Gateway Guide
Title: Identity & Access Management Powerful access - Standard
Version: 1
Executive Summary
This document describes the steps required to secure gateway communications on SAP systems. It lists the settings that must be made in order to maintain a minimum level of security.
Function:
Applicable for:
Mandatory for:
Recommended for:
Date: t.b.d.
Timeline/Trigger: This document must be reviewed at least once a year. In case of new developments or new solutions it must be reviewed and updated so that it remains consistent with the solutions it describes.
Taxonomy
Infrastructure & Technology, Information Security, Identity and Access Management,
Powerful Access
Enterprise Keywords
SAP Security, SAP Basis, SAP Gateway
Table of Contents
1 Introduction ... 5
1 Introduction
This document describes and prescribes the minimal configuration settings that must be implemented so that the gateway of an SAP ABAP system complies with the Information Security Standard and offers a minimal security baseline. Since there is a great variety of SAP ABAP systems and versions, this document describes the settings based on the latest insights. Where a deviation from the settings in this document is needed, the deviation must be documented.
For more background on SAP security and authorizations, refer to the knowledge item Logical Access Control on SAP systems on One2Share, as well as the SAP documentation, which contains a lot of material on this topic.
3 Configuring Network-Based Access Control Lists (ACL)
Use
You can set up an access control list (ACL) and use it to control which connections the Gateway accepts and which it rejects. The rules are based on the IP addresses of the clients. The same ACL file is used for the "standard" port and for the "SNC" port of the SAP gateway.
Procedure
1. Create the ACL file in the syntax described below.
2. Set profile parameter gw/acl_file to the path of this file.
Caution
If gw/acl_file is not set, the Gateway accepts all connection requests.
Syntax of the ACL File
3. Each line of the file has the format:
permit|deny <ip address>[/<mask>] [<trace level>]
Where,
<ip address>[/<mask>]: an IPv4 or IPv6 address, optionally followed by a subnet mask length. Permitted mask lengths:
IPv4: 0-32
IPv6: 0-128
<trace level>: trace level with which ACL hits (matches of addresses based on the subnet mask) are written to the relevant trace file (default value 2).
The rules are checked sequentially from the top down. The first matching rule determines the result ("first match"). If no rule applies, the connection is rejected. To make this explicit, a deny rule for everything (deny 0.0.0.0/0) should nevertheless be entered as the last rule.
Example
permit 10.1.2.0/24 # permit client network
permit 192.168.7.0/24 # permit server network
permit 10.0.0.0/8 1 # screening rule
# (learning mode, trace-level 1)
permit 2001:db8::1428:57ab # permit IPv6 host
deny 0.0.0.0/0 # deny the rest
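The first-match evaluation described above, as an added worked example in Python (not code from this standard or from SAP): it parses the example ACL from this section, including the comment-only line and the optional trace level, and applies the rules top down with an implicit deny when nothing matches. It treats a malformed line as a fatal error, because the gateway itself terminates on an erroneous ACL file, and it assumes (the page does not state SAP's behavior here) that a rule only matches client addresses of its own address family, so deny 0.0.0.0/0 does not match IPv6 clients; such clients are still rejected by the implicit deny.

```python
import ipaddress

# The ACL from the example above, reproduced here as constructed input for this script.
SAMPLE_ACL = """\
permit 10.1.2.0/24 # permit client network
permit 192.168.7.0/24 # permit server network
permit 10.0.0.0/8 1 # screening rule
# (learning mode, trace-level 1)
permit 2001:db8::1428:57ab # permit IPv6 host
deny 0.0.0.0/0 # deny the rest
"""

DEFAULT_TRACE_LEVEL = 2  # documented default for <trace level>


def parse_acl(text):
    """Parse gw/acl_file content into a list of (action, network, trace_level, line_no).

    A malformed line raises ValueError: the gateway refuses to run on an erroneous
    ACL file, so a checker should fail loudly rather than silently skip the line.
    """
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("permit", "deny") or len(parts) not in (2, 3):
            raise ValueError(f"line {line_no}: malformed ACL entry: {raw!r}")
        # An address without /mask is a single host (/32 or /128).
        network = ipaddress.ip_network(parts[1], strict=False)
        trace_level = int(parts[2]) if len(parts) == 3 else DEFAULT_TRACE_LEVEL
        rules.append((parts[0], network, trace_level, line_no))
    return rules


def check_client(rules, client_ip):
    """Apply the rules top down; the first rule whose network contains the client decides.

    Returns (decision, matched_rule). matched_rule is None when no rule applied,
    in which case the connection is rejected (implicit deny).
    """
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        action, network, _trace_level, _line_no = rule
        # Assumption: a rule only matches addresses of its own family.
        if addr.version == network.version and addr in network:
            return action, rule
    return "deny", None


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for ip in ("10.1.2.5", "10.200.0.1", "172.16.0.1", "2001:db8::1428:57ab", "2001:db8::1"):
        decision, rule = check_client(rules, ip)
        where = f"line {rule[3]} (trace level {rule[2]})" if rule else "no matching rule"
        print(f"{ip:>22}: {decision:<6} {where}")
```

Running candidate client addresses (application servers, SAProuter, RFC clients) through check_client before activating gw/acl_file shows which rule each one hits: 10.1.2.5 is decided by line 1, not by the broader screening rule, so its hits are traced at the default level 2, while 10.200.0.1 falls through to the screening rule and is traced at level 1. Put narrow permits above broad ones, or the screening rule will swallow them.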
4 Security Parameters of the Gateway
Use
The parameters described below are used to configure the gateway to ensure secure connections.
Prerequisites
For the SNC parameters, your system must be configured for using the SNC interface.
Features
gw/acl_file
This parameter specifies the name of an access control list (ACL) file. With an ACL you can configure which hosts are permitted to connect to the gateway.
Note
The same ACL file is used for the standard port and for the SNC port of the gateway.
If the specified ACL file does not exist or contains errors, the gateway terminates immediately.
Caution
If the parameter is not set, no network-level access control is applied and the gateway accepts connections from any host.
Default Setting: none
Dynamic: No
gw/acl_mode
This parameter defines the behavior of the gateway if no security file (gw/sec_info or gw/reg_info) exists.
The following values are permitted:
0: If a security file does not exist, the gateway applies no restriction: all external programs may be started and all programs may register.
Recommendation
The value 0 must not be used in production operation.
1: External and registered servers are only permitted within the system (application servers of the same system). All other servers are rejected or have to be maintained in the respective files.
Default Setting: 1
Dynamic: Yes
gw/logging
With this parameter you configure gateway logging. You can specify whether the gateway writes its actions to a log file, which types of actions are logged, and how the file is named and rotated. You can define a maximum size for the file, and specify whether old files are overwritten.
Recommendation
If the gateway is running in an AS ABAP instance, SAP recommends making the gateway logging settings in the gateway monitor (transaction SMGW). For permanent logging settings that are still active after the instance has been restarted, you have to set this parameter in the profile.
The parameter has the following form:
gw/logging = LOGFILE=<name> ACTION=[TERSMPXVCO] [MAXSIZEKB=n] [SWITCHTF=t] [FILEWRAP=on]
MAXSIZEKB (optional): Maximum file size. As soon as the file exceeds this size, a new file is opened; the new file name only changes if time stamp variables are used in LOGFILE. This applies unless a condition specified for SWITCHTF applies first.
SWITCHTF (optional): Opens a new file after a specific time period, unless a condition specified for MAXSIZEKB applies first. The possible periods are those listed under Time-Controlled Toggle in the section Setting Up Gateway Logging.
FILEWRAP (optional): Reuse file. This parameter can only have the value ON. If it is set, no new file is written; instead the file already open is reset and rewritten. The values for LOGFILE are only evaluated the first time the file is opened.
gw/monitor
This parameter specifies how the Gateway handles monitor commands.
The following values are possible:
0: No monitor commands are accepted.
1: Only commands from the local Gateway monitor (transaction SMGW) are accepted.
2: Commands from local Gateway monitors and external Gateway monitors are accepted.
Default Setting: 1
Dynamic: Yes (though only in the direction of more security, that is, to a more restrictive value such as from 2 to 1, and not from 1 to 2)
gw/sec_info
File with the security information for starting external programs.
Unauthorized starting of external programs can be prevented by maintaining the file secinfo in the data directory of the gateway instance.
Default Setting: <Data Directory>/secinfo
Dynamic: No (values cannot be changed dynamically, but you can reload the file completely while the gateway is running)
gw/reg_info
File with the security information for registered programs.
Unauthorized registration of programs can be prevented by maintaining the file reginfo in the data directory of the gateway instance.
If the file exists, the gateway searches it for a valid registration entry. If none is found, it searches, as before, in the gw/sec_info file.
Default Setting: <Data Directory>/reginfo
Dynamic: No (values cannot be changed dynamically, but you can reload the file completely while the gateway is running)
SNC Parameters
There are a number of additional parameters that control the behavior of the Gateway in conjunction with SNC (Secure Network Communication).
Parameter                  | Meaning                                                          | Default Value | Dynamic
snc/enable                 | Activates SNC support in the Gateway                             | No            | No
snc/permit_insecure_start  | Permits starting external programs without SNC protection        | No            | No
snc/gssapi_lib             | Path and file name of the GSS-API library of the security product | ""            | No
snc/identity/as            | SNC name (identity) of the application server                    | ""            |
Features
Configuring Network-Based Access Control Lists (ACL):
In this ACL file (Access Control List = security file) you can specify from which hosts the gateway is to accept connections at TCP/IP level.
SNC:
With two profile parameters you can specify whether the Gateway is to support SNC, and whether connections to non-SNC programs are to be allowed. By setting up SNC or using SAProuters, you can make communication between SAP gateways of different SAP systems secure.
Security files:
With two ACL files (Access Control List = security file) you can specify which external programs are allowed to register at the Gateway (security file reginfo), and which programs are allowed to be started by the Gateway (security file secinfo).
Logging:
You can configure the Gateway so that the actions it executes, and the requests it receives from external systems, are written to a log file. You can use this log file for analyzing the security settings.
In addition to the measures described above, further parameters are provided for configuring the Gateway securely.
6 Configuring Connections between Gateway and External Programs Securely
Use
To ensure the SAP gateway operates securely, you have to be especially aware of its interaction with external programs. You can configure the Gateway to ensure that undesirable external programs cannot be run.
There are two ways to do this:
Logging-based configuration
To ensure that SAP programs required for system operation are not blocked by a configuration that is too restrictive, you first configure the security files to permit all connections and monitor the Gateway using gateway logging. This gives you an overview of which programs must be allowed; you then edit the secinfo and reginfo configuration files accordingly.
Recommendation
The procedure recommended by SAP is described below.
Prerequisites
The parameters have the following values (default settings):
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
If they have different values, change them to the values above. If you want to use other file paths for the files, set the parameters accordingly.
Parameter gw/acl_mode has the following value (default setting):
gw/acl_mode = 1
Recommendation
reginfo and secinfo are created and administered per application server. For reasons of maintainability SAP recommends that one reginfo file and one secinfo file be created in a shared working directory for each SAP system. For example:
gw/sec_info = $(DIR_GLOBAL)$(DIR_SEP)secinfo
gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo
If you are using Windows as the operating system, the files should have the extension .DAT.
Procedure
To set up the recommended secure SAP gateway configuration, proceed as follows:
1. Check the secinfo and reginfo files. To do this, in the gateway monitor (transaction SMGW) choose Goto > Expert Functions > External Security > Display (secinfo) or Display (reginfo).
To enable system-internal communication, the files must contain the following entries.
secinfo
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
This means that programs on the gateway host can be started by the gateway
host, and that programs within the system can be started from the system.
reginfo
P TP=* HOST=local CANCEL=local ACCESS=*
P TP=* HOST=internal CANCEL=internal ACCESS=*
This means that programs from the gateway host can register, and that programs
within the system can register.
Recommendation
This recommendation applies to existing systems. If a new system has been
installed, we recommend the restrictive setting
P TP=* HOST=local CANCEL=local ACCESS=local
P TP=* HOST=internal CANCEL=internal ACCESS=internal
If the files do not exist, the system behaves as if these entries were
available.
2. Choose Goto > Expert Functions > External Security > Create (secinfo). In the following dialog box select the relevant entries and confirm.
If the file already exists, you can decide whether you want to replace this file with the selected entries, or whether to add the selected entries to this file.
Note
The system always adds the lines referred to in step 1 to the file automatically, as system operation would otherwise be affected.
3. Choose Goto > Expert Functions > External Security > Display (secinfo).
Note
Here you can see the configuration that is currently active in the Gateway. If the content of the file has been changed but the file has not yet been reread, the message "not identical to the content of the file" is displayed; you can compare against the file itself in the file browser (transaction AL11).
You can also maintain the secinfo file at operating system level and reread it in transaction SMGW (Goto > Expert Functions > External Security > Reread).
7 Logging-Based Configuration of Gateway
Context
For the procedure described here you must first enable full communication with the Gateway. Based on the log file written, you then adjust the security settings in the secinfo and reginfo files.
Procedure
1. Enable logging of security-relevant gateway actions (ACTION=S), for example in profile parameter gw/logging.
Note
To keep the log file as small as possible, you can set a small s instead of a capital S. If the small s is set, only denied actions are logged. This can make the file easier to evaluate for administration purposes.
Note
If an SAP system consists of multiple application servers, add the system ID (three-letter SID) and the server name to the file name. This enables the files to be identified when they are collected centrally for analysis. You can use the variables $(SAPSYSTEMNAME) and $(SAPLOCALHOST) to set the parameter as follows:
gw/logging = ACTION=S LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)-%y%m%d SWITCHTF=day
This logs all security-relevant gateway actions in a separate file. You can also make this setting within the system, in the gateway monitor.
For more information, see the section Setting Up Gateway Logging later in this document.
2. In the $(DIR_DATA) directory, create the secinfo and reginfo files with entries that permit all programs (see the syntax description in the section Displaying and Editing Security Files).
With this configuration of secinfo and reginfo all programs can be started from the gateway, and all programs can register at the Gateway.
Caution
These settings are only temporary and are used for finding out which programs are to be included in the files. While these settings are active, the Gateway is not protected against external programs.
3. Activate the configuration files secinfo and reginfo by choosing Goto > Expert Functions > External Security > Reread in transaction SMGW. Activate these files on every application server instance of the system. To do this, call the server overview (transaction SM51) and switch to each instance by double-clicking it.
4. Leave the system running with these settings for a few days, and execute all actions that relate to external programs and registered servers.
5. Evaluate the log file. Proceed as described in the section Evaluating the Gateway Log File.
6. Maintain the files secinfo and reginfo accordingly.
7. Activate the files (see step 3).
8. Leave the system running with these settings, but continue to monitor the logging. Pay particular attention to the entries secinfo denied and reginfo denied. These are external programs and registered servers that are not allowed to run according to the current settings. Possibly a new component that requires additional external programs and registered servers is being tested or introduced. The administrator then has to decide whether these entries should be included in the security files.
Setting Up Gateway Logging
Gateway logging is used to monitor the activities of the Gateway. You can configure which Gateway actions are to be logged; they are then written to a log file. The log file is named after its creation time stamp, but you can configure the exact format.
Procedure
You can set up the logging in profile parameter gw/logging or in the gateway monitor (transaction SMGW). The following configuration is recommended for the gateway monitor.
Note
The gateway monitor is not available if you are using a standalone gateway or a Java-only installation. In that case you have to configure logging in profile parameter gw/logging.
More information in the section Configuration Parameters.
1. Call the gateway monitor (transaction SMGW).
2. Choose Goto > Expert Functions > Logging.
3. Define a name for the log. To do this, enter a name in the File Name field; you can use the time stamp variables. The default setting is gw_log-%y-%m-%d, which produces, for example, the file name gw_log-2007-06-19.
4. Choose the gateway actions that you want to log. You can select the following types of gateway actions:
Gateway Action                          | Indicator in the Log File
Network                                 | T
Start/stop/signals                      | X
Security                                | S (or s: only rejected actions are logged, which keeps the log file small and can make analysis easier; accesses rejected because they are listed neither in reginfo nor in secinfo are logged)
Monitor commands                        | M
Dynamic parameter changes               | P
RFC actions (open/close/send/receive)   | V
External programs                       | E
Registered programs                     | R
Create/delete conversation IDs          | C
5. Choose the Toggle Criteria (in the lower section of the screen). You can configure the following:
Time-Controlled Toggle: You can specify a time period after which a new file is opened. Possible values are no toggle, and toggle after one hour, one day, or one year.
Maximum File Size (kByte): You can set the maximum size of the file in kilobytes. If the log file exceeds this size, the file is closed and a new one is opened. A new file name is assigned only if you use the time stamp variables when naming the file (see above).
Specify Old File: Select this checkbox to prevent a new file being created. The old file is then overwritten when the time-controlled toggle condition applies or when the maximum file size is exceeded.
6. Choose whether all programs are to be allowed by default or not (simulation mode = On).
In the default setting (simulation mode = Off) all rules in the security files are processed, and all connections not explicitly listed are rejected.
In simulation mode all rules in the security files are processed too, but in addition all connections not explicitly included in the security files are allowed.
This function can support you and is described in the section Logging-Based Configuration of Gateway.
7. Save the settings.
Caution
The settings you make here are saved in the shared memory of the instance. They are retained when the gateway is restarted. However, if the whole instance is shut down, the settings are lost. If you want to make permanent logging settings, you have to set parameter gw/logging in the profile.
More information in the section Configuration Parameters.
Recommendation
You can set the profile parameter as follows:
gw/logging=ACTION=SPX LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)-%y%m%d SWITCHTF=day
Then signals, profile parameter changes, and security actions will always be logged, and if required you can extend the logging as described above.
Result
The log file is created, and further files are written depending on the settings. The files can be found in the work directory of the instance.
Existing log files are listed at the top, next to the name of the log file; select a file there to display it.
Example
If you select the gateway actions Start/Stop/Signals, Security and Dynamic Parameter Changes for logging, and you use the standard setting for the file name, you will get, for example, the file gw_log-2007-10-10 with the following content:
HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
X Wed Oct 10 2007 11:14:15:900 received signal SIGUSR1 (decrement trace, level=0)
S Wed Oct 10 2007 11:13:40:177 secinfo denied: USER=rehm, USER-HOST=ld8400.wdf.sap.corp (10.21.80.16), HOST=ld8400.wdf.sap.corp (10.21.80.16), TP=/priv/rehm/p4/bas/CGK/workU/_out/cpict2
S Wed Oct 10 2007 11:13:40:277 reginfo denied server: TP=cpict2, HOST=ld8400.wdf.sap.corp (10.21.80.16)
X Wed Oct 10 2007 11:14:24:033 received signal SIGUSR2 (increment trace, level=1)
P Wed Oct 10 2007 11:14:34:523 trace file closed
Evaluating the Gateway Log File
Context
The evaluation of the log file gives you an overview of the communication running through the gateway. You can see which external programs have been started and which have been rejected (with reasons). This enables you to manage your configuration.
If you are using the logging-based setting, after you have evaluated the log file you can adjust the configuration of the security files secinfo and reginfo to meet your requirements.
Recommendation
We recommend that you start with a restrictive configuration and then allow further programs as required. The procedure is described in the section Configuring Connections between Gateway and External Programs Securely.
Procedure
1. Display the contents of the file. You can display the file contents, and save them to your local computer, in transaction SMGW. Choose Goto > Expert Functions > Logging.
Since everything is permitted in secinfo and reginfo, you will only see entries with reginfo accepted and secinfo accepted.
Entries with secinfo accepted were checked against entries in secinfo.
Entries with reginfo accepted were checked against entries in reginfo.
2. Derive the secinfo entries from the secinfo accepted lines.
local is a synonym for all IP addresses of your own host.
internal is a synonym for all IP addresses of all hosts displayed in transaction SM51, as well as all IP addresses of the host in variable SAPDBHOST. The list is refreshed at each new logon of an instance, as well as every five minutes.
You could now simply remove all duplicate entries from the log file and write the remaining entries to the secinfo file. This allows exactly the programs that are running in the environment.
If this results in a large number of programs, group entries together using appropriate wildcards to make the secinfo file more manageable.
Example
Example of entries in the secinfo file
TP=/usr/sap/BIN/SYS/exe/run/* allows all programs in the executable directory of the server to be started.
HOST=* allows programs to be started on any host. This could be restricted to a subnet or a domain name, for example 10.66.66.* or *.sap.corp.
USER=* allows all users to use the external program.
Caution
For programs started from SAP GUI, the Gateway cannot check whether this SAP GUI is allowed. The IP address of the application server is used for the check (USER-HOST in the following line):
S Wed Aug 01 2007 10:39:05:740 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=host1.wdf.sap.corp, TP=gnetx.exe .
3. Derive the reginfo entries from the reginfo accepted lines.
You could now simply remove all duplicate entries from the log file and write the remaining entries to the reginfo file. This allows exactly the programs that are running in the environment to register.
If there are a large number of programs to register, group entries together using appropriate wildcards to make the reginfo file more manageable.
Example
Example of entries in the reginfo file
TP=IGS.WDFD00146227A HOST=* allows registration of IGS.WDFD00146227A from every host.
TP=Bex* HOST=*sap.corp allows programs with registration ID Bex* to register, provided they come from hosts in the SAP network.
Note
If you want to allow access to the registered server only from, for example, the local application server, you have to add ACCESS=local to the entry. To restrict stopping the server to transaction SMGW on the local application server, you need to add CANCEL=local.
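The evaluation in steps 1 to 3 above, as an added worked example in Python (not code from this standard or from SAP): the script parses the indicator-S lines of a gateway log in the format shown in this document, discards duplicates, and proposes version-2 secinfo and reginfo entries with the observed hosts kept explicit rather than replaced by wildcards; it also returns the secinfo denied and reginfo denied lines that step 8 of the logging-based procedure asks you to watch during the monitoring phase. The sample log is constructed from the line formats shown on this page; the shape of the "reginfo accepted server" line is assumed to mirror the "reginfo denied server" line.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the gateway log lines shown in this document
# (indicator S = security action). Not a real capture.
SAMPLE_LOG = """\
X Wed Oct 10 2007 11:14:15:900 received signal SIGUSR1 (decrement trace, level=0)
S Wed Oct 10 2007 11:13:40:177 secinfo denied: USER=rehm, USER-HOST=ld8400.wdf.sap.corp (10.21.80.16), HOST=ld8400.wdf.sap.corp (10.21.80.16), TP=/priv/rehm/p4/bas/CGK/workU/_out/cpict2
S Wed Oct 10 2007 11:13:40:277 reginfo denied server: TP=cpict2, HOST= ld8400.wdf.sap.corp (10.21.80.16)
S Wed Aug 01 2007 10:39:05:740 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=host1.wdf.sap.corp, TP=gnetx.exe .
S Wed Aug 01 2007 10:41:12:003 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=host1.wdf.sap.corp, TP=gnetx.exe .
S Wed Aug 01 2007 10:45:00:118 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
P Wed Oct 10 2007 11:14:34:523 trace file closed
"""

# Only indicator S lines carry secinfo/reginfo decisions; "server" appears on reginfo lines.
LINE_RE = re.compile(
    r"^S (?P<ts>\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}:\d{3}) "
    r"(?P<file>secinfo|reginfo) (?P<result>accepted|denied)(?: server)?: (?P<fields>.*)$"
)


def _clean(value):
    """Strip the trailing '(ip)' the gateway appends to host names, plus stray blanks/dots."""
    value = value.strip().rstrip(".").strip()
    return re.sub(r"\s*\([^)]*\)$", "", value)


def parse_security_events(log_text):
    """Return one dict per S line with ts, file, result and the KEY=VALUE fields."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # X, P, ... lines are not security actions
        fields = {}
        for item in m.group("fields").split(", "):
            key, _, val = item.partition("=")
            fields[key.strip()] = _clean(val)
        events.append({"ts": m.group("ts"), "file": m.group("file"),
                       "result": m.group("result"), **fields})
    return events


def propose_entries(events):
    """Turn the accepted actions of the learning phase into candidate #VERSION=2 entries.

    Duplicates collapse to one line; hosts stay explicit so nothing is widened to '*'.
    The administrator still reviews and, where needed, groups them with wildcards.
    """
    secinfo, reginfo = OrderedDict(), OrderedDict()
    for e in events:
        if e["result"] != "accepted":
            continue
        if e["file"] == "secinfo":
            secinfo[f"P TP={e['TP']} USER={e['USER']} HOST={e['HOST']} "
                    f"USER-HOST={e['USER-HOST']}"] = None
        else:
            reginfo[f"P TP={e['TP']} HOST={e['HOST']}"] = None
    return ["#VERSION=2", *secinfo], ["#VERSION=2", *reginfo]


def denied_events(events):
    """The secinfo denied / reginfo denied lines to review during the monitoring phase."""
    return [e for e in events if e["result"] == "denied"]


if __name__ == "__main__":
    events = parse_security_events(SAMPLE_LOG)
    for proposal in propose_entries(events):
        print("\n".join(proposal), end="\n\n")
    for e in denied_events(events):
        print("REVIEW:", e["ts"], e["file"], e.get("TP"), e.get("HOST"))
```

Because the proposal keeps USER-HOST, a program started from SAP GUI is pinned to the application server's address, exactly as the caution above describes; only widen that to internal or to a wildcard deliberately, after checking the grouped entries against the hosts that actually appear in the log.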
You can define the file path using profile parameters gw/sec_info and gw/reg_info. The default values are:
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
When the gateway is started, it reads both security files. You can make changes by changing, adding, or deleting entries in the secinfo or reginfo file; the changes become active as soon as the security files are reloaded.
Displaying and Editing Security Files
There are various tools with different functions provided to administrators for working with the security files.
To edit the security files, you have to use an editor at operating system level.
You must keep precisely to the syntax of the files, which is described below.
There are two different versions of the syntax for both files: Syntax version 1 does not allow programs to be explicitly forbidden from being started or registered. As an alternative you can therefore work with syntax version 2, which corresponds to the route permission table of the SAProuter. If you want to use this syntax, the whole file must be structured accordingly, and the first line must contain the entry #VERSION=2 (written precisely in this format).
Once you have completed the change, you can reload the files without having to restart the gateway. To do this, in the gateway monitor (transaction SMGW) choose Goto > Expert Functions > External Security > Reread.
Structure
secinfo
The following syntax is valid for the secinfo file.
Version 1
A line in the file has the format:
USER=<user>, [USER-HOST=<user host>,] HOST=<host>, TP=<tp>
This order is not mandatory. As separators you can use commas or spaces. If the TP name itself contains spaces, you have to use commas instead.
Use a line of this format to allow the user <user> to start the program <tp> on the host <host>.
You can tighten this authorization check by setting the optional parameter USER-HOST, which restricts the hosts from which the user may issue the request.
The value internal for the host options (HOST and USER-HOST) applies to all hosts in the SAP system. The gateway replaces it internally with the list of all application servers in the SAP system.
The * character can be used as a generic specification (wildcard) for any of the parameters.
If USER-HOST is not specified, the value * is assumed.
Version 2
The format of the first line is #VERSION=2; all further lines are structured as follows:
P|D TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]
Here the line starting with P or D, followed by a space or a TAB, has the following meaning:
P means that the program is permitted to be started (the same as a line with the old syntax).
D means that the program is not permitted to be started.
Example
Example of a secinfo file in the new syntax
#VERSION=2
D HOST=* USER=* TP=/bin/sap/cpict4
P HOST=* USER=* TP=/bin/sap/cpict*
P TP=hugo HOST=local USER=*
P TP=* USER=* USER-HOST=internal HOST=internal
Program /bin/sap/cpict4 may not be started by any user on any host (the D line is matched first).
All other programs starting with /bin/sap/cpict are allowed to be started (on every host and by every user).
Program hugo is allowed to be started on the local host (the gateway host) by every user.
All programs requested by hosts within the SAP system can be started on all hosts in the system.
reginfo
Certain programs can be allowed to register on the gateway from an external host by
specifying the relevant information. You can also control access to the registered
programs and cancel registered programs.
As soon as a program has registered in the gateway, the attributes of the retrieved entry
(specifically ACCESS) are passed on to the registered program. This means that if the file
is changed and the new entries immediately activated, the servers already logged on will
still have the old attributes. To assign the new settings to the registered programs too (if
they have been changed at all), the servers must first be deregistered and then
registered again.
Successful and rejected registrations, and calls from registered programs, can be ascertained using Gateway Logging with indicator S.
Lines with errors are reported in the trace file dev_rd and are not read in.
The reginfo file has the following syntax. There are two different syntax versions that you can use (not together).
Version 1
A line in the file has the format:
TP=<tp> [HOST=<hostname>,...] [NO=<n>] [ACCESS=<hostname,...>] [CANCEL=<hostname,...>]
The value internal for the host options (HOST, ACCESS and CANCEL) applies to all hosts in the SAP system. The gateway replaces it internally with the list of all application servers in the SAP system.
Comment lines begin with #.
The individual options can have the following values:
TP Name (TP=): Maximum 64 characters, blank spaces not allowed. The wildcard character * stands for any number of characters; the entry * therefore means no limitation, fo* stands for all names beginning with fo, and foo stands precisely for the name foo.
Host Name (HOST=): Host name or IP address of the registering host; IPv6 addresses and subnet masks are possible, for example:
A:B:C:D:E:F:1:2
A:B:C:D:E:F:1.2.3.4
A:B
A:B:C:D:E:1:2/60
192.1.1.101
Number (NO=): Number between 0 and 65535. If the TP name has been specified without wildcards, you can specify the number of registrations allowed here.
Example
TP=foo NO=1 means that only one program with the name foo is allowed to register; all further attempts to register a program with this name are rejected. If this addition is missing, any number of servers with the same ID are allowed to register.
ACCESS List
To control access from the client side too, you can define an access list for each entry.
This is a list of host names that must comply with the rules above. If no access list is
specified, the program can be used from any client. The local gateway where the
program is registered always has access.
What is important here is that the check is made on the basis of hosts and not at user
level.
Example
TP=foo ACCESS=*.sap.com
Program foo is only allowed to be used by hosts from domain *.sap.com. Access attempts
coming from a different domain will be rejected. Of course the local application server is
allowed access.
To permit registered servers to be used by local application servers only, the file must
contain the following entry.
TP=* ACCESS=local [CANCEL=local]
CANCEL List
To control the cancellation of registered programs, a cancel list can be defined for each
entry (same as for the ACCESS list). If no cancel list is specified, any client can cancel the
program. The local gateway where the program is registered can always cancel the
program.
In the gateway monitor (transaction SMGW) choose Goto > Logged On Clients, use
the cursor to select the registered program, and choose Goto > Logged On Clients >
Delete Client.
Note
The RFC library provides functions for closing registered programs. If this client does not
match the criteria in the CANCEL list, then it is not able to cancel a registered program.
No error is returned, but the number of cancelled programs is zero.
Examples of valid entries
Entry: TP=* HOST=*
Entry: TP=foo* HOST=*
Entry: TP=foo*
Meaning: All registrations beginning with foo but not f or fo are allowed (missing HOST rated as *)
Entry: TP=* HOST=*.sap.com
Entry: TP=* ACCESS=*.sap.com
Meaning: Only clients from domain *.sap.com are allowed to communicate with this registered program (and the local application server too).
Entry: TP=* ACCESS=local
Meaning: Only clients from the local application server are allowed to communicate with this registered program.
Version 2
The format of the first line is #VERSION=2, all further lines are structured as follows:
P|D TP=<tp> [HOST=<hostname>,...] [NO=<n>]
[ACCESS=<hostname,...>] [CANCEL=<hostname,...>]
Here the line starting with P or D, followed by a space or a TAB, has the following
meaning:
P means that the program is permitted to be registered (the same as a line with
the old syntax)
D means that registration of the program is denied
Example
#VERSION=2
P TP=cpict4 HOST=10.18.210.140
D TP=* HOST=10.18.210.140
P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost
P TP=cpict4
P TP=* USER=* HOST=internal
Program cpict4 is allowed to be registered if it arrives from the host with address
10.18.210.140.
All other programs from host 10.18.210.140 are not allowed to be registered.
Program cpict2 is allowed to be registered, but can only be run and stopped on
the local host or host ld8060.
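The following is an added example, not SAP code and not part of this standard: it applies reginfo rules in the Version 2 syntax to concrete registration, use and cancel requests, so the effect of a rule set can be checked before it is deployed. It assumes first-match evaluation (which the cpict4 / TP=* example above implies), treats a request that matches no line as denied, and resolves the keywords local and internal to the constructed host sets LOCAL_HOSTS and INTERNAL_HOSTS; these are assumptions of the example, not statements of the standard.

```python
"""Evaluate SAP gateway reginfo (#VERSION=2) rules against sample requests.
Added example, not SAP code; assumptions are marked in comments."""
import fnmatch
from collections import Counter
from dataclasses import dataclass

# Constructed stand-ins for the keywords "local" (the local gateway host) and
# "internal" (all application servers of the SAP system).
LOCAL_HOSTS = {"localhost", "127.0.0.1"}
INTERNAL_HOSTS = LOCAL_HOSTS | {"appserver1", "appserver2"}


@dataclass
class Rule:
    permit: bool          # P = True, D = False
    tp: str               # program name pattern, '*' matches any characters
    hosts: list           # HOST list; a missing HOST is rated as '*'
    access: list = None   # ACCESS list; None = any client may use the program
    cancel: list = None   # CANCEL list; None = any client may cancel it
    limit: int = None     # NO=<n>; None = unlimited registrations


def _list(opts, key):
    return opts[key].split(",") if key in opts else None


def parse_reginfo(text):
    """Parse a Version 2 reginfo file into an ordered list of Rule objects."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "#VERSION=2":
        raise ValueError("first line should be #VERSION=2")
    rules = []
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)   # P|D, then options separated by space or TAB
        if parts[0] not in ("P", "D"):
            raise ValueError(f"invalid Permit/Deny in line {lineno}")
        opts = dict(tok.partition("=")[::2]
                    for tok in (parts[1].split() if len(parts) > 1 else []))
        if "TP" not in opts:
            raise ValueError(f"missing TP= in line {lineno}")
        rules.append(Rule(parts[0] == "P", opts["TP"], _list(opts, "HOST") or ["*"],
                          _list(opts, "ACCESS"), _list(opts, "CANCEL"),
                          int(opts["NO"]) if "NO" in opts else None))
    return rules


def host_matches(pattern, host):
    """Match one HOST/ACCESS/CANCEL entry; 'local' and 'internal' are keywords."""
    if pattern == "local":
        return host in LOCAL_HOSTS
    if pattern == "internal":
        return host in INTERNAL_HOSTS
    return fnmatch.fnmatchcase(host, pattern)


class RegInfo:
    def __init__(self, rules):
        self.rules = rules
        self.registrations = Counter()   # exact TP name -> live registrations

    def match(self, tp, host):
        """First line whose TP and HOST both match (assumption: first match decides)."""
        for rule in self.rules:
            if fnmatch.fnmatchcase(tp, rule.tp) and any(host_matches(h, host) for h in rule.hosts):
                return rule
        return None

    def may_register(self, tp, host):
        rule = self.match(tp, host)
        if rule is None or not rule.permit:
            return False   # no matching line is treated as denied here (assumption)
        if rule.limit is not None and "*" not in rule.tp and self.registrations[tp] >= rule.limit:
            return False   # NO=<n> reached: further registrations are rejected
        return True

    def register(self, tp, host):
        """Record a registration if the rules allow it."""
        allowed = self.may_register(tp, host)
        if allowed:
            self.registrations[tp] += 1
        return allowed

    def _client_ok(self, entries, client):
        if entries is None or client in LOCAL_HOSTS:
            return True    # no list = any client; the local gateway always has access
        return any(host_matches(p, client) for p in entries)

    def may_use(self, tp, host, client):
        rule = self.match(tp, host)
        return rule is not None and rule.permit and self._client_ok(rule.access, client)

    def may_cancel(self, tp, host, client):
        rule = self.match(tp, host)
        return rule is not None and rule.permit and self._client_ok(rule.cancel, client)


# Sample input: the example file from this standard.
SAMPLE_REGINFO = """#VERSION=2
P TP=cpict4 HOST=10.18.210.140
D TP=* HOST=10.18.210.140
P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost
P TP=cpict4
P TP=* USER=* HOST=internal
"""
```

Running `RegInfo(parse_reginfo(SAMPLE_REGINFO))` reproduces the reading given above: cpict4 may register from 10.18.210.140, every other program from that host is refused by the D line, and cpict2 can be used or cancelled only by ld8060 or the local host. Because the evaluator is order-sensitive, swapping the first two lines of the sample would silently block cpict4 as well, which is exactly the kind of mistake worth catching before the file reaches the gateway.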
To ensure that your configuration of security files secinfo and reginfo is free of errors,
while the system is running you can check that the files do not contain incorrect entries
by using the gateway trace file.
As described in the relevant sections there are two ways to define the files:
The new syntax, with the title line #VERSION=2 and P or D at the start of each line;
the conventional syntax, without a title line; a conventional line corresponds to a line
starting with P in the new syntax.
You have to decide on one syntax for each file; mixed files are not accepted.
Prerequisites
You have maintained the security files, they are located in the correct directory, and
the Gateway has been restarted.
Procedure
Display the Gateway trace file dev_rd. You can do this using the gateway monitor
(transaction SMGW), the trace file display (transaction ST11), the management console,
or at operating system level.
Search for entries of type
*** WARNING => Errors found in ./secinfo
*** WARNING => Errors found in ./reginfo
that are written to standard trace level 1.
Example
The following examples show which error messages appear in the trace if the files are
not correctly set up.
Mixed File
Here the files have been created using the new syntax (with #VERSION=2), but contain
entries without P or D at the start of the line.
#VERSION=2
TP=hugo PWD=secret HOST=local USER=*
D HOST=* USER=* TP=/bin/sap/cpict4
P HOST=* USER=* TP=/bin/sap/cpict*
HOST=local USER=* TP=*
D TP=hugo PWD=geheim HOST=local USER=*
#VERSION=2
P TP=cpict4 HOST=10.18.210.140
D TP=* HOST=10.18.210.140
TP=ABC NO=1
P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost
P TP=cpict4
*** ERROR => invalid Permit/Deny in ./secinfo line 2 detected (first line should be #VERSION=2)
*** ERROR => invalid Permit/Deny in ./secinfo line 3 detected (first line should be #VERSION=2)
*** ERROR => invalid Permit/Deny in ./secinfo line 5 detected (first line should be #VERSION=2)
*** WARNING => Errors found in ./secinfo
*** WARNING => Please correct the invalid entries
GwIRegInitRegInfo: reginfo version = 1
*** ERROR => invalid Permit/Deny in ./reginfo line 1 detected (first line should be #VERSION=2)
*** ERROR => invalid Permit/Deny in ./reginfo line 2 detected (first line should be #VERSION=2)
*** ERROR => invalid Permit/Deny in ./reginfo line 4 detected (first line should be #VERSION=2)
*** ERROR => invalid Permit/Deny in ./reginfo line 5 detected (first line should be #VERSION=2)
*** WARNING => Errors found in ./reginfo
*** WARNING => Please correct the invalid entries
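The check described in this section can also be run on the files before the gateway is restarted. The following is an added example, not SAP code and not part of this standard: it flags the same class of error the dev_rd trace reports, namely entries without P or D in a #VERSION=2 file and entries with P or D in a conventional file, and formats the findings in the shape of the trace lines above. It assumes that blank lines and lines beginning with # are ignored; the sample files are modelled on the mixed-file examples above.

```python
"""Check a secinfo/reginfo file for the syntax errors the gateway trace reports.
Added example, not SAP code."""
import re

_FLAG = re.compile(r"^[PD][ \t]")   # P or D followed by a space or a TAB


def invalid_lines(text):
    """Return the 1-based numbers of lines that mix the two syntaxes.

    A file whose first line is #VERSION=2 must carry P or D on every further
    entry; a conventional (Version 1) file must carry neither.  Blank lines and
    lines starting with # are skipped (assumption: the gateway ignores them).
    """
    lines = text.splitlines()
    version2 = bool(lines) and lines[0].strip() == "#VERSION=2"
    bad = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if version2 != bool(_FLAG.match(line)):
            bad.append(lineno)
    return bad


def trace_messages(text, name="./secinfo"):
    """Format the findings the way the dev_rd trace presents them."""
    msgs = [f"*** ERROR => invalid Permit/Deny in {name} line {n} detected "
            f"(first line should be #VERSION=2)" for n in invalid_lines(text)]
    if msgs:
        msgs.append(f"*** WARNING => Errors found in {name}")
        msgs.append("*** WARNING => Please correct the invalid entries")
    return msgs


# Sample files modelled on the mixed-file examples in this standard: a Version 2
# file with two unflagged entries, a Version 1 file with two flagged entries,
# and a clean Version 2 file.
MIXED_V2 = """#VERSION=2
TP=hugo PWD=secret HOST=local USER=*
D HOST=* USER=* TP=/bin/sap/cpict4
P HOST=* USER=* TP=/bin/sap/cpict*
HOST=local USER=* TP=*
D TP=hugo PWD=geheim HOST=local USER=*
"""
MIXED_V1 = """TP=ABC NO=1
P TP=cpict4 HOST=10.18.210.140
D TP=* HOST=10.18.210.140
"""
CLEAN_V2 = """#VERSION=2
P TP=cpict4 HOST=10.18.210.140
D TP=* HOST=10.18.210.140
"""
```

Line numbers count from the first line of the file, so in a #VERSION=2 file the first entry is line 2, as in the trace extract above. A file that passes this check can still be wrong in substance (an over-broad P line, for instance); it only establishes that the gateway will parse every entry rather than ignore the file.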
12 Configuration Parameters
Use
The parameters described here specify the basic settings of the SAP Gateway - startup,
execution of remote programs, tracing, etc.
Features
gw/startup
File containing statements to start programs when the gateway starts. This is useful if
CPIC/RFC server programs are always to run. When the gateway is restarted, these
programs are started as well.
To start the gateway on another host you can use a remote shell or a secure shell.
Default Setting
Unit
File Name
Dynamic
No
File syntax:
;*! can be used as comment characters. The individual parameters in the file
must be separated by tabs.
For parameters gwhost and gwserv, macros $(GWHOST) and $(GWSERV) can be
used. They are replaced by the current host name and gateway service
(sapgw <xx> ).
With the GWCHECK option you can activate monitoring of the program started by
the gateway. If the program terminates, it is automatically restarted by the gateway.
Example
In Windows options (starting with '-' ) or strings containing a '/' have to be placed within
quotation marks, for example:
hw1439 "/priv/cpict2" "-tp" cpict2 "-gwhost" p29290 "-gwserv" sapgw53
Example of a file
gw/start_in_homedir
Determines the directory in which the gateway starts programs:
Caution
This parameter is not valid for Microsoft Windows. Here, programs are always started in
the work directory.
Default Setting
Unit
Truth value
Dynamic
Yes
gw/accept_remote_trace_level
Specifies whether the trace level of a CPIC or RFC connection should be transferred. In
order to prevent misuse, you can use this parameter to prevent the trace level from
being transferred within the gateway.
0: Trace level is not allowed to be accepted
1: Transfer trace level allowed
Default Setting
Unit
Truth value
Dynamic
Yes
gw/rem_start
Determines how remote CPIC programs are to be started:
Remote programs to be started via remote shell always run under the gateway
identification. If remote programs are started using rexec, they run under the
identification defined by the parameters SAPUSERNAME and SAPPASSWORD.
Default Setting
REMOTE_SHELL
Unit
Special string
Dynamic
Yes(*)
(*) but only if changing the parameter affords increased security: thus REMOTE_SHELL ->
DISABLED or REXEC -> DISABLED is allowed, whereas DISABLED -> REMOTE_SHELL or
DISABLED -> REXEC is not.
gw/start_threshold
If programs are started using rexec, blockages may occur in the gateway. To make it
easier to analyze such blockages, a warning is written to the trace file once the time
has been exceeded by five seconds. This check is also made for remote shell calls.
The value 0 deactivates this check.
Default Setting
5 (seconds)
Unit
Seconds
Dynamic
Yes
SAPUSERNAME
Identification for starting remote CPIC programs using rexec.
Default Setting
Unit
Character string
Dynamic
No
SAPPASSWORD
Identification for starting remote CPIC programs using rexec.
Default Setting
Unit
Character string
Dynamic
No
gw/remsh
Specifies the call path of the remote shell to start programs on other hosts. If the
variable USER is defined in the environment, its value is passed to the remote shell with -l <value>.
Default Setting
HP
Linux
/usr/bin/remsh
SNI
/usr/bin/remsh
AIX
/usr/ucb/remsh
/usr/bin/remsh
OSF1
/usr/ucb/rsh
SUN
/bin/rsh
OS/2
rsh
Windows
rsh
Otherwise
remsh
Unit
Data path
Dynamic
No
gw/ssh
Specifies the call path of the secure shell to start programs on other hosts.
Default Setting
HP
Linux
usr/bin/ssh
AIX
/usr/ucb/ssh
OSF1
/usr/ucb/ssh
usr/bin/ssh
SUN
/bin/ssh
OS/2
ssh
Windows
ssh
Otherwise
ssh
Unit
Data path
Dynamic
No
gw/stat
Determines the status of the gateway statistics after starting the gateway. The gateway
statistics can be evaluated using the gateway monitor (gwmon or transaction SMGW),
and can be changed dynamically.
0: Statistics deactivated
1: Statistics active
Default Setting
Unit
Truth value
Dynamic
Yes
gw/monitor
This parameter determines whether the gateway should communicate with the monitor
locally or remotely.
Default Setting
Unit
Integer: 0,1,2
Dynamic
Yes(*)
(*) but only if changing the parameter affords increased security, thus 2 -> 1 is allowed,
1 -> 2 is not allowed.
gw/logging
With this parameter you can configure gateway logging. You can specify whether the
gateway writes its actions to a log file, which types of actions are logged, and how the
file is renamed. You have the options to define a maximum size for the file, and to specify
whether old files are overwritten.
Recommendation
If the gateway is running in an AS ABAP instance, we recommend you make settings for
gateway logging in the gateway monitor (transaction SMGW). If you want to make
permanent logging settings so that it works again after the instance has been restarted,
you have to set this parameter in the profile.
You must set the parameter as follows:
MAXSIZEKB (optional): Maximum file size. As soon as the file exceeds this size, a
new file is opened, whereby the new file name can change if special characters are
used. This happens unless a condition was specified for SWITCHTF that applies first.
SWITCHTF (optional): Opens a new file after a specific time period, unless a
condition was specified for MAXSIZEKB that applies first.
The following values can be specified:
FILEWRAP (optional): Reuse file. This parameter can only have the value ON. If this
value is set, no new file is written, but the one already open is reset and rewritten to.
The values for parameter LOGFILE are only used the first time the file is opened.
gw/prxy_info
Use this parameter to specify the proxy settings of the gateway.
For instance, you can specify restrictions for forwarding requests from other gateways.
Requests can be forwarded to other gateways if the gateway options are defined for the
RFC destination, or if load distribution is activated.
By making entries in the file you can permit or deny processing of requests from specific
gateways.
Each line indicates permitted or denied connections. Each line must have the following
syntax:
P|D SOURCE=hosta DEST=hostb
For SOURCE and DEST lists of host names, IP addresses, subnetwork masks and/or
domain names can be specified. These entries must be separated by a comma.
A port number can also be included. If it is, then only requests from the specified system
are accepted or rejected. The port number must be the number of the gateway, for
example, 3300 for the system with number 00. Wild cards are not permitted.
Example
P SOURCE=saphosta DEST=saphostb
D SOURCE=saphosta:3300 DEST=saphostb
D SOURCE=10.18.54.56 DEST=10.18.55.*
P SOURCE=*.sap.com DEST=*.sap.com
P SOURCE=*.sap.com,*sap.corp DEST=*
If a request arrives from another gateway and is to be forwarded, the file is searched
sequentially and stopped at the first matching entry. In accordance with the entry, the
request is forwarded or rejected.
If no matching entry is found, the request is rejected.
If the file does not exist, all requests are forwarded.
Default Setting
/usr/sap/<SID>/<instance>/data/prxyinfo
Unit
File Name
Dynamic
No
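The following is an added example, not SAP code and not part of this standard: it evaluates a prxyinfo file exactly as the rules above describe, sequentially with the first matching entry deciding, rejecting a request that matches no entry, and forwarding everything when the file does not exist. Host entries are matched as names or domains with * wildcards, as IP addresses with * wildcards, or as subnets in prefix notation; the :<port> suffix on an entry restricts it to requests from that gateway port. The prefix notation for subnet masks, the treatment of blank and # lines, and the restriction to IPv4 addresses are assumptions of the example; the sample file is the one given above.

```python
"""Decide whether a gateway-to-gateway request is forwarded under a prxyinfo file.
Added example, not SAP code; assumptions are marked in comments."""
import fnmatch
import ipaddress


def parse_prxyinfo(text):
    """Parse 'P|D SOURCE=<list> DEST=<list>' lines into (permit, sources, dests)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue   # assumption: blank lines and # lines are ignored
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("P", "D"):
            raise ValueError(f"line {lineno}: expected 'P|D SOURCE=... DEST=...'")
        opts = dict(tok.partition("=")[::2] for tok in parts[1:])
        if set(opts) != {"SOURCE", "DEST"}:
            raise ValueError(f"line {lineno}: SOURCE and DEST are both required")
        rules.append((parts[0] == "P", opts["SOURCE"].split(","), opts["DEST"].split(",")))
    return rules


def load_prxyinfo(path):
    """Return the parsed rules, or None if the file does not exist."""
    try:
        with open(path, encoding="utf-8") as fh:
            return parse_prxyinfo(fh.read())
    except FileNotFoundError:
        return None


def entry_matches(entry, host, port=None):
    """Match one SOURCE/DEST entry against a host (and, for SOURCE, the port).

    An entry is a host name or domain with '*' wildcards, an IP address with
    '*' wildcards, or a subnet in prefix notation (assumption); ':<port>'
    limits the entry to requests from that gateway port.  IPv4 and host names
    only: an IPv6 literal would be split at its colons (assumption).
    """
    name, _, want_port = entry.partition(":")
    if want_port and str(port) != want_port:
        return False
    if "/" in name:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(name, strict=False)
        except ValueError:
            return False   # not an IP address, so a subnet entry cannot match it
    return fnmatch.fnmatchcase(host, name)


def forward_allowed(rules, source, dest, source_port=None):
    """Sequential first-match lookup: no match rejects, a missing file forwards everything."""
    if rules is None:
        return True
    for permit, sources, dests in rules:
        if (any(entry_matches(s, source, source_port) for s in sources)
                and any(entry_matches(d, dest) for d in dests)):
            return permit
    return False


# Sample input: the example entries from this standard.
SAMPLE_PRXYINFO = """P SOURCE=saphosta DEST=saphostb
D SOURCE=saphosta:3300 DEST=saphostb
D SOURCE=10.18.54.56 DEST=10.18.55.*
P SOURCE=*.sap.com DEST=*.sap.com
P SOURCE=*.sap.com,*sap.corp DEST=*
"""
```

Because the search stops at the first match, the order of entries carries meaning: in the sample, the second line can never apply to a request from saphosta to saphostb, since the first line already permits it regardless of port. Running candidate requests through `forward_allowed` before the file is deployed makes such shadowed entries visible; `load_prxyinfo` returning None is the case to watch for, since a missing file means every forwarding request is accepted.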
Parameter: Default Value (Description)
(configuration parameter)
gw/accept_timeout: 60 seconds (timeout parameter)
gw/acl_file
gw/acl_mode (security parameter)
gw/alternative_hostnames (Network Parameters)
gw/close_routes
gw/conn_disconnect: 900 seconds (timeout parameter)
gw/conn_pending
gw/cpic_timeout: 20 seconds (timeout parameter)
gw/deallocate_timeout: 600 seconds (timeout parameter)
gw/frag_timeout: 120 seconds (timeout parameter)
gw/gw_disconnect
gw/internal_timeout
gw/keepalive: 300 seconds (timeout parameter)
gw/listen_queue_len
gw/local_addr (Network Parameters)
gw/logging (configuration parameter)
gw/max_conn: 500
management)
gw/max_conn_per_dest: 10
gw/max_overflow_size
gw/max_overflow_usage
gw/max_sleep
gw/max_sys
gw/monitor
gw/netstat_once
gw/nibuf_max: Used by NI interface (Network Parameters)
gw/nibuf_retry: Used by NI interface.
gw/nifragtest (Network Parameters)
gw/nitrace (Network Parameters)
gw/prxy_info: /usr/sap/<SID>/<instance>/data/prxyinfo (configuration parameter)
gw/reg_info (security parameter)
gw/reg_keepalive: 300 seconds (timeout parameter)
gw/reg_lb_default: 20
gw/reg_lb_ip
gw/reg_lb_level
gw/reg_timeout: 60 seconds (timeout parameter)
gw/remsh (configuration parameter)
gw/rem_start: REMOTE_SHELL (configuration parameter)
gw/req_stack_size: 30
gw/resolve_phys_addr
gw/resolve_timeout: 0 milliseconds (timeout parameter)
gw/sec_info: <Data Directory>/secinfo (security parameter)
gw/so_keepalive (Network Parameters)
gw/ssh (configuration parameter)
gw/start_in_homedir (configuration parameter)
gw/start_threshold: 5 seconds (configuration parameter)
gw/startup (configuration parameter)
gw/stat
gw/tcp_security (security parameter)
gw/timeout: 0 milliseconds
snc/enable
snc/gssapi_lib (security parameter)
snc/identity/as (security parameter)
snc/permit_common_name
snc/permit_insecure_comm
snc/permit_insecure_start