
Making Security Settings for External Programs

Use

To ensure that the SAP gateway operates securely, you must pay particular attention to how it interacts with external programs. You can configure the gateway so that undesirable external programs cannot be run.

To make sure SAP programs required for system operation are not blocked by an overly restrictive configuration, we recommend you run gateway logging in order to identify these programs, and then define the secinfo and reginfo configuration files accordingly.

Prerequisites

To use gateway logging in the gateway monitor (transaction SMGW), you need at least:

      SAP Kernel 7.00 patch level 119

      ABAP Support Package 13

Procedure

       1.      Set up gateway logging by setting the following parameters in the profile:

gw/secinfo = $(DIR_DATA)/secinfo 

gw/reginfo = $(DIR_DATA)/reginfo 

gw/logging = ACTION=S LOGFILE=gw_log-%y-%m%d SWITCHTF=day  

Note

If an SAP system consists of multiple application servers, add the system ID (three-letter SID) and the server name to the file name. This enables the files to be identified when they are collected centrally for analysis. You can use the environment variables $(SAPSYSTEMNAME) and $(SAPLOCALHOST) and set the parameter as follows:

gw/logging = ACTION=S LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)-%y%m%d SWITCHTF=day   

This logs all security-relevant gateway actions in a separate file. You can also make this setting within the system.

More information: Setting Up Gateway Logging

       2.      In directory $(DIR_DATA), create the files secinfo and reginfo with the following content:

       secinfo contains only the line USER=* HOST=* TP=*

       reginfo contains only the line TP=*

With this secinfo and reginfo configuration all programs can be started from the gateway, and all programs can register in the gateway.

Caution

These settings are only temporary and are intended to find out which programs are to be included in the files. While these settings are active, the gateway is not protected against external programs.

       3.      Activate the configuration files secinfo and reginfo by choosing Goto → Expert Functions → External Security → Read Again in transaction SMGW. Activate these files on every application server instance of the system. To do this, call the server overview (transaction SM51) and switch the instance by double-clicking.

       4.      Leave the system running with these settings for a few days, and execute all actions that relate to external programs and registered servers.

       5.      Evaluate the log file. Proceed as described in section Evaluating the Log File.

       6.      Define the files secinfo and reginfo as appropriate.

       7.      Activate the files (see step 3).

       8.      Leave the system running with these settings, but continue to monitor the logging. Pay particular attention to the entries secinfo denied and reginfo denied. These identify external programs and registered servers that the current settings do not allow to run. A possible cause is that a new component requiring additional external programs and registered servers is being tested or introduced. The administrator then has to decide whether these entries should be included in the security files.
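
A check that can be run once the final files are in place (step 7 onward), as an added example that is not part of the SAP documentation: it scans secinfo and reginfo files for rules whose selectors are all *, such as the temporary lines from step 2, so that they are not left active by mistake. Treating lines that start with # as comments, ignoring tokens without =, and the sample user, host and program names are assumptions.

```python
import sys
from pathlib import Path


def parse_rule(line):
    """Return {KEY: value} for one rule line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):  # assumption: '#' starts a comment line
        return None
    # Assumption: tokens without '=' are not selectors and are ignored.
    pairs = (tok.split("=", 1) for tok in line.split() if "=" in tok)
    return {key.upper(): value for key, value in pairs}


def wide_open_rules(text):
    """Return (line_number, line) for every rule whose selectors are all '*'."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        rule = parse_rule(line)
        if rule and all(value == "*" for value in rule.values()):
            findings.append((number, line.strip()))
    return findings


def audit(paths):
    """Check each file; return {path: findings} for files with wide-open rules."""
    report = {}
    for path in paths:
        findings = wide_open_rules(Path(path).read_text())
        if findings:
            report[str(path)] = findings
    return report


# Constructed samples: the temporary files from step 2 and a restricted secinfo.
TEMP_SECINFO = "USER=* HOST=* TP=*\n"
TEMP_REGINFO = "TP=*\n"
RESTRICTED_SECINFO = "# constructed rule\nUSER=batchadm HOST=apphost01 TP=sapxpg\n"

if __name__ == "__main__":
    # Usage: python check_gw_acl.py <path to secinfo> <path to reginfo>
    result = audit(sys.argv[1:])
    for path, findings in result.items():
        for number, line in findings:
            print(f"{path}:{number}: wide-open rule: {line}")
    sys.exit(1 if result else 0)
```

The script exits with status 1 if any file still contains a rule that allows everything, so it can be run on each application server instance after the files are activated.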

More Information

secinfo: Assigning Start Authorizations for External Programs

reginfo:  Registration Authorizations for Starting External Programs

 

 
