
Security Parameters of the SAP Gateway

The parameters described below are used to configure the gateway to ensure secure connections.

Integration

Refer also to Security Settings in the SAP Gateway.

Prerequisites

Your system must be configured for using the SNC interface.

Features

gw/acl_file

This parameter specifies the name of an access control list (ACL) file. With an ACL you can configure who is permitted to connect to the gateway.

Note

  • The same ACL file is used for the standard port and for the SNC port of the gateway.

  • If the specified ACL file does not exist or contains errors, the gateway shuts down immediately.

Caution

If the parameter is not set, no access control is applied.

Default Setting

Empty (no ACL file is used)

Dynamic

No

For more information, see: Configuring Network-Based Access Control Lists (ACL)

gw/acl_mode

This parameter defines the behavior of the gateway if no ACL file (gw/sec_info or gw/reg_info) exists.

The following values are permitted:

  • 0 : There is no restriction on starting external servers or registering servers.

    Recommendation

    This setting should not be used in production operation.

  • 1 : External and registered servers are only permitted within the system (application servers of the same system). All other servers are rejected or have to be maintained in the respective files.

Default Setting

1

Dynamic

Yes

gw/logging

With this parameter you can configure gateway logging. You can specify whether the gateway writes its actions to a log file, which types of actions are logged, and how the file is renamed. You can also define a maximum size for the file and specify whether old files are overwritten.

Recommendation

If the gateway is running in an AS ABAP instance, we recommend that you make the settings for gateway logging in the gateway monitor (transaction SMGW). If you want the logging settings to be permanent, so that logging works again after the instance has been restarted, you have to set this parameter in the profile.

You must set the parameter as follows:

Syntax

    gw/logging = LOGFILE=<name> ACTION=[TERSMPXVCO]
        [MAXSIZEKB=n] [SWITCHTF=t] [FILEWRAP=on]

The meaning of the individual elements is as follows:

  • LOGFILE: File name of the log file

  • ACTION: The character sequence (subset from TERSMPXVCO) specifies the actions to log.

  • MAXSIZEKB (optional): Maximum file size. As soon as the file exceeds this size, a new file is opened; the new file name can change if special characters are used. This is the case unless a condition was specified for SWITCHTF that applies first.

  • SWITCHTF (optional): Opens a new file after a specific time period, unless a condition was specified for MAXSIZEKB that applies first.

    The following values can be specified:

    • year: After one year a new file is opened

    • month: After one month

    • week: After one week

    • day: After one day

    • hour: After one hour

  • FILEWRAP (optional): Reuse file. This parameter can only have the value ON. If this value is set, no new file is written; instead, the file that is already open is reset and overwritten. The values for parameter LOGFILE are only used the first time the file is opened.
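The following validator for a gw/logging value is an added example, not SAP code. It checks a value against the syntax and element rules listed above and warns when FILEWRAP=on would overwrite earlier log entries. The function name, the sample file name gw_log, and the matching rules stated in the docstring are assumptions.

```python
ACTIONS = set("TERSMPXVCO")  # action letters from the syntax on this page
SWITCH_PERIODS = {"year", "month", "week", "day", "hour"}
KNOWN = {"LOGFILE", "ACTION", "MAXSIZEKB", "SWITCHTF", "FILEWRAP"}

def parse_gw_logging(value):
    """Validate a gw/logging value; return (fields, warnings) or raise ValueError.

    Assumptions (not from the page): element names are matched exactly as
    documented, values case-insensitively, and LOGFILE contains no whitespace.
    """
    fields = {}
    for token in value.split():
        key, sep, val = token.partition("=")
        if not sep or not val:
            raise ValueError(f"malformed element {token!r}")
        if key not in KNOWN:
            raise ValueError(f"unknown element {key!r}")
        if key in fields:
            raise ValueError(f"element {key} given twice")
        fields[key] = val
    for required in ("LOGFILE", "ACTION"):
        if required not in fields:
            raise ValueError(f"{required} is mandatory")
    bad = set(fields["ACTION"].upper()) - ACTIONS
    if bad:
        raise ValueError(f"ACTION letters outside TERSMPXVCO: {sorted(bad)}")
    if "MAXSIZEKB" in fields:
        if not fields["MAXSIZEKB"].isdigit() or int(fields["MAXSIZEKB"]) == 0:
            raise ValueError("MAXSIZEKB must be a positive integer")
        fields["MAXSIZEKB"] = int(fields["MAXSIZEKB"])
    if "SWITCHTF" in fields and fields["SWITCHTF"].lower() not in SWITCH_PERIODS:
        raise ValueError(f"SWITCHTF must be one of {sorted(SWITCH_PERIODS)}")
    warnings = []
    if "FILEWRAP" in fields:
        if fields["FILEWRAP"].lower() != "on":
            raise ValueError("FILEWRAP can only have the value ON")
        warnings.append("FILEWRAP=on: the open log file is reset and overwritten, "
                        "so earlier entries are lost")
    return fields, warnings

# Constructed sample value (the file name is a placeholder).
SAMPLE = "LOGFILE=gw_log ACTION=SP MAXSIZEKB=1000 SWITCHTF=day"
```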

gw/monitor

This parameter specifies how the SAP gateway handles monitor commands.

The following values are possible:

  • 0: No monitor commands are accepted

  • 1: Only commands from the local SAP gateway monitor are accepted

  • 2: Commands from local SAP gateway monitors and external SAP gateway monitors are accepted.

Default Setting

1

Dynamic

Yes

(Though only in the direction of more security, that is, from 1 to 2, and not from 2 to 1)


gw/sec_info

File with the security information.

Any unauthorized starting of external programs can be prevented by maintaining the file secinfo in the data directory of the gateway instance.

Default Setting

<Data Directory>/secinfo

Dynamic

No

(Values cannot be changed dynamically, but you can completely reload the file when the gateway is running)

For more information, see: Making Security Settings for External Programs

gw/reg_info

File with the security information for registered programs.

Unauthorized registration of programs can be prevented by maintaining the file reginfo in the data directory of the gateway instance.

If the file exists, the system searches for valid registration entries in this list. If there are none, the system searches in the gw/sec_info file, as before.

Default Setting

<Data Directory>/reginfo

Dynamic

No

(Values cannot be changed dynamically, but you can completely reload the file when the system is running)

For more information, see: Making Security Settings for External Programs

SNC Parameters

There are a number of additional parameters that control the behavior of the SAP Gateway in conjunction with SNC (Secure Network Communication).

| Parameter | Meaning | Default Value | Dynamic |
|---|---|---|---|
| snc/enable | This parameter specifies whether the gateway accepts connections that protect the data via SNC. | 0 | No |
| snc/permit_insecure_comm | This parameter specifies whether the gateway accepts connections without SNC. | 0 | No |
| snc/permit_insecure_start | This parameter specifies whether the gateway may establish connections with programs that communicate without SNC. | 0 | No |
| snc/permit_common_name | This parameter specifies whether the gateway can use a default SNC name specified by the parameter snc/identity/as, if an SNC name for the connection cannot be read from secinfo. | 0 | No |
| snc/gssapi_lib | Path for the shared library of the security system in use. | "" | No |
| snc/identity/as | Identity of the gateway application server | "" | No |
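The following profile audit is an added example, not SAP code. It applies the defaults documented on this page to an instance profile and reports the settings the page cautions about. The function names, the finding texts, the sample profile, and the choice to evaluate the snc/permit_* parameters only when snc/enable is 1 are assumptions.

```python
# Defaults as documented on this page ("" means empty / not set).
DEFAULTS = {
    "gw/acl_file": "", "gw/acl_mode": "1", "gw/monitor": "1", "snc/enable": "0",
    "snc/permit_insecure_comm": "0", "snc/permit_insecure_start": "0",
    "snc/permit_common_name": "0",
}
# (parameter, value that triggers a finding, what the page says that value means)
CHECKS = [
    ("gw/acl_file", "", "no ACL file, so no network access control is applied"),
    ("gw/acl_mode", "0", "no restriction if secinfo/reginfo is missing"),
    ("gw/monitor", "2", "commands from external gateway monitors are accepted"),
    ("snc/enable", "0", "SNC-protected connections are not accepted"),
]
# Assumption of this example: these are evaluated only once SNC is enabled.
SNC_CHECKS = [
    ("snc/permit_insecure_comm", "1", "connections without SNC are accepted"),
    ("snc/permit_insecure_start", "1", "gateway may connect to programs without SNC"),
    ("snc/permit_common_name", "1", "default SNC name from snc/identity/as may be used"),
]

def parse_profile(text):
    """Return {name: value} from 'name = value' lines; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)  # gw/logging values contain '=' too
            params[name.strip()] = value.strip()
    return params

def audit(text):
    """Return sorted (parameter, finding) pairs for a profile given as text."""
    explicit = parse_profile(text)
    cfg = {**DEFAULTS, **explicit}
    checks = CHECKS + (SNC_CHECKS if cfg["snc/enable"] == "1" else [])
    findings = [(name, why) for name, bad, why in checks if cfg[name] == bad]
    if "gw/logging" not in explicit:
        findings.append(("gw/logging", "not in profile: logging is not permanent"))
    return sorted(findings)

# Constructed sample profile (not from a real system).
SAMPLE_PROFILE = (
    "# gateway settings\n"
    "gw/acl_mode = 0\ngw/monitor = 2\n"
    "gw/logging = LOGFILE=gw_log ACTION=SP MAXSIZEKB=1000\n"
    "snc/enable = 1\nsnc/permit_insecure_comm = 1\n"
)
```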