The registration authorization applies to all programs, which means that the reginfo file contains the line TP=*.
The evaluation of the log file provides you with an overview of the communication running through the gateway. You can see which external programs have been started and which have been rejected (with reasons). This enables you to manage your configuration.
If you are using the Logging-Based Setting, you can adjust the configuration of the security files secinfo and reginfo to meet your requirements after you have evaluated the log file.
We recommend you start with a restrictive configuration, and then allow further programs as required. The procedure is described in section Making Security Settings for External Programs.
Display the contents of the file. You can display the file contents, and save them to your local computer in transaction SMGW. Choose .
Since everything is permitted in secinfo and reginfo, you will only see entries with reginfo accepted and secinfo accepted.
Entries in secinfo accepted are checked against entries in secinfo.
Entries in reginfo accepted are checked against entries in reginfo.
S Wed Aug 01 2007 10:36:52:181 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A
S Wed Aug 01 2007 10:37:57:183 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A
S Wed Aug 01 2007 10:39:02:185 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A
S Wed Aug 01 2007 10:39:05:740 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=ld8061.wdf.sap.corp, TP=gnetx.exe
S Wed Aug 01 2007 10:39:48:577 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=ld8061.wdf.sap.corp, TP=/usr/sap/BIN/SYS/exe/run/tp
Find the entries for the secinfo file.
Entries for secinfo always contain the following components:
USER=<name> : User who wants to start the external program
USER-HOST=<user host> : Host name from where the gateway was requested to start the program (when the program is started from the system, the host name is always the name of the application server).
HOST=<host> : Host on which the program was started.
TP=<program name> : Program name
You could now simply filter out all duplicate entries from the log file and write the remaining entries to the secinfo file. This allows all programs that are running in the environment.
If this means there are a large number of programs, group together entries using appropriate wild cards to make the secinfo file more manageable.
Example of Entries in secinfo File
TP=/usr/sap/BIN/SYS/exe/run/* Allows all programs in the executable directory of the server to be started.
HOST=* Allows programs to be started on any host. This could be restricted to a subnetwork mask or domain name, for example, 10.66.66.* or *.sap.corp.
USER=* Allows all users to use the external program.
With programs started from SAPGUI, the gateway cannot check whether this SAPGUI is allowed. The IP address of the application server is used to make the check (see next line).
S Wed Aug 01 2007 10:39:05:740 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=host1.wdf.sap.corp, TP=gnetx.exe
Find the entries for the reginfo file.
Entries for reginfo always contain the following components:
TP=<regi id> : Registration ID of the server program that is being registered
HOST=<host> : Host from where the server is permitted to log on.
ACCESS=<host> : Host from which the RFC client is permitted to use a registered program.
CANCEL=<host> : Host from which the RFC client is permitted to stop a registered program.
You could now simply filter out all duplicate entries from the log file and write the remaining entries to the reginfo file. This allows all programs as they are running in the environment to register.
If there are a large number of programs to register, group together entries using appropriate wild cards to make the reginfo file more manageable.
Example of Entries in reginfo File
TP=IGS.WDFD00146227A HOST=* allows registration of IGS.WDFD00146227A from every host.
TP=Bex* HOST=*sap.corp allows programs with registration ID Bex* to register provided they come from hosts in the SAP network.
If you want to allow access to the registered server, for example, from the local application server only, you have to add ACCESS=local to the entry. To terminate the server from transaction SMGW, you need to add CANCEL=local.
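The de-duplication step described above for both secinfo and reginfo, as an added example that is not part of the original documentation: it parses accepted entries in the log format shown in the excerpt and lists each distinct component set once, with a hit count. The function names, the space-separated output layout and the last sample line are assumptions; the output is a candidate list to review and tighten with wild cards, not finished file syntax.

```python
import re

# Log lines in the format of the excerpt above; the last line is a constructed duplicate.
SAMPLE_LOG = """\
S Wed Aug 01 2007 10:36:52:181 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A
S Wed Aug 01 2007 10:37:57:183 reginfo accepted server: TP=IGS.WDFD00146227A, HOST=WDFD00146227A
S Wed Aug 01 2007 10:39:05:740 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=ld8061.wdf.sap.corp, TP=gnetx.exe
S Wed Aug 01 2007 10:39:48:577 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=ld8061.wdf.sap.corp, TP=/usr/sap/BIN/SYS/exe/run/tp
S Wed Aug 01 2007 10:40:01:002 secinfo accepted: USER=MUSTER, USER-HOST=host1.wdf.sap.corp, HOST=ld8061.wdf.sap.corp, TP=gnetx.exe
"""

# "S <timestamp> secinfo accepted: ..." or "S <timestamp> reginfo accepted server: ..."
LINE_RE = re.compile(r"^S .*? (secinfo|reginfo) accepted(?: server)?: (.*)$")
# Components kept per file, as listed in the text (ACCESS/CANCEL are not in the log excerpt).
FIELDS = {"secinfo": ("TP", "HOST", "USER", "USER-HOST"), "reginfo": ("TP", "HOST")}


def parse_line(line):
    """Return (kind, {component: value}) for an accepted entry, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group(2).split(","):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return m.group(1), fields


def candidate_entries(log_text):
    """De-duplicate accepted entries; return {kind: [(entry, hit_count), ...]}."""
    seen = {"secinfo": {}, "reginfo": {}}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # rejected or unrelated lines are left for manual review
        kind, fields = parsed
        if any(k not in fields for k in FIELDS[kind]):
            continue  # incomplete entry: do not guess missing components
        entry = " ".join(f"{k}={fields[k]}" for k in FIELDS[kind])
        seen[kind][entry] = seen[kind].get(entry, 0) + 1
    return {kind: list(entries.items()) for kind, entries in seen.items()}


if __name__ == "__main__":
    for kind, entries in candidate_entries(SAMPLE_LOG).items():
        print(f"# candidates for {kind}")
        for entry, hits in entries:
            print(f"{entry}    # seen {hits}x")
```

The hit counts show which entries are in regular use; an entry seen only once is worth checking before it is allowed permanently.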