Gateway Security Files secinfo and reginfo

The secinfo security file is used to prevent unauthorized launching of external programs.

File reginfo controls the registration of external programs in the gateway.

You can define the file path using profile parameters gw/sec_info and gw/reg_info. The default value is:

gw/sec_info = $(DIR_DATA)/secinfo

gw/reg_info = $(DIR_DATA)/reginfo

When the gateway is started, it rereads both security files. You can make dynamic changes by changing, adding, or deleting entries in the reginfo file. Then the file can be immediately activated by reloading the security files.

Caution

If one of the files has no entries or its syntax is incorrect, the gateway closes down.

Maintaining the Security Files

You can edit the files in the following ways:

  • Use the gateway monitor in AS ABAP (transaction SMGW).

    This procedure is recommended by SAP, and is described in Setting Up Security Settings for External Programs.

  • Use an editor, and edit the files at operating system level.

    You must keep precisely to the syntax of the files, which is described below.

    There are two different versions of the syntax for both files: Syntax version 1 does not enable programs to be explicitly forbidden from being started or registered. For this reason, as an alternative you can work with syntax version 2, which complies with the route permission table of the SAProuter. If you want to use this syntax, the whole file must be structured accordingly and the first line must contain the entry #VERSION=2 (written precisely in this format).

    Once you have completed the change, you can reload the files without having to restart the gateway. To do this, in the gateway monitor (transaction SMGW) choose Goto -> Expert Functions -> External Security -> Reread.

Structure

secinfo

The following syntax is valid for the secinfo file.

Version 1

A line in the file has the format:

Syntax

TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]

This order is not mandatory. As separators you can use commas or spaces. If the TP name itself contains spaces, you have to use commas instead.

Use a line of this format to allow the user <user> to start the <tp> program on the host <host>.

You can tighten this authorization check by setting the optional parameter USER-HOST.

The value internal for the host options (HOST and USER-HOST) stands for all hosts in the SAP system. The gateway replaces it internally with the list of all application servers in the SAP system.

Caution

Both options are case-sensitive. For example, for option HOST, the following applies:

  • Correct: HOST

  • Incorrect: Host, host, hOst

Example

  • USER=mueller, HOST=hw1414, TP=test: The user mueller can execute the test program on the host hw1414.

  • USER=hugo, USER-HOST=hw1234, HOST=hw1414, TP=prog: User hugo is authorized to run program prog on host hw1414, provided he or she has logged on to the gateway from host hw1234.

If the user has used the CMSCSU call to set the security user, then this is also used for checking.

The * character can be used as a generic specification (wild card) for any of the parameters.

If USER-HOST is not specified, the value * is assumed.

Version 2

The format of the first line is #VERSION=2, all further lines are structured as follows:

Syntax

P|D TP=<tp>, USER=<user>, HOST=<host>, [USER-HOST=<user_host>]

Each line starts with P or D, followed by a space or a TAB, with the following meaning:

  • P means that the program is permitted to be started (the same as a line with the old syntax)

  • D prevents this program from being started.

The order of the remaining entries is of no importance.

Example

Example of a secinfo file in new syntax:

#VERSION=2

D HOST=* USER=* TP=/bin/sap/cpict4

P HOST=* USER=* TP=/bin/sap/cpict*

P TP=hugo HOST=local USER=*

P TP=* USER=* USER-HOST=internal HOST=internal

This file means:

  • Program cpict4 is not permitted to be started.

  • All other programs whose names start with cpict are allowed to be started (on every host and by every user).

  • Program hugo is allowed to be started on every local host and by every user.

  • All programs started by hosts within the SAP system can be started on all hosts in the system.

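The secinfo rules described above (version 1 and version 2, case-sensitive option names, comma or space separators, the default USER-HOST=*, the values internal and local, and the P/D prefix) can be exercised with the following Python evaluator. It is an added example written for this page, not SAP's code and not the gateway's implementation. It assumes that in version 2 the first matching line decides, as in the SAProuter route permission table the page refers to; that local means the gateway's own host (local_host); and that the application-server list behind internal is supplied by the caller (internal_hosts). Because a malformed or empty file stops the gateway, parse_secinfo rejects such files in the same cases, which makes it usable as a pre-check before reloading the file. Run over the version 2 example file above, may_start reproduces the four statements that explain it.

```python
"""Evaluate gateway secinfo rules (added example, not SAP's own code).

Assumptions not stated on the page: in version 2 the first matching line
decides, as in the SAProuter route permission table; 'local' means the
gateway's own host; the list that replaces 'internal' is supplied by the
caller as internal_hosts."""
import fnmatch
import re

OPTIONS = ("TP", "USER", "HOST", "USER-HOST")   # TP, USER and HOST are mandatory


def parse_secinfo(text):
    """Return (version, rules). Raises ValueError where the gateway would
    close down: an empty file, or syntax errors such as a wrongly cased option."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines:
        raise ValueError("secinfo is empty: gateway would close down")
    version = 1
    if lines[0] == "#VERSION=2":
        version, lines = 2, lines[1:]
    rules = []
    for n, line in enumerate(lines, 1):
        if line.startswith("#"):
            continue
        action = "P"
        if version == 2:
            m = re.match(r"([PD])[ \t]+(.+)", line)      # P or D, then a space or a TAB
            if not m:
                raise ValueError(f"line {n}: version 2 lines must start with P or D")
            action, line = m.group(1), m.group(2)
        rule = {"USER-HOST": "*"}                        # default when not specified
        # Separators are commas or spaces; a TP containing spaces needs commas.
        parts = [p.strip() for p in line.split(",")] if "," in line else line.split()
        for part in parts:
            key, sep, value = part.partition("=")
            if not sep or key not in OPTIONS:            # 'Host' is not 'HOST'
                raise ValueError(f"line {n}: bad option {part!r} (options are case-sensitive)")
            rule[key] = value
        missing = [k for k in OPTIONS[:3] if k not in rule]
        if missing:
            raise ValueError(f"line {n}: missing {missing}")
        rules.append((action, rule))
    if not rules:
        raise ValueError("secinfo has no entries: gateway would close down")
    return version, rules


def host_matches(pattern, host, internal_hosts=(), local_host="localhost"):
    """HOST and USER-HOST values: '*' wildcard, exact name, 'internal'
    (all application servers of the system) and 'local' (gateway host)."""
    if pattern == "internal":
        return host == local_host or host in internal_hosts
    if pattern == "local":
        return host == local_host
    return fnmatch.fnmatchcase(host, pattern)


def may_start(secinfo, tp, user, host, user_host, internal_hosts=(), local_host="localhost"):
    """Decide whether <user>, logged on to the gateway from <user_host>, may
    start <tp> on <host>. Version 1 files contain only permits; in version 2
    the first matching P or D line decides. No match means the start is refused."""
    _, rules = secinfo
    for action, rule in rules:
        if (fnmatch.fnmatchcase(tp, rule["TP"])
                and fnmatch.fnmatchcase(user, rule["USER"])
                and host_matches(rule["HOST"], host, internal_hosts, local_host)
                and host_matches(rule["USER-HOST"], user_host, internal_hosts, local_host)):
            return action == "P"
    return False


if __name__ == "__main__":
    # Constructed input: the version 2 example file from the page.
    sec = parse_secinfo("#VERSION=2\nD HOST=* USER=* TP=/bin/sap/cpict4\n"
                        "P HOST=* USER=* TP=/bin/sap/cpict*\nP TP=hugo HOST=local USER=*\n"
                        "P TP=* USER=* USER-HOST=internal HOST=internal\n")
    print(may_start(sec, "/bin/sap/cpict4", "anyone", "hw1", "hw2"))   # denied by the D line
    print(may_start(sec, "/bin/sap/cpict7", "anyone", "hw1", "hw2"))   # permitted by cpict*
```

The order of the D and P lines matters under the first-match assumption: swapping the first two lines of the example file would permit cpict4 as well, because the cpict* line would then be reached first.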
reginfo

Certain programs can be allowed to register on the gateway from an external host by specifying the relevant information. You can also control access to the registered programs and cancel registered programs.

As soon as a program has registered with the gateway, the attributes of the matching reginfo entry (in particular ACCESS) are attached to the registered program. If the file is changed and the new entries are activated immediately, servers that are already registered therefore keep their old attributes. To apply changed settings to registered programs as well, those servers must first be deregistered and then registered again.

Successful and rejected registrations, and calls from registered programs, can be traced using Gateway Logging with indicator S.

Lines with errors are written to the trace file dev_rd and are not read in.

The reginfo file has the following syntax. There are two different syntax versions that you can use (not together).

Version 1

A line in the file has the format:

Syntax

TP=<tp> [HOST=<hostname>,...] [NO=<n>]
    [ACCESS=<hostname,...>] [CANCEL=<hostname,...>]

The value internal for the host options stands for all hosts in the SAP system. The gateway replaces it internally with the list of all application servers in the SAP system.

Caution

The options are case-sensitive. For example, for option HOST, the following applies:

  • Correct: HOST

  • Incorrect: Host, host, hOst

Comment lines begin with #.

The individual options can have the following values:

  • TP Name (TP=): Maximum 64 characters, blank spaces not allowed. The wild card character * stands for any number of characters; the entry * therefore means no limitation, fo* stands for all names beginning with fo; foo stands precisely for the name foo.

  • Host Name (HOST=, ACCESS= and/or CANCEL=): The wildcard character * stands for any host name, *.sap.com for a domain, sapprod for host sapprod. If the option is missing, this is equivalent to HOST=*.

  • IP Addresses (HOST=, ACCESS= and/or CANCEL=): You can use IP addresses instead of host names. Examples of valid addresses are:

    • Address strings: 1.2.3.4, A:B:C:D:E:F:1:2, A:B:C:D:E:F:1.2.3.4, A:B

    • Standard address prefixes: 192.1.1.3/12, A:B:C:D:E:1:2/60

    • Old SAProuter wild cards: 192.1.1.*, 192.1.1.101xxxxx

  • Number (NO=): Number between 0 and 65535. If the TP name has been specified without wild cards, you can specify the number of registrations allowed here.

    Example

    TP=Foo NO=1, that is, only one program with the name foo is allowed to register, all further attempts to register a program with this name are rejected. If this addition is missing, any number of servers with the same ID are allowed to log on.

ACCESS List

To control access from the client side too, you can define an access list for each entry. This is a list of host names that must comply with the rules above. If no access list is specified, the program can be used from any client. The local gateway where the program is registered always has access.

What is important here is that the check is made on the basis of hosts and not at user level.

Example

TP=foo ACCESS=*.sap.com

Program foo is only allowed to be used by hosts from domain *.sap.com. Access attempts coming from a different domain will be rejected. Of course the local application server is allowed access.

To permit registered servers to be used by local application servers only, the file must contain the following entry.

TP=* ACCESS=local [CANCEL=local]

CANCEL List

To control the cancellation of registered programs, a cancel list can be defined for each entry (same as for the ACCESS list). If no cancel list is specified, any client can cancel the program. The local gateway where the program is registered can always cancel the program.

In the gateway monitor (SMGW) choose Goto -> Logged On Clients, use the cursor to select the registered program, and choose Goto -> Logged On Clients -> Delete Client.

Note

The RFC library provides functions for closing registered programs. If the calling client does not match the criteria in the CANCEL list, it is not able to cancel a registered program. No error is returned, but the number of cancelled programs is zero.

Examples of valid entries

Entry                    Meaning
TP=* HOST=*              All registrations allowed
TP=foo* HOST=*           Registrations beginning with foo (but not f or fo) are allowed
TP=foo*                  All registrations beginning with foo (but not f or fo) are allowed; a missing HOST is rated as *
TP=* HOST=*.sap.com      All registrations from domain *.sap.com are allowed
TP=* ACCESS=*.sap.com    Only clients from domain *.sap.com are allowed to communicate with this registered program (and the local application server too)
TP=* ACCESS=local        Only clients from the local application server are allowed to communicate with this registered program

Version 2

The format of the first line is #VERSION=2, all further lines are structured as follows:

Syntax

P|D TP=<tp> [HOST=<hostname>,...] [NO=<n>]
    [ACCESS=<hostname,...>] [CANCEL=<hostname,...>]

Each line starts with P or D, followed by a space or a TAB, with the following meaning:

  • P means that the program is permitted to be registered (the same as a line with the old syntax)

  • D prevents this program from being registered on the gateway.

Example

Example of a reginfo file in new syntax:

#VERSION=2

P TP=cpict4 HOST=10.18.210.140

D TP=* HOST=10.18.210.140

P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost

P TP=cpict4

P TP=* USER=* HOST=internal

This file means:

  • Program cpict4 is allowed to be registered if it arrives from the host with address 10.18.210.140.

  • All other programs from host 10.18.210.140 are not allowed to be registered.

  • Program cpict2 is allowed to be registered, but can only be run and stopped from the local host or host ld8060.

  • Program cpict4 is allowed to be registered by any host.

  • Programs within the system are allowed to register.

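The reginfo rules of this section (TP wildcards, HOST lists with names, *.domain patterns, IP addresses, address prefixes and old SAProuter wildcards, NO= registration limits, and the ACCESS and CANCEL lists that are checked per host with the local gateway always allowed) can be exercised with the following Python evaluator. It is an added example written for this page, not SAP's code and not the gateway's implementation. It assumes that the first entry whose TP and HOST match decides (the page only says version 2 follows the SAProuter route permission table), that a program matching no entry may not register, that local means the gateway's own host (modelled here by the constructed set LOCAL_HOSTS), and that the application servers behind internal are supplied by the caller. The USER option that appears in the page's version 2 example is accepted but not used. Run over that example file, match_entry and may_register reproduce the five statements that explain it.

```python
"""Evaluate gateway reginfo entries (added example, not SAP's own code).

Assumptions not stated on the page: the first entry whose TP and HOST match
decides; a program matching no entry may not register; 'local' means the
gateway's own host, modelled by LOCAL_HOSTS; 'internal' is the caller's list
of application servers."""
import fnmatch
import ipaddress

LOCAL_HOSTS = {"localhost", "127.0.0.1"}                     # constructed: the gateway host
KNOWN_KEYS = {"TP", "HOST", "NO", "ACCESS", "CANCEL", "USER"}  # USER: in the page's example only


def host_matches(pattern, host, internal_hosts=()):
    """HOST/ACCESS/CANCEL patterns: '*', 'local', 'internal', plain names,
    name wildcards such as *.sap.com, IP addresses, CIDR prefixes such as
    192.1.1.3/12 and old SAProuter wildcards such as 192.1.1.*."""
    if pattern == "*":
        return True
    if pattern == "local":
        return host in LOCAL_HOSTS
    if pattern == "internal":
        return host in LOCAL_HOSTS or host in internal_hosts
    if "/" in pattern:
        try:  # strict=False accepts a host address before the slash, as the page's 192.1.1.3/12
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False                                     # a name cannot match a prefix
    return fnmatch.fnmatchcase(host, pattern)                # sapprod, *.sap.com, 192.1.1.*


def parse_reginfo(text):
    """Return the list of entries. Raises ValueError for an empty file (the
    gateway closes down) and for lines the gateway would reject as error lines
    (unknown or wrongly cased option, bad NO, missing or over-long TP)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines:
        raise ValueError("reginfo is empty: gateway would close down")
    version = 1
    if lines[0] == "#VERSION=2":
        version, lines = 2, lines[1:]
    entries = []
    for n, line in enumerate(lines, 1):
        if line.startswith("#"):
            continue
        action = "P"
        if version == 2:
            head = line.split(None, 1)                       # P or D, then a space or a TAB
            if len(head) != 2 or head[0] not in ("P", "D"):
                raise ValueError(f"line {n}: version 2 lines must start with P or D")
            action, line = head
        entry = {"action": action, "TP": None, "HOST": ["*"], "NO": None, "ACCESS": [], "CANCEL": []}
        for part in line.split():                            # TP names contain no blanks
            key, sep, value = part.partition("=")
            if not sep or key not in KNOWN_KEYS:
                raise ValueError(f"line {n}: bad option {part!r} (options are case-sensitive)")
            if key == "NO":
                entry["NO"] = int(value)
                if not 0 <= entry["NO"] <= 65535:
                    raise ValueError(f"line {n}: NO must be between 0 and 65535")
            elif key in ("HOST", "ACCESS", "CANCEL"):
                entry[key] = value.split(",")
            elif key == "TP":
                entry["TP"] = value
        if entry["TP"] is None or len(entry["TP"]) > 64:
            raise ValueError(f"line {n}: TP missing or longer than 64 characters")
        entries.append(entry)
    return entries


def match_entry(entries, tp, host, internal_hosts=()):
    """First entry whose TP pattern and HOST list match the registering host."""
    for e in entries:
        if fnmatch.fnmatchcase(tp, e["TP"]) and any(host_matches(p, host, internal_hosts) for p in e["HOST"]):
            return e
    return None


def may_register(entries, tp, host, internal_hosts=(), already_registered=0):
    """Registration decision; NO= caps the registrations of a wildcard-free TP."""
    e = match_entry(entries, tp, host, internal_hosts)
    if e is None or e["action"] == "D":
        return False
    if e["NO"] is not None and "*" not in e["TP"] and already_registered >= e["NO"]:
        return False
    return True


def client_allowed(entry, client_host, which):
    """ACCESS or CANCEL check (which = 'ACCESS' or 'CANCEL'): the local gateway
    always may, an empty list means any client may, and the decision is per
    host, never per user."""
    if client_host in LOCAL_HOSTS or not entry[which]:
        return True
    return any(host_matches(p, client_host) for p in entry[which])
```

A practical use of parse_reginfo is to run it over a changed file before choosing Reread in SMGW: the gateway would silently drop error lines to dev_rd, so a mis-cased option such as Host= would otherwise turn a deliberate restriction into a missing one.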