Making Security Settings for External Programs

Use

To ensure the SAP gateway operates securely, you have to be especially aware of interaction with external programs. You can configure the gateway to ensure that undesirable external programs cannot be run.

There are two ways to do this:

  • Logging-based configuration

    To ensure SAP programs required for system operation are not blocked by a configuration that is too restrictive, you should configure the security files to enable all connections, and monitor the gateway using gateway logging. This way you get an overview of which programs are to be allowed, and then you can edit the secinfo and reginfo configuration files accordingly.

    For more information about the procedure, see Setting Up Logging-Based Configuration.

  • Restrictive configuration (secure configuration)

    You configure the gateway so that initially only system-internal programs can be started and registered.

    After that you can add programs you want to allow to the secinfo and reginfo configuration files.

    Recommendation

    This procedure is recommended by SAP, and is described below.

Prerequisites

The parameters have the following value (default setting):

gw/sec_info = $(DIR_DATA)/secinfo

gw/reg_info = $(DIR_DATA)/reginfo

If they have a different value, change them to the value above. If you want to configure other file paths for the files, set the parameters accordingly.

Recommendation

reginfo and secinfo are created and administered for each application server. For reasons of maintainability, SAP recommends that one reginfo file and one secinfo file are created in a shared working directory for each SAP system. For example:

  • gw/sec_info = $(DIR_GLOBAL)$(DIR_SEP)secinfo

  • gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo

If you are using Windows as the operating system, the files should have the ending .DAT.

Procedure

To set up the recommended secure gateway configuration, proceed as follows:

  1. Check the secinfo and reginfo files. To do this, in the gateway monitor (transaction SMGW) choose Goto > Expert Functions > External Security > Display (secinfo) or Display (reginfo).

    To enable system-internal communication, the files must contain the following entries.

    • secinfo

      P TP=* USER=* USER-HOST=local HOST=local

      P TP=* USER=* USER-HOST=internal HOST=internal

      This means that programs on the gateway host can be started by the gateway host, and that programs within the system can be started from the system.

    • reginfo

      P TP=* HOST=local CANCEL=local ACCESS=*

      P TP=* HOST=internal CANCEL=internal ACCESS=*

      This means that programs from the gateway host can register, and that programs within the system can register.

      Recommendation

      This recommendation applies to existing systems. If a new system has been installed, we recommend the restrictive setting:

      P TP=* HOST=local CANCEL=local ACCESS=local

      P TP=* HOST=internal CANCEL=internal ACCESS=internal

    If the files do not exist, the system behaves as if these entries were available.

  2. Extend these files as required. Enable the configured RFC destinations (transaction SM59) as required by making the relevant entries in the secinfo file.

    To do this, proceed as follows:

    1. Look at the current secinfo file. In the gateway monitor (transaction SMGW) choose Goto > Expert Functions > External Security > Display (secinfo). Here you can check whether the file complies with your requirements.

    2. To add further entries to the file, choose Goto > Expert Functions > External Security > Create (secinfo).

    3. In the following dialog box select the relevant entries, and choose Save Selected Entries in File.

      The lines in the file appear in a new dialog box.

    4. Choose Save Entries in File.

      If the file already exists, you can decide whether you want to replace this file with the selected entries, or whether to add the selected entries to this file.

      Note

      The system always adds the lines referred to in step 1 to the file automatically, because system operation would otherwise be affected.

    5. Decide whether the changes are to be activated immediately or not. If not, you can activate them at any time by choosing Goto > Expert Functions > External Security > Reread.

    6. Check your secinfo file.

      Choose Display ACL File.

      Note

      Here you can see the configuration that is currently active in the gateway. If the content of the file has been changed but the file has not yet been reread, the message "not identical to the content of the file" is displayed; the file itself can be viewed in the file browser (transaction AL11).

You can also maintain the secinfo file at operating system level and reread it in transaction SMGW (Goto > Expert Functions > External Security > Reread).
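Because the files can be edited at operating system level, it is useful to verify them before rereading. The following added example (not SAP code) parses the "P KEY=VALUE ..." line format shown in step 1, checks that the mandatory system-internal entries are present, and reports whether a reginfo file uses the ACCESS=* form shown for existing systems or the restrictive ACCESS=local/ACCESS=internal form recommended for new systems; the sample file contents are constructed for the demonstration.

```python
# Checker for SAP gateway secinfo/reginfo ACL files (added example, not SAP code).
# Parses the "P KEY=VALUE ..." line format shown above, verifies that the
# system-internal entries from step 1 are present, and reports whether reginfo
# uses ACCESS=* (existing systems) or ACCESS=local/internal (new systems).

# Mandatory system-internal entries from step 1 (values taken from the page).
REQUIRED_SECINFO = [
    {"TP": "*", "USER": "*", "USER-HOST": "local", "HOST": "local"},
    {"TP": "*", "USER": "*", "USER-HOST": "internal", "HOST": "internal"},
]
REQUIRED_REGINFO = [
    {"TP": "*", "HOST": "local", "CANCEL": "local"},
    {"TP": "*", "HOST": "internal", "CANCEL": "internal"},
]

# Constructed sample file contents for the demonstration (not from a real system).
SAMPLE_SECINFO = "P TP=* USER=* USER-HOST=local HOST=local\nP TP=* USER=* USER-HOST=internal HOST=internal\n"
SAMPLE_REGINFO_EXISTING = "P TP=* HOST=local CANCEL=local ACCESS=*\nP TP=* HOST=internal CANCEL=internal ACCESS=*\n"
SAMPLE_REGINFO_NEW = "P TP=* HOST=local CANCEL=local ACCESS=local\nP TP=* HOST=internal CANCEL=internal ACCESS=internal\n"

def parse_acl(text):
    """Return (action, {key: value}) per rule line; blank and '#' lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
        rules.append((action.upper(), fields))
    return rules

def has_rule(rules, required):
    """True if some P (permit) rule carries every key/value pair in `required`."""
    return any(action == "P" and all(fields.get(k) == v for k, v in required.items())
               for action, fields in rules)

def check_secinfo(text):
    rules = parse_acl(text)
    return {"internal_entries_present": all(has_rule(rules, r) for r in REQUIRED_SECINFO)}

def check_reginfo(text):
    rules = parse_acl(text)
    present = all(has_rule(rules, r) for r in REQUIRED_REGINFO)
    # ACCESS=* is the setting shown for existing systems; ACCESS=local/internal is
    # the restrictive setting recommended for new systems.
    permissive = [f for a, f in rules if a == "P" and f.get("ACCESS") == "*"]
    return {"internal_entries_present": present, "restrictive_access": not permissive}
```

Run the checks against the file contents read from $(DIR_DATA)/secinfo and $(DIR_DATA)/reginfo (or the shared-directory paths) before choosing Reread in SMGW.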

More Information
  • You can find information about the structure and the syntax of the security files secinfo and reginfo in Gateway Security Files secinfo and reginfo.

  • SAP Note 1408081 describes the configuration of the security files for SAP systems for current and older releases.