
[BC] Note 654982 - URL requirements due to Internet standards

zsun1314 posted on 2012-2-26 22:18:36
Summary

Symptom

1. Cookies (particularly: MYSAPSSO2) are not set
(even though the server issues these and the browser accepts cookies. Filtering reverse proxies have also been ruled out as the source of the error.).
2. https does not work.
The browser reports the following error or warning (or similar): "Certificate name is invalid and is unsuitable for the server", or the ICM trace contains the following message, or similar:
              MatchTargetName("<hostA.domain.tld>", "CN=<hostB.domain.tld>, OU=<...>, O=<...>, C=<...>")


Other terms

Cookie, URL, URI, FQDN, SSL, X.509, Single Sign-On (SSO), icm/host_name_full


Reason and Prerequisites

These problems occur either because only the host name, but not the domain (=> FQDN, fully qualified domain name), is specified in the URL, or because the domain that you use does not satisfy the requirements of the cookie specification (for more information, see: http://web.archive.org/web/20070 ... td/cookie_spec.html).

Point 1:
To enable the browser to decide to which server a cookie may be sent, the URL must include the domain specification since this information is used as a basis for the decision.
The cookie specification intensifies this requirement by determining that

domains with the extension "com", "edu", "net", "org", "gov", "mil" or "int" must include at least one additional domain component (usually the name of the company or organization), while
any domain with a different extension (including the national top-level domains in particular, for example, "de", "uk", "fr", and so on) must consist of at least two additional domain parts.

For example:

http://www.sap.com/...        - this is acceptable
http://www.sap.de/...         - this is not acceptable
http://www.public.sap.de/...  - this is acceptable

Comment:
Some browsers (for example, Microsoft Internet Explorer) are less strict and also permit domains that violate the cookie specification rules listed above. To the best of our knowledge (for which we cannot be held responsible), all domains whose penultimate domain component consists of at least three characters seem to be generally accepted (because otherwise there would be problems, for example with all British domains, due to insufficient restrictions on how cookies are sent):

http://www.sap.de      - for MS IE:  acceptable
http://www.xy.co.uk    - acceptable (conforms to specifications)
http://www.co.uk      - not acceptable (in accordance with the specifications)

Point 2:
Along with encrypted data transfer, the use of SSL (=> https) is designed to ensure that the specified server (for example, an enterprise or an organization) is authentic. SSL server certificates are used for this purpose. The browser checks each https URL to see whether the complete host name contained in the URL corresponds to the relevant specification (=> Common Name, CN) of the checked SSL server certificate. If the browser detects a variance, it triggers a warning (or an error).

For example:
The SSL server certificate was issued to "CN=tcs.mysap.com, OU=SAP Trust Community, O=SAP AG, L=Walldorf, C=DE". Then the following URLs are considered:

http://tcs.mysap.com/...     - no SSL/https
https://tcs.mysap.com/...    - this is acceptable
https://tcs01.mysap.com/...  - Warning/error

In the case of an SSL server certificate that was issued to "CN=mysap.com, and so on", all of the URLs that are mentioned above return an error.
On the other hand, in the case of an SSL server certificate that was issued to "CN=*.mysap.com, ...", the two https URLs would work without errors. However, a Certification Authority (CA) usually sets up its own rules for the parts of the certificates that it issues (and therefore authenticates). The use of wildcards (*) in the common name is not usually permitted.

Comment:
When you use SSL scheduling reverse proxies (before the Web server/SAP Web Application Server/SAP J2EE server), you must make sure that the SSL server certificate of the reverse proxies corresponds to the host name of the reverse proxies that is visible to the browser.
General information about SSL and the SAP Web Application Server is available at http://service.sap.com/security > Security in Detail > Infrastructure Security: "Network and Transport Layer Security" and http://service.sap.com/security > Security in Detail > Archive (Old Documents): "SAP Web Application Server Security".


Solution

Use fully-specified host names (including the domain specification) in URLs and make sure that you only use domains that conform to the rules defined in the cookie specification.
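
A pre-flight check for both points of the note, added here as an example (it is not part of the SAP Note or of the forum post): it tests a URL's host name against the cookie-specification domain rule and against the CN of a server certificate. The function names are hypothetical, the subject string is parsed only in the simple form printed in the note, and treating the first label as the host name is an assumption taken from the note's examples.

```python
from urllib.parse import urlsplit

# Extensions that the note says need only one additional domain component.
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}

def host_labels(url):
    """DNS labels of the URL's host, lower-cased; empty for IP literals."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = [part for part in host.split(".") if part]
    # A numeric last label means an IPv4 address, which has no domain part.
    return [] if not labels or labels[-1].isdigit() else labels

def cookie_domain_ok(url):
    """Strict rule: host name + required domain components + extension."""
    labels = host_labels(url)
    if not labels:
        return False
    extra = 1 if labels[-1] in SPECIAL_TLDS else 2
    # Assumption: the first label is the host name, the rest is the domain.
    return len(labels) >= 1 + extra + 1

def cookie_domain_lenient_ok(url):
    """Relaxed behaviour the note reports (without guarantee) for some browsers."""
    labels = host_labels(url)
    return cookie_domain_ok(url) or (len(labels) >= 3 and len(labels[-2]) >= 3)

def cert_cn(subject):
    """CN value from a subject string as printed in the note (no escaped commas)."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip().lower()
    return ""

def cn_matches(url, subject):
    """True if the https URL's full host name corresponds to the certificate CN."""
    if urlsplit(url).scheme != "https":
        return False  # plain http: no certificate check takes place
    host, cn = host_labels(url), cert_cn(subject).split(".")
    if not host or len(host) != len(cn):
        return False
    if cn[0] == "*":
        # '*' stands for exactly one leftmost label; refuse '*' or '*.tld'.
        return len(cn) >= 3 and host[1:] == cn[1:]
    return host == cn

if __name__ == "__main__":
    subject = "CN=tcs.mysap.com, OU=SAP Trust Community, O=SAP AG, L=Walldorf, C=DE"
    for url in ("https://tcs.mysap.com/", "https://tcs01.mysap.com/", "http://www.sap.de/"):
        print(url, cookie_domain_ok(url), cookie_domain_lenient_ok(url), cn_matches(url, subject))
```

Current browsers compare the host name against the certificate's subjectAltName DNS entries rather than the CN; the same label-by-label comparison applies to those entries.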

