To ensure the SAP gateway operates securely, you have to be especially aware of interaction with external programs. You can configure the Gateway to ensure that undesirable external programs cannot be run.
There are two ways to do this:
Logging-based configuration
To ensure SAP programs required for system operation are not blocked by a configuration that is too restrictive, you should configure the security files to enable all connections, and monitor the Gateway using gateway logging. This way you get an overview of which programs are to be allowed, and then you can edit the secinfo and reginfo configuration files accordingly.
For more information about the procedure, see Setting Up Logging-Based Configuration.
Restrictive configuration (secure configuration)
You configure the Gateway so that initially only system-internal programs can be started and registered.
After that you can add programs you want to allow to the secinfo and reginfo configuration files.
This procedure is recommended by SAP, and is described below.
The parameters have the following value (default setting):
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
If they have a different value, change them to the value above. If you want to configure other file paths for the files, set the parameters accordingly.
Parameter gw/acl_mode has the following value (default setting):
gw/acl_mode = 1
secinfo and reginfo are created and administrated for each application server. For reasons of maintainability SAP recommends that one reginfo file and one secinfo file is created in a shared working directory for each SAP system. For example:
gw/sec_info = $(DIR_GLOBAL)$(DIR_SEP)secinfo
gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo
If you are using Windows as the operating system, the files should have the ending .DAT.
To set up the recommended secure SAP Gateway configuration, proceed as follows:
Check the secinfo and reginfo files. To do this, in the gateway monitor (transaction SMGW) choose .
This opensb the Gateway ACL Editor, where you can display the relevant files.
To enable system-internal communication, the files must contain the following entries.
secinfo
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
This means that programs on the gateway host can be started by the gateway host, and that programs within the system can be started from the system.
reginfo
P TP=* HOST=local CANCEL=local ACCESS=*
P TP=* HOST=internal CANCEL=internal ACCESS=*
This means that programs from the gateway host can register, and that programs within the system can register.
This recommendation applies to existing systems. If a new system has been installed, we recommend the restrictive setting
P TP=* HOST=local CANCEL=local ACCESS=local
P TP=* HOST=internal CANCEL=internal ACCESS=internal
If the files do not exist, the system behaves as if these entries were available.
Extend these files as required. Enable the configured RFC destinations (transaction SM59) as required by making the relevant entries in the secinfo file.
To do this, proceed as follows:
Look at the current secinfo file. In the gateway monitor (transaction SMGW) choose . Here you can check whether the file complies with your requirements.
To add further entries to the file, choose
.In the following dialog box select the relevant entries, and choose .
The lines in the file appear in a new dialog box.
Choose .
If the file already exists, you can decide whether you want to replace this file with the selected entries, or whether to add the selected entries to this file.
The system always adds the lines referred to in step 1 to the file automatically, otherwise system operation will be affected.
Decide whether the changes are to be activated immediately or not. If not, you can activate them at any time by choosing
. From here, choose .Check your secinfo file.
Choose .
Here you can see the configuration that is currently active in the Gateway. If the content of the file has been changed, but the file has not been reread, you can view the message not identical to the content of the file in the file browser (transaction AL11).
If you have made changes to the secinfo file (in the Gateway ACL Editor or at operating system level), you can reread the file in SMGW ( ). From here, choose .
SAP Note 1408081 describes the configuration of the security files for SAP systems for current and older releases.