Configuring Connections between SAP Gateway and External Programs Securely

To ensure the SAP gateway operates securely, you have to be especially aware of interaction with external programs. You can configure the SAP gateway to ensure that undesirable external programs cannot be run.

There are two ways to do this:

Logging-based configuration
To ensure SAP programs required for system operation are not blocked by a configuration that is too restrictive, you should configure the security files to enable all connections, and monitor the SAP gateway using gateway logging. This way you get an overview of which programs are to be allowed, and then you can edit the secinfo and reginfo configuration files accordingly.

For more information about the procedure, see Setting Up Logging-Based Configuration.
Restrictive configuration (secure configuration)
You configure the SAP gateway so that initially only system-internal programs can be started and registered.

After that you can add programs you want to allow to the secinfo and reginfo configuration files.

Recommendation
This procedure is recommended by SAP, and is described below.

End of the recommendation.

Prerequisites

The parameters have the following value (default setting):

gw/sec_info = $(DIR_DATA)/secinfo

gw/reg_info = $(DIR_DATA)/reginfo

If they have a different value, change them to the value above. If you want to configure other file paths for the files, set the parameters accordingly.

Parameter gw/acl_mode has the following value (default setting):

gw/acl_mode = 1

Recommendation

reginfo and secinfo are created for and administrated for each application server. For reasons of maintainability SAP recommends that one reginfo file and one secinfo file is created in a shared working directory for each SAP system. For example:

gw/sec_info = $(DIR_GLOBAL)$(DIR_SEP)secinfo
gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo

If you are using Windows as the operating system, the files should have the ending .DAT.

End of the recommendation.

Procedure

To set up the recommended secure SAP gateway configuration, proceed as follows:

Check the secinfo and reginfo files. To do this, in the gateway monitor (transaction SMGW) choose Goto Expert Functions External Security Display (secinfo) or Display (reginfo).
To enable system-internal communication, the files must contain the following entries.
- secinfo
  P TP=* USER=* USER-HOST=local HOST=local
  
  P TP=* USER=* USER-HOST=internal HOST=internal
  
  This means that programs on the gateway host can be started by the gateway host, and that programs within the system can be started from the system.
- reginfo
  P TP=* HOST=local CANCEL=local ACCESS=*
  
  P TP=* HOST=internal CANCEL=internal ACCESS=*
  
  This means that programs from the gateway host can register, and that programs within the system can register.
  
  Recommendation
  This recommendation applies to existing systems. If a new system has been installed, we recommend the restrictive setting
  
  P TP=* HOST=local CANCEL=local ACCESS=local
  
  P TP=* HOST=internal CANCEL=internal ACCESS=internal
  
  End of the recommendation.
If the files do not exist, the system behaves as if these entries were available.
Extend these files as required. Enable the configured RFC destinations (transaction SM59) as required by making the relevant entries in the secinfo file.
To do this, proceed as follows:
1. Look at the current secinfo file. In the gateway monitor (transaction SMGW) choose Goto Expert Functions External Security Display (secinfo) . Here you can check whether the file complies with your requirements.
2. To add further entries to the file, choose Goto Expert Functions External Security Create (secinfo) .
3. In the following dialog box select the relevant entries, and choose (Save Selected Entries in File).
  The lines in the file appear in a new dialog box.
4. Choose (Save Entries in File).
  If the file already exists, you can decide whether you want to replace this file with the selected entries, or whether to add the selected entries to this file.
  
  Note
  The system always adds the lines referred to in step 1 to the file automatically, otherwise system operation will be affected.
  
  End of the note.
5. Decide whether the changes are to be activated immediately or not. If not, you can activate them at any time by choosing Goto Expert Functions External Security Reread .
6. Check your secinfo file.
  Choose (Display ACL File).
  
  Note
  Here you can see the configuration that is currently active in the SAP gateway. If the content of the file has been changed, but the file has not been reread, you can view the message not identical to the content of the file in the file browser (transaction AL11).
  
  End of the note.

You can maintain the secinfo file at operating system level too, and reread it in transaction SMGW ( Goto Expert Functions External Security Reread ).

More Information

SAP Gateway Security Files secinfo and reginfo.
Security Parameters of the SAP Gateway
Setting Up SAP Gateway Logging.
Evaluating the SAP Gateway Log File
Logging-Based Configuration of SAP Gateway
Checking the Security Configuration of SAP Gateway.
SAP Note 1408081 describes the configuration of the security files for SAP systems for current and older releases.