
Security Settings for the SAP Message Server

 

As the central communication component in an SAP system network, the message server should be protected against unwanted external access.

You can make the following settings to increase the security of a running SAP message server:

  • Separate Internal and External Message Server Communication

  • Access Control List (ACL) for Application Servers

  • Access Control List (ACL) for Network Connections

  • Administration Using Profile Parameters

For more information, see SAP Note 821875.

Features

Separate Internal and External MS Communication

To prevent unwanted clients from presenting themselves to the message server as application servers, use parameter rdisp/msserv_internal = <no.>. Value 0 (the default setting) means that no separate port is used for internal communication.

For internal communication, a different data channel is used from the one used for external communication; on the external channel, clients have read-only access only.

The message server opens another port <nr>, in addition to its own port sapms<SID> (rdisp/msserv), which is used for internal communication with the application servers. Application servers must use this port to log on to the message server. Application servers that log on through the "normal" port sapms<SID> are denied access (MSEACCESSDENIED).

Caution

If you want to use this parameter, you must define it on the central system and it must have the same value on all application servers.

The normal sapms<SID> port can still be used for queries. Load distribution functions and the retrieval of application server lists and logon groups are not affected.

Access Control List (ACL) for Application Servers

With parameter ms/acl_info you can specify a file with access authorizations to the message server. If this file exists, it must include all host names, domains, IP addresses and/or subnetwork masks from which application servers are allowed to log on to the message server.

The names can be either put in a list or written in separate lines.

This file has no effect on external clients that only want to get information from the message server; they can still do this.

The entries must have the following syntax:

HOST=[* | IP address | host name | subnetwork mask | domain ] [, . . .]

You create the file at operating system level. You can then display and reload the file in the message server monitor (transaction SMMS) by choosing Goto > Security Settings > Access Control.

Example

HOST = sapapp1, sapapp2 means: Only logons from sapapp1 and sapapp2 are allowed.

HOST = *.sap.com means: All host names from the domain sap.com are allowed.

HOST = 157.23.45.56, 157.23.45.57 means: Only hosts with these IP addresses are allowed.

HOST = 157.23.45.* means: All hosts from this subnetwork are allowed.

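
As an added example (not from SAP's documentation or code), the following Python script lints a constructed ms/acl_info file against the list of application servers that must be able to log on, so that a forgotten entry is caught before the file is reloaded in SMMS. The entry forms follow the examples above; '#' comment handling and case-insensitive wildcard matching are my assumptions.

```python
from fnmatch import fnmatchcase

# Added example, not SAP code: lint an ms/acl_info file before reloading it
# in SMMS. Entry forms follow the page (*, host name, *.domain, IP address,
# 157.23.45.*); '#' comments and case-insensitive wildcard matching are
# assumptions.

SAMPLE_ACL = """\
# constructed sample ms/acl_info contents
HOST = sapapp1, sapapp2
HOST = *.sap.com
HOST = 157.23.45.56, 157.23.45.57
HOST = 157.23.45.*
"""

# constructed list of application servers that must be able to log on
APP_SERVERS = ["sapapp1", "sapapp2", "sapapp3", "157.23.45.56", "10.0.0.9"]


def parse_acl(text):
    """Return all HOST entries; comma lists and separate lines both count."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().upper() != "HOST":
            raise ValueError(f"not a HOST entry: {raw!r}")
        entries.extend(v.strip() for v in value.split(",") if v.strip())
    return entries


def is_allowed(client, entries):
    """client is a host name or IP address; '*' in an entry is a wildcard."""
    return any(fnmatchcase(client.lower(), e.lower()) for e in entries)


def lint_acl(text, app_servers):
    """Return (servers not allowed to log on, entries that allow everything)."""
    entries = parse_acl(text)
    denied = [s for s in app_servers if not is_allowed(s, entries)]
    too_broad = [e for e in entries if e == "*"]
    return denied, too_broad


if __name__ == "__main__":
    denied, too_broad = lint_acl(SAMPLE_ACL, APP_SERVERS)
    print("not allowed to log on:", denied)   # ['sapapp3', '10.0.0.9']
    print("allow-all entries:", too_broad)    # []
```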
Access Control List (ACL) for Network Connections

With an ACL (Access Control List) you can control which hosts are permitted to open a connection to the message server. A separate ACL can be used for each port on the message server.

If you want to look at the syntax of the ACL file, you can find the relevant link under More Information.

The following profile parameters each assign an ACL file to one of the message server ports:

ms/acl_file_admin

Administration port on the message server, which is set with parameter ms/admin_port (see below).

ms/acl_file_ext

External port on the message server, which all clients can use. This port is set with parameter rdisp/msserv.

ms/acl_file_extbnd

Port on which an external binding program (icmbnd) has to log on in order to bind a port. This port is set with parameter rdisp/extbnd_port.

ms/acl_file_int

Internal port on the message server, which is set with parameter rdisp/msserv_internal (see above).

ms/server_port_<xx>

This parameter identifies the message server port at which HTTP(S) requests can arrive.

The character string has the following syntax:

PROT=<protocol name>, PORT=<port or service name>[,TIMEOUT=<timeout>, PROCTIMEOUT=<proctimeout>, EXTBIND=1, HOST=<host name>, SSLCONFIG=ssl_config_<xx>, VCLIENT=<SSL client verification>, ACLFILE=<ACL file>]

Option ACLFILE specifies the file that is used as the access control list (ACL). If the profile parameter is set, the file must exist and its syntax must be correct.

Unlike with parameter icm/server_port_<xx>, the following options are ignored:

  • KEEPALIVE

  • VCLIENT

  • TIMEOUT

Furthermore, only the HTTP and HTTPS protocols are accepted; an error message is generated for any other protocol.

This parameter replaces the parameters ms/http_port and ms/https_port, which were used earlier. Do not use these two parameters for the message server any longer; they are only needed by the SAP Web Dispatcher.

Administration Using Profile Parameters

ms/monitor

With parameter ms/monitor you can specify that only application servers can modify the internal status of the message server. The external msmon monitoring program then has restricted access. The parameter can have the following values:

  • 0: Only application servers are allowed to change the internal memory of the message server and perform monitoring functions (default value).

  • 1: External (monitoring) programs are also allowed to do this.

ms/admin_port

With parameter ms/admin_port = <no.> (default value 0) you can open and close TCP ports of the message server for administration. An external client can connect to the message server through this port to carry out administration tasks on the message server. By default, administration from external programs is deactivated (ms/monitor = 0). To enable this for individual programs, a special port can be opened. Clients that log on to the message server through this port are allowed to carry out all administration tasks.

The parameter can be changed dynamically. A value less than or equal to 0 closes the admin port again. If you have administrator authorization, you can see this parameter in the parameter list.

To open, change, or close the admin port in productive operation, choose Goto > Security Settings > Admin Port in the message server monitor (transaction SMMS).