Show TOC

Procedure documentationMaking Security Settings for External Programs Locate this document in the navigation structure

 

To ensure the SAP gateway operates securely, you have to be especially aware of interaction with external programs. You can configure the gateway to ensure that undesirable external programs cannot be run.

There are two ways to do this:

  • Logging-based configuration

    To ensure SAP programs required for system operation are not blocked by a configuration that is too restrictive, you should configure the security files to enable all connections, and monitor the gateway using gateway logging. This way you get an overview of which programs are to be allowed, and then you can edit the secinfo and reginfo configuration files accordingly.

    For more information about the procedure, see Setting Up Logging-Based Configuration.

  • Restrictive configuration (secure configuration)

    You configure the gateway so that initially only system-internal programs can be started and registered.

    After that you can add programs you want to allow to the secinfo and reginfo configuration files.

    Recommendation Recommendation

    This procedure is recommended by SAP, and is described below.

    End of the recommendation.

Prerequisites

The parameters have the following value (default setting):

gw/sec_info = $(DIR_DATA)/secinfo

gw/reg_info = $(DIR_DATA)/reginfo

If they have a different value, change them to the value above. If you want to configure other file paths for the files, set the parameters accordingly.

Recommendation Recommendation

reginfo and secinfo are created for and administrated for each application server. For reasons of maintainability SAP recommends that one reginfo file and one secinfo file is created in a shared working directory for each SAP system. For example:

  • gw/sec_info = $(DIR_GLOBAL)$(DIR_SEP)secinfo

  • gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo

If you are using Windows as the operating system, the files should have the ending .DAT.

End of the recommendation.

Procedure

To set up the recommended secure gateway configuration, proceed as follows:

  1. Check the secinfo and reginfo files. To do this, in the gateway monitor (transaction SMGW) choose   Goto   Expert Functions   External Security   Display (secinfo)   or Display (reginfo).

    To enable system-internal communication, the files must contain the following entries.

    • secinfo

      P TP=* USER=* USER-HOST=local HOST=local

      P TP=* USER=* USER-HOST=internal HOST=internal

      This means that programs on the gateway host can be started by the gateway host, and that programs within the system can be started from the system.

    • reginfo

      P TP=* HOST=local CANCEL=local ACCESS=*

      P TP=* HOST=internal CANCEL=internal ACCESS=*

      This means that programs from the gateway host can register, and that programs within the system can register.

      Recommendation Recommendation

      This recommendation applies to existing systems. If a new system has been installed, we recommend the restrictive setting

      P TP=* HOST=local CANCEL=local ACCESS=local

      P TP=* HOST=internal CANCEL=internal ACCESS=internal

      End of the recommendation.

    If the files do not exist, the system behaves as if these entries were available.

  2. Extend these files as required. Enable the configured RFC destinations (transaction SM59) as required by making the relevant entries in the secinfo file.

    To do this, proceed as follows:

    1. Look at the current secinfo file. In the gateway monitor (transaction SMGW) choose   Goto   Expert Functions   External Security   Display (secinfo)  . Here you can check whether the file complies with your requirements.

    2. To add further entries to the file, choose   Goto   Expert Functions   External Security   Create (secinfo)  .

    3. In the following dialog box select the relevant entries, and choose Save Selected Entries in File (Save Selected Entries in File).

      The lines in the file appear in a new dialog box.

    4. Choose Save Entries in File (Save Entries in File).

      If the file already exists, you can decide whether you want to replace this file with the selected entries, or whether to add the selected entries to this file.

      Note Note

      The system always adds the lines referred to in step 1 to the file automatically, otherwise system operation will be affected.

      End of the note.
    5. Decide whether the changes are to be activated immediately or not. If not, you can activate them at any time by choosing   Goto   Expert Functions   External Security   Reread  .

    6. Check your secinfo file.

      Choose Display ACL File (Display ACL File).

      Note Note

      Here you can see the configuration that is currently active in the gateway. If the content of the file has been changed, but the file has not been reread, you can view the message not identical to the content of the file in the file browser (transaction AL11).

      End of the note.

You can maintain the secinfo file at operating system level too, and reread it in transaction SMGW (  Goto   Expert Functions   External Security   Reread  ).

More Information

  • You can find information about the structure and the syntax of the security files secinfo and reginfo in Gateway Security Files secinfo and reginfo.

  • SAP Note 1408081 describes the configuration of the security files for SAP systems for current and older releases.