
Restricting Registration of External Server Programs

Use

If you use a registered RFC server (based on the RFC SDK, NW RFC SDK, JCo, .NET Connector, or Business Connector), there is always the risk that an attacker registers a harmful external program under an RFC destination and intercepts the RFC calls that were meant for the legitimate external RFC program.

Prerequisites

To use the following procedure, the SAP system must fulfill the following prerequisites:

      SAP Kernel 7.00

      Patch Level 119

      ABAP Support Package 13

Procedure

You can use two different mechanisms to prevent unwanted external programs from registering with an RFC destination:

      Use the reginfofile

      Use SNC (Secure Network Communications)

Proceed as follows:

reginfo File

      In the $DIR_DATA directory, create a file with the name reginfo.

Note

If you want to use a different directory and/or file name, specify the new path and file name in the gw/reg_info profile parameter.

      The reginfo file is read at system start. Each line can contain one or more of the following values:

       Program ID. This identifies the RFC destination (the registered program) to which the following security settings apply.

       Host name (or IP address) from which a registration can be made for this RFC destination.

       Host name (or IP address) from which RFC calls may be sent to this RFC destination.

       Host name (or IP address) from which registered external programs may be deregistered.

Note

The Gateway allows registered programs to be deregistered remotely. There is the danger that an attacker uses this function for a denial of service attack. You can prevent such attacks by restricting the hosts that are authorized for this.

       Maximum number of registered servers for the defined program ID.

Note

You can either explicitly allow or exclude activities (registration, deregistration, RFC calls) using the reginfo file.
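The following is an added example, not part of the SAP documentation: a small lint that reads a reginfo file and flags permit lines that leave one of the settings listed above unrestricted. The page names the fields but not their keywords, so the TP=/HOST=/ACCESS=/CANCEL=/NO= keys and the P/D line prefixes are assumed from the Gateway's reginfo syntax, and a missing key is treated as unrestricted, since the Gateway's defaults are not stated on the page.

```python
"""Lint a reginfo file for permissive entries (added example, assumptions noted)."""

# Constructed sample reginfo content: one permissive line, one restricted line,
# and a closing deny line. Keywords TP/HOST/ACCESS/CANCEL/NO are assumed syntax.
SAMPLE_REGINFO = """\
# reginfo - constructed example, not a shipped file
P TP=* HOST=*
P TP=JCO_SERVER HOST=app01.example.internal ACCESS=app01.example.internal CANCEL=app01.example.internal NO=1
D TP=*
"""

def _kv(text):
    """Split 'KEY=value KEY=value' tokens into a dict."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)

def parse_line(line):
    """Return (action, fields) for a rule line, or None for blank/comment lines.

    'P' permits, 'D' denies. A line without a prefix is treated as a permit
    (older permit-only syntax; assumption, not stated on the page).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, _, rest = line.partition(" ")
    if first in ("P", "D"):
        return first, _kv(rest)
    return "P", _kv(line)

def find_weak_entries(text):
    """Return [(line_no, finding)] for permit lines that leave a setting open."""
    findings = []
    checks = (("HOST", "registration"), ("ACCESS", "RFC calls"),
              ("CANCEL", "deregistration"))
    for no, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_line(raw)
        if parsed is None or parsed[0] != "P":
            continue
        f = parsed[1]
        if f.get("TP", "*") == "*":
            findings.append((no, "TP=* permits any program ID"))
        for key, what in checks:
            if f.get(key, "*") == "*":
                findings.append((no, f"{key} unrestricted: {what} from any host"))
        if "NO" not in f:
            findings.append((no, "NO missing: no limit on registered servers"))
    return findings

if __name__ == "__main__":
    for line_no, finding in find_weak_entries(SAMPLE_REGINFO):
        print(f"line {line_no}: {finding}")
```

Run against the sample, every finding lands on line 2; the JCO_SERVER line, which pins registration, RFC calls and deregistration to one host and caps registrations at one, produces none.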

SNC

      When creating an RFC destination (transaction SM59), activate SNC for this destination and define an SNC name for the external program.

The Gateway then allows registration for the related program ID only if the external program registers using SNC with a digitally signed certificate that contains the defined SNC name.

Note

This procedure is intended in particular to defend against IP spoofing attacks, which could circumvent the security settings in the reginfo file.

More Information

For detailed information on configuring SAP Gateway and the reginfo file:

      SAP Gateway

      Making Security Settings for External Programs

For detailed information on SNC: SNC User's Guide:

      http://service.sap.com/security → Security in Detail → Secure User Access → Authentication & Single Sign-On
