Select language:

Security Settings for the SAP Message Server

Use

As the central communication component in an SAP system network, the message server should be protected against unwanted external access.

You can make the following settings to increase the security when the SAP message server is running.

  • Separate Internal and External Message Server Communication

  • Access Control List (ACL) for Application Servers

  • Access Control List (ACL) for Network Connections

  • Administration Using Profile Parameters

For more information, see SAP Note 821875 Information published on SAP site.

Features

Separate Internal and External MS Communication

To prevent unwanted clients pretending to the message server to be application servers, you must use parameterrdisp/msserv_internal = <no.>. Value 0 (default setting) means that a separate port is not used for internal communication.

For internal communication a different data channel is used from the one used for external communication, where external clients only have read-only access.

The message server opens another port <nr>, in addition to its own port sapms<SID> (rdisp/msserv), which is used for internal communication with the application servers. This port must be used to log on to an application server. Application servers that log on through the "normal" port sapms<SID> are denied access (MSEACCESSDENIED).

Caution

If you want to use this parameter, you must define it on the central system and it must have the same value on all application servers.

The normal sapms<SID> port can still be used for queries. Load distribution functions and the retrieval of application server lists and logon groups are not affected.

Access Control List (ACL) for Application Servers

With parameter ms/acl_info you can specify a file with access authorizations to the message server. If this file exists, it must include all host names, domains, IP addresses and/or subnetwork masks from which application servers are allowed to log on to the message server.

The names can be either put in a list or written in separate lines.

This file has no affect on external clients that only want to get information from the message server. They can still do this.

The entries must have the following syntax:

HOST=[* | IP address | host name | subnetwork mask | domain ] [, . . .]

You create the file at operating system level. You can then display and reload the file in the message server monitor (SMMS). Choose Start of the navigation path Goto Next navigation step Security Settings Next navigation step Access Control End of the navigation path.

Example

HOST = sapapp1, sappapp2 means: (Only logons from sapapp1 and sapapp2 are allowed).

HOST = *.sap.com means: (All host names are allowed from sap.com).

HOST = 157.23.45.56, 157.23.45.57 means: Only hosts with these IP addresses are allowed.

HOST = 157.23.45.* means: All hosts from this subnetwork are allowed.

Access Control List (ACL) for Network Connections

With an ACL (Access Control List) you can control which hosts are permitted to open a connection to the message server. A separate ACL can be used for each port on the message server.

If you want to look at the syntax of the ACL file, you can find the relevant link under More Information.

You use the following profile parameters for the different message server ports.

Parameter

Port

ms/acl_file_admin

Administration port on the message server, which is set with parameter ms/admin_port (see above).

ms/acl_file_ext

External port on the message server, which all clients can use. This port is set with parameter rdisp/msserv.

ms/acl_file_extbnd

Port number under which an external binding program (icmbnd) has to log on to in order to bind a port. This port is set with parameter rdisp/extbnd_port.

ms/acl_file_int

External port on the message server, which is set with parameter rdisp/msserv_internal (see above).

ms/server_port_<xx>

This parameter identifies the message server port at which HTTP(S) requests can arrive.

The character string has the following syntax:

PROT=<protocol name>, PORT=<port or service name>[, TIMEOUT=<timeout>, PROCTIMEOUT=<proctimeout>, EXTBIND=1, HOST=<host name>, SSLCONFIG=ssl_config_<xx>, VCLIENT=<SSL client verification>, ACLFILE= <ACL file>]

Option ACLFILE specifies the file that is used as the access control list (ACL). If the profile parameter is set, the file must exist and its syntax be correct.

Unlike with parameter icm/server_port_<xx> the following options are ignored:

  • KEEPALIVE

  • VCLIENT

  • TIMEOUT

Furthermore, only HTTP and HTTPS protocols are accepted - an error message is generated for any other protocol.

The parameter replaces parameters ms/http_port and ms/https_port, which were used earlier.

Do not use these parameters for the message server any longer. These parameters are only needed by the SAP Web Dispatcher.

Administration Using Profile Parameters

ms/monitor

With parameter ms/monitor you can specify that only application servers can modify the internal status of the message server. The external msmon monitoring program then has restricted access. The parameter can have the following values:

  • 0: Only application servers are allowed to change the internal memory of the message server and perform monitoring functions (default value).

  • 1: External (monitoring ) programs are also allowed to do this.

ms/admin_port

With parameter ms/admin_port = <no.> (default value 0) you can open and close TCP ports of the message server for administration. An external client can connect to the message server through this port to carry out administration tasks on the message server. By default, administration from external programs is deactivated (ms/monitor = 0). To enable this for individual programs, a special port can be opened. Clients that log on to the message server through this port are allowed to carry out all administration tasks.

The parameter can be changed dynamically. A value smaller or equal to 0 closes the admin port again. If you have administrator authorization, you can see this parameter in the parameter list.

To open, change, or close the admin port in productive operation, in the message server monitor (transaction SMMS) choose Start of the navigation path Goto Next navigation step Security Settings Next navigation step Admin Port. End of the navigation path