XSA Domain Name

The XSA “default domain” needs to change to the web dispatcher’s FQDN hostname. WARNING – once done, all XSA web apps will not be reachable until the WD has been properly configured.

To change the XSA default domain:

  • Log in to SAP HANA Studio
  • Go to Administration Console -> Configuration
  • Open xscontroller.ini -> communication
  • Double-click on default_domain. Edit the System's new value and set it to the WD fully-qualified domain name.


Restart the XSA services so that the change takes effect: run “XSA restart” while logged in on the HANA server as the OS tenant DB user <SID>adm.

Update OS host file to allow for internal routing

To allow the newly changed XSA server to route internal requests without going through the WD, you need to add an entry into the /etc/hosts file that maps to the XSA default domain.

Example: localhost <Web Dispatcher hostname> (use the physical or virtual name configured in the WD)

Generate new private and public key for renamed XSA server

Since the “domain” of the XSA instance has changed, a new SSL private and public key will need to be imported into XSA. If you have them, you can reuse the same ones that were used for your WD. Otherwise, generate a new set and upload them into XSA using the command

“xs set-certificate <domain> -c <signed_public_cert>.cer -k <private_key>.key”.

Domain = Web Dispatcher hostname

IMPORTANT – the first endpoint entry must be the UAA security endpoint (aka authorization endpoint). The next one should be the XSA controller endpoint. Both can be determined by the command “xs system-info”.

Test URLs

Tested the SAP HANA cockpit URL routed via an external web dispatcher.
