SAP Gateway: Security Files secinfo and reginfo

Use

The secinfo security file is used to prevent unauthorized launching of external programs.

File reginfo controls the registration of external programs in the gateway.

You define the file paths using the profile parameters gw/sec_info and gw/reg_info. The default values are:

gw/sec_info = $(DIR_DATA)/secinfo

gw/reg_info = $(DIR_DATA)/reginfo

When the gateway is started, it reads both security files. You can make dynamic changes by changing, adding, or deleting entries in the files; the change takes effect as soon as the security files are reloaded (see below), without a restart of the gateway.

Displaying and Editing Security Files

There are various tools with different functions provided to administrators for working with security files.

  • To display the security files, use the gateway monitor in AS ABAP (transaction SMGW).

    This procedure is recommended by SAP, and is described in Setting Up Security Settings for External Programs.

  • To edit the security files, you can use the Gateway ACL editor. In the gateway monitor (transaction SMGW), choose Goto → Expert Functions → External Security → Maintenance of ACL Files.

    You must keep precisely to the syntax of the files, which is described below.

    There are two different syntax versions for both files. Syntax version 1 can only permit: it does not allow a program to be explicitly forbidden from being started or registered. As an alternative you can therefore use syntax version 2, which follows the model of the route permission table of the SAProuter. If you use this syntax, the whole file must be structured accordingly and the first line must contain the entry #VERSION=2 (written precisely in this format).

    Once you have completed the change, you can reload the files without having to restart the gateway. To do this, in the gateway monitor (transaction SMGW) choose Goto → Expert Functions → External Security → Maintenance of ACL Files, and from there Goto → Reread.

Structure

secinfo

The following syntax is valid for the secinfo file.

Version 1

A line in the file has the format:

TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]

The order of the options is not mandatory. As separators you can use commas or spaces; if the TP name itself contains spaces, you must use commas.

Use a line of this format to allow the user <user> to start the <tp> program on the host <host>.

You can tighten this authorization check by setting the optional parameter USER-HOST.

The value internal for the host options (HOST and USER-HOST) stands for all hosts in the SAP system: the gateway replaces it internally with the list of all application servers of the SAP system.

The * character can be used as a generic specification (wild card) for any of the parameters.

If USER-HOST is not specified, the value * is assumed.

Version 2

The format of the first line is #VERSION=2, all further lines are structured as follows:

P|D TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]

Here the line starting with P or D, followed by a space or a TAB, has the following meaning:

  • P means that the program is permitted to be started (the same as a line with the old syntax)

  • D prevents this program from being started.

The order of the remaining entries is of no importance.
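The following Python script is an added example (it is not part of the SAP documentation) that parses a secinfo file in either syntax version and evaluates a start request against it. The file contents, program paths, user and host names, and the APP_SERVERS set that stands in for the gateway's own list of application servers (the meaning of internal) are constructed for the illustration. It assumes that, as in the SAProuter route permission table that version 2 is modelled on, the first matching line decides and a request that matches no line is denied; it also shows why a version 1 file cannot carve an exception out of a blanket permission.

```python
import re
from dataclasses import dataclass

# Constructed sample secinfo in version 2 syntax (illustration, not a file from the page).
# Program paths, user and host names are invented.
SECINFO_V2 = """\
#VERSION=2
# Explicitly forbid starting a shell from anywhere, whoever asks for it.
D TP=/bin/sh USER=* HOST=*
# The batch user may start rfcexec on any application server, from any application server.
P TP=rfcexec USER=batchadm HOST=internal USER-HOST=internal
# A TP name containing a blank must be separated from the next option by a comma.
P TP=/usr/sap/PRD/scripts/backup full.sh, USER=sapadm, HOST=sapprod, USER-HOST=sapprod
# Final catch-all: everything not permitted above is denied.
D TP=* USER=* HOST=*
"""

# Version 1 can only permit; no line can exclude /bin/sh from this blanket permission.
SECINFO_V1 = "TP=* USER=* HOST=*\n"

# Hypothetical application servers of the system; the gateway substitutes them for 'internal'.
APP_SERVERS = {"sapprod", "sapapp01", "sapapp02"}

KEYS = ("TP", "USER-HOST", "USER", "HOST")  # USER-HOST before USER so the longer key is tried first
KEY_RE = re.compile(r"(?:^|[,\s])(" + "|".join(map(re.escape, KEYS)) + r")=")


@dataclass
class SecRule:
    action: str    # 'P' permit or 'D' deny
    fields: dict   # TP, USER, HOST, USER-HOST -> pattern


def glob_match(pattern, value, is_host=False):
    """'*' matches any run of characters; for host options 'internal' matches every app server."""
    if is_host and pattern == "internal":
        return value in APP_SERVERS
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def parse_fields(text):
    """Split 'KEY=value' options given in any order, separated by commas or blanks."""
    matches = list(KEY_RE.finditer(text))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[m.group(1)] = text[m.end():end].strip(" \t,")
    return fields


def parse_secinfo(text):
    """Return (syntax_version, rules). Comment lines start with '#'."""
    lines = text.splitlines()
    version = 2 if lines and lines[0] == "#VERSION=2" else 1   # must be written precisely
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if version == 2:
            parts = re.split(r"[ \t]+", line, maxsplit=1)      # P|D, then a blank or TAB
            if len(parts) != 2 or parts[0] not in ("P", "D"):
                raise ValueError(f"version 2 line must start with P or D: {line!r}")
            action, rest = parts
        else:
            action, rest = "P", line                            # version 1 lines can only permit
        fields = parse_fields(rest)
        missing = {"TP", "USER", "HOST"} - fields.keys()
        if missing:
            raise ValueError(f"missing {sorted(missing)} in {line!r}")
        fields.setdefault("USER-HOST", "*")                     # omitted USER-HOST counts as '*'
        rules.append(SecRule(action, fields))
    return version, rules


def may_start(rules, tp, user, host, user_host):
    """Decide a start request. Assumption: the first matching line wins; no match means deny."""
    request = {"TP": tp, "USER": user, "HOST": host, "USER-HOST": user_host}
    for rule in rules:
        if all(glob_match(rule.fields[k], request[k], k in ("HOST", "USER-HOST")) for k in request):
            return rule.action == "P"
    return False


if __name__ == "__main__":
    _, rules = parse_secinfo(SECINFO_V2)
    print(may_start(rules, "/bin/sh", "sapadm", "sapprod", "sapprod"))                 # False
    print(may_start(rules, "rfcexec", "batchadm", "sapapp01", "sapapp02"))             # True
    print(may_start(parse_secinfo(SECINFO_V1)[1], "/bin/sh", "anyone", "x", "y"))     # True
```

The deny line for /bin/sh sits above the permit lines because only the first match counts under this model; the same deny placed after the permits would never be reached. Whether a real gateway applies exactly this order is not stated on this page and should be verified against the release notes of the kernel in use.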

reginfo

Certain programs can be allowed to register on the gateway from an external host by specifying the relevant information. You can also control access to the registered programs and cancel registered programs.

As soon as a program has registered with the gateway, the attributes of the matching entry (in particular ACCESS) are attached to the registered program. If the file is changed afterwards and the new entries are activated immediately, servers that are already registered keep the old attributes. To give registered programs the new settings too (if they have changed at all), the servers must first be deregistered and then register again.

Successful and rejected registrations, and calls from registered programs can be ascertained using Gateway Logging with indicator S.

Lines with syntax errors are written to the trace file dev_rd and are not read in.

The reginfo file has the following syntax. There are two different syntax versions; a file must use one or the other, not both.

Version 1

A line in the file has the format:

TP=<tp> [HOST=<hostname>,...] [NO=<n>] [ACCESS=<hostname,...>] [CANCEL=<hostname,...>]

The value internal for the host options (HOST=, ACCESS=, and CANCEL=) stands for all hosts in the SAP system: the gateway replaces it internally with the list of all application servers of the SAP system.

Comment lines begin with #

The individual options can have the following values:

  • TP Name (TP=): Maximum 64 characters, blank spaces not allowed. The wild card character * stands for any number of characters; the entry * therefore means no limitation, fo* stands for all names beginning with fo; foo stands precisely for the name foo.

  • Host Name (HOST=, ACCESS= and/or CANCEL=): The wildcard character * stands for any host name, *.sap.com for a domain, sapprod for host sapprod. If the option is missing, this is equivalent to HOST=*.

  • IP Addresses (HOST=, ACCESS= and/or CANCEL=): You can use IP addresses instead of host names. Examples of valid addresses are:

    • Complete addresses: 1.2.3.4, A:B:C:D:E:F:1:2, A:B:C:D:E:F:1.2.3.4, A::B

    • Address prefixes: 192.1.1.3/12, A:B:C:D:E:1:2/60

    • Old SAProuter wildcards: 192.1.1.*, 192.1.1.101xxxxx

  • Number (NO=): Number between 0 and 65535. If the TP name is specified without wildcards, you can limit the number of registrations allowed for this program here.

ACCESS List

To control access from the client side too, you can define an access list for each entry. This is a list of host names that must comply with the rules above. If no access list is specified, the program can be used from any client. The local gateway where the program is registered always has access.

What is important here is that the check is made on the basis of hosts and not at user level.

To permit registered servers to be used by local application servers only, the file must contain the following entry.

TP=* ACCESS=local [CANCEL=local]

CANCEL List

To control the cancellation of registered programs, a cancel list can be defined for each entry (same as for the ACCESS list). If no cancel list is specified, any client can cancel the program. The local gateway where the program is registered can always cancel the program.

To cancel a registered program manually, in the gateway monitor (transaction SMGW) choose Goto → Logged On Clients, place the cursor on the registered program, and choose Goto → Logged On Clients → Delete Client.

Examples of valid entries

TP=* HOST=*
    All registrations allowed.

TP=foo* HOST=*
    Registrations of programs whose names begin with foo (but not f or fo) are allowed from any host.

TP=foo*
    Same as the previous entry: a missing HOST is rated as *.

TP=* HOST=*.sap.com
    Registrations from hosts in the domain sap.com are allowed.

TP=* ACCESS=*.sap.com
    Only clients from the domain sap.com (and the local application server) are allowed to communicate with this registered program.

TP=* ACCESS=local
    Only clients from the local application server are allowed to communicate with this registered program.

Version 2

The format of the first line is #VERSION=2, all further lines are structured as follows:

P|D TP=<tp> [HOST=<hostname>,...] [NO=<n>] [ACCESS=<hostname,...>] [CANCEL=<hostname,...>]

Here the line starting with P or D, followed by a space or a TAB, has the following meaning:

  • P means that the program is permitted to be registered (the same as a line with the old syntax)

  • D prevents this program from being registered on the gateway.
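The following Python script is an added example (it is not part of the SAP documentation) that covers the reginfo material above: it parses a version 2 reginfo file, matches HOST/ACCESS/CANCEL entries written as host names, domain wildcards, IP addresses, prefixes and old-style 192.1.1.* wildcards, enforces the NO= limit, and checks ACCESS and CANCEL per client host. The file contents, program and host names, addresses, the LOCAL_GATEWAY host and the APP_SERVERS set (what internal expands to) are constructed for the illustration; first-match evaluation is an assumption, and name resolution is left out, so names are compared with names and addresses with addresses.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample reginfo in version 2 syntax (illustration, not a file from the page).
# Program names, host names, addresses and the local gateway are invented.
REGINFO_V2 = """\
#VERSION=2
# Refuse registrations from a domain we never expect servers in, whatever name they use.
D TP=* HOST=*.untrusted.example
# SAPXPG servers register only from application servers and are used/cancelled only from there.
P TP=SAPXPG_DBDEST_* HOST=internal ACCESS=internal CANCEL=internal
# At most 4 registrations of IGS.PRD, from the IGS host or its subnet; cancel only locally.
P TP=IGS.PRD HOST=sapigs01.sap.example,10.20.30.0/24 NO=4 ACCESS=internal,10.20.30.0/24 CANCEL=local
# Anything else only from application servers, usable and cancellable only by the local gateway.
P TP=* HOST=internal ACCESS=local CANCEL=local
D TP=* HOST=*
"""

LOCAL_GATEWAY = "sapgw01"                           # host this gateway runs on (hypothetical)
APP_SERVERS = {"sapgw01", "sapapp01", "sapapp02"}   # what 'internal' expands to (hypothetical)


@dataclass
class RegRule:
    action: str            # 'P' or 'D'
    tp: str                # TP= pattern, '*' wildcard allowed
    hosts: List[str]       # HOST= list; ['*'] when omitted
    no: Optional[int]      # NO= limit, meaningful only for a TP without wildcards
    access: List[str]      # ACCESS= list; empty means any client
    cancel: List[str]      # CANCEL= list; empty means any client


def tp_match(pattern, name):
    """TP names contain no blanks; '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def host_match(pattern, host):
    """One HOST/ACCESS/CANCEL list entry against a host name or an IP address string."""
    if pattern == "*":
        return True
    if pattern == "local":
        return host == LOCAL_GATEWAY
    if pattern == "internal":
        return host in APP_SERVERS
    if pattern.startswith("*."):                                  # domain wildcard, e.g. *.sap.com
        return host.lower().endswith(pattern[1:].lower())
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                                            # host is a name: exact match only
        return host.lower() == pattern.lower()
    if "/" in pattern:                                            # prefix, e.g. 192.1.1.3/12
        return addr in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith(".*"):                                    # old SAProuter wildcard 192.1.1.*
        return str(addr).startswith(pattern[:-1])
    try:
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False


def host_list_match(patterns, host):
    return any(host_match(p, host) for p in patterns)


def parse_reginfo(text):
    """Return (syntax_version, rules); '#' starts a comment line."""
    lines = text.splitlines()
    version = 2 if lines and lines[0] == "#VERSION=2" else 1
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()                                    # options are blank-separated
        action = "P"
        if version == 2:
            action, tokens = tokens[0], tokens[1:]
            if action not in ("P", "D"):
                raise ValueError(f"version 2 line must start with P or D: {line!r}")
        opts = dict(tok.split("=", 1) for tok in tokens)
        if "TP" not in opts:
            raise ValueError(f"TP= missing in {line!r}")
        lst = lambda key: opts[key].split(",") if key in opts else []
        rules.append(RegRule(action, opts["TP"], lst("HOST") or ["*"],
                             int(opts["NO"]) if "NO" in opts else None, lst("ACCESS"), lst("CANCEL")))
    return version, rules


def find_rule(rules, tp, host):
    """First line whose TP pattern and HOST list both match (assumed first-match semantics)."""
    return next((r for r in rules if tp_match(r.tp, tp) and host_list_match(r.hosts, host)), None)


def may_register(rules, tp, host, already_registered=0):
    rule = find_rule(rules, tp, host)
    if rule is None or rule.action == "D":
        return False
    return not (rule.no is not None and "*" not in rule.tp and already_registered >= rule.no)


def may_access(rule, client_host):
    """Checked per host, never per user; the local gateway always has access."""
    return client_host == LOCAL_GATEWAY or not rule.access or host_list_match(rule.access, client_host)


def may_cancel(rule, client_host):
    return client_host == LOCAL_GATEWAY or not rule.cancel or host_list_match(rule.cancel, client_host)
```

Because an already-registered server keeps the attributes of the entry it matched at registration time, a run of may_access against the new file tells you what the rule will be after the server re-registers, not what the gateway currently enforces for it.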