SAP Gateway Security Files secinfo and reginfo

Use

The secinfo security file is used to prevent unauthorized launching of external programs.

File reginfo controls the registration of external programs in the gateway.

You can define the file path using profile parameters gw/sec_info and gw/reg_info. The default value is:

gw/sec_info = $(DIR_DATA)/secinfo

gw/reg_info = $(DIR_DATA)/reginfo

When the gateway is started, it reads both security files. You can make dynamic changes by changing, adding, or deleting entries in the secinfo or reginfo file; the changed file is activated immediately by reloading the security files (see below), without restarting the gateway.

Displaying and Editing Security Files

There are various tools with different functions provided to administrators for working with security files.

  • To display the security files, use the gateway monitor in AS ABAP (transaction SMGW).

    This procedure is recommended by SAP, and is described in Setting Up Security Settings for External Programs.

  • To edit the security files, you can use the Gateway ACL editor. In the gateway monitor (transaction SMGW), choose Goto > Expert Functions > External Security > Maintenance of ACL Files.

    You must keep precisely to the syntax of the files, which is described below.

    There are two different versions of the syntax for both files. Syntax version 1 does not allow programs to be explicitly forbidden from being started or registered. As an alternative you can therefore use syntax version 2, which follows the route permission table of the SAProuter. If you want to use this syntax, the whole file must be structured accordingly and the first line must contain the entry #VERSION=2 (written exactly in this form).

    Once you have completed the change, you can reload the files without having to restart the gateway. To do this, in the gateway monitor (transaction SMGW) choose Goto > Expert Functions > External Security > Maintenance of ACL Files, and from there choose Goto > Reread.

Structure

secinfo

The following syntax is valid for the secinfo file.

Version 1

A line in the file has the format:

    TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]

The order of the options is not mandatory. As separators you can use commas or spaces. If the TP name itself contains spaces, you must use commas.

Use a line of this format to allow the user <user> to start the <tp> program on the host <host>.

You can tighten this authorization check by setting the optional parameter USER-HOST, which restricts the host from which the user must have logged on to the gateway.

The value internal for the host options (HOST and USER-HOST) stands for all hosts in the SAP system. The gateway replaces it internally with the list of all application servers in the SAP system.

Example
  • USER=mueller, HOST=hw1414, TP=test: The user mueller can execute the test program on the host hw1414.

  • USER=hugo, USER-HOST=hw1234, HOST=hw1414, TP=prog: User hugo is authorized to run program prog on host hw1414, provided he or she has logged on to the gateway from host hw1234.

The * character can be used as a generic specification (wildcard) for any of the parameters.

If USER-HOST is not specified, the value * is assumed.

Version 2

The first line is #VERSION=2; all further lines have the following structure:

    P|D TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]

Each line starts with P or D, followed by a space or a TAB, with the following meaning:

  • P means that the program is permitted to be started (the same as a line with the old syntax)

  • D prevents this program from being started.

The order of the remaining entries is of no importance.

Example

Example of a secinfo file in the new syntax:

    #VERSION=2
    D HOST=* USER=* TP=/bin/sap/cpict4
    P HOST=* USER=* TP=/bin/sap/cpict*
    P TP=hugo HOST=local USER=*
    P TP=* USER=* USER-HOST=internal HOST=internal

This file means:

  • Program cpict4 is not permitted to be started.

  • All other programs starting with cpict are allowed to be started (on every host and by every user).

  • Program hugo is allowed to be started on the local host (HOST=local) by every user.

  • All programs requested from hosts within the SAP system (USER-HOST=internal) can be started on all hosts in the system (HOST=internal).

reginfo

Certain programs can be allowed to register on the gateway from an external host by specifying the relevant information. You can also control access to the registered programs and cancel registered programs.

As soon as a program has registered in the gateway, the attributes of the matching entry (specifically ACCESS) are passed on to the registered program. This means that if the file is changed and the new entries are activated immediately, servers that are already registered keep the old attributes. To apply the new settings to registered programs as well (if their entries have changed at all), those servers must first be deregistered and then registered again.

Successful and rejected registrations, and calls from registered programs, can be traced using Gateway Logging with indicator S.

Any erroneous lines are written to the trace file dev_rd and are not read in.

The reginfo file has the following syntax. There are two different syntax versions that you can use (but not together in one file).

Version 1

A line in the file has the format:

    TP=<tp> [HOST=<hostname>,...] [NO=<n>] [ACCESS=<hostname,...>] [CANCEL=<hostname,...>]

The value internal for the host options (HOST and USER-HOST) stands for all hosts in the SAP system. The gateway replaces it internally with the list of all application servers in the SAP system.

Comment lines begin with #.

The individual options can have the following values:

  • TP Name (TP=): Maximum 64 characters, blank spaces not allowed. The wildcard character * stands for any number of characters; the entry * therefore means no restriction, fo* stands for all names beginning with fo, and foo stands exactly for the name foo.

  • Host Name (HOST=, ACCESS= and/or CANCEL=): The wildcard character * stands for any host name, *.sap.com for a domain, sapprod for the host sapprod. If the option is missing, this is equivalent to HOST=*.

  • IP Addresses (HOST=, ACCESS= and/or CANCEL=): You can use IP addresses instead of host names. Examples of valid addresses are:

    • Complete addresses: 1.2.3.4, A:B:C:D:E:F:1:2, A:B:C:D:E:F:1.2.3.4, A:B

    • Standard address prefixes: 192.1.1.3/12, A:B:C:D:E:1:2/60

    • Old SAProuter wildcards: 192.1.1.*, 192.1.1.101xxxxx

  • Number (NO=): Number between 0 and 65535. If the TP name has been specified without wildcards, you can specify here the number of registrations allowed.

    Example

    TP=foo NO=1 means that only one program with the name foo is allowed to register; all further attempts to register a program with this name are rejected. If this addition is missing, any number of servers with the same ID are allowed to register.

ACCESS List

To control access from the client side too, you can define an access list for each entry. This is a list of host names (or IP addresses) that must follow the rules above. If no access list is specified, the program can be used from any client. The local gateway where the program is registered always has access.

Note that the check is made on the basis of hosts, not at user level.

Example

    TP=foo ACCESS=*.sap.com

Program foo may only be used by hosts from the domain *.sap.com. Access attempts from a different domain are rejected. The local application server is always allowed access.

To permit registered servers to be used by local application servers only, the file must contain the following entry.

    TP=* ACCESS=local [CANCEL=local]

CANCEL List

To control the cancellation of registered programs, a cancel list can be defined for each entry (in the same way as the ACCESS list). If no cancel list is specified, any client can cancel the program. The local gateway where the program is registered can always cancel the program.

To cancel a registered program from the gateway monitor (transaction SMGW), choose Goto > Logged On Clients, select the registered program with the cursor, and choose Goto > Logged On Clients > Delete Client.

Note

The RFC library provides functions for closing registered programs. If the calling client does not match the criteria in the CANCEL list, it is not able to cancel the registered program. No error is returned, but the number of cancelled programs is zero.

Examples of valid entries

  • TP=* HOST=*: All registrations are allowed.

  • TP=foo* HOST=*: Registrations of programs whose name begins with foo (not f or fo) are allowed.

  • TP=foo*: All registrations of programs whose name begins with foo (not f or fo) are allowed (a missing HOST counts as HOST=*).

  • TP=* HOST=*.sap.com: All registrations from the domain *.sap.com are allowed.

  • TP=* ACCESS=*.sap.com: Only clients from the domain *.sap.com (and the local application server) are allowed to communicate with this registered program.

  • TP=* ACCESS=local: Only clients on the local application server are allowed to communicate with this registered program.

Version 2

The first line is #VERSION=2; all further lines have the following structure:

    P|D TP=<tp> [HOST=<hostname>,...] [NO=<n>] [ACCESS=<hostname,...>] [CANCEL=<hostname,...>]

Each line starts with P or D, followed by a space or a TAB, with the following meaning:

  • P means that the program is permitted to be registered (the same as a line with the old syntax)

  • D prevents this program from being registered on the gateway.

Example

Example of a reginfo file in the new syntax:

    #VERSION=2
    P TP=cpict4 HOST=10.18.210.140
    D TP=* HOST=10.18.210.140
    P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost
    P TP=cpict4
    P TP=* USER=* HOST=internal

This file means:

  • Program cpict4 is allowed to be registered if it arrives from the host with address 10.18.210.140.

  • All other programs from host 10.18.210.140 are not allowed to be registered.

  • Program cpict2 is allowed to be registered from any host, but can only be used (ACCESS) and cancelled (CANCEL) from the local host or from host ld8060.

  • Program cpict4 is allowed to be registered from any host.

  • Programs on hosts within the SAP system (HOST=internal) are allowed to register.
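To make the two version-2 example files above (the secinfo file in the "secinfo" section and the reginfo file just shown) concrete, here is an added offline evaluator that reads such a file and answers "may this user start this program here?" and "may this program register / be used from this client?". It is example code written for this page, not SAP's gateway code. Its assumptions, labelled in the comments, are: rules are evaluated top to bottom and the first matching line decides (P permits, D denies), a request matching no line is denied, only the * wildcard is implemented (the IP prefix and SAProuter-style address forms from the reginfo section are not), TP names containing spaces are not supported, and the hosts behind the keywords internal and local are a constructed topology (INTERNAL_HOSTS, LOCAL_HOST).

```python
import re

# Constructed topology for this example (not from the page): the application
# servers that the keyword 'internal' expands to, and the gateway's own host,
# which the keyword 'local' refers to.
INTERNAL_HOSTS = {"appsrv01", "appsrv02", "hw1414"}
LOCAL_HOST = "appsrv01"

# Options whose value is a comma-separated host list.
LIST_KEYS = {"HOST", "USER-HOST", "ACCESS", "CANCEL"}

# The two example files from this page, embedded verbatim.
SECINFO_EXAMPLE = """#VERSION=2
D HOST=* USER=* TP=/bin/sap/cpict4
P HOST=* USER=* TP=/bin/sap/cpict*
P TP=hugo HOST=local USER=*
P TP=* USER=* USER-HOST=internal HOST=internal
"""

REGINFO_EXAMPLE = """#VERSION=2
P TP=cpict4 HOST=10.18.210.140
D TP=* HOST=10.18.210.140
P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost
P TP=cpict4
P TP=* USER=* HOST=internal
"""


def parse_acl(text):
    """Parse a version-2 secinfo/reginfo file into [(action, options), ...].

    options maps each KEY to a list of values, e.g. {"TP": ["foo"], "ACCESS": ["a", "b"]}.
    Malformed lines raise instead of being dropped: the gateway itself logs them to
    dev_rd and ignores them, which is exactly what an audit of the file should catch.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "#VERSION=2":
        raise ValueError("first line must be exactly #VERSION=2")
    rules = []
    for lineno, line in enumerate(lines[1:], start=2):
        if line.startswith("#"):
            continue  # comment line
        parts = re.split(r"[ \t]+", line, maxsplit=1)  # 'P' or 'D', then the options
        if len(parts) != 2 or parts[0] not in ("P", "D"):
            raise ValueError(f"line {lineno}: expected P or D followed by options")
        action, rest = parts
        options, key = {}, None
        for token in re.split(r"[,\s]+", rest):  # commas or spaces separate options
            if not token:
                continue
            if "=" in token:
                key, value = token.split("=", 1)
                options.setdefault(key, []).append(value)
            elif key in LIST_KEYS:
                options[key].append(token)  # continuation of a comma-separated host list
            else:
                raise ValueError(f"line {lineno}: unexpected token {token!r}")
        if "TP" not in options:
            raise ValueError(f"line {lineno}: TP= is mandatory")
        rules.append((action, options))
    return rules


def glob_match(pattern, value):
    """'*' matches any number of characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def host_match(pattern, host):
    """Resolve the gateway keywords 'internal' and 'local', otherwise glob-match."""
    if pattern == "internal":
        return host in INTERNAL_HOSTS
    if pattern == "local":
        return host == LOCAL_HOST
    return glob_match(pattern, host)


def _hosts_match(options, key, host):
    # A missing host option counts as '*', as the page states for HOST.
    return any(host_match(p, host) for p in options.get(key, ["*"]))


def first_match(rules, tp, host, user=None, user_host=None):
    """Assumed semantics: the first rule whose options all match decides; None if no rule matches."""
    for action, opt in rules:
        if not glob_match(opt["TP"][0], tp) or not _hosts_match(opt, "HOST", host):
            continue
        if user is not None and not glob_match(opt.get("USER", ["*"])[0], user):
            continue
        if user_host is not None and not _hosts_match(opt, "USER-HOST", user_host):
            continue
        return action, opt
    return None


def may_start(secinfo, user, host, tp, user_host):
    """secinfo: may <user>, logged on from <user_host>, start <tp> on <host>? No match means deny."""
    hit = first_match(secinfo, tp, host, user, user_host)
    return hit is not None and hit[0] == "P"


def may_register(reginfo, tp, host):
    """reginfo: may a program named <tp> register from <host>? No match means deny."""
    hit = first_match(reginfo, tp, host)
    return hit is not None and hit[0] == "P"


def client_allowed(reginfo, tp, host, client, which="ACCESS"):
    """May <client> use (ACCESS) or cancel (CANCEL) program <tp> registered from <host>?

    The list is taken from the entry that permitted the registration; a missing list
    means any client, and the local gateway host is always allowed.
    """
    hit = first_match(reginfo, tp, host)
    if hit is None or hit[0] != "P":
        return False  # the program could not have registered in the first place
    return client == LOCAL_HOST or _hosts_match(hit[1], which, client)


if __name__ == "__main__":
    sec, reg = parse_acl(SECINFO_EXAMPLE), parse_acl(REGINFO_EXAMPLE)
    print("start cpict4 anywhere:", may_start(sec, "mueller", "hw1414", "/bin/sap/cpict4", "pc1"))
    print("start hugo on local host:", may_start(sec, "mueller", LOCAL_HOST, "hugo", "pc1"))
    print("register foo from 10.18.210.140:", may_register(reg, "foo", "10.18.210.140"))
    print("pc99 may use cpict2:", client_allowed(reg, "cpict2", "1.2.3.4", "pc99"))
```

Running the script against the page's own explanations is a useful self-check: the D line for cpict4 wins only because it precedes the P line for cpict*, and the reginfo entry for cpict2 confines ACCESS and CANCEL to ld8060 and the local host while the plain P TP=cpict4 entry, lacking an ACCESS list, lets any client use that program.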