Configuring Connections between Gateway and External Programs Securely

Use

To ensure the SAP gateway operates securely, you must pay particular attention to its interaction with external programs. You can configure the Gateway so that undesirable external programs cannot be started or registered.

There are two ways to do this:

  • Logging-based configuration

    To ensure that SAP programs required for system operation are not blocked by a configuration that is too restrictive, first configure the security files to allow all connections and monitor the Gateway using gateway logging. This gives you an overview of which programs need to be allowed; you can then edit the secinfo and reginfo configuration files accordingly.

    For more information about the procedure, see Setting Up Logging-Based Configuration.

  • Restrictive configuration (secure configuration)

    You configure the Gateway so that initially only system-internal programs can be started and registered.

    After that you can add programs you want to allow to the secinfo and reginfo configuration files.

Prerequisites

The parameters have the following value (default setting):

gw/sec_info = $(DIR_DATA)/secinfo

gw/reg_info = $(DIR_DATA)/reginfo

If they have a different value, change them to the value above. If you want to configure other file paths for the files, set the parameters accordingly.

Parameter gw/acl_mode has the following value (default setting):

gw/acl_mode = 1

Procedure

To set up the recommended secure SAP gateway configuration, proceed as follows:

  1. Check the secinfo and reginfo files. To do this, in the gateway monitor (transaction SMGW) choose Goto > Expert Functions > External Security > Display (secinfo) or Display (reginfo).

    To enable system-internal communication, the files must contain the following entries.

    • secinfo

      P TP=* USER=* USER-HOST=local HOST=local

      P TP=* USER=* USER-HOST=internal HOST=internal

      This means that programs on the gateway host can be started by the gateway host, and that programs within the system can be started from the system.

    • reginfo

      P TP=* HOST=local CANCEL=local ACCESS=*

      P TP=* HOST=internal CANCEL=internal ACCESS=*

      This means that programs from the gateway host can register, and that programs within the system can register.

    If the files do not exist, the system behaves as if these entries were present.

  2. Extend these files as required. Enable the configured RFC destinations (transaction SM59) as required by making the relevant entries in the secinfo file.

    To do this, proceed as follows:

    1. Look at the current secinfo file. In the gateway monitor (transaction SMGW) choose Goto > Expert Functions > External Security > Display (secinfo). Here you can check whether the file complies with your requirements.

    2. To add further entries to the file, choose Goto > Expert Functions > External Security > Create (secinfo).

    3. In the following dialog box select the relevant entries, and choose Save Selected Entries in File.

      The lines in the file appear in a new dialog box.

    4. Choose Save Entries in File.

      If the file already exists, you can decide whether you want to replace this file with the selected entries, or whether to add the selected entries to this file.

    5. Decide whether the changes are to be activated immediately or not. If not, you can activate them at any time by choosing Goto > Expert Functions > External Security > Reread.

    6. Check your secinfo file.

      Choose Display ACL File.

You can maintain the secinfo file at operating system level too, and reread it in transaction SMGW (Goto > Expert Functions > External Security > Reread).
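Because the files can also be maintained at operating system level, it is useful to check them before a reread. The following added example (not SAP's own tooling) parses a secinfo or reginfo file in the line format shown in step 1, verifies that the two system-internal entries are present, and flags permit rules that allow any program (TP=*) from any host. It assumes that a rule with no HOST or USER-HOST field is unrestricted; the sample secinfo content is constructed.

```python
# Added example, not SAP's own tooling. Assumes the line format shown on this page:
# a 'P' (permit) or 'D' (deny) flag followed by KEY=VALUE pairs; '#' starts a comment.
def parse_acl(text):
    """Parse secinfo/reginfo text into (action, fields) tuples; skips blanks and comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        action = tokens[0].upper()
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: expected P or D, got {tokens[0]!r}")
        fields = {}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: malformed token {tok!r}")
            fields[key.upper()] = val
        rules.append((action, fields))
    return rules

# The system-internal entries that step 1 of the procedure requires in each file.
REQUIRED_SECINFO = [
    {"TP": "*", "USER": "*", "USER-HOST": "local", "HOST": "local"},
    {"TP": "*", "USER": "*", "USER-HOST": "internal", "HOST": "internal"},
]
REQUIRED_REGINFO = [
    {"TP": "*", "HOST": "local", "CANCEL": "local", "ACCESS": "*"},
    {"TP": "*", "HOST": "internal", "CANCEL": "internal", "ACCESS": "*"},
]

def missing_internal_entries(rules, required):
    """Return the required entries that no permit rule in the file reproduces exactly."""
    present = [fields for action, fields in rules if action == "P"]
    return [req for req in required if req not in present]

def overly_permissive(rules):
    """Permit rules that let any program (TP=*) start or register from any host:
    '*' in HOST or USER-HOST, or no host field at all (assumed unrestricted here)."""
    flagged = []
    for action, fields in rules:
        if action == "P" and fields.get("TP") == "*":
            hosts = [v for k, v in fields.items() if k in ("HOST", "USER-HOST")]
            if not hosts or "*" in hosts:
                flagged.append(fields)
    return flagged

SAMPLE_SECINFO = """# constructed sample: the two internal entries plus one wide-open line
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
P TP=* USER=* USER-HOST=* HOST=*
"""
```

Run the same two checks against the reginfo file with REQUIRED_REGINFO; a deny rule (D) is never flagged, since it only narrows what the permit rules allow.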