Gateway Guide


Title: Identity & Access Management Powerful access - Standard
Version: 1
Page 1 of 61

Security Baseline for the Gateway on SAP Systems


Executive Summary
This document describes the required steps needed in order to secure gateway
communications on SAP systems. It contains descriptions that are to be set in order to
maintain a minimum level of security.

Summary of changes compared to previous version


This is the initial creation of this document.

Owner of the Standard


Name

Function

Effective date of current version/ Transition period


Effective date
End of transition period

Applicable for
Mandatory for
Recommended for

All Common SAP ABAP Systems


All SAP ABAP Systems

Approval by the ITLT and higher body if needed


Approving body
t.b.d.

Date
t.b.d.

Next planned review


Reason for review
Based on frequency
Based on trigger

Timeline/ Trigger
At least every year this document needs to be reviewed.
In case of new developments or new solutions this
document must be reviewed and updated appropriately to
remain compliant with the solutions that it describes.

Taxonomy
Infrastructure & Technology, Information Security, Identity and Access Management,
Powerful Access


Enterprise Keywords
SAP Security, SAP Basis, SAP Gateway

Expert group members to create the document


Name of SME

Function


Table of Contents
1 Introduction
2 General overview on SAP gateway
3 Configuring Network-Based Access Control Lists (ACL)
4 Security Parameters of the Gateway
5 Security Settings in the Gateway
6 Configuring Connections between Gateway and External Programs Securely
7 Logging-Based Configuration of Gateway
  Context
  Procedure
8 Setting Up Gateway Logging
9 Evaluating the Gateway Log File
  Prerequisites
  Context
  Procedure
10 Gateway Security Files secinfo and reginfo
11 Checking the Security Configuration of Gateway
12 Gateway Parameters - Reference


1 Introduction
This document describes and prescribes the minimal configuration settings that need to
be implemented to ensure that the gateway of an SAP ABAP system is compliant with the
Information Security Standard and offers a minimal security baseline. Since there is a
great variety of SAP ABAP systems and versions, this document describes the settings
based on the latest insights. Nevertheless, if a deviation from the settings in this
document is needed, ensure that it is documented.
For more background on SAP security and authorization, we refer to the knowledge item
Logical Access Control on SAP systems, which can be found on One2Share, as well as the
SAP site, which contains a lot of material on this topic.


2 General overview on SAP gateway
SAP Gateway is a technology that provides a simple way to connect devices,
environments and platforms to SAP software based on market standards. It offers
connectivity to SAP applications using any programming language or model without the
need for SAP knowledge.

3 Configuring Network-Based Access Control Lists (ACL)
Use
You can set up an access control list (ACL) and use it to control which connections
the Gateway accepts and which it does not. The rules are based on the IP addresses of the
clients. The same ACL file is used for the "standard" port and for the "SNC" port of the
SAP gateway.

Procedure
1. Create an ACL file using the syntax described below.
2. In the instance profile of the SAP gateway instance, set parameter gw/acl_file to the
   file path of the ACL file.

Caution !!!
If this parameter is not set, the Gateway accepts all connection requests.

Syntax of the ACL File
3. Lines in the ACL file must have the following syntax:

<permit | deny> <ip-address[/mask]> [tracelevel] [# comment]

Where:

permit = permits a connection, and deny = denies a connection.


<ip address>: The IP address must be an IPv4 or IPv6 address in the following form:
  - IPv4: 4 bytes, decimal, '.' separated, e.g. 10.11.12.13
  - IPv6: 16 bytes, hexadecimal, ':' separated; '::' is supported

<mask>: If a mask is specified, it must be a subnetwork prefix mask:
  - IPv4: 0-32
  - IPv6: 0-128

<trace level>: Trace level with which ACL hits (matches of addresses based on the
subnetwork mask) are written to the relevant trace file (default value 2).

<# comment>: Comment lines begin with a hash sign (#).

The file can contain blank lines.

The rules are checked sequentially from the top down. The first matching rule
determines the result ("first match"). If no rule applies, the connection is rejected. To
make this explicit, a final deny rule (deny 0.0.0.0/0) should be entered anyway as
the last rule.

Example
permit 10.1.2.0/24 # permit client network
permit 192.168.7.0/24 # permit server network
permit 10.0.0.0/8 1 # screening rule
# (learning mode, trace-level 1)
permit 2001:db8::1428:57ab # permit IPv6 host
deny 0.0.0.0/0 # deny the rest


4 Security Parameters of the Gateway
Use

The parameters described below are used to configure the gateway to ensure secure
connections.

Prerequisites
Your system must be configured for using the SNC interface.

Features
gw/acl_file
This parameter specifies the name of an access control list (ACL) file. With an ACL you
can configure who is permitted to connect to the gateway.

Note
The same ACL file is used for the standard port and for the SNC port of the gateway.
If the specified ACL file does not exist or is erroneous, the gateway immediately closes.

Caution
If the parameter is not set, no access control is applied.

Default Setting: Empty (no ACL file is used)
Dynamic: No


gw/acl_mode
The parameter defines the behavior of the gateway if no ACL file (gw/sec_info or
gw/reg_info) exists.
The following values are permitted:

0: There is no restriction on starting external servers or registering servers.

Recommendation
This setting should not be used in production operation.

1: External and registered servers are only permitted within the system
(application servers of the same system). All other servers are rejected or have to be
maintained in the respective files.

Default Setting: 1
Dynamic: Yes

gw/logging
With this parameter you can configure gateway logging. You can specify whether the
gateway writes its actions to a log file, which types of actions are logged, and how the
file is renamed. You have the options to define a maximum size for the file and to specify
whether old files are overwritten.

Recommendation
If the gateway is running in an AS ABAP instance, we recommend that you make the settings
for gateway logging in the gateway monitor (transaction SMGW). If you want to make
permanent logging settings so that logging works again after the instance has been restarted,
you have to set this parameter in the profile.
You must set the parameter as follows:
gw/logging = LOGFILE=<name> ACTION=[TERSMPXVCO] [MAXSIZEKB=n] [SWITCHTF=t] [FILEWRAP=on]


The meaning of the individual elements is as follows:

LOGFILE: File name of the log file.

ACTION: The character sequence (a subset of TERSMPXVCO) specifies the actions to log.

MAXSIZEKB (optional): Maximum file size. As soon as the file exceeds this size, a
new file is opened, whereby the new file name can change if special characters are
used. This is the case unless a condition specified for SWITCHTF applies first.

SWITCHTF (optional): Opens a new file after a specific time period, unless a
condition specified for MAXSIZEKB applies first.
The following values can be specified:
  - year: After one year a new file is opened
  - month: After one month
  - week: After one week
  - day: After one day
  - hour: After one hour

FILEWRAP (optional): Reuse file. This parameter can only have the value ON. If this
value is set, no new file is written, but the one already open is reset and rewritten to.
The values for parameter LOGFILE are only used the first time the file is opened.
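Because gw/logging is set in a profile and only takes effect at instance start, a typo in the value (an ACTION letter outside TERSMPXVCO, an unsupported SWITCHTF period, FILEWRAP=off) is usually only noticed when the expected log file never appears. The Python below is an added example, not code from this document or from SAP: it validates a gw/logging value against the elements listed above and resolves the LOGFILE name the way the document describes, with the $(SAPSYSTEMNAME) and $(SAPLOCALHOST) profile variables taken from a dictionary supplied by the caller. The profile values used in the usage call are constructed; the lowercase s for "denied actions only" is taken from the Note in section 7 of this document.

```python
import re
from datetime import date

# Elements of the gw/logging value as listed in this section
REQUIRED = ("LOGFILE", "ACTION")
OPTIONAL = ("MAXSIZEKB", "SWITCHTF", "FILEWRAP")
ACTION_CHARS = set("TERSMPXVCO")
SWITCHTF_VALUES = ("year", "month", "week", "day", "hour")


def parse_gw_logging(value: str) -> dict:
    """Validate a gw/logging value; an optional 'gw/logging =' prefix is accepted."""
    if value.lstrip().startswith("gw/logging"):
        value = value.split("=", 1)[1]
    settings = {}
    for token in value.split():
        key, sep, val = token.partition("=")
        if not sep or key not in REQUIRED + OPTIONAL:
            raise ValueError(f"unknown or malformed element: {token!r}")
        if key in settings:
            raise ValueError(f"element {key} given more than once")
        settings[key] = val
    for key in REQUIRED:
        if key not in settings:
            raise ValueError(f"missing required element {key}")
    # ACTION is a subset of TERSMPXVCO; a lowercase s logs denied security actions only
    bad = set(settings["ACTION"]) - ACTION_CHARS - {"s"}
    if bad:
        raise ValueError(f"ACTION contains characters outside TERSMPXVCO: {sorted(bad)}")
    if "MAXSIZEKB" in settings:
        if not settings["MAXSIZEKB"].isdigit() or int(settings["MAXSIZEKB"]) == 0:
            raise ValueError("MAXSIZEKB must be a positive integer (kilobytes)")
        settings["MAXSIZEKB"] = int(settings["MAXSIZEKB"])
    if "SWITCHTF" in settings and settings["SWITCHTF"] not in SWITCHTF_VALUES:
        raise ValueError(f"SWITCHTF must be one of {SWITCHTF_VALUES}")
    if "FILEWRAP" in settings and settings["FILEWRAP"].lower() != "on":
        raise ValueError("FILEWRAP can only have the value ON")
    return settings


def expand_logfile(pattern: str, env: dict, opened: str) -> str:
    """Resolve $(NAME) profile variables and the %y %m %d time stamp variables.

    'opened' is the ISO date on which the file is opened. %y expands to the
    four-digit year, matching the gw_log-2007-06-19 example in this document
    rather than strftime's two-digit %y."""
    day = date.fromisoformat(opened)

    def from_env(m):
        name = m.group(1)
        if name not in env:
            raise KeyError(f"profile variable {name} not defined")
        return env[name]

    name = re.sub(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)", from_env, pattern)
    return (name.replace("%y", f"{day.year:04d}")
                .replace("%m", f"{day.month:02d}")
                .replace("%d", f"{day.day:02d}"))


def denied_only(settings: dict) -> bool:
    """True when only denied security actions are logged (lowercase s, no S)."""
    return "s" in settings["ACTION"] and "S" not in settings["ACTION"]


if __name__ == "__main__":
    cfg = parse_gw_logging(
        "gw/logging = ACTION=SPX LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)-%y%m%d SWITCHTF=day")
    print(cfg)
    # constructed profile values for the two variables named in section 7
    print(expand_logfile(cfg["LOGFILE"], {"SAPSYSTEMNAME": "PRD", "SAPLOCALHOST": "apphost1"},
                         "2007-10-10"))
```

A check like this belongs in whatever tooling reviews profile changes, since the gateway gives no feedback on the value until the instance is restarted.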

gw/monitor
This parameter specifies how the Gateway handles monitor commands.
The following values are possible:

0: No monitor commands are accepted
1: Only commands from the local Gateway monitor are accepted
2: Commands from local Gateway monitors and external Gateway monitors are accepted.


Default Setting: 1
Dynamic: Yes
(Though only in the direction of more security, that is, from 1 to 2, and not from 2 to 1)
gw/sec_info
File with the security information.
Any unauthorized starting of external programs can be prevented by
maintaining the file secinfo in the data directory of the gateway instance.

Default Setting: <Data Directory>/secinfo
Dynamic: No
(Values cannot be changed dynamically, but you can completely reload the file when the
gateway is running)

gw/reg_info
File with the security information for registered programs.
Unauthorized registration of programs can be prevented by maintaining the file reginfo in
the data directory of the gateway instance.
If the file exists, the system searches for valid registration entries in this list. If there are
none, the system searches, as before, in the gw/sec_info file.

Default Setting: <Data directory>/reginfo


Dynamic: No
(Values cannot be changed dynamically, but you can completely reload the file when the
system is running)

SNC Parameters
There are a number of additional parameters that control the behavior of the Gateway in
conjunction with SNC (Secure Network Communication).

Parameter: snc/enable
Meaning: This parameter specifies whether the gateway accepts connections that protect
the data via SNC.
Dynamic: No

Parameter: snc/permit_insecure_comm
Meaning: This parameter specifies whether the gateway accepts connections without SNC.
Dynamic: No

Parameter: snc/permit_insecure_start
Meaning: This parameter specifies whether the gateway may establish connections with
programs that communicate without SNC.
Dynamic: No

Parameter: snc/permit_common_name
Meaning: This parameter specifies whether the gateway can use a default SNC name
specified by the parameter snc/identity/as, if an SNC name for the connection cannot be
read from secinfo.
Dynamic: No

Parameter: snc/gssapi_lib
Meaning: Path for the shared library of the security system in use.
Default Value: ""
Dynamic: No


Parameter: snc/identity/as
Meaning: Identity of the gateway application server
Default Value: ""

5 Security Settings in the Gateway

Use
Gateway is an interface between the application server and other SAP systems or
programs. Usually application servers and database hosts are located in the same
network segment. This network is secured from external access through a demilitarized
zone (DMZ).
Communication that leads from the Gateway, as part of the application server, to external
systems beyond the DMZ is in principle insecure. System administrators have several
options available to configure external communication of the Gateway securely.

Features
Configuring Network-Based Access Control Lists (ACL):
In this ACL file (Access Control List = security file) you can specify from which
hosts the gateway is to accept connections at TCP/IP level.

Configuring Support of SNC Components:
With two profile parameters you can specify whether the Gateway is to support
SNC, and whether connections to non-SNC programs are to be allowed. By setting up
SNC or using SAP routers, you can make communication between SAP gateways of
different SAP systems secure.

Configuring Connections between Gateway and External Programs Securely:


With two ACL files (Access Control List = security file) you can specify which
external programs are allowed to connect to the Gateway (security file reginfo), and
which programs are allowed to be started from the Gateway (security file secinfo).

Setting Up Gateway Logging:
You can configure the Gateway so that actions executed by it, and requests it
receives from external systems, are written to a log file. You can use this log file for
analyzing security settings.

Further Security Parameters:
In addition to the measures described above, further parameters are provided for
you to configure the Gateway securely.

6 Configuring Connections between Gateway and External Programs Securely
Use
To ensure the SAP gateway operates securely, you have to be especially aware of
interaction with external programs. You can configure the Gateway to ensure that
undesirable external programs cannot be run.
There are two ways to do this:

Logging-based configuration
To ensure SAP programs required for system operation are not blocked by a
configuration that is too restrictive, you should configure the security files
to enable all connections, and monitor the Gateway using gateway logging.
This way you get an overview of which programs are to be allowed, and then
you can edit the secinfo and reginfo configuration files accordingly.

Restrictive configuration (secure configuration)
You configure the Gateway so that initially only system-internal programs can be
started and registered.


After that you can add the programs you want to allow to the secinfo and reginfo
configuration files.

Recommendation
This procedure, which is recommended by SAP, is described below.

Prerequisites
The parameters have the following value (default setting):
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
If they have a different value, change them to the value above. If you want to configure
other file paths for the files, set the parameters accordingly.
Parameter gw/acl_mode has the following value (default setting):
gw/acl_mode = 1

Recommendation
reginfo and secinfo are created and administered for each application
server. For reasons of maintainability SAP recommends that one reginfo file and
one secinfo file are created in a shared working directory for each SAP system. For
example:

gw/sec_info = $(DIR_GLOBAL)$(DIR_SEP)secinfo

gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo

If you are using Windows as the operating system, the files should have the ending .DAT.

Procedure
To set up the recommended secure SAP gateway configuration, proceed as follows:
1. Check the secinfo and reginfo files. To do this, in the gateway monitor
   (transaction SMGW) choose Goto Expert Functions External Security Display
   (secinfo) or Display (reginfo).
   To enable system-internal communication, the files must contain the following entries.


secinfo
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
This means that programs on the gateway host can be started by the gateway
host, and that programs within the system can be started from the system.

reginfo
P TP=* HOST=local CANCEL=local ACCESS=*
P TP=* HOST=internal CANCEL=internal ACCESS=*
This means that programs from the gateway host can register, and that programs
within the system can register.

Recommendation
This recommendation applies to existing systems. If a new system has been
installed, we recommend the restrictive setting
P TP=* HOST=local CANCEL=local ACCESS=local
P TP=* HOST=internal CANCEL=internal ACCESS=internal
If the files do not exist, the system behaves as if these entries were
available.
2. Extend these files as required. Enable the configured RFC destinations
   (transaction SM59) as required by making the relevant entries in the secinfo file.
   To do this, proceed as follows:

   Look at the current secinfo file. In the gateway monitor
   (transaction SMGW) choose Goto Expert Functions External Security Display
   (secinfo). Here you can check whether the file complies with your requirements.

   To add further entries to the file, choose Goto Expert Functions External Security
   Create (secinfo).

   In the following dialog box select the relevant entries, and choose


   The lines in the file appear in a new dialog box.

   Choose

   If the file already exists, you can decide whether you want to replace this file with
   the selected entries, or whether to add the selected entries to this file.

   Note
   The system always adds the lines referred to in step 1 to the file automatically;
   otherwise system operation would be affected.

   Decide whether the changes are to be activated immediately or not. If not,
   you can activate them at any time by choosing Goto Expert Functions External Security
   Reread.

   Check your secinfo file. Choose

   Note
   Here you can see the configuration that is currently active in the Gateway. If the
   content of the file has been changed, but the file has not been reread, you can
   see the message "not identical to the content of the file" in the file browser
   (transaction AL11).
   You can maintain the secinfo file at operating system level too, and reread it in
   transaction SMGW (Goto Expert Functions External Security Reread).

7 Logging-Based Configuration of Gateway
Context
For the procedure described here you must first enable full communication with the Gateway.
Based on the log file written, adjust the security settings in the secinfo and reginfo files.


Procedure
1. Set up gateway logging by setting the following parameters in the profile:

   gw/sec_info = $(DIR_DATA)/secinfo
   gw/reg_info = $(DIR_DATA)/reginfo
   gw/logging = ACTION=S LOGFILE=gw_log-%y-%m%d SWITCHTF=day

   Note
   To keep the log file as small as possible, you can set a small s instead of a big S. If the
   small s is set, only denied actions are logged. This can make it easier to evaluate
   the file for administration purposes.

   Note
   If an SAP system consists of multiple application servers, add the system ID (three-letter
   SID) and the server name to the file name. This enables the files to be identified
   when they are collected centrally for analysis. You can use the environment
   variables $(SAPSYSTEMNAME) and $(SAPLOCALHOST) to set the parameter as follows:
   gw/logging = ACTION=S LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)-%y%m%d SWITCHTF=day
   This logs all security-relevant gateway actions in a separate file. You can also make
   this setting within the system.
   For more information, see the section Setting Up Gateway Logging later in this
   document.

2. In the $(DIR_DATA) directory, create the secinfo and reginfo files with the following
   contents:

   secinfo contains the line USER=* HOST=* TP=* only
   reginfo contains the line TP=* only

   With this configuration of secinfo and reginfo all programs can be started from the
   gateway, and all programs can register in the Gateway.

Caution

These settings are only temporary and are used for finding out which programs are to
be included in the files. While these settings are active, the Gateway is not protected
against external programs.
3. Activate the configuration files secinfo and reginfo by choosing Goto Expert
   Functions External Security Reread in transaction SMGW. Activate these files on
   every application server instance of the system. To do this, call the server overview
   (transaction SM51) and switch the instance by double-clicking.
4. Leave the system running with these settings for a few days, and execute all
   actions that relate to external programs and registered servers.
5. Evaluate the log file. Proceed as described in section Evaluating the Gateway Log
   File.
6. Maintain the files secinfo and reginfo accordingly.
7. Activate the files (see step 3).
8. Leave the system running with these settings, but still monitor the
   logging. Pay particular attention to the entries secinfo denied and reginfo
   denied. These are external programs and registered servers that are not
   allowed to be run, as specified in the settings. Possibly, a new component
   that requires additional external programs and registered servers is being
   tested or introduced. The administrator then has to decide whether these
   entries should be included in the security files.

8 Setting Up Gateway Logging

Use
Gateway logging is used to monitor the activities of the Gateway. You can configure
which Gateway actions are to be logged. They are then written to a log file. The log file is
named after its creation time stamp, but you can configure its exact format.

Procedure
You can set up the logging in profile parameter gw/logging or in the gateway monitor
(transaction SMGW). We recommend the following configuration for the gateway
monitor.

Note
The gateway monitor is not available if you are using a standalone gateway or a Java-only
installation. You then have to configure logging in parameter gw/logging.
For more information, see the section Configuration Parameters.

1. Call the gateway monitor (from the menu or in transaction SMGW).
2. Choose Goto Expert Functions Logging.
3. Define a name for the log. To do this, enter a name in the File Name field, where
   you can use the specified time stamp variables. The default setting is gw_log-%y-%m-%d.
   The file will then be called gw_log-2007-06-19.
4. Choose the gateway actions that you want to log in the log file. You can select the
   following types of gateway actions (Gateway Action: Description of the actions logged,
   Indicator in the Log File):

   Network: Network actions, opening and closing network connections. Indicator: T
   Start/stop/signals: Receipt of start and stop commands or other (operating system) signals
   Security: Security settings and their changes (reloading files)
   Rejected accesses only: Only rejected actions are logged in the log file. This keeps
   the log file small. This can make administration tasks easier, for example, analysing data.
   Rejected accesses without rules: Rejected accesses that are listed neither in the reginfo
   file nor in the secinfo file are logged in the log file.
   Monitor commands: Administration commands that the gateway receives from the gateway
   monitor (SMGW or externally gwmon)
   Dynamic parameter changes: Changes to profile parameters in productive operation


   Open RFC connection: Creates new RFC connections
   RFC actions (open/close/send/receive): Opens and closes connections, sends and
   receives data
   External Programs: Launching of external programs
   Registered programs: Registration and deregistration of servers
   Create/delete Conversation IDs: Creates new conversation IDs, deletes conversation IDs

5. Choose the Toggle Criteria (in the lower section of the screen). You can configure
   the following:

   Time-Controlled Toggle: You can specify a time period after which a new file
   is opened. Possible values are no toggle, and toggle after one hour, one day, or one
   year.

   Maximum File Size (kByte): You can set the maximum size of the file
   (specified in kilobytes). If the log file exceeds this size, the file is closed and a new
   one opened. A new file name is assigned provided you use the timestamp variables
   when you name the file (see above).

   Specify Old File: You select this checkbox to prevent a new file being
   created. The old file is then overwritten when the time-controlled toggle condition
   is applied or when the maximum file size is exceeded.

6. Choose whether all programs are to be allowed by default or not (simulation mode
   = On).


   In the default (security mode = Off) all rules in the security files are processed, and all
   connections not explicitly listed are rejected.
   In the simulation mode all the rules in the security files are processed too, and
   furthermore, all connections not explicitly included in the security files are allowed.
   This function can support you and is described in the section Logging-Based Configuration
   of Gateway.
7. Confirm your settings.

Caution
The settings you make here are saved in the shared memory of the instance.
They are retained when the gateway is restarted. However, if the whole
instance is shut down, the settings are lost. If you want to make general
logging settings, you have to set parameter gw/logging in the profile file.
For more information, see the section Configuration Parameters.

Recommendation
You can set the profile parameter as follows:
gw/logging=ACTION=SPX LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)-%y%m%d SWITCHTF=day
Then signals, profile parameter changes, and security actions will always be logged, and
if required, you can also extend the logging as described above.

Result
The log file is created, and further files are written depending on the settings. The files
can be found in the work directory of the instance.
You can see existing log files at the top next to the name of the log file. To look at the file,
choose
.

Example
If you select gateway actions Start/Stop/Signals, Security and Dynamic Parameter
Changes for logging, and you use the standard setting for the file name, you will get, for
example, file gw_log-2007-10-10 with the following content:


P Wed Oct 10 2007 11:07:19:891 trace file opened
P Wed Oct 10 2007 11:07:19:891 change gw/logging from ACTION= LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100 => ACTION=SPX LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100
S Wed Oct 10 2007 11:07:38:196 reginfo accepted server: TP=cpict2, HOST=ld8060.wdf.sap.corp (10.66.66.90)
S Wed Oct 10 2007 11:08:14:974 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
S Wed Oct 10 2007 11:08:20:103 secinfo accepted: USER=rehm, USER-HOST=ld8060.wdf.sap.corp (10.66.66.90), HOST=ld8061.wdf.sap.corp (10.66.66.91), TP=/usr/sap/BIN/SYS/exe/run/tp
S Wed Oct 10 2007 11:09:00:497 secinfo accepted: USER=rehm, USER-HOST=ld8060.wdf.sap.corp (10.66.66.90), HOST=ld8061.wdf.sap.corp (10.66.66.91), TP=/usr/sap/BIN/SYS/exe/run/tp
S Wed Oct 10 2007 11:09:19:974 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
S Wed Oct 10 2007 11:10:24:975 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
S Wed Oct 10 2007 11:11:04:780 secinfo accepted: USER=REHM, USER-HOST=ld8061.wdf.sap.corp (10.66.66.91), HOST=ld8061.wdf.sap.corp (ld8061) (10.66.66.91), TP=/usr/sap/BIN/SYS/exe/run/tp
S Wed Oct 10 2007 11:11:29:976 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
S Wed Oct 10 2007 11:11:34:347 secinfo accepted: USER=REHM, USER-HOST=ld8061.wdf.sap.corp (10.66.66.91), HOST=ld8061.wdf.sap.corp (%%SAPGUI%%) (10.66.66.91), TP=gnetx.exe
S Wed Oct 10 2007 11:11:55:536 secinfo accepted: USER=REHM, USER-HOST=ld8061.wdf.sap.corp (10.66.66.91), HOST=ld8061.wdf.sap.corp (ld8061) (10.66.66.91), TP=sapxpg
S Wed Oct 10 2007 11:12:06:166 secinfo accepted: USER=REHM, USER-HOST=ld8061.wdf.sap.corp (10.66.66.91), HOST=ld8061.wdf.sap.corp (ld8061) (10.66.66.91), TP=sapxpg
S Wed Oct 10 2007 11:12:34:977 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
P Wed Oct 10 2007 11:13:21:871 change gw/cpic_timeout from 120 => 121
S Wed Oct 10 2007 11:13:39:977 reginfo accepted server: TP=IGS.WDFD00146227A,

HOST=wdfd00146227a.dhcp.wdf.sap.corp (10.18.94.4)
X Wed Oct 10 2007 11:14:15:900 received signal SIGUSR1 (decrement trace, level=0)
S Wed Oct 10 2007 11:13:40:177 secinfo denied: USER=rehm, USER-HOST=ld8400.wdf.sap.corp (10.21.80.16), HOST=ld8400.wdf.sap.corp (10.21.80.16), TP=/priv/rehm/p4/bas/CGK/workU/_out/cpict2
S Wed Oct 10 2007 11:13:40:277 reginfo denied server: TP=cpict2, HOST= ld8400.wdf.sap.corp (10.21.80.16)
X Wed Oct 10 2007 11:14:24:033 received signal SIGUSR2 (increment trace, level=1)
P Wed Oct 10 2007 11:14:34:523 trace file closed

9 Evaluating the Gateway Log File

Prerequisites
The registration authorization applies to all programs, which means that the reginfo file
comprises line TP=*.

Context
The evaluation of the log file provides you with an overview of the communication
running through the gateway. You can see which external programs have been started
and which have been rejected (with reasons). This enables you to manage your
configuration.
If you are using the logging-based setting, after you have evaluated the log file you can
adjust the configuration of security files secinfo and reginfo to meet your requirements.

Recommendation
We recommend you start with a restrictive configuration, and then allow further
programs as required. The procedure is described in section Configuring Connections
between Gateway and External Programs Securely.

Procedure
1. Display the contents of the file. You can display the file contents, and save them
   to your local computer, in transaction SMGW. Choose Goto > Expert Functions > Logging.
   Since everything is permitted in secinfo and reginfo, you will only see entries
   with reginfo accepted and secinfo accepted.
   Entries in secinfo accepted are checked against entries in secinfo.
   Entries in reginfo accepted are checked against entries in reginfo.

S Wed Aug 01 2007 10:36:52:181 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A
S Wed Aug 01 2007 10:37:57:183 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A
S Wed Aug 01 2007 10:39:02:185 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A
S Wed Aug 01 2007 10:39:05:740 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=ld8061.wdf.sap.corp, TP=gnetx.exe
S Wed Aug 01 2007 10:39:48:577 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=ld8061.wdf.sap.corp, TP=/usr/sap/BIN/SYS/exe/run/tp

2. Find the entries for the secinfo file.
   Entries for secinfo always contain the following components:
   - USER=<name>: User who wants to start the external program.
   - USER-HOST=<user host>: Host name from where the gateway was requested to start
     the program (when the program is started from the system, the host name is
     always the name of the application server).
   - HOST=<host>: Host on which the program was started. Special values of <host>
     are "local" and "internal". local is a synonym for all IP addresses of your own
     host. internal is a synonym for all IP addresses of all hosts displayed in
     transaction SM51, as well as all IP addresses of the variable SAPDBHOST. The
     list is refreshed at each new logon of an instance, as well as every five
     minutes.
   - TP=<program name>: Program name.

You could now simply filter out all duplicate entries from the log file and write the
remaining entries to the secinfo file. This allows all programs that are running in the
environment.
If this means there are a large number of programs, group together entries using
appropriate wild cards to make the secinfo file more manageable.

Example
Examples of entries in the secinfo file:
- TP=/usr/sap/BIN/SYS/exe/run/* allows all programs in the executable directory of
  the server to be started.
- HOST=* allows programs to be started on any host. This could be restricted to a
  subnetwork mask or domain name, for example, 10.66.66.* or *.sap.corp.
- USER=* allows all users to use the external program.

Caution
With programs started from SAPGUI, the Gateway cannot check whether this SAPGUI
is allowed. The IP address of the application server is used to make the check (see
next line).
S Wed Aug 01 2007 10:39:05:740 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=host1.wdf.sap.corp, TP=gnetx.exe
3. Find the entries for the reginfo file.
   Entries for reginfo always contain the following components:
   - TP=<regi id>: Registration ID of the server program that is being registered.
   - HOST=<host>: Host from where the server is permitted to log on.
   - ACCESS=<host>: Host from which the RFC client is permitted to use a registered
     program.
   - CANCEL=<host>: Host from which the RFC client is permitted to stop a registered
     program.

You could now simply filter out all duplicate entries from the log file and write the
remaining entries to the reginfo file. This allows all programs as they are running in
the environment to register.
If there are a large number of programs to register, group together entries using
appropriate wild cards to make the reginfo file more manageable.

Example
Examples of entries in the reginfo file:
- TP=IGS.WDFD00146227A HOST=* allows registration of IGS.WDFD00146227A from every
  host.
- TP=Bex* HOST=*sap.corp allows programs with registration ID Bex* to register
  provided they come from hosts in the SAP network.

Note
If you want to allow access to the registered server, for example, from the local
application server only, you have to add ACCESS=local to the entry. To stop the
server in transaction SMGW, you need to add CANCEL=local.
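The procedure of this section as an added Python example (not part of the original document): it parses gateway log lines with indicator S, drops duplicate entries, optionally groups programs from one directory into a TP=<dir>/* wild card, and emits reginfo lines with ACCESS=local CANCEL=local as the note above recommends. The log lines, hosts and users in SAMPLE_LOG are constructed for the example.

```python
"""Derive candidate secinfo/reginfo entries from gateway log lines (indicator S)."""
import re

# Constructed sample of gateway log lines in the format shown above; not a
# real system's log. Hosts and users are example values.
SAMPLE_LOG = """\
S Wed Aug 01 2007 10:36:52:181 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A
S Wed Aug 01 2007 10:37:57:183 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A
S Wed Aug 01 2007 10:39:05:740 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=ld8061.wdf.sap.corp, TP=gnetx.exe
S Wed Aug 01 2007 10:39:48:577 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=ld8061.wdf.sap.corp, TP=/usr/sap/BIN/SYS/exe/run/tp
S Wed Oct 10 2007 11:11:04:780 secinfo accepted: USER=REHM, USER-HOST=ld8061.wdf.sap.corp (10.66.66.91), HOST=ld8061.wdf.sap.corp (ld8061) (10.66.66.91), TP=/usr/sap/BIN/SYS/exe/run/tp
S Wed Oct 10 2007 11:11:55:536 secinfo accepted: USER=REHM, USER-HOST=ld8061.wdf.sap.corp (10.66.66.91), HOST=ld8061.wdf.sap.corp (ld8061) (10.66.66.91), TP=/usr/sap/BIN/SYS/exe/run/sapxpg
S Wed Oct 10 2007 11:13:40:177 secinfo denied: USER=rehm, USER-HOST=ld8400.wdf.sap.corp (10.21.80.16), HOST=ld8400.wdf.sap.corp (10.21.80.16), TP=/priv/rehm/p4/bas/CGK/workU/_out/cpict2
P Wed Oct 10 2007 11:13:21:871 change gw/cpic_timeout from 120 => 121
"""

# Indicator S, timestamp, then "secinfo accepted:" / "reginfo accepted server:" etc.
SECURITY_LINE = re.compile(
    r"^S \w{3} \w{3} \d\d \d{4} [\d:]+ (?P<file>secinfo|reginfo) "
    r"(?P<verdict>accepted|denied)(?: server)?: (?P<fields>.*)$")
PARENTHESES = re.compile(r"\s*\([^)]*\)")  # "(alias) (ip)" suffixes on host names


def parse_log(text):
    """Return one (file, verdict, {option: value}) per security line.

    Lines with other indicators (P = parameter change, X = signal) are ignored.
    """
    events = []
    for line in text.splitlines():
        match = SECURITY_LINE.match(line)
        if not match:
            continue
        fields = {}
        for item in match.group("fields").split(", "):
            key, _, value = item.partition("=")
            fields[key] = PARENTHESES.sub("", value).strip()
        events.append((match.group("file"), match.group("verdict"), fields))
    return events


def secinfo_entries(events, collapse_dirs=False):
    """Unique accepted (USER, USER-HOST, HOST, TP) tuples in first-seen order.

    With collapse_dirs, several programs from one directory for the same
    user/host combination become a single TP=<dir>/* wild card entry, the
    grouping the text suggests for large numbers of programs.
    """
    seen = []
    for name, verdict, f in events:
        if name != "secinfo" or verdict != "accepted":
            continue
        key = (f["USER"], f["USER-HOST"], f["HOST"], f["TP"])
        if key not in seen:
            seen.append(key)
    if not collapse_dirs:
        return seen
    groups = {}
    for user, user_host, host, tp in seen:
        directory = tp.rsplit("/", 1)[0] if "/" in tp else ""
        groups.setdefault((user, user_host, host, directory), []).append(tp)
    result = []
    for (user, user_host, host, directory), programs in groups.items():
        if directory and len(programs) > 1:
            result.append((user, user_host, host, directory + "/*"))
        else:
            result.extend((user, user_host, host, tp) for tp in programs)
    return result


def reginfo_entries(events):
    """Unique accepted registrations as reginfo lines. ACCESS=local CANCEL=local
    restricts use and cancellation to the local application server."""
    lines = []
    for name, verdict, f in events:
        if name == "reginfo" and verdict == "accepted":
            line = f"TP={f['TP']} HOST={f['HOST']} ACCESS=local CANCEL=local"
            if line not in lines:
                lines.append(line)
    return lines


def format_secinfo(entry):
    """Version 1 secinfo line; commas are used so a TP containing blanks is safe."""
    user, user_host, host, tp = entry
    return f"USER={user}, USER-HOST={user_host}, HOST={host}, TP={tp}"


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("\n".join(format_secinfo(e) for e in secinfo_entries(events, collapse_dirs=True)))
    print("\n".join(reginfo_entries(events)))
    print("denied:", [f["TP"] for _, v, f in events if v == "denied"])
```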

10 Gateway Security Files secinfo and reginfo

Use
The secinfo security file is used to prevent unauthorized launching of external programs.
File reginfo controls the registration of external programs in the gateway.

You can define the file path using profile parameters gw/sec_info and gw/reg_info. The
default value is:
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
When the gateway is started, it rereads both security files. You can make dynamic
changes by changing, adding, or deleting entries in the reginfo file. Then the file can be
immediately activated by reloading the security files.
Displaying and Editing Security Files
There are various tools with different functions provided to administrators for working
with security files.

- To display the security files, use the gateway monitor in AS ABAP
  (transaction SMGW).
- To edit the security files, you have to use an editor at operating system level.
  You must keep precisely to the syntax of the files, which is described below.
There are two different versions of the syntax for both files: Syntax version 1 does not
enable programs to be explicitly forbidden from being started or registered. For this
reason, as an alternative you can work with syntax version 2, which complies with the
route permission table of the SAProuter. If you want to use this syntax, the whole file
must be structured accordingly and the first line must contain the
entry #VERSION=2 (written precisely in this format).
Once you have completed the change, you can reload the files without having to
restart the gateway. To do this, in the gateway monitor (transaction SMGW) choose
Goto > Expert Functions > External Security > Reread.

Structure
secinfo
The following syntax is valid for the secinfo file.
Version 1
A line in the file has the format:

TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]

This order is not mandatory. As separators you can use commas or spaces. If the TP
name itself contains spaces, you have to use commas instead.
Use a line of this format to allow the user <user> to start the <tp> program on the
host <host>.
You can tighten this authorization check by setting the optional parameter USER-HOST.
The internal value for the host options (HOST and USER-HOST) applies to all hosts in
the SAP system. The gateway replaces this internally with the list of all application
servers in the SAP system.

Example
- USER=mueller, HOST=hw1414, TP=test: The user mueller can execute the test program
  on the host hw1414.
- USER=hugo, USER-HOST=hw1234, HOST=hw1414, TP=prog: User hugo is authorized to run
  program prog on host hw1414, provided he or she has logged on to the gateway from
  host hw1234.

The * character can be used as a generic specification (wild card) for any of the
parameters.
If USER-HOST is not specified, the value * is accepted.
Version 2
The format of the first line is #VERSION=2, all further lines are structured as follows:
P|D TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]

Here the line starting with P or D, followed by a space or a TAB, has the following
meaning:

P means that the program is permitted to be started (the same as a line with the
old syntax)

D prevents this program from being started.

The order of the remaining entries is of no importance.

Example
Example of a secinfo file in the new syntax:

#VERSION=2
D HOST=* USER=* TP=/bin/sap/cpict4
P HOST=* USER=* TP=/bin/sap/cpict*
P TP=hugo HOST=local USER=*
P TP=* USER=* USER-HOST=internal HOST=internal

This file means:
- Program cpict4 is not permitted to be started.
- All other programs whose name starts with cpict are allowed to be started (on every
  host and by every user).
- Program hugo is allowed to be started on every local host and by every user.
- All programs started by hosts within the SAP system can be started on all hosts in
  the system.

reginfo
Certain programs can be allowed to register on the gateway from an external host by
specifying the relevant information. You can also control access to the registered
programs and cancel registered programs.
As soon as a program has registered in the gateway, the attributes of the retrieved entry
(specifically ACCESS) are passed on to the registered program. This means that if the file
is changed and the new entries immediately activated, the servers already logged on will
still have the old attributes. To assign the new settings to the registered programs too (if
they have been changed at all), the servers must first be deregistered and then
registered again.
Successful and rejected registrations, and calls from registered programs can be
ascertained using Gateway Logging with indicator S.
Any error lines are put in the trace file dev_rd, and are not read in.
The reginfo file has the following syntax. There are two different syntax versions that you
can use (not together).
Version 1
A line in the file has the format:
TP=<tp> [HOST=<hostname>,...] [NO=<n>]
[ACCESS=<hostname,...>] [CANCEL=<hostname,...>]

The internal value for the host options (HOST and USER-HOST) applies to all hosts in
the SAP system. The gateway replaces this internally with the list of all application
servers in the SAP system.
Comment lines begin with #.
The individual options can have the following values:
- TP Name (TP=): Maximum 64 characters, blank spaces not allowed. The wild card
  character * stands for any number of characters; the entry * therefore means no
  limitation, fo* stands for all names beginning with fo; foo stands precisely for the
  name foo.
- Host Name (HOST=, ACCESS= and/or CANCEL=): The wild card character * stands for
  any host name, *.sap.com for a domain, sapprod for host sapprod. If the option is
  missing, this is equivalent to HOST=*.
- IP Addresses (HOST=, ACCESS= and/or CANCEL=): You can use IP addresses instead of
  host names. Examples of valid addresses are:
  - All address strings: 1.2.3.4, A:B:C:D:E:F:1:2, A:B:C:D:E:F:1.2.3.4, A:B
  - Standard address prefixes: 192.1.1.3/12, A:B:C:D:E:1:2/60
  - Old SAProuter wild cards: 192.1.1.*, 192.1.1.101xxxxx
- Number (NO=): Number between 0 and 65535. If the TP name has been specified
  without wild cards, you can specify the number of registrations allowed here.

Example
TP=Foo NO=1, that is, only one program with the name foo is allowed to register, all
further attempts to register a program with this name are rejected. If this addition is
missing, any number of servers with the same ID are allowed to log on.
ACCESS List
To control access from the client side too, you can define an access list for each entry.
This is a list of host names that must comply with the rules above. If no access list is
specified, the program can be used from any client. The local gateway where the
program is registered always has access.
What is important here is that the check is made on the basis of hosts and not at user
level.

Example
TP=foo ACCESS=*.sap.com
Program foo is only allowed to be used by hosts from domain *.sap.com. Access attempts
coming from a different domain will be rejected. Of course the local application server is
allowed access.
To permit registered servers to be used by local application servers only, the file must
contain the following entry.
TP=* ACCESS=local [CANCEL=local]
CANCEL List
To control the cancellation of registered programs, a cancel list can be defined for each
entry (same as for the ACCESS list). If no cancel list is specified, any client can cancel the
program. The local gateway where the program is registered can always cancel the
program.
In the gateway monitor (transaction SMGW) choose Goto > Logged On Clients, use
the cursor to select the registered program, and choose Goto > Logged On Clients >
Delete Client.

Note
The RFC library provides functions for closing registered programs. If this client does not
match the criteria in the CANCEL list, then it is not able to cancel a registered program.
No error is returned, but the number of cancelled programs is zero.
Examples of valid entries

Entry                   Meaning
TP=* HOST=*             All registrations allowed
TP=foo* HOST=*          Registrations beginning with foo (and not f or fo) are allowed
TP=foo*                 All registrations beginning with foo (but not f or fo) are allowed
                        (missing HOST rated as *)
TP=* HOST=*.sap.com     All registrations from domain *.sap.com are allowed
TP=* ACCESS=*.sap.com   Only clients from domain *.sap.com are allowed to communicate
                        with this registered program (and the local application server too)
TP=* ACCESS=local       Only clients from the local application server are allowed to
                        communicate with this registered program

Version 2
The format of the first line is #VERSION=2, all further lines are structured as follows:
P|D TP=<tp> [HOST=<hostname>,...] [NO=<n>]
[ACCESS=<hostname,...>] [CANCEL=<hostname,...>]

Here the line starting with P or D, followed by a space or a TAB, has the following
meaning:

P means that the program is permitted to be registered (the same as a line with
the old syntax)

D prevents this program from being registered on the gateway.

Example
#VERSION=2
P TP=cpict4 HOST=10.18.210.140
D TP=* HOST=10.18.210.140
P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost
P TP=cpict4
P TP=* USER=* HOST=internal

This file means:
- Program cpict4 is allowed to be registered if it arrives from the host with address
  10.18.210.140.
- All other programs from host 10.18.210.140 are not allowed to be registered.
- Program cpict2 is allowed to be registered, but can only be run and stopped from
  the local host or host ld8060.
- Program cpict4 is allowed to be registered by any host.
- Programs within the system are allowed to register.
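An added Python model (not SAP code) of how the secinfo and reginfo files of this section are evaluated, applied to the two version 2 example files above: lines are tried in file order and the first matching line decides; the host options support *, domain and address wild cards, address prefixes, local and internal; ACCESS and CANCEL lists are checked per client host. The INTERNAL_HOSTS and LOCAL_HOSTS sets, the case-sensitive comparison of names and the rule that no matching line means denied are assumptions of the model.

```python
"""Model of secinfo/reginfo evaluation: lines are tried in order, first match decides."""
import fnmatch
import ipaddress

# Hosts the gateway substitutes for "internal" (all application servers of the
# system) and "local" (its own host). Constructed sample values for the model.
INTERNAL_HOSTS = {"ld8060", "ld8061", "10.66.66.90", "10.66.66.91"}
LOCAL_HOSTS = {"ld8061", "10.66.66.91"}

# The two version 2 example files from this section.
SECINFO_V2 = """#VERSION=2
D HOST=* USER=* TP=/bin/sap/cpict4
P HOST=* USER=* TP=/bin/sap/cpict*
P TP=hugo HOST=local USER=*
P TP=* USER=* USER-HOST=internal HOST=internal
"""
REGINFO_V2 = """#VERSION=2
P TP=cpict4 HOST=10.18.210.140
D TP=* HOST=10.18.210.140
P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost
P TP=cpict4
P TP=* USER=* HOST=internal
"""


def parse_rules(text):
    """Return [(permit, {OPTION: value})] in file order.

    Without the #VERSION=2 header every entry is a permit line (version 1).
    Options are separated by blanks or commas and may appear in any order;
    a comma inside a value (ACCESS=a,b) is a host list and is kept.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    version2 = bool(lines) and lines[0] == "#VERSION=2"
    rules = []
    for line in (lines[1:] if version2 else lines):
        if line.startswith("#"):
            continue  # comment line
        permit = True
        if version2:  # P or D, then a blank or tab, then the options
            parts = line.split(None, 1)
            permit = parts[0] == "P"
            line = parts[1] if len(parts) > 1 else ""
        fields = {}
        for token in line.split():
            key, _, value = token.rstrip(",").partition("=")
            fields[key.upper()] = value
        rules.append((permit, fields))
    return rules


def host_matches(pattern_list, host):
    """True if host matches one entry of a comma-separated host option."""
    for pat in pattern_list.split(","):
        if pat == "*":
            return True
        if pat == "local" and host in LOCAL_HOSTS:
            return True
        if pat == "internal" and host in INTERNAL_HOSTS:
            return True
        if "/" in pat:  # address prefix such as 192.1.1.3/12
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(pat, strict=False):
                    return True
            except ValueError:
                continue  # host is a name, or pat is not a valid prefix
        elif fnmatch.fnmatchcase(host.lower(), pat.lower()):
            return True  # exact name, *.sap.com domain or 192.1.1.* style
    return False


def secinfo_decision(rules, user, user_host, host, tp):
    """May user, logged on from user_host, start program tp on host?
    No matching line is treated as denied (assumption of this model)."""
    for permit, f in rules:
        if (fnmatch.fnmatchcase(tp, f.get("TP", "*"))
                and fnmatch.fnmatchcase(user, f.get("USER", "*"))
                and host_matches(f.get("HOST", "*"), host)
                and host_matches(f.get("USER-HOST", "*"), user_host)):
            return permit
    return False


def reginfo_decision(rules, tp, host):
    """May a server with registration ID tp register from host? Returns the
    decision and the matching line's options (its ACCESS/CANCEL lists)."""
    for permit, f in rules:
        if fnmatch.fnmatchcase(tp, f.get("TP", "*")) and host_matches(f.get("HOST", "*"), host):
            return permit, f
    return False, None


def client_allowed(fields, option, client_host):
    """ACCESS or CANCEL check for one client host: a missing list means any
    client; the local gateway where the program is registered always may."""
    if client_host in LOCAL_HOSTS:
        return True
    return host_matches(fields.get(option, "*"), client_host)
```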

Title: Identity & Access Management Powerful access - StandardIdentity & Access Management Powerful access Standard
Version:

Page 35 of 61

11 Checking the Security Configuration of the Gateway
Use

To ensure that your configuration of security files secinfo and reginfo is free of errors,
while the system is running you can check that the files do not contain incorrect entries
by using the gateway trace file.
As described in the relevant sections there are two ways to define the files:
- The conventional way with no version specification (interpreted internally as
  VERSION=1)
- The new syntax with title line #VERSION=2 and P or D at the start of each line;
  conventional syntax lines start with a P in the new syntax.
Here you have to decide on the syntax for each file - mixed files are not accepted.

Prerequisites
You have maintained the security files, they are located in the correct directory, and
the Gateway has been restarted.

Procedure
Display the Gateway trace file dev_rd. You can do this using the gateway monitor
(transaction SMGW), the trace file display (transaction ST11), the management console,
or at operating system level.
Search for entries of type
*** WARNING => Errors found in ./secinfo
*** WARNING => Errors found in ./reginfo
that are written to standard trace level 1.

Then check the relevant file.

Example
The following examples show which error messages appear in the trace if the files are
not set up correctly.
Mixed File
Here the files have been created using the new syntax (with #VERSION=2), but contain
entries without P or D at the start of the lines.

#VERSION=2
TP=hugo PWD=secret HOST=local USER=*
D HOST=* USER=* TP=/bin/sap/cpict4
P HOST=* USER=* TP=/bin/sap/cpict*
HOST=local USER=* TP=*
D TP=hugo PWD=geheim HOST=local USER=*

#VERSION=2
P TP=cpict4 HOST=10.18.210.140
D TP=* HOST=10.18.210.140
TP=ABC NO=1
P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost
P TP=cpict4

GwIInitSecInfo: secinfo version = 2
*** ERROR => invalid first character T in ./secinfo line 2
*** ERROR => invalid first character H in ./secinfo line 5
*** WARNING => Errors found in ./secinfo
*** WARNING => Please correct the invalid entries
GwIRegInitRegInfo: reginfo version = 2
*** ERROR => invalid first character T in ./reginfo line 4
*** WARNING => Errors found in ./reginfo
*** WARNING => Please correct the invalid entry

Version specification is missing
Here the version specification is missing, but the new syntax is used in some lines.

TP=hugo PWD=geheim HOST=local USER=*
D HOST=* USER=* TP=/bin/sap/cpict4
P HOST=* USER=* TP=/bin/sap/cpict*
HOST=local USER=* TP=*
D TP=hugo PWD=geheim HOST=local USER=*

P TP=cpict4 HOST=10.18.210.140
D TP=* HOST=10.18.210.140
TP=ABC NO=1
P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost
P TP=cpict4

GwIInitSecInfo: secinfo version = 1
*** ERROR => invalid Permit/Deny in ./secinfo line 2 detected (first line should be #VERSION=2)
*** ERROR => invalid Permit/Deny in ./secinfo line 3 detected (first line should be #VERSION=2)
*** ERROR => invalid Permit/Deny in ./secinfo line 5 detected (first line should be #VERSION=2)
*** WARNING => Errors found in ./secinfo
*** WARNING => Please correct the invalid entries
GwIRegInitRegInfo: reginfo version = 1
*** ERROR => invalid Permit/Deny in ./reginfo line 1 detected (first line should be #VERSION=2)
*** ERROR => invalid Permit/Deny in ./reginfo line 2 detected (first line should be #VERSION=2)
*** ERROR => invalid Permit/Deny in ./reginfo line 4 detected (first line should be #VERSION=2)
*** ERROR => invalid Permit/Deny in ./reginfo line 5 detected (first line should be #VERSION=2)
*** WARNING => Errors found in ./reginfo
*** WARNING => Please correct the invalid entries
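The checks behind the trace messages above, re-implemented as an added Python example (not the gateway's own code) so that a file can be validated before it is loaded. The sample files are constructed copies of two of the examples in this section; line numbering and message texts follow the trace shown above.

```python
"""Re-implementation of the syntax checks the gateway applies when loading
secinfo and reginfo, producing trace lines in the format shown above."""
import re

PERMIT_DENY = re.compile(r"^[PD][ \t]")  # P or D, then a blank or a tab

# Constructed copies of the mixed secinfo and the version-less reginfo above.
SECINFO_MIXED = """#VERSION=2
TP=hugo PWD=secret HOST=local USER=*
D HOST=* USER=* TP=/bin/sap/cpict4
P HOST=* USER=* TP=/bin/sap/cpict*
HOST=local USER=* TP=*
D TP=hugo PWD=geheim HOST=local USER=*
"""
REGINFO_NO_VERSION = """P TP=cpict4 HOST=10.18.210.140
D TP=* HOST=10.18.210.140
TP=ABC NO=1
P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost
P TP=cpict4
"""


def check_security_file(name, text):
    """Return (version, trace_lines) for one security file.

    Version 2 (first line exactly #VERSION=2) requires every entry to start
    with P or D; version 1 rejects entries that start that way. Line numbers
    count physical lines including the version line, as in the trace above.
    Comment lines (#) and blank lines are not entries and are skipped.
    """
    lines = text.splitlines()
    version = 2 if lines and lines[0].strip() == "#VERSION=2" else 1
    trace = []
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if version == 2 and not PERMIT_DENY.match(line):
            trace.append(f"*** ERROR => invalid first character {line[0]} "
                         f"in {name} line {number}")
        elif version == 1 and PERMIT_DENY.match(line):
            trace.append(f"*** ERROR => invalid Permit/Deny in {name} line "
                         f"{number} detected (first line should be #VERSION=2)")
    if trace:  # only error lines so far
        trace.append(f"*** WARNING => Errors found in {name}")
        trace.append("*** WARNING => Please correct the invalid entries")
    return version, trace


def files_are_clean(files):
    """True when none of the (name, text) pairs produces an error, which is the
    condition to confirm in dev_rd before relying on the new configuration."""
    return all(not check_security_file(name, text)[1] for name, text in files)


if __name__ == "__main__":
    for name, text in (("./secinfo", SECINFO_MIXED), ("./reginfo", REGINFO_NO_VERSION)):
        version, trace = check_security_file(name, text)
        print(f"{name}: version = {version}")
        print("\n".join(trace) or "no errors")
```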

12 Configuration Parameters
Use
The parameters described here specify the basic settings of the SAP Gateway - startup,
execution of remote programs, tracing, etc.

Features
gw/startup
File containing statements to start programs when the gateway starts. This is useful if
CPIC/RFC server programs are always to run. When the gateway is restarted, these
programs are started as well.

To start programs on another host you can use a remote shell or a secure shell.

Default setting: (not specified)
Unit: File name
Dynamic: No

File syntax:
- Start program locally: local program [parameter ...]
- Starting a program on another computer (using remote shell, or the value of the
  gw/remsh parameter, or using secure shell or the value of gw/ssh):
  [REMSH|SSH] host name program [parameter ...]
- ;*! can be used as comment characters. The individual parameters in the file must be
  separated by tabs.
- For parameters gwhost and gwserv, macros $(GWHOST) and $(GWSERV) can be used. They
  are replaced by the current host name and gateway service (sapgw<xx>).
- With the GWCHECK option you can activate monitoring of the program started by the
  gateway. If the program terminates, it is automatically restarted by the gateway.

Example
In Windows options (starting with '-' ) or strings containing a '/' have to be placed within
quotation marks, for example:
hw1439 "/priv/cpict2" "-tp" cpict2 "-gwhost" p29290 "-gwserv" sapgw53
Example of a file:

; start local program (registers using ID cpicsrc on gateway
; running locally and responding to service sapgw53)
local /usr/sap/BIN/SYS/exe/run/cpicserver -tp cpicsrv -gwhost uw1033 -gwserv sapgw53
; start program remotely
hw1439 /usr/sap/BIN/SYS/exe/run/rfcserver -tp rfcsrv -gwhost uw1033 -gwserv sapgw53
; start remote program with remote shell
[REMSH] hw1439 /usr/sap/BIN/SYS/exe/run/rfcserver -tp rfcsrv -gwhost uw1033 -gwserv sapgw53
; start remote program with secure shell
SSH hw1439 /usr/sap/BIN/SYS/exe/run/rfcserver -tp rfcsrv -gwhost uw1033 -gwserv sapgw53
; start local program and switch on gateway monitoring. This monitoring is
; activated with keyword GWCHECK. If the program terminates, it is
; automatically restarted by the gateway.
local GWCHECK /usr/sap/BIN/SYS/exe/run/rfcserver -tp rfcsrv -gwhost uw1033 -gwserv sapgw53

gw/start_in_homedir
Determines the directory in which the gateway starts programs:
- 0: Start in work directory (work)
- 1: Start in home directory

Caution
This parameter is not valid for Microsoft Windows. Here, programs are always started in
the work directory.

Default setting: (not specified)
Unit: Truth value
Dynamic: Yes
gw/accept_remote_trace_level
Specifies whether the trace level of a CPIC or RFC connection should be transferred. In
order to prevent misuse, you can use this parameter to prevent the trace level from
being transferred within the gateway.
- 0: Trace level is not allowed to be accepted
- 1: Transfer trace level allowed

Default setting: (not specified)
Unit: Truth value
Dynamic: Yes

gw/rem_start
Determines how remote CPIC programs are to be started:
- REMOTE_SHELL: Start via remote shell
- SSH_SHELL: Start via secure shell
- REXEC: Start via rexec (UNIX only!)
- DISABLED: Deactivate remote activation of programs

Remote programs to be started via remote shell always run under the gateway
identification. If remote programs are started using rexec, they run under the
identification defined by the parameters SAPUSERNAME and SAPPASSWORD.

Default setting: REMOTE_SHELL
Unit: Special string
Dynamic: Yes (*)

(*) but only if changing the parameter affords increased security, thus REMOTE_SHELL ->
DISABLED or REXEC -> DISABLED is allowed, whereas DISABLED -> REMOTE_SHELL or
DISABLED -> REXEC is not.
gw/start_threshold
If programs are started using rexec, blockages may occur in the gateway. To make it
easier to analyze any blockages, a warning is written to the trace file once the start
has taken longer than the threshold of five seconds. This check is also made for remote
shell calls.
The value 0 deactivates this check.

Default setting: 5 (seconds)
Unit: Seconds
Dynamic: Yes

SAPUSERNAME
Identification for starting remote CPIC programs using rexec.

Default setting: (not specified)
Unit: Character string
Dynamic: No

SAPPASSWORD
Identification for starting remote CPIC programs using rexec.

Default setting: (not specified)
Unit: Character string
Dynamic: No

gw/remsh
Specifies the call path of the remote shell to start programs on other hosts. If the
variable USER is defined in the environment, its value is passed to the remote shell
as -l <value>.

Default setting:
  HP         /usr/bin/remsh
  Linux      /usr/bin/remsh
  SNI        /usr/bin/remsh
  AIX        /usr/ucb/remsh
  OSF1       /usr/ucb/rsh
  SUN        /bin/rsh
  OS/2       rsh
  Windows    rsh
  Otherwise  remsh
Unit: Data path
Dynamic: No

gw/ssh
Specifies the call path of the secure shell to start programs on other hosts.

Default setting:
  HP         usr/bin/ssh
  Linux      usr/bin/ssh
  AIX        /usr/ucb/ssh
  OSF1       /usr/ucb/ssh
  SUN        /bin/ssh
  OS/2       ssh
  Windows    ssh
  Otherwise  ssh
Unit: Data path
Dynamic: No

gw/stat
Determines the status of the gateway statistics after starting the gateway. The gateway
statistics can be evaluated using the gateway monitor (gwmon or transaction SMGW),
and can be changed dynamically.
- 0: Statistics deactivated
- 1: Statistics active

Default setting: (not specified)
Unit: Truth value
Dynamic: Yes

gw/monitor
This parameter determines whether the gateway should communicate with the monitor
locally or remotely.

- 0: No monitor commands allowed
- 1: Only monitor commands from the local monitors accepted
- 2: Commands from local and remote monitors accepted

Default setting: (not specified)
Unit: Integer: 0, 1, 2
Dynamic: Yes (*)

(*) but only if changing the parameter affords increased security, thus 2 -> 1 is allowed,
1 -> 2 is not allowed.
gw/logging
With this parameter you can configure gateway logging. You can specify whether the
gateway writes its actions to a log file, which types of actions are logged, and how the
file is renamed. You have the options to define a maximum size for the file, and to specify
whether old files are overwritten.

Recommendation
If the gateway is running in an AS ABAP instance, we recommend you make settings for
gateway logging in the gateway monitor (transaction SMGW). If you want to make
permanent logging settings so that it works again after the instance has been restarted,
you have to set this parameter in the profile.
You must set the parameter as follows:

gw/logging = LOGFILE=<name> ACTION=[TERSMPXVCO] [MAXSIZEKB=n] [SWITCHTF=t] [FILEWRAP=on]

The meaning of the individual elements is as follows:
- LOGFILE: File name of the log file
- ACTION: The character sequence (subset of TERSMPXVCO) specifies the actions to log.
- MAXSIZEKB (optional): Maximum file size. As soon as the file exceeds this size, a
  new file is opened, whereby the new file name can change if special characters are
  used. This happens unless a condition was specified for SWITCHTF that applies first.
- SWITCHTF (optional): Opens a new file after a specific time period, unless a
  condition was specified for MAXSIZEKB that applies first.
  The following values can be specified:
  - year: After one year a new file is opened
  - month: After one month
  - week: After one week
  - day: After one day
  - hour: After one hour
- FILEWRAP (optional): Reuse file. This parameter can only have the value ON. If this
  value is set, no new file is written, but the one already open is reset and rewritten
  to. The values for parameter LOGFILE are only used the first time the file is opened.

gw/prxy_info
Use this parameter to specify the proxy settings of the gateway.
For instance, you can specify restrictions for forwarding requests from other gateways.
Requests can be forwarded to other gateways if the gateway options are defined for the
RFC destination, or if load distribution is activated.
By making entries in the file you can permit or deny processing of requests from specific
gateways.
Each line indicates permitted or denied connections. Each line must have the following
syntax:
P|D SOURCE=hosta DEST=hostb

The first character must be a P (permit) or a D (deny).
- P: These entries indicate permitted connections.
- D: These entries indicate denied connections.

For SOURCE and DEST, lists of host names, IP addresses, subnetwork masks and/or
domain names can be specified. These entries must be separated by a comma.
A port number can also be included. If it is, then only requests from the specified system
are accepted or rejected. The port number must be the number of the gateway, for
example, 3300 for the system with number 00. Wild cards are not permitted.

Example
P SOURCE=saphosta DEST=saphostb
D SOURCE=saphosta:3300 DEST=saphostb
D SOURCE=10.18.54.56 DEST=10.18.55.*
P SOURCE=*.sap.com DEST=*.sap.com
P SOURCE=*.sap.com,*sap.corp DEST=*
If a request arrives from another gateway and is to be forwarded, the file is searched
sequentially and stopped at the first matching entry. In accordance with the entry, the
request is forwarded or rejected.
If no matching entry is found, the request is rejected.
If the file does not exist, all requests are forwarded.

Default setting: /usr/sap/<SID>/<instance>/data/prxyinfo
Unit: File name
Dynamic: No
13 Gateway Parameters Reference

The Gateway is started within an instance of the dispatcher. It reads its parameters from
the profile file stored in the profile directory. In standalone operation the Gateway is
started from the command line or using the administration tools (SAP Management
Console).
You can change the following parameters in the gateway.
Some parameters can be changed (dynamically) in production operation (in
transaction RZ11 or in the gateway monitor, transaction SMGW, Goto > Parameter >
Change).
Table 1: Gateway Parameters - Reference
(A dash in the Default value column means that no default is given here.)

Parameter                     Description                                               Default value
----------------------------  --------------------------------------------------------  -------------

gw/accept_remote_trace_level  Specifies whether the trace level of a CPIC or RFC        -
                              connection should be transferred.
                              (configuration parameter)

gw/accept_timeout             Maximum allowed time period for the login process of a    60 seconds
                              server program. (timeout parameter)

gw/acl_file                   Specifies the name of an access control list (ACL) file.  No ACL file is used
                              (security parameter)

gw/acl_mode                   Defines the behavior of the gateway if no ACL file        -
                              (gw/sec_info or gw/reg_info) exists.
                              (security parameter)

gw/alternative_hostnames      List of alternative host names for the local host.        No alternative host names
                              (network parameter)

gw/close_routes               Period (in seconds) after which a route to a remote       120 seconds
                              gateway through which a CPIC connection is open is
                              closed. (timeout parameter)

gw/conn_disconnect            Maximum number of seconds for which an active             900 seconds
                              connection can remain in the status DISCONNECT or
                              DISCONNECTED. (timeout parameter)

gw/conn_pending               Maximum number of seconds for which a connection can      60 seconds
                              remain in the status CONN_PENDING. (timeout parameter)

gw/cpic_timeout               Maximum wait time for a connection setup.                 20 seconds
                              (timeout parameter)

gw/deallocate_timeout         Time period in which the network connection for a         600 seconds
                              DEALLOCATE must be closed. (timeout parameter)

gw/frag_timeout               Timeout for incomplete network write operations.          120 seconds
                              (timeout parameter)

gw/gw_disconnect              Maximum number of seconds for which a GW-GW connection    1800 seconds
                              can remain inactive. (timeout parameter)

gw/internal_timeout           Timeout value for NiRead and NiWrite calls.               0 milliseconds
                              (timeout parameter)

gw/keepalive                  Maximum time period (in seconds) before the system        300 seconds
                              checks, using a ping, whether the partner is still
                              alive when there is no data transfer across a CPIC
                              connection. (timeout parameter)

gw/listen_queue_len           Length of the queue in which the operating system         512
                              keeps connection requests while the connection is
                              being set up. (parameter for resource management)

gw/local_addr                 Local IP address on which the gateway listens.            -
                              (network parameter)

gw/logging                    Configures gateway logging.                               see detailed parameter documentation
                              (configuration parameter)

gw/max_conn                   Maximum number of connections that can be active at       500
                              a time. (parameter for resource management)

gw/max_conn_per_dest          Number of TCP/IP connections to a remote gateway or       10
                              ABAP application server that can be opened in
                              parallel. (parameter for resource management)

gw/max_overflow_size          Size of the overflow area in bytes.                       10000000 bytes (10 MB)
                              (parameter for resource management)

gw/max_overflow_usage         Usage of the overflow area, as a percentage, from         20 %
                              which the gateway slows down its clients, that is,
                              sends SYNC requests.
                              (parameter for resource management)

gw/max_sleep                  Maximum time in seconds for which the gateway read        20 seconds
                              process sleeps on the select. (timeout parameter)

gw/max_sys                    Maximum number of clients connected at a time.            300
                              (parameter for resource management)

gw/monitor                    Determines whether the gateway should communicate         1
                              with the monitor locally or remotely.
                              (configuration parameter)

gw/netstat_once               In high availability solutions IP addresses can move      1
                              from one host to another, so the entries read when
                              the gateway was started may no longer be valid. In
                              such cases the current configuration must always be
                              read using the command when testing for a local IP
                              address. (network parameter)

gw/nibuf_max                  Number of entries in the host name buffer. Used by        -
                              the NI interface. (network parameter)

gw/nibuf_retry                Time period after which invalid entries are deleted       -
                              from the host name buffer. Used by the NI interface.
                              (timeout parameter)

gw/nifragtest                 Tests fragmentation on the network layer.                 -
                              (network parameter)

gw/nitrace                    Activates or deactivates the trace for NI connections.    -
                              (network parameter)

gw/prxy_info                  Specifies the proxy settings of the gateway.              /usr/sap/<SID>/<instance>/data/prxyinfo
                              (configuration parameter)

gw/reg_info                   File with the security information for registered         <Data directory>/reginfo
                              programs. (security parameter)

gw/reg_keepalive              Maximum time period in seconds before the system          300 seconds
                              checks, using a ping, whether the partners of a
                              registered server program in the status WAITING are
                              still alive. (timeout parameter)

gw/reg_lb_default             Default load value for a server whose IP address          20
                              cannot be found in the list.
                              (load balancing parameter)

gw/reg_lb_ip                  Load value for an IP address or for a range of IP         see detailed parameter documentation
                              addresses. (load balancing parameter)

gw/reg_lb_level               Type of load balancing for registered programs.           -
                              (load balancing parameter)

gw/reg_timeout                Maximum wait time for setting up the connection with      60 seconds
                              a registered program. (timeout parameter)

gw/remsh                      Call path of the remote shell used to start programs      see detailed parameter documentation
                              on other hosts. (configuration parameter)

gw/rem_start                  Determines how remote CPIC programs are started.          REMOTE_SHELL
                              (configuration parameter)

gw/req_stack_size             Number of CPIC requests that can be stacked for each      30
                              CPIC connection. (parameter for resource management)

gw/resolve_phys_addr          Specifies whether the gateway resolves the names of       Perform name resolution
                              IP addresses.

gw/resolve_timeout            Activates a time measurement for the network lookup       0 milliseconds
                              calls (host name to IP address, service name to port
                              number). (timeout parameter)

gw/sec_info                   File with the security information.                       <Data directory>/secinfo
                              (security parameter)

gw/so_keepalive               Activates the socket option KEEPALIVE for the             -
                              network connections. (network parameter)

gw/ssh                        Call path of the secure shell used to start programs      see detailed parameter documentation
                              on other hosts. (configuration parameter)

gw/start_in_homedir           Determines the directory in which the gateway starts      -
                              programs. (configuration parameter)

gw/start_threshold            If programs are started using rexec, blockages may        5 seconds
                              occur in the gateway. To make such blockages easier
                              to analyze, a warning is written to the trace file
                              once a start takes longer than the defined time.
                              (configuration parameter)

gw/startup                    File containing statements to start programs when the     -
                              gateway starts. (configuration parameter)

gw/stat                       Determines the status of the gateway statistics after     -
                              starting the gateway. (configuration parameter)

gw/tcp_security               (security parameter)                                      -

gw/timeout                    Timeout value for establishing connections to other       0 milliseconds
                              gateways. (timeout parameter)

snc/enable                    Specifies whether the gateway accepts connections         0
                              that protect the data via SNC. (security parameter)

snc/gssapi_lib                Path of the shared library of the security system in      -
                              use. (security parameter)

snc/identity/as               Identity of the gateway application server.               -
                              (security parameter)

snc/permit_common_name        Specifies whether the gateway can use the default SNC     0
                              name given by snc/identity/as if an SNC name for the
                              connection cannot be read from the secinfo file.
                              (security parameter)

snc/permit_insecure_comm      Specifies whether the gateway accepts connections         0
                              without SNC. (security parameter)

snc/permit_insecure_start     Specifies whether the gateway may establish               0
                              connections with programs that communicate without
                              SNC. (security parameter)

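As an added example (not part of this standard and not SAP code), the following script parses an instance profile and checks the security-relevant parameters from the table above against a small baseline. Both profiles are constructed. The expected values (gw/acl_mode = 1, gw/monitor not 2, gw/rem_start not REMOTE_SHELL, gw/sec_info and gw/reg_info set explicitly, gw/logging configured, and with snc/enable = 1 neither snc/permit_insecure_comm nor snc/permit_insecure_start set to 1) are this example's baseline choices, not values taken from the table. The gw/logging value in the hardened profile only illustrates the ACTION/LOGFILE/SWITCHTF/MAXSIZEKB format; which ACTION flags to enable is to be taken from the parameter documentation the table refers to.

```python
"""Check an SAP instance profile against gateway security baseline values.

Added example for this standard, not SAP code.  It parses the profile
format (key = value, lines starting with '#' are comments, a later line
overrides an earlier one) and reports deviations from a small baseline.
The sample profiles are constructed; the expected values are this
example's choices, not values taken from the parameter reference.
"""
from typing import Dict, List, Optional

# Constructed weak profile.  gw/acl_mode appears twice on purpose: the last
# assignment in a profile wins, so the hardened value is silently overridden.
WEAK_PROFILE = """\
# constructed instance profile with weak gateway settings
SAPSYSTEMNAME = PRD
INSTANCE_NO = 00
gw/acl_mode = 1
gw/sec_info = $(DIR_DATA)/secinfo
gw/monitor = 2
gw/rem_start = REMOTE_SHELL
snc/enable = 1
snc/permit_insecure_comm = 1
gw/acl_mode = 0
"""

# Constructed hardened profile; the gw/logging value only illustrates the
# parameter's ACTION/LOGFILE/SWITCHTF/MAXSIZEKB format.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NO = 00
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
gw/acl_mode = 1
gw/monitor = 1
gw/rem_start = SSH_SHELL
gw/logging = ACTION=SsPXxMZ LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100
snc/enable = 1
snc/permit_insecure_comm = 0
snc/permit_insecure_start = 0
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Return the effective parameter values; a later line overrides an earlier one."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params


def check_gateway_baseline(params: Dict[str, str]) -> List[str]:
    """One finding per violated baseline rule; an empty list means compliant."""
    findings: List[str] = []

    def require(key: str, expected: str, why: str, default: Optional[str] = None) -> None:
        actual = params.get(key, default)
        if actual != expected:
            shown = "<unset>" if actual is None else actual
            findings.append(f"{key} = {shown}: {why}")

    # Both ACL files must be named explicitly rather than left to the kernel default.
    for key in ("gw/sec_info", "gw/reg_info"):
        if key not in params:
            findings.append(f"{key} = <unset>: ACL file location left to the kernel default")
    require("gw/acl_mode", "1", "gateway is not restrictive when an ACL file is missing")
    if params.get("gw/monitor") == "2":
        findings.append("gw/monitor = 2: gateway monitoring is allowed from remote hosts")
    # The table gives REMOTE_SHELL as the default, so an unset parameter is as
    # weak as an explicit one; SSH_SHELL uses the secure shell from gw/ssh.
    if params.get("gw/rem_start", "REMOTE_SHELL") == "REMOTE_SHELL":
        findings.append("gw/rem_start = REMOTE_SHELL: remote programs are started via "
                        "the remote shell (gw/remsh); use SSH_SHELL with gw/ssh")
    if "gw/logging" not in params:
        findings.append("gw/logging = <unset>: gateway logging is not configured")
    if params.get("snc/enable") == "1":
        # Both default to 0 per the table, so only an explicit 1 is a finding.
        require("snc/permit_insecure_comm", "0",
                "connections without SNC are still accepted", default="0")
        require("snc/permit_insecure_start", "0",
                "programs that communicate without SNC may still be started", default="0")
    return findings
```

The weak profile sets gw/acl_mode twice. Because the last assignment in a profile wins, the hardened value on the earlier line is silently overridden, which is why the check evaluates the effective value after reading the whole file instead of stopping at the first match. The same reasoning applies to gw/rem_start: the table gives REMOTE_SHELL as the default, so a profile that does not mention the parameter is as weak as one that sets it explicitly.
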