
Evaluating the Log File

Use

To make optimal security settings for the gateway, we recommend you let gateway logging run for a while, and use the generated log file as a basis for the evaluation.

Once you have evaluated the log file, you can modify the configuration to meet your requirements.

Prerequisites

You have followed the preceding steps in section Making Security Settings for External Programs.

Procedure


       1.      Display the contents of the file. You can display the file contents and save them to your local computer in transaction SMGW. Choose Go To → Expert Functions → Logging.

Because everything is permitted in secinfo and reginfo, the log contains only entries marked reginfo accepted and secinfo accepted.

Entries marked secinfo accepted were checked against the entries in the secinfo file.

Entries marked reginfo accepted were checked against the entries in the reginfo file.

Example of an Excerpt from a Log File

S Wed Aug 01 2007 10:36:52:181 secinfo accepted: TP=IGS.WDFD00146227A, HOST=WDFD00146227A

S Wed Aug 01 2007 10:37:57:183 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A

S Wed Aug 01 2007 10:39:02:185 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A

S Wed Aug 01 2007 10:39:05:740 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=ld8061.wdf.sap.corp, TP=gnetx.exe

S Wed Aug 01 2007 10:39:48:577 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=ld8061.wdf.sap.corp, TP=/usr/sap/BIN/SYS/exe/run/tp

       2.      Find the entries for the secinfo file.

Entries for secinfo always contain the following components:

       USER=<name>: User who wants to start the external program

       USER-HOST=<user host>: Host name from where the gateway was requested to start the program (when the program is started from the system, the host name is always the name of the application server).

       HOST=<host>: Host on which the program was started.

       TP=<program name>: Program name

You could simply filter out all duplicate entries from the log file, and write the remaining entries to the secinfo file. This allows all programs that are running in the environment.

If this means there are a large number of programs, group together entries using appropriate wild cards to make the secinfo file more manageable.

Example of Entries in secinfo File

TP=/usr/sap/BIN/SYS/exe/run/* allows all programs in the executable directory of the server to be started.

HOST=* allows programs to be started on any host. This could be restricted to a subnetwork mask or domain name, for example, 10.66.66.* or *.sap.corp.

USER=* allows all users to use the external program.

Caution

With programs started from SAPGUI, the gateway cannot check whether this SAPGUI is allowed. The IP address of the application server is used to make the check (see next line).

S Wed Aug 01 2007 10:39:05:740 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=host1.wdf.sap.corp, TP=gnetx.exe

More information: Assigning Start Authorizations for External Programs

       3.      Find the entries for the reginfo file.

Entries for reginfo always contain the following components:

       TP=<regi id>: Registration ID of the server program that is being registered

       HOST=<host>: Host from where the server is logging on.

You could now simply filter out all duplicate entries from the log file and write the remaining entries to the reginfo file. This allows all programs as they are running in the environment to register.

If there are a large number of programs to register, group together entries using appropriate wild cards to make the reginfo file more manageable.

Example of Entries in reginfo File

TP=IGS.WDFD00146227A HOST=* allows registration of IGS.WDFD00146227A from every host.

TP=Bex* HOST=*sap.corp allows programs with registration ID Bex* to register provided they come from hosts in the SAP network.

Note

If you want to allow access to the registered server, for example, from the local application server only, you have to add ACCESS=local to the entry. To terminate the server from transaction SMGW, you need to add CANCEL=local.

More information:

Access Controls for Registered Programs

Defining the reginfo File

 
