Profile Parameter Settings on the Gateway

To use SNC for securing connections that connect via the Gateway, you also need to set the appropriate parameters in the gateway profile. The gateway itself does not directly use the routines from the security product; however, it does supply the SNC configuration parameters to the programs that it starts.

The following profile parameters are relevant for the gateway settings:

  • snc/enable

    For a gateway to accept SNC-protected connections, you need to set the profile parameter snc/enable to the value 1. The gateway then knows that an SNC environment is in operation and takes the following precautions:

    • In addition to the standard port (sapgw<nn>), it opens a secure port (sapgw<nn>s), where it accepts only connections that use SNC protection.
    • It starts programs only when the communication is SNC-protected. You can explicitly permit programs to be started without SNC protection by setting the parameter snc/permit_insecure_start (see the description below).
  • snc/gssapi_lib

    As with the application server, if snc/enable = 1, then the parameter snc/gssapi_lib must contain the path and file name of the external library. The gateway passes this information to the external programs that it starts.

  • snc/permit_insecure_start

    If snc/enable = 1, then the gateway does not start or register any external programs without using SNC-protected communications (as default). You can explicitly override this configuration by setting the parameter snc/permit_insecure_start to the value 1. The gateway will then start or register programs even if SNC protection is not used for the communication. The parameter is only necessary if programs without SNC protection are to be directly started by or registered on the gateway.

    Note

    If the gateway is started directly on an application server, it uses the application server's profile settings. In this case, the parameters snc/enable and snc/gssapi_lib are set in the application server's profile. For the gateway, you then only need to consider the parameter snc/permit_insecure_start.

    If a gateway is to be started independently of the application server (stand-alone gateway), then you need to consider all of the parameters mentioned above.

Because the gateway passes the name of the external library on to the programs that it starts, and for general security reasons, you should start programs only on the computer where the gateway itself is located. To prevent remote program starts, include the following parameter settings in the gateway profile:

  • As of Release 4.5A:

    gw/rem_start=DISABLED

  • Releases 4.0A and 4.0B: (In these releases, you need to define an invalid remote shell to prevent remote program starts.)

    gw/rem_start=REMOTE_SHELL

    gw/remsh=.

    Note

    The gateway uses the common Berkeley remote shell (rsh or remsh) to start programs on remote hosts. The Berkeley remote shell performs only a simple authentication based on the IP address and cannot protect the TCP data stream that it uses. Therefore, we recommend that you do not start programs on remote hosts when using SNC.
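As an added example (not SAP's own code), the following script audits a gateway profile for the SNC parameters and the remote-start settings described above. It assumes the profile is a plain-text file with one "parameter = value" per line and '#' comments; the sample profiles and the library path in them are constructed placeholders.

```python
import re
from typing import Dict, List

# Assumed profile syntax: one "parameter = value" per line, '#' starts a comment.
_PARAM = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")

def parse_profile(text: str) -> Dict[str, str]:
    """Map profile parameter names to their string values."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        match = _PARAM.match(raw.split("#", 1)[0])
        if match:
            params[match.group(1)] = match.group(2)
    return params

def audit_gateway_profile(text: str, standalone: bool = True) -> List[str]:
    """Return findings for settings that weaken the SNC setup; [] means clean.
    standalone=False: the gateway runs on an application server, so snc/enable
    and snc/gssapi_lib are taken from that server's profile, not checked here."""
    p = parse_profile(text)
    findings: List[str] = []
    if standalone:
        if p.get("snc/enable") != "1":
            findings.append("snc/enable != 1: no secure port, SNC not enforced")
        elif not p.get("snc/gssapi_lib"):
            findings.append("snc/gssapi_lib unset: started programs get no SNC library")
    if p.get("snc/permit_insecure_start") == "1":
        findings.append("snc/permit_insecure_start = 1: programs may start without SNC")
    rem_start = p.get("gw/rem_start", "")
    disabled = rem_start == "DISABLED"  # Release 4.5A and later
    invalid_shell = rem_start == "REMOTE_SHELL" and p.get("gw/remsh") == "."  # 4.0A/4.0B
    if not (disabled or invalid_shell):
        findings.append("gw/rem_start: remote program starts via rsh/remsh still possible")
    return findings

# Constructed samples; the library path is a placeholder, not a real SAP path.
WEAK_PROFILE = """\
snc/enable = 1
snc/gssapi_lib = /path/to/snc_library.so
snc/permit_insecure_start = 1
gw/rem_start = REMOTE_SHELL
gw/remsh = /usr/bin/rsh
"""
HARDENED_PROFILE = """\
snc/enable = 1
snc/gssapi_lib = /path/to/snc_library.so
gw/rem_start = DISABLED
"""
```

Run audit_gateway_profile on a real profile's contents; an empty list means the settings match the recommendations on this page.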