
Restricting Registration of External Server Programs

Use

If you use a registered RFC server (based on the RFC SDK, SAP NetWeaver RFC SDK, JCo, .NET Connector or Business Connector), there is always the risk that an attacker registers a harmful external program on an RFC destination and intercepts RFC calls that were meant for the legitimate external RFC program.

Prerequisites

To use the following procedure, the SAP system must fulfill the following prerequisites:

  • SAP Kernel 7.00

  • Patch Level 119

  • ABAP Support Package 13

Procedure

You can use two different mechanisms to prevent unwanted external programs from registering with an RFC destination:

  • Use the reginfo file

  • Use SNC (Secure Network Communications)

To do this, follow the procedure below:

reginfo File

  • In the $DIR_DATA directory, create a file with the name reginfo.

    Note

    If you want to use another directory and/or file name, you can store the new filename in the gw/reg_info profile parameter.

  • The reginfo file is read at system start. Each row can contain one or more of the following values:

    • Program ID. This defines the RFC destination to which the following security settings are assigned.

    • Host name (or IP address) from which a registration can be made for this RFC destination.

    • Host name (or IP address) from which RFC calls may be sent to this RFC destination.

    • Host name (or IP address) from which registered external programs may be deregistered.

      Note

      The Gateway allows registered programs to be deregistered remotely. There is a risk that an attacker uses this function for a denial-of-service attack. You can prevent such attacks by restricting the hosts that are authorized to deregister.

    • Maximum number of registered servers for the defined program ID.

      Note

      You can either explicitly allow or exclude activities (registration, deregistration, RFC calls) using the reginfo file.
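To make the allow/exclude semantics concrete, the following added Python evaluator (example code, not SAP's own) parses a constructed reginfo file and decides whether a registration, RFC call or deregistration from a given host is permitted. It assumes the keyword syntax P/D with TP=, HOST=, ACCESS=, CANCEL= and NO=, comma-separated host lists with * wildcards, first-match evaluation and an implicit deny when nothing matches; none of these details are stated on this page.

```python
"""Added example (not SAP code): evaluate Gateway reginfo rules.
Assumed, not from the page: syntax P|D TP= HOST= ACCESS= CANCEL= NO=, comma-
separated host lists with '*' wildcards (missing list = '*'), first line whose
TP and host match decides, implicit deny when no line matches."""
from fnmatch import fnmatchcase

# Constructed sample: one tightly scoped server, one wildcard family, catch-all deny.
SAMPLE_REGINFO = """\
P TP=PAYROLL_SRV HOST=app01.corp.example,app02.corp.example ACCESS=sapprd.corp.example CANCEL=app01.corp.example NO=2
P TP=ARCHIVE_* HOST=*.corp.example
D TP=*
"""

def parse_reginfo(text):
    """Return rule dicts in file order; '#' comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, *fields = line.split()
        rule = {"permit": kind.upper() == "P", "TP": "*",
                "HOST": ["*"], "ACCESS": ["*"], "CANCEL": ["*"], "NO": None}
        for field in fields:
            key, _, value = field.partition("=")
            if key.upper() == "NO":
                rule["NO"] = int(value)          # max registered servers for this ID
            elif key.upper() == "TP":
                rule["TP"] = value               # program ID pattern
            elif key.upper() in ("HOST", "ACCESS", "CANCEL"):
                rule[key.upper()] = [h.lower() for h in value.split(",")]
            else:
                raise ValueError(f"unknown reginfo keyword: {field}")
        rules.append(rule)
    return rules

def decide(rules, action, program_id, host, registered=0):
    """True if `action` ('register', 'call', 'cancel') on `program_id` from `host`
    is permitted; `registered` is how many servers already hold that program ID."""
    host = host.lower()
    for rule in rules:
        if not fnmatchcase(program_id, rule["TP"]):
            continue
        patterns = rule[{"register": "HOST", "call": "ACCESS", "cancel": "CANCEL"}[action]]
        if not any(fnmatchcase(host, p) for p in patterns):
            continue
        if rule["permit"] and action == "register" and rule["NO"] is not None:
            return registered < rule["NO"]       # NO= caps concurrent registrations
        return rule["permit"]
    return False  # assumption: no matching line means deny

RULES = parse_reginfo(SAMPLE_REGINFO)
```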

SNC

  • When creating an RFC destination (transaction SM59), activate SNC for this destination and define an SNC name for the external program.

    The Gateway then allows registration for the related program ID only if the external program registers itself using SNC with a digitally signed certificate that contains the defined SNC name.

    Note

    This procedure is intended in particular to defend against IP spoofing attacks, which could circumvent the security settings in the reginfo file.

More Information

For detailed information on configuring Gateway and the reginfo file:

For detailed information on SNC: SNC User's Guide:

  • http://service.sap.com/security, then Security in Detail > Secure User Access > Authentication & Single Sign-On