
6/29/2019

Security Settings for Gateway


Generated on: 2019-06-29

SAP NetWeaver 7.5 | 7.5.6

PUBLIC

Warning

This document has been generated from the SAP Help Portal and is an incomplete version of the official SAP product
documentation. The information included in custom documentation may not reflect the arrangement of topics in the SAP Help
Portal, and may be missing important aspects and/or correlations to other topics. For this reason, it is not for productive use.

For more information, please visit the SAP Help Portal.

This is custom documentation. For more information, please visit the SAP Help Portal 1

Security Settings in the Gateway


Use
Gateway is an interface between the application server and other SAP systems or programs. Usually application servers and
database hosts are located in the same network segment. This network is secured from external access through a demilitarized
zone (DMZ).

Communication from the Gateway, as part of the application server, to external systems beyond the DMZ is insecure in
principle. System administrators have several options available to configure external communication of the Gateway securely.

Features
Configuring Network-Based Access Control Lists (ACL):

In this ACL file (Access Control List = security file) you can specify from which hosts the gateway is to accept
connections at TCP/IP level.

Configuring Support of SNC Components:

With two profile parameters you can specify whether the Gateway is to support SNC, and whether connections to non-
SNC programs are to be allowed. By setting up SNC or using SAP routers, you can make communication between SAP
gateways of different SAP systems secure.

Configuring Connections between Gateway and External Programs Securely:

With two ACL files (Access Control List = security file) you can specify which external programs are allowed to connect to
the Gateway (security file reginfo), and which programs are allowed to be started from the Gateway (security file
secinfo).

Setting Up Gateway Logging:

You can configure the Gateway so that actions executed by it, and requests it receives from external systems, are
written to a log file. You can use this log file for analyzing security settings.

Further Security Parameters:

In addition to the measures described above, further parameters are provided for you to configure the Gateway securely.

More Information
Configuring Network-Based Access Control Lists (ACL)

Configuring Support of SNC Components

Setting Up Gateway Logging.

Evaluating the Gateway Log File

Configuring Connections between Gateway and External Programs Securely

Logging-Based Configuration of Gateway

Gateway Security Files secinfo and reginfo

Security Parameters of the Gateway

Checking the Security Configuration of Gateway.

Configuring Network-Based Access Control Lists (ACL)

Use
You can set up an access control list (ACL) and use it to control which connections the Gateway accepts and which it does not.
They are based on the IP addresses of the clients. The same ACL file is used for the “standard” port and for the “SNC” port of
the SAP gateway.

Procedure
1. Create an ACL file using the syntax described below.

2. In the instance profile of the SAP gateway instance, set parameter gw/acl_file to the file path of the ACL file.

Caution
If this parameter is not set, the Gateway accepts all connection requests.

Syntax of the ACL File

Lines in the ACL must have the following syntax:

<permit | deny> <ip-address[/mask]> [tracelevel] [# comment]

where

permit permits a connection, and deny denies a connection.

<ip address>: The IP address must be an IPv4 or IPv6 address in the following form:

IPv4: 4 bytes, decimal, '.' separated, e.g. 10.11.12.13

IPv6: 16 bytes, hexadecimal, ':' separated. '::' is supported.

<mask>: If a mask is specified, it must be a subnetwork prefix mask:

IPv4: 0-32

IPv6: 0-128

<trace level>: Trace level with which ACL hits (matches of addresses based on the subnetwork mask) are written to
the relevant trace file (default value 2).

<# comment>: Comment lines begin with a hash sign (#).

The file can contain blank lines.

The rules are checked sequentially from the top down. The first matching rule determines the result (“first match”). If no rule
applies, the connection is rejected. To make this explicit, a deny for all addresses (deny 0.0.0.0/0) should nevertheless be
entered as the last rule.


Example

permit 10.1.2.0/24         # permit client network
permit 192.168.7.0/24      # permit server network
permit 10.0.0.0/8 1        # screening rule
                           # (learning mode, trace-level 1)
permit 2001:db8::1428:57ab # permit IPv6 host
deny   0.0.0.0/0           # deny the rest
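The following is an added example, not SAP's own code, that implements the ACL syntax and the first-match evaluation described above in Python. It parses the page's example ACL (embedded as constructed sample input), decides whether a given client address is accepted, and lints the list for the two mistakes a first-match list invites: a rule that an earlier, wider rule makes unreachable, and a missing explicit catch-all deny at the end. The function and class names are the example's own; the gateway itself exposes nothing of the kind.

```python
# Added example (not SAP's code): parse a gw/acl_file in the syntax described
# above and evaluate a client address against it with first-match semantics.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class AclRule:
    action: str        # "permit" or "deny"
    network: Network   # address plus optional prefix mask, e.g. 10.1.2.0/24
    tracelevel: int    # trace level for hits; the page states the default is 2
    lineno: int        # 1-based line in the ACL file, kept for diagnostics


def parse_acl(text: str) -> List[AclRule]:
    """Parse '<permit|deny> <ip[/mask]> [tracelevel] [# comment]' lines."""
    rules: List[AclRule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop a trailing '# comment'
        if not line:
            continue                            # blank or comment-only line
        parts = line.split()
        if len(parts) not in (2, 3) or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: malformed ACL rule {raw!r}")
        # strict=False lets a bare host address become a /32 or /128 network
        network = ipaddress.ip_network(parts[1], strict=False)
        tracelevel = int(parts[2]) if len(parts) == 3 else 2
        rules.append(AclRule(parts[0], network, tracelevel, lineno))
    return rules


def check_client(rules: List[AclRule], client_ip: str) -> Tuple[bool, Optional[AclRule]]:
    """First matching rule decides; no match means the connection is rejected."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        if addr.version == rule.network.version and addr in rule.network:
            return rule.action == "permit", rule
    return False, None


def lint_acl(rules: List[AclRule]) -> List[str]:
    """Flag rules shadowed by an earlier wider rule and a missing final deny."""
    findings: List[str] = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (rule.network.version == earlier.network.version
                    and rule.network.subnet_of(earlier.network)):
                findings.append(f"line {rule.lineno} is never reached: "
                                f"shadowed by line {earlier.lineno}")
                break
    if not rules or rules[-1].action != "deny" or rules[-1].network.prefixlen != 0:
        findings.append("last rule is not an explicit catch-all deny (deny 0.0.0.0/0)")
    return findings


# Constructed sample input: the ACL from the page's example, line for line.
SAMPLE_ACL = "\n".join([
    "permit 10.1.2.0/24         # permit client network",
    "permit 192.168.7.0/24      # permit server network",
    "permit 10.0.0.0/8 1        # screening rule",
    "                           # (learning mode, trace-level 1)",
    "permit 2001:db8::1428:57ab # permit IPv6 host",
    "deny   0.0.0.0/0           # deny the rest",
])

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for ip in ("10.1.2.55", "10.0.5.5", "2001:db8::1428:57ab", "2001:db8::1", "172.16.0.1"):
        ok, hit = check_client(acl, ip)
        where = f"line {hit.lineno}" if hit else "no match (implicit reject)"
        print(f"{ip:22} {'permit' if ok else 'deny':6} {where}")
    for finding in lint_acl(acl):
        print("warning:", finding)
```

Note that 2001:db8::1 is rejected without any rule matching: the page's recommended final deny 0.0.0.0/0 covers IPv4 only, and the address falls through to the implicit reject.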

Related Information
Security Parameters of the Gateway
Checking the Security Configuration of Gateway.

Configuring Support of SNC Components


Use

The parameter snc/enable specifies whether the gateway is to support SNC (see Gateway and SNC Interface). If this
parameter is deactivated (snc/enable = 0, default value), no SNC connections are accepted.

If this parameter is activated (snc/enable = 1), only SNC connections are accepted.

The gateway then checks whether connections to non-SNC programs are permitted. If the parameter
snc/permit_insecure_start = 1, connections to non-SNC programs are permitted.

Prerequisites
The gateway passes its own path name for the SNC library as a command line parameter. If the program you want to start is
running on the same host, the environment variable SNC_LIB therefore does not need to be set. If it is running on a different
host, the environment variable SNC_LIB must be set in the relevant login shell or in the user environment. This variable
specifies the shared library of the security product that is being used.

Procedure
Define the relevant parameters and environment variables.

The SNC parameters are described in Parameterization of the SAP Gateway under SNC Parameters.

Using SAProuter to Secure the Connection Between Two Gateways

As an alternative to SNC support, you can also secure communication between SAP gateways of different SAP systems by using
SAP routers (gateway 1 - SAProuter 1 - SAProuter 2 - gateway 2). The SAP routers take on the SNC encryption and SNC encoding
tasks. Additional system security with SNC (as described above) is then not necessary.

More Information
SAProuter


Setting Up Gateway Logging


Use
Gateway logging is used to monitor the activities of the Gateway. You can configure which Gateway actions are to be logged.
They are then written to a log file. The log file is named after its creation time stamp, but you can configure its exact format.

Procedure

You can set up the logging in profile parameter gw/logging or in the gateway monitor (transaction SMGW). We recommend
the following configuration for the gateway monitor.

Note
The gateway monitor is not available if you are using a standalone gateway or a Java-only installation. You then have to
configure logging in parameter gw/logging.

More information: Configuration Parameters

1. Call the gateway monitor (from the menu or in transaction SMGW).

2. Choose Goto > Expert Functions > Logging.

3. Define a name for the log. To do this, enter a name in the File Name field, where you can use the specified time stamp
variables. The default setting is gw_log-%y-%m-%d. The file will then be called, for example, gw_log-2007-06-19.

4. Choose the gateway actions that you want to log in the log file. You can select the following types of gateway actions:

Gateway Action (Indicator in the Log File): Description (actions logged)

Network (T): Network actions, opening and closing network connections.

Start/stop/signals (X): Receipt of start and stop commands or other (operating system) signals.

Security (S): Security settings and their changes (reloading files). More information: Security Settings in the Gateway

Rejected accesses only (s): Only rejected actions are logged in the log file. This keeps the log file small, which can make
administration tasks such as analysing the data easier.

Rejected accesses without rules (Z): Rejected accesses that are listed neither in the reginfo file nor in the secinfo file are
logged in the log file.

Monitor commands (M): Administration commands that the gateway receives from the gateway monitor (SMGW or, externally,
gwmon).

Dynamic parameter changes (P): Changes to profile parameters in productive operation. More information: Parameterization
of the Gateway

Open RFC connection (O): Creates new RFC connections.

RFC actions (C): RFC actions: opens and closes connections, sends and receives data (open/close/send/receive).

External Programs (E): Launching of external programs. More information: Making Security Settings for External Programs

Registered programs (R): Registration and deregistration of servers. More information: Making Security Settings for External
Programs

Create/delete Conversation IDs (V): Creates new conversation IDs, deletes conversation IDs.

5. Choose the Toggle Criteria (in the lower section of the screen). You can configure the following:

Time-Controlled Toggle: You can specify a time period after which a new file is opened. Possible values are no
toggle, and toggle after one hour, one day, or one year.

Maximum File Size (kByte): You can set the maximum size of the file (specified in kilobytes). If the log file exceeds
this size, the file is closed and a new one opened. A new file name is assigned provided you use the time stamp
variables when you name the file (see above).

Specify Old File: Select this checkbox to prevent a new file from being created. The old file is then overwritten when
the time-controlled toggle condition applies or when the maximum file size is exceeded.

6. Choose whether all programs are to be allowed by default or not (simulation mode = On).

In the default (simulation mode = Off) all rules in the security files are processed, and all connections not explicitly listed
are rejected.

In simulation mode all the rules in the security files are processed too, but additionally all connections not explicitly
included in the security files are allowed. This function supports you with Logging-Based Configuration of Gateway.

7. Select to accept your settings.

Caution
The settings you make here are saved in the shared memory of the instance. They are retained when the gateway is
restarted. However, if the whole instance is shut down, the settings are lost. If you want logging settings that also survive a
shutdown of the instance, you have to set parameter gw/logging in the profile file.

More information: Configuration Parameters

Recommendation
You can set the profile parameter as follows:

gw/logging=ACTION=SPX LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)-%y%m%d SWITCHTF=day

Then signals, profile parameter changes, and security actions will always be logged, and if required, you can also extend the
logging as described above.

Result
The log file is created, and further files are written depending on the settings. The files can be found in the work directory of the
instance.

You can see existing log files at the top next to the name of the log file. To look at the file, choose .

Example
If you select the gateway actions Start/Stop/Signals, Security and Dynamic Parameter Changes for logging, and you use the
standard setting for the file name, you will get, for example, file gw_log-2007-10-10 with the following content:

P Wed Oct 10 2007 11:07:19:891 trace file opened
P Wed Oct 10 2007 11:07:19:891 change gw/logging from ACTION= LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100 => ACTION=SPX LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100
S Wed Oct 10 2007 11:07:38:196 reginfo accepted server: TP=cpict2, HOST=ld8060.wdf.sap.corp (10.66.66.90)
S Wed Oct 10 2007 11:08:14:974 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
S Wed Oct 10 2007 11:08:20:103 secinfo accepted: USER=rehm, USER-HOST=ld8060.wdf.sap.corp (10.66.66.90), HOST=ld8061.wdf.sap.corp (10.66.66.91), TP=/usr/sap/BIN/SYS/exe/run/tp
S Wed Oct 10 2007 11:09:00:497 secinfo accepted: USER=rehm, USER-HOST=ld8060.wdf.sap.corp (10.66.66.90), HOST=ld8061.wdf.sap.corp (10.66.66.91), TP=/usr/sap/BIN/SYS/exe/run/tp
S Wed Oct 10 2007 11:09:19:974 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
S Wed Oct 10 2007 11:10:24:975 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
S Wed Oct 10 2007 11:11:04:780 secinfo accepted: USER=REHM, USER-HOST=ld8061.wdf.sap.corp (10.66.66.91), HOST=ld8061.wdf.sap.corp (ld8061) (10.66.66.91), TP=/usr/sap/BIN/SYS/exe/run/tp
S Wed Oct 10 2007 11:11:29:976 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
S Wed Oct 10 2007 11:11:34:347 secinfo accepted: USER=REHM, USER-HOST=ld8061.wdf.sap.corp (10.66.66.91), HOST=ld8061.wdf.sap.corp (%%SAPGUI%%) (10.66.66.91), TP=gnetx.exe
S Wed Oct 10 2007 11:11:55:536 secinfo accepted: USER=REHM, USER-HOST=ld8061.wdf.sap.corp (10.66.66.91), HOST=ld8061.wdf.sap.corp (ld8061) (10.66.66.91), TP=sapxpg
S Wed Oct 10 2007 11:12:06:166 secinfo accepted: USER=REHM, USER-HOST=ld8061.wdf.sap.corp (10.66.66.91), HOST=ld8061.wdf.sap.corp (ld8061) (10.66.66.91), TP=sapxpg
S Wed Oct 10 2007 11:12:34:977 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
P Wed Oct 10 2007 11:13:21:871 change gw/cpic_timeout from 120 => 121
S Wed Oct 10 2007 11:13:39:977 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
X Wed Oct 10 2007 11:14:15:900 received signal SIGUSR1 (decrement trace, level=0)
S Wed Oct 10 2007 11:13:40:177 secinfo denied: USER=rehm, USER-HOST=ld8400.wdf.sap.corp (10.21.80.16), HOST=ld8400.wdf.sap.corp (10.21.80.16), TP=/priv/rehm/p4/bas/CGK/workU/_out/cpict2
S Wed Oct 10 2007 11:13:40:277 reginfo denied server: TP=cpict2, HOST= ld8400.wdf.sap.corp (10.21.80.16)
X Wed Oct 10 2007 11:14:24:033 received signal SIGUSR2 (increment trace, level=1)
P Wed Oct 10 2007 11:14:34:523 trace file closed


More Information
Evaluating the Gateway Log File

Logging-Based Configuration of Gateway

Gateway Security Files secinfo and reginfo

Evaluating the Gateway Log File


Prerequisites
The registration authorization applies to all programs, which means that the reginfo file comprises the line TP=*.

Context
The evaluation of the log file provides you with an overview of the communication running through the gateway. You can see
which external programs have been started and which have been rejected (with reasons). This enables you to manage your
configuration.

If you are using the Logging-Based Setting, after you have evaluated the log file you can adjust the configuration of security files
secinfo and reginfo to meet your requirements.

Recommendation
We recommend you start with a restrictive con guration, and then allow further programs as required. The procedure is
described in section Making Security Settings for External Programs.

Procedure

1. Display the contents of the file. You can display the file contents, and save them to your local computer, in transaction
SMGW. Choose Goto > Expert Functions > Logging.

Since everything is permitted in secinfo and reginfo, you will only see entries with reginfo accepted and
secinfo accepted.

Entries in secinfo accepted are checked against entries in secinfo.

Entries in reginfo accepted are checked against entries in reginfo.

S Wed Aug 01 2007 10:36:52:181 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A
S Wed Aug 01 2007 10:37:57:183 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A
S Wed Aug 01 2007 10:39:02:185 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A
S Wed Aug 01 2007 10:39:05:740 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=ld8061.wdf.sap.corp, TP=gnetx.exe
S Wed Aug 01 2007 10:39:48:577 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=ld8061.wdf.sap.corp, TP=/usr/sap/BIN/SYS/exe/run/tp

2. Find the entries for the secinfo file.

Entries for secinfo always contain the following components:

USER=<name>: User who wants to start the external program.

USER-HOST=<user host>: Host name from where the Gateway was requested to start the program (when the
program is started from the system, the host name is always the name of the application server).

HOST=<host>: Host on which the program was started.

Special values of <host> are “local” and “internal”.

local is a synonym for all IP addresses of your own host.

internal is a synonym for all IP addresses of all hosts displayed in transaction SM51, as well as all IP
addresses of variable SAPDBHOST.

The list is refreshed at each new logon of an instance, as well as every five minutes.

TP=<program name>: Program name.

You could now simply filter out all duplicate entries from the log file and write the remaining entries to the secinfo file.
This allows all programs that are running in the environment.

If this results in a large number of programs, group entries together using appropriate wild cards to make the
secinfo file more manageable.

Example
Example of entries in the secinfo file

TP=/usr/sap/BIN/SYS/exe/run/* allows all programs in the executable directory of the server to be started.

HOST=* allows programs to be started on any host. This could be restricted to a subnetwork mask or domain name,
for example, 10.66.66.* or *.sap.corp.

USER=* allows all users to use the external program.

Caution
With programs started from SAPGUI, the Gateway cannot check whether this SAPGUI is allowed. The IP address of
the application server is used to make the check (see next line).

S Wed Aug 01 2007 10:39:05:740 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=host1.wdf.sap.corp, TP=gnetx.exe

3. Find the entries for the reginfo file.

Entries for reginfo always contain the following components

TP=<regi id>: Registration ID of the server program that is being registered

HOST=<host>: Host from where the server is permitted to log on.

ACCESS=<host>: Host from which the RFC client is permitted to use a registered program.

CANCEL=<host>: Host from which the RFC client is permitted to stop a registered program.

You could now simply filter out all duplicate entries from the log file and write the remaining entries to the reginfo file.
This allows all programs that are running in the environment to register.

If there are a large number of programs to register, group entries together using appropriate wild cards to make the
reginfo file more manageable.

Example
Example of Entries in the reginfo File

TP=IGS.WDFD00146227A HOST=* allows registration of IGS.WDFD00146227A from every host.

TP=Bex* HOST=*sap.corp allows programs with registration ID Bex* to register provided they come from hosts
in the SAP network.

Note
If you want to allow access to the registered server, for example, from the local application server only, you have to
add ACCESS=local to the entry. To stop the server in transaction SMGW, you need to add CANCEL=local.

Next Steps
Security Settings in the Gateway

Gateway Security Files secinfo and reginfo

Setting Up Gateway Logging.

Logging-Based Configuration of Gateway

Checking the Security Configuration of Gateway.

Configuring Connections between Gateway and External Programs Securely
Use
To ensure the SAP gateway operates securely, you have to be especially aware of interaction with external programs. You can
configure the Gateway to ensure that undesirable external programs cannot be run.

There are two ways to do this:

Logging-based configuration

To ensure SAP programs required for system operation are not blocked by a configuration that is too restrictive, you
should configure the security files to enable all connections, and monitor the Gateway using gateway logging. This way
you get an overview of which programs are to be allowed, and then you can edit the secinfo and reginfo
configuration files accordingly.

For more information about the procedure, see Setting Up Logging-Based Configuration.

Restrictive configuration (secure configuration)

You configure the Gateway so that initially only system-internal programs can be started and registered.

After that you can add programs you want to allow to the secinfo and reginfo configuration files.


Recommendation
This procedure is recommended by SAP, and is described below.

Prerequisites
The parameters have the following value (default setting):

gw/sec_info = $(DIR_DATA)/secinfo

gw/reg_info = $(DIR_DATA)/reginfo

If they have a different value, change them to the value above. If you want to configure other file paths for the files, set the
parameters accordingly.

Parameter gw/acl_mode has the following value (default setting):

gw/acl_mode = 1

Recommendation
secinfo and reginfo are created and administered for each application server. For reasons of maintainability, SAP
recommends that one reginfo file and one secinfo file are created in a shared working directory for each SAP system. For
example:

gw/sec_info = $(DIR_GLOBAL)$(DIR_SEP)secinfo

gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo

If you are using Windows as the operating system, the files should have the ending .DAT.

Procedure
To set up the recommended secure SAP Gateway configuration, proceed as follows:

1. Check the secinfo and reginfo files. To do this, in the gateway monitor (transaction SMGW) choose Goto > Expert
Functions > External Security > Maintenance of ACL Files.

This opens the Gateway ACL Editor, where you can display the relevant files.

To enable system-internal communication, the files must contain the following entries.

secinfo

P TP=* USER=* USER-HOST=local HOST=local

P TP=* USER=* USER-HOST=internal HOST=internal

This means that programs on the gateway host can be started by the gateway host, and that programs within the
system can be started from the system.

reginfo

P TP=* HOST=local CANCEL=local ACCESS=*

P TP=* HOST=internal CANCEL=internal ACCESS=*

This means that programs from the gateway host can register, and that programs within the system can register.

Recommendation
This recommendation applies to existing systems. If a new system has been installed, we recommend the
restrictive setting

P TP=* HOST=local CANCEL=local ACCESS=local

P TP=* HOST=internal CANCEL=internal ACCESS=internal

If the files do not exist, the system behaves as if these entries were present.

2. Extend these files as required. Enable the configured RFC destinations (transaction SM59) as required by making the
relevant entries in the secinfo file.

To do this, proceed as follows:

a. Look at the current secinfo file. In the gateway monitor (transaction SMGW) choose Goto > Expert
Functions > External Security > Maintenance of ACL Files. Here you can check whether the file complies with your
requirements.

b. To add further entries to the file, choose Goto > Create (secinfo).

c. In the following dialog box select the relevant entries, and choose .

The lines in the file appear in a new dialog box.

d. Choose .

If the file already exists, you can decide whether you want to replace this file with the selected entries, or whether
to add the selected entries to this file.

Note
The system always adds the lines referred to in step 1 to the file automatically; otherwise system operation would
be affected.

e. Decide whether the changes are to be activated immediately or not. If not, you can activate them at any time by
choosing Goto > Expert Functions > External Security > Maintenance of ACL Files. From here, choose
Goto > Reread.

f. Check your secinfo file.

Choose .

Note
Here you can see the configuration that is currently active in the Gateway. If the content of the file has been
changed, but the file has not been reread, you see the message not identical to the content of the file in
the file browser (transaction AL11).

If you have made changes to the secinfo file (in the Gateway ACL Editor or at operating system level), you can reread the file in
SMGW (Goto > Expert Functions > External Security > Maintenance of ACL Files). From here, choose Goto > Reread.

More Information
SAP Gateway Security Files secinfo and reginfo.

Security Parameters of Gateway.

Setting Up SAP Gateway Logging

Evaluating the Gateway Log File

Logging-Based Configuration of the Gateway

Checking the Security Configuration of the Gateway

SAP Note 1408081 describes the con guration of the security les for SAP systems for current and older releases.

Gateway ACL Editor

Logging-Based Configuration of the Gateway
Context
For the procedure described here you must first enable full communication with the Gateway. Based on the log file written,
you then adjust the security settings in the secinfo and reginfo files.

Procedure
1. Set up gateway logging by setting the following parameters in the profile:

gw/sec_info = $(DIR_DATA)/secinfo

gw/reg_info = $(DIR_DATA)/reginfo

gw/logging = ACTION=S LOGFILE=gw_log-%y-%m%d SWITCHTF=day

Note
To keep the log file as small as possible, you can set a small s instead of a capital S. If the small s is set, only denied
actions are logged. This can make it easier to evaluate the file for administration purposes.

Note
If an SAP system consists of multiple application servers, add the system ID (three-letter SID) and the server name
to the file name. This enables the files to be identified when they are collected centrally for analysis. You can use the
environment variables $(SAPSYSTEMNAME) and $(SAPLOCALHOST) to set the parameter as follows:

gw/logging = ACTION=S LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)-%y%m%d SWITCHTF=day

This logs all security-relevant gateway actions in a separate file. You can also make this setting within the system.

More information: Setting Up Gateway Logging

2. In the $(DIR_DATA) directory, create secinfo and reginfo files with the following contents:

secinfo contains the line USER=* HOST=* TP=* only

reginfo contains the line TP=* only

With this secinfo and reginfo configuration all programs can be started from the gateway, and all programs can
register in the Gateway.

Caution
These settings are only temporary and are intended to find out which programs are to be included in the files. While
these settings are active, the Gateway is not protected against external programs.

3. Activate the configuration files secinfo and reginfo by choosing Goto > Expert Functions > External Security > Maintenance
of ACL Files in transaction SMGW. From here, choose Goto > Reread. Activate these files on every application server
instance of the system. To do this, call the server overview (transaction SM51) and switch the instance by double-clicking.

4. Leave the system running with these settings for a few days, and execute all actions that relate to external programs
and registered servers.

5. Evaluate the log file. Proceed as described in section Evaluating the Log File.

6. Maintain the files secinfo and reginfo accordingly.

7. Activate the files (see step 3).

8. Leave the system running with these settings, but still monitor the logging. Pay particular attention to the entries
secinfo denied and reginfo denied. These are external programs and registered servers that, based on the
settings, are not allowed to be run. Possibly a new component that requires additional external programs and registered
servers is being tested or introduced. The administrator then has to decide whether these entries should be included in
the security files.
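The following is an added example, not SAP's own code, that carries out steps 5, 6 and 8 of this procedure together with the evaluation described in the section Evaluating the Gateway Log File: it parses gateway log lines in the format shown on this page, derives deduplicated version-2 entries (P ...) for secinfo and reginfo from the accepted entries, and separates out the secinfo denied and reginfo denied entries an administrator has to review. The sample log lines are constructed in the page's format, and the function and class names are the example's own. It deliberately does no wild-card grouping and adds no ACCESS or CANCEL attributes; those decisions remain with the administrator, as the page describes.

```python
# Added example (not SAP's code): evaluate gateway log lines and derive candidate
# secinfo and reginfo entries from accepted events; list denied events for review.
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One security decision in the log: indicator, time stamp, then either
# "secinfo accepted|denied: KEY=VALUE, ..." or "reginfo accepted|denied server: ...".
LINE_RE = re.compile(
    r"^(?P<ind>[A-Za-z])\s+"
    r"(?P<ts>\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<acl>secinfo|reginfo)\s+(?P<result>accepted|denied)(?:\s+server)?:\s*(?P<kv>.*)$"
)
PAREN_RE = re.compile(r"\s*\([^)]*\)")   # "(10.66.66.90)" or "(ld8061)" after a host name


@dataclass
class SecurityEvent:
    timestamp: str
    acl: str       # "secinfo" or "reginfo"
    result: str    # "accepted" or "denied"
    fields: Dict[str, str] = field(default_factory=dict)


def parse_fields(kv: str) -> Dict[str, str]:
    """'USER=rehm, HOST=ld8061.wdf.sap.corp (10.66.66.91), TP=tp' -> {USER:..., HOST:..., TP:...}"""
    fields: Dict[str, str] = {}
    for chunk in kv.split(","):
        if "=" not in chunk:
            continue
        key, value = chunk.split("=", 1)
        # the IP address or alias in parentheses is informational, not part of the name
        fields[key.strip().upper()] = PAREN_RE.sub("", value).strip()
    return fields


def parse_gw_log(text: str) -> List[SecurityEvent]:
    """Keep only secinfo/reginfo decisions; trace, signal and parameter lines are skipped."""
    events: List[SecurityEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(SecurityEvent(m.group("ts"), m.group("acl"),
                                        m.group("result"), parse_fields(m.group("kv"))))
    return events


SECINFO_KEYS = ("TP", "USER", "USER-HOST", "HOST")
REGINFO_KEYS = ("TP", "HOST")


def build_acl_files(events: List[SecurityEvent]) -> Dict[str, List[str]]:
    """Turn accepted events into deduplicated version-2 (P ...) lines, first-seen order.

    A key absent from an event is left out of the line rather than widened to '*';
    the page states the gateway treats a missing USER-HOST as '*' by itself.
    """
    proposed: Dict[str, Dict[str, str]] = {"secinfo": {}, "reginfo": {}}
    for ev in events:
        if ev.result != "accepted":
            continue
        keys = SECINFO_KEYS if ev.acl == "secinfo" else REGINFO_KEYS
        line = "P " + " ".join(f"{k}={ev.fields[k]}" for k in keys if k in ev.fields)
        proposed[ev.acl].setdefault(line, ev.timestamp)
    return {name: ["#VERSION=2", *lines] for name, lines in proposed.items()}


def denied_events(events: List[SecurityEvent]) -> List[SecurityEvent]:
    """The 'secinfo denied' / 'reginfo denied' entries step 8 asks you to watch."""
    return [ev for ev in events if ev.result == "denied"]


# Constructed sample input in the page's log format (host names taken from the page's example).
SAMPLE_LOG = """\
P Wed Oct 10 2007 11:07:19:891 trace file opened
S Wed Oct 10 2007 11:07:38:196 reginfo accepted server: TP=cpict2, HOST=ld8060.wdf.sap.corp (10.66.66.90)
S Wed Oct 10 2007 11:08:14:974 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
S Wed Oct 10 2007 11:08:20:103 secinfo accepted: USER=rehm, USER-HOST=ld8060.wdf.sap.corp (10.66.66.90), HOST=ld8061.wdf.sap.corp (10.66.66.91), TP=/usr/sap/BIN/SYS/exe/run/tp
S Wed Oct 10 2007 11:09:00:497 secinfo accepted: USER=rehm, USER-HOST=ld8060.wdf.sap.corp (10.66.66.90), HOST=ld8061.wdf.sap.corp (10.66.66.91), TP=/usr/sap/BIN/SYS/exe/run/tp
P Wed Oct 10 2007 11:13:21:871 change gw/cpic_timeout from 120 => 121
S Wed Oct 10 2007 11:13:40:177 secinfo denied: USER=rehm, USER-HOST=ld8400.wdf.sap.corp (10.21.80.16), HOST=ld8400.wdf.sap.corp (10.21.80.16), TP=/priv/rehm/p4/bas/CGK/workU/_out/cpict2
S Wed Oct 10 2007 11:13:40:277 reginfo denied server: TP=cpict2, HOST= ld8400.wdf.sap.corp (10.21.80.16)
X Wed Oct 10 2007 11:14:15:900 received signal SIGUSR1 (decrement trace, level=0)
"""

if __name__ == "__main__":
    evs = parse_gw_log(SAMPLE_LOG)
    for name, lines in build_acl_files(evs).items():
        print(f"--- proposed {name} ---")
        print("\n".join(lines))
    for ev in denied_events(evs):
        print(f"review: {ev.timestamp} {ev.acl} denied {ev.fields}")
```

The two accepted secinfo lines for the same user, hosts and program collapse into one proposed entry, which is the duplicate filtering the evaluation section describes; the denied cpict2 start and registration from ld8400 are reported separately so that the administrator decides whether to add them.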

Next Steps
Making Security Settings for External Programs

Gateway Security Files secinfo and reginfo

Setting Up SAP Gateway Logging

Evaluating the Log File Gateway

Configuring Connections between Gateway and External Programs Securely

Checking the Security Configuration of the Gateway

SAP Gateway Security Files secinfo and reginfo
Use

The secinfo security file is used to prevent unauthorized launching of external programs.

File reginfo controls the registration of external programs in the gateway.

You can define the file paths using profile parameters gw/sec_info and gw/reg_info. The default values are:

gw/sec_info = $(DIR_DATA)/secinfo

gw/reg_info = $(DIR_DATA)/reginfo

When the gateway is started, it rereads both security files. You can make dynamic changes by changing, adding, or deleting
entries in the reginfo file. The file can then be immediately activated by reloading the security files.

Displaying and Editing Security Files

There are various tools with different functions provided to administrators for working with security les.

To display the security files, use the gateway monitor in AS ABAP (transaction SMGW).

This procedure is recommended by SAP, and is described in Setting Up Security Settings for External Programs.

To edit the security files, you can use the Gateway ACL editor. In the Gateway monitor, choose: Transaction
SMGW > Goto > Expert Functions > External Security > Maintenance of ACL Files.

You must keep precisely to the syntax of the files, which is described below.

There are two different versions of the syntax for both files: Syntax version 1 does not enable programs to be explicitly
forbidden from being started or registered. For this reason, as an alternative you can work with syntax version 2, which
complies with the route permission table of the SAProuter. If you want to use this syntax, the whole file must be
structured accordingly and the first line must contain the entry #VERSION=2 (written precisely in this format).

Once you have completed the change, you can reload the files without having to restart the gateway. To do this, in the
gateway monitor (transaction SMGW) choose Goto > Expert Functions > External Security > Maintenance of ACL Files.
From here, choose Goto > Reread.

Structure
secinfo

The following syntax is valid for the secinfo le.

Version 1

A line in the le has the format:

TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]

This order is not mandatory. As separators you can use commas or spaces. If the TP name itself contains spaces, you have to
use commas instead.

Use a line of this format to allow the user <user> to start the <tp> program on the host <host>.

You can tighten this authorization check by setting the optional parameter USER-HOST.

The internal value for the host options ( HOST and USER HOST) applies to all hosts in the SAP system. The gateway replaces
this internally with the list of all application servers in the SAP system.

 Example
USER=mueller, HOST=hw1414, TP=test: The user mueller can execute the test program on the host hw1414.

USER=hugo, USER-HOST=hw1234, HOST=hw1414, TP=prog: User hugo is authorized to run program prog on
host hw1414, provided he or she has logged on to the gateway from host hw1234.

The * character can be used as a generic speci cation (wild card) for any of the parameters.

If USER-HOST is not specified, the value * is accepted.

Version 2

The format of the first line is #VERSION=2; all further lines are structured as follows:


P|D TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]

Here the line starting with P or D, followed by a space or a TAB, has the following meaning:

P means that the program is permitted to be started (the same as a line with the old syntax)

D prevents this program from being started.

The order of the remaining entries is of no importance.

Example
Example of a secinfo file in the new syntax:

#VERSION=2

D HOST=* USER=* TP=/bin/sap/cpict4

P HOST=* USER=* TP=/bin/sap/cpict*

P TP=hugo HOST=local USER=*

P TP=* USER=* USER-HOST=internal HOST=internal

This le means:

Program cpict4 is not permitted to be started.

All other programs starting with cpict are allowed to be started (on every host and by every user).

Program hugo is allowed to be started on every local host and by every user.

All programs started by hosts within the SAP system can be started on all hosts in the system.
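To make the version-2 rules above concrete, here is an added example (not SAP's code) that reads a secinfo file and decides a start request for a given program, user, host and calling host. It assumes that lines are evaluated top to bottom with the first matching line deciding (the page's example depends on the D line for cpict4 preceding the P line for cpict*), that a request no line covers is refused, and that the keywords local and internal are resolved from hypothetical host lists, since the gateway replaces them internally; version-1 files without a prefix are also accepted, with every line counting as P.

```python
"""Added example (not SAP's code): evaluate secinfo start requests.

Assumptions: first matching line decides; no match means deny; the
keywords local and internal are resolved from the constructed host sets
below; only * is used as a wild card (fnmatch semantics otherwise).
"""
from fnmatch import fnmatchcase

# Constructed input: the version-2 secinfo file shown on this page.
SECINFO_V2 = """#VERSION=2
D HOST=* USER=* TP=/bin/sap/cpict4
P HOST=* USER=* TP=/bin/sap/cpict*
P TP=hugo HOST=local USER=*
P TP=* USER=* USER-HOST=internal HOST=internal
"""

# Hypothetical system topology used to resolve local and internal.
LOCAL_HOSTS = {"appsrv1"}                          # host of this gateway
INTERNAL_HOSTS = {"appsrv1", "appsrv2", "dbhost"}  # all application servers


def parse_secinfo(text):
    """Return a list of (verdict, options) tuples.

    Version 2 starts with #VERSION=2 and prefixes each line with P or D;
    version 1 has no prefix and every line counts as a permit (P).
    Separators may be commas or spaces; a missing USER-HOST means *.
    """
    all_lines = text.splitlines()
    version2 = all_lines[:1] == ["#VERSION=2"]
    rules = []
    for line in all_lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments carry no rule
        if version2:
            verdict, rest = line.split(None, 1)  # P/D, then space or TAB
        else:
            verdict, rest = "P", line
        if verdict not in ("P", "D"):
            raise ValueError(f"invalid first character {line[0]}: {line!r}")
        opts = dict(tok.split("=", 1) for tok in rest.replace(",", " ").split())
        opts.setdefault("USER-HOST", "*")
        rules.append((verdict, opts))
    return rules


def host_matches(pattern, host):
    """Match a HOST/USER-HOST value; local and internal are gateway keywords."""
    if pattern == "local":
        return host in LOCAL_HOSTS
    if pattern == "internal":
        return host in INTERNAL_HOSTS
    return fnmatchcase(host, pattern)


def may_start(rules, tp, user, host, user_host):
    """Return 'P' or 'D' from the first rule that matches the start request."""
    for verdict, opt in rules:
        if (fnmatchcase(tp, opt.get("TP", "*"))
                and fnmatchcase(user, opt.get("USER", "*"))
                and host_matches(opt.get("HOST", "*"), host)
                and host_matches(opt["USER-HOST"], user_host)):
            return verdict
    return "D"  # assumption: a request that no line covers is refused
```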

reginfo

Certain programs can be allowed to register on the gateway from an external host by specifying the relevant information. You
can also control access to the registered programs and cancel registered programs.

As soon as a program has registered in the gateway, the attributes of the retrieved entry (specifically ACCESS) are passed on
to the registered program. This means that if the file is changed and the new entries immediately activated, the servers already
logged on will still have the old attributes. To assign the new settings to the registered programs too (if they have been changed
at all), the servers must first be deregistered and then registered again.

Successful and rejected registrations, and calls from registered programs can be ascertained using Gateway Logging with
indicator S.

Any erroneous lines are written to the trace file dev_rd and are not read in.

The reginfo file has the following syntax. There are two different syntax versions that you can use (but not together in one file).

Version 1

A line in the le has the format:


TP=<tp> [HOST=<hostname>,...] [NO=<n>] [ACCESS=<hostname,...>] [CANCEL=<hostname,...>]

The value internal for the host options (HOST and USER-HOST) applies to all hosts in the SAP system. The gateway replaces
it internally with the list of all application servers in the SAP system.

Comment lines begin with #

The individual options can have the following values:

TP Name (TP=): Maximum 64 characters, blank spaces not allowed. The wild card character * stands for any number of
characters; the entry * therefore means no limitation, fo* stands for all names beginning with fo; foo stands precisely
for the name foo.

Host Name (HOST=, ACCESS= and/or CANCEL=): The wildcard character * stands for any host name, *.sap.com for
a domain, sapprod for host sapprod. If the option is missing, this is equivalent to HOST=*.

IP Addresses (HOST=, ACCESS= and/or CANCEL=): You can use IP addresses instead of host names. Examples of valid
addresses are:

Complete address strings: 1.2.3.4, A:B:C:D:E:F:1:2, A:B:C:D:E:F:1.2.3.4, A:B

Standard address prefixes: 192.1.1.3/12, A:B:C:D:E:1:2/60

Old SAProuter wild cards: 192.1.1.*, 192.1.1.101xxxxx

Number (NO=): Number between 0 and 65535. If the TP name has been specified without wild cards, you can specify the
number of registrations allowed here.

Example
TP=foo NO=1: only one program with the name foo is allowed to register; all further attempts to register a
program with this name are rejected. If this addition is missing, any number of servers with the same ID are allowed
to log on.

ACCESS List

To control access from the client side too, you can define an access list for each entry. This is a list of host names that must
comply with the rules above. If no access list is specified, the program can be used from any client. The local gateway where the
program is registered always has access.

What is important here is that the check is made on the basis of hosts and not at user level.

Example
TP=foo ACCESS=*.sap.com


Program foo is only allowed to be used by hosts from domain *.sap.com. Access attempts coming from a different domain
will be rejected. Of course the local application server is allowed access.

To permit registered servers to be used by local application servers only, the file must contain the following entry.

TP=* ACCESS=local [CANCEL=local]

CANCEL List

To control the cancellation of registered programs, a cancel list can be defined for each entry (same as for the ACCESS list). If
no cancel list is specified, any client can cancel the program. The local gateway where the program is registered can always
cancel the program.

In the gateway monitor (transaction SMGW) choose Goto > Logged On Clients, use the cursor to select the registered program, and
choose Goto > Logged On Clients > Delete Client.

Note
The RFC library provides functions for closing registered programs. If this client does not match the criteria in the CANCEL
list, then it is not able to cancel a registered program. No error is returned, but the number of cancelled programs is zero.

Examples of valid entries (entry, followed by its meaning):

TP=* HOST=*: All registrations allowed.

TP=foo* HOST=*: Registrations beginning with foo (but not f or fo) are allowed.

TP=foo*: All registrations beginning with foo (but not f or fo) are allowed (a missing HOST is rated as *).

TP=* HOST=*.sap.com: All registrations from domain *.sap.com are allowed.

TP=* ACCESS=*.sap.com: Only clients from domain *.sap.com (and the local application server) are allowed to communicate with this registered program.

TP=* ACCESS=local: Only clients from the local application server are allowed to communicate with this registered program.

Version 2

The format of the first line is #VERSION=2; all further lines are structured as follows:

P|D TP=<tp> [HOST=<hostname>,...] [NO=<n>] [ACCESS=<hostname,...>] [CANCEL=<hostname,...>]

Here the line starting with P or D, followed by a space or a TAB, has the following meaning:

P means that the program is permitted to be registered (the same as a line with the old syntax)

D prevents this program from being registered on the gateway.

Example

#VERSION=2

P TP=cpict4 HOST=10.18.210.140

D TP=* HOST=10.18.210.140

P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost

P TP=cpict4

P TP=* USER=* HOST=internal

This le means:

Program cpict4 is allowed to be registered if it arrives from the host with address 10.18.210.140.

All other programs from host 10.18.210.140 are not allowed to be registered.

Program cpict2 is allowed to be registered, but can only be run and stopped on the local host or host ld8060.

Program cpict4 is allowed to be registered by any host.

Programs within the system are allowed to register.

More Information
Checking the Security Configuration of the Gateway

Setting Up SAP Gateway Logging

Configuring Secure Connections Between Gateway and External Programs

Gateway ACL Editor

Security Parameters of the Gateway


Use
The parameters described below are used to configure the gateway to ensure secure connections.

Integration
Refer also to Security Settings in the Gateway.

Prerequisites
Your system must be configured for using the SNC interface.

Features
gw/acl_file

This parameter specifies the name of an access control list (ACL) file. With an ACL you can configure who is permitted to
connect to the gateway.


Note
The same ACL file is used for the standard port and for the SNC port of the gateway.

If the specified ACL file does not exist or is erroneous, the gateway immediately closes.

Caution
If the parameter is not set, no network-based access control is in effect.

Default Setting: Empty (no ACL file is used)

Dynamic: No

For more information, see: Configuring Network-Based Access Control Lists (ACL)

gw/acl_mode

The parameter defines the behavior of the gateway if no ACL file (gw/sec_info or gw/reg_info) exists.

The following values are permitted:

0 : There is no restriction with starting external servers or registering servers.

Recommendation
This setting should not be used in production operation.

1: External and registered servers are only permitted within the system (application servers of the same system). All
other servers are rejected or have to be maintained in the respective files.

Default Setting: 1

Dynamic: Yes

gw/logging

With this parameter you can configure gateway logging. You can specify whether the gateway writes its actions to a log file,
which types of actions are logged, and how the file is renamed. You have the options to define a maximum size for the file, and
to specify whether old files are overwritten.

Recommendation
If the gateway is running in an AS ABAP instance, we recommend you make settings for gateway logging in the gateway
monitor (transaction SMGW). If you want to make permanent logging settings so that logging works again after the instance has
been restarted, you have to set this parameter in the profile.

You must set the parameter as follows:

gw/logging = LOGFILE=<name> ACTION=[TERSMPXVCO] [MAXSIZEKB=n] [SWITCHTF=t] [FILEWRAP=on]

The meaning of the individual elements is as follows:

LOGFILE: File name of the log file

ACTION: The character sequence (subset of TERSMPXVCO) specifies the actions to log.

MAXSIZEKB (optional): Maximum file size. As soon as the file exceeds this size, a new file is opened, whereby the new file
name can change if special characters are used. This is the case unless a condition was specified for SWITCHTF that
applies first.

SWITCHTF (optional): Opens a new file after a specific time period, unless a condition was specified for MAXSIZEKB that
applies first.

The following values can be specified:

year: After one year a new file is opened

month: After one month

week: After one week

day: After one day

hour: After one hour

FILEWRAP (optional): Reuse file. This parameter can only have the value ON. If this value is set, no new file is written, but the
one already open is reset and rewritten to. The values for parameter LOGFILE are only used the first time the file is
opened.

gw/monitor

This parameter specifies how the Gateway handles monitor commands.

The following values are possible:

0: No monitor commands are accepted

1: Only commands from the local Gateway monitor are accepted

2: Commands from local Gateway monitors and external Gateway monitors are accepted.

Default Setting: 1

Dynamic: Yes (though only in the direction of more security, that is, from 1 to 2, and not from 2 to 1)

gw/sec_info

File with the security information.

Any unauthorized starting of external programs can be prevented by maintaining the file secinfo in the data directory of the
gateway instance.

Default Setting: <Data Directory>/secinfo

Dynamic: No (values cannot be changed dynamically, but you can completely reload the file while the gateway is running)

For more information, see: Making Security Settings for External Programs

gw/reg_info

File with the security information for registered programs.

Unauthorized registration of programs can be prevented by maintaining the file reginfo in the data directory of the gateway
instance.

If the file exists, the system searches for valid registration entries in this list. If there are none, the system searches, as
before, in the gw/sec_info file.

Default Setting: <Data directory>/reginfo

Dynamic: No (values cannot be changed dynamically, but you can completely reload the file while the system is running)

For more information, see: Making Security Settings for External Programs

SNC Parameters

There are a number of additional parameters that control the behavior of the Gateway in conjunction with SNC (Secure
Network Communication). For each parameter, its meaning, default value and whether it is dynamic are given.

snc/enable: This parameter specifies whether the gateway accepts connections that protect the data via SNC. Default value: 0. Dynamic: No.

snc/permit_insecure_comm: This parameter specifies whether the gateway accepts connections without SNC. Default value: 0. Dynamic: No.

snc/permit_insecure_start: This parameter specifies whether the gateway may establish connections with programs that communicate without SNC. Default value: 0. Dynamic: No.

snc/permit_common_name: This parameter specifies whether the gateway can use a default SNC name specified by the parameter snc/identity/as, if an SNC name for the connection cannot be read from secinfo. Default value: 0. Dynamic: No.

snc/gssapi_lib: Path for the shared library of the security system in use. Default value: "". Dynamic: No.

snc/identity/as: Identity of the gateway application server. Default value: "". Dynamic: No.

More Information
Security Settings in the Gateway

Checking the Security Configuration of the Gateway
Use
To ensure that your configuration of the security files secinfo and reginfo is free of errors, you can check, while the system is
running, that the files do not contain incorrect entries by using the gateway trace file.

As described in the relevant sections, there are two ways to define the files:

The conventional way with no version specification (interpreted internally as VERSION=1)

The new syntax with title line #VERSION=2 and P or D at the start of each line; conventional syntax lines start with a P in
the new syntax.

You have to decide on one syntax for each file; mixed files are not accepted.

Prerequisites
You have maintained the security files, they are located in the correct directory, and the Gateway has been restarted.

Procedure
Display the Gateway trace file dev_rd. You can do this using the gateway monitor (transaction SMGW), the trace file display
(transaction ST11), the management console, or at operating system level.

Search for entries of type

*** WARNING => Errors found in ./secinfo

*** WARNING => Errors found in ./reginfo

that are written to standard trace level 1.

Then check the relevant le.

Example
The following examples show which error messages appear in the trace if the files are not set up correctly.

Mixed File

Here the files have been created using the new syntax (with #VERSION=2), but contain entries without P or D at the start of
the lines.

#VERSION=2

TP=hugo PWD=secret HOST=local USER=*

D HOST=* USER=* TP=/bin/sap/cpict4

P HOST=* USER=* TP=/bin/sap/cpict*

HOST=local USER=* TP=*

D TP=hugo PWD=geheim HOST=local USER=*

#VERSION=2

P TP=cpict4 HOST=10.18.210.140

D TP=* HOST=10.18.210.140

TP=ABC NO=1

P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost

P TP=cpict4

GwIInitSecInfo: secinfo version = 2

*** ERROR => invalid first character T in ./secinfo line 2

*** ERROR => invalid first character H in ./secinfo line 5

*** WARNING => Errors found in ./secinfo

*** WARNING => Please correct the invalid entries

GwIRegInitRegInfo: reginfo version = 2

*** ERROR => invalid first character T in ./reginfo line 4

*** WARNING => Errors found in ./reginfo

*** WARNING => Please correct the invalid entry

Version specification is missing

Here the version specification is missing, but the new syntax is used in some lines.

TP=hugo PWD=geheim HOST=local USER=*

D HOST=* USER=* TP=/bin/sap/cpict4

P HOST=* USER=* TP=/bin/sap/cpict*

HOST=local USER=* TP=*

D TP=hugo PWD=geheim HOST=local USER=*

P TP=cpict4 HOST=10.18.210.140

D TP=* HOST=10.18.210.140

TP=ABC NO=1

P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost

P TP=cpict4

GwIInitSecInfo: secinfo version = 1

*** ERROR => invalid Permit/Deny in ./secinfo line 2 detected (first line should be #VERSION=2)

*** ERROR => invalid Permit/Deny in ./secinfo line 3 detected (first line should be #VERSION=2)

*** ERROR => invalid Permit/Deny in ./secinfo line 5 detected (first line should be #VERSION=2)

*** WARNING => Errors found in ./secinfo

*** WARNING => Please correct the invalid entries

GwIRegInitRegInfo: reginfo version = 1

*** ERROR => invalid Permit/Deny in ./reginfo line 1 detected (first line should be #VERSION=2)

*** ERROR => invalid Permit/Deny in ./reginfo line 2 detected (first line should be #VERSION=2)

*** ERROR => invalid Permit/Deny in ./reginfo line 4 detected (first line should be #VERSION=2)

*** ERROR => invalid Permit/Deny in ./reginfo line 5 detected (first line should be #VERSION=2)

*** WARNING => Errors found in ./reginfo

*** WARNING => Please correct the invalid entries
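The two checks illustrated above (a version-2 file containing unprefixed lines, and a version-1 file containing P/D lines) can be run against a file before it is reloaded. The following is an added example, not SAP's code: it reproduces the dev_rd messages shown on this page for a given file text, assuming that a file is version 2 only if its first line is exactly #VERSION=2, that in version 2 every other non-comment line must start with P or D followed by a space or TAB, that in version 1 such a prefix is an error, and that line numbers count every line of the file.

```python
"""Added example (not SAP's code): pre-check a secinfo or reginfo file.

Assumptions: line 1 must be exactly #VERSION=2 for version 2; version-2
lines need a P or D prefix followed by a space or TAB; a P/D prefix in a
version-1 file is an error; comments (#) and blank lines are skipped.
"""
import re

PERMIT_DENY = re.compile(r"^[PD][ \t]")  # P or D, then a space or TAB

# Constructed input: the mixed reginfo file from this page (line 4 lacks P/D).
MIXED_REGINFO = """#VERSION=2
P TP=cpict4 HOST=10.18.210.140
D TP=* HOST=10.18.210.140
TP=ABC NO=1
P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost
P TP=cpict4
"""

# Constructed input: the secinfo file from this page without #VERSION=2.
UNVERSIONED_SECINFO = """TP=hugo PWD=geheim HOST=local USER=*
D HOST=* USER=* TP=/bin/sap/cpict4
P HOST=* USER=* TP=/bin/sap/cpict*
HOST=local USER=* TP=*
D TP=hugo PWD=geheim HOST=local USER=*
"""


def check_acl_file(text, name):
    """Return the trace lines the gateway writes to dev_rd for file `name`."""
    lines = text.splitlines()
    version = 2 if lines[:1] == ["#VERSION=2"] else 1
    head = ("GwIInitSecInfo: secinfo" if name.endswith("secinfo")
            else "GwIRegInitRegInfo: reginfo")
    msgs = [f"{head} version = {version}"]
    errors = 0
    for no, line in enumerate(lines, start=1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments are never flagged
        if version == 2 and not PERMIT_DENY.match(line):
            msgs.append(f"*** ERROR => invalid first character {line[0]} "
                        f"in {name} line {no}")
            errors += 1
        elif version == 1 and PERMIT_DENY.match(line):
            msgs.append(f"*** ERROR => invalid Permit/Deny in {name} line {no} "
                        "detected (first line should be #VERSION=2)")
            errors += 1
    if errors:
        msgs.append(f"*** WARNING => Errors found in {name}")
        msgs.append("*** WARNING => Please correct the invalid entries")
    return msgs


if __name__ == "__main__":
    for text, name in [(MIXED_REGINFO, "./reginfo"),
                       (UNVERSIONED_SECINFO, "./secinfo")]:
        print("\n".join(check_acl_file(text, name)))
```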

More Information
Monitoring and Error Handling in the Gateway

Security Settings in the Gateway

Gateway ACL Editor


The gateway ACL editor is used to maintain ACL (access control list) files in the SAP Gateway.

You access it from the following menu path: Transaction SMGW, then Goto > Expert Functions > External Security > Maintenance of
ACL Files.

Files that are defined by the following profile parameters can be edited:

gw/sec_info

gw/reg_info

gw/prxy_info

The content currently active in the gateway memory is displayed. You can make changes, check the contents, save the changes at file level
in the corresponding ACL files and, if you want, activate these changes immediately in the running gateway.
