Si alguna vez has configurado NWA notaras que recién instalado no es posible hacer cambios o siquiera acceder al NWA en la URL http://<server>:<port>/nwa para solucionar esto es necesario primero dar los permisos correspondientes mencionados en la nota 1451753 o se obtendrá la siguiente notificación en el navegador:
La nota en cuestión menciona lo siguiente:
Symptom
You want to prevent access to administration URLs of the NetWeaver Administrator in the Internet Communication Manager (ICM).
Other Terms
URL, Uniform Resource Locator, ICM, NWA, SAP NetWeaver Administrator
Reason and Prerequisites
You use AS Java 7.x.
Solution
The URLs for NWA have a unique prefix and can be filtered out in the ICM on a rule basis.
In the profile file (we recommend the default profile DEFAULT.PFL), configure the following modification handler:
icm/HTTP/mod_0 = PREFIX=/,FILE=$(DIR_GLOBAL)/security/data/icm_filter_rules.txt
You must then create the rule file in the specified directory and specify the filter rules.
- If you want to prevent access to administration requests completely, you should define the following rule:
RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]
- If you want to prevent access to administration requests for external administration, you should define the following rule:
if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
if %{REMOTE_ADDR} !stricmp ::1
RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]
- If you want to allow access to administration requests for certain network segments (for example, 10.18.*), you should define the following rule:
if %{REMOTE_ADDR} !regimatch ^10\.18\..*
RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]
- If you do not want to restrict access to the administration requests to certain clients, remove the lines from the file or turn the lines into a comment:
#if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
#if %{REMOTE_ADDR} !stricmp ::1
#RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]
-
The syntax for IPv6 addresses is as follows:
- Local host is the string «::1»
- An example for an IPv6 address is «fe80::21c:c4ff:fedc».
- Local host is the string «::1»
The IP address of the client can be determined with the following (temporary) rule:
RegIRedirectUrl ^/ipaddr_echo /echo?clientip=%{REMOTE_ADDR}
Now use the browser/client to call the following URL on the server: http://<host>:<http_port>/ipaddr_echo.
In the client/browser, the system now displays the IP address of the client in the URL line (for example, http://server.sap.com/echo?clientip=10.18.55.11).
It is important that you remember to remove the temporary rule again.
Siguiendo sus indicaciones aquí una guía practica y simple de implementar esta nota y tener el acceso necesario en NWA:
-
Abrir Archivo DEFAULT ubicado en la siguiente ruta ‘usr/sap/SAPSID/SYS/profile/»
-
Agregar la siguiente línea al final de todo el archivo
-
icm/HTTP/mod_0 = PREFIX=/,FILE=$(DIR_GLOBAL)/security/data/icm_filter_rules.txt
-
Guardar Archivo
-
Abrir archivo icm_filter_rules.txt el cual está ubicado en la siguiente ruta ‘usr/sap/SAPSID/SYS/global/security/data/’
-
Comentar todas las líneas activas como es mostrado en los siguientes puntos
-
#if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
-
#if %{REMOTE_ADDR} !stricmp ::1
-
#RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]
-
Guardar Archivo
-
Reiniciar Java AS
-
Probar nuevamente http://<host>:<port>/nwa
-
Con esto ya no debes obtener el error de acceso remote.
Exelente post, una consulta, el sap abap edition cuenta con NWA?