Setting Up Logging-Based Configuration

Context

For the procedure described here you must first enable full communication with the gateway. Based on the log file written, adjust the security settings in the secinfo and reginfo files.

Procedure

  1. Set up gateway logging by setting the following parameters in the profile:

    gw/sec_info = $(DIR_DATA)/secinfo

    gw/reg_info = $(DIR_DATA)/reginfo

    gw/logging = ACTION=S LOGFILE=gw_log-%y-%m%d SWITCHTF=day

    Note

    If an SAP system consists of multiple application servers, add the system ID (three-letter SID) and the server name to the file name. This enables the files to be identified when they are collected centrally for analysis. You can use the environment variables $(SAPSYSTEMNAME) and $(SAPLOCALHOST) to set the parameter as follows:

    gw/logging = ACTION=S LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)-%y%m%d SWITCHTF=day

    This logs all security-relevant gateway actions in a separate file. You can also make this setting within the system.

    For more information: Setting Up Gateway Logging

  2. In the $(DIR_DATA) directory, create the secinfo and reginfo files with the following contents:
    • secinfo contains only the line USER=* HOST=* TP=*

    • reginfo contains only the line TP=*

    With this configuration of secinfo and reginfo all programs can be started from the gateway, and all programs can register in the gateway.

    Caution

    These settings are only temporary and are used for finding out which programs are to be included in the files. While these settings are active, the gateway is not protected against external programs.

  3. Activate the configuration files secinfo and reginfo by choosing Goto > Expert Functions > External Security > Reread in transaction SMGW. Activate these files on every application server instance of the system. To do this, call the server overview (transaction SM51) and switch the instance by double-clicking.
  4. Leave the system running with these settings for a few days, and execute all actions that relate to external programs and registered servers.
  5. Evaluate the log file. Proceed as described in section Evaluating the Log File.
  6. Maintain the files secinfo and reginfo accordingly.
  7. Activate the files (see step 3).
  8. Leave the system running with these settings, but still monitor the logging. Pay particular attention to the entries secinfo denied and reginfo denied. These are external programs and registered servers that are not allowed to be run, as specified in the settings. Possibly, a new component that requires additional external programs and registered servers is being tested or introduced. The administrator then has to decide whether these entries should be included in the security files.
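
The following check is an added example, not part of the original SAP documentation: it reads the contents of a secinfo or reginfo file and reports every permit rule that still allows everything, which is the temporary state from step 2 that must be gone after step 7. The optional P/D prefix, the HOST selector in reginfo, the handling of missing selectors, and all sample user, host and program names are assumptions of this example.

```python
# Selectors per file. USER/HOST/TP (secinfo) and TP (reginfo) are from the
# page; checking HOST in reginfo is an assumption of this example.
SELECTORS = {"secinfo": ("USER", "HOST", "TP"), "reginfo": ("TP", "HOST")}


def parse_rule(line):
    """Return (action, {KEY: value}); None for blank, comment or field-less lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    action = "P"  # assumption: a line without a prefix permits, as on the page
    if tokens[0].upper() in ("P", "D"):  # assumption: optional permit/deny prefix
        action = tokens.pop(0).upper()
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            fields[key.upper()] = value
    return (action, fields) if fields else None


def open_rules(text, kind):
    """Return [(line_no, rule)] for permit rules whose every selector is '*'."""
    # Assumption: a selector missing from a rule counts as unrestricted, so
    # the check errs on the side of reporting.
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        rule = parse_rule(raw)
        if rule is None:
            continue
        action, fields = rule
        if action == "P" and all(fields.get(k, "*") == "*" for k in SELECTORS[kind]):
            findings.append((line_no, raw.strip()))
    return findings


# Constructed samples: the temporary files from step 2, and a maintained
# secinfo whose user, host and program names are hypothetical.
TEMP_SECINFO = "USER=* HOST=* TP=*\n"
TEMP_REGINFO = "TP=*\n"
MAINTAINED_SECINFO = ("# constructed example\nUSER=batchuser HOST=apphost01 "
                      "TP=report_tool\nUSER=* HOST=apphost01 TP=*\n")

if __name__ == "__main__":
    samples = (("secinfo", TEMP_SECINFO), ("reginfo", TEMP_REGINFO),
               ("secinfo", MAINTAINED_SECINFO))
    for kind, text in samples:
        print(kind, open_rules(text, kind))
```

Run it against the files of every application server instance after step 7; any finding means that instance's gateway is still in the unprotected state the Caution describes.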