Secure use of JCO

stephen_kneale

What's SAP's "best practice" in utilizing JCO? A hacker only needs to know the SAP host, system number, and the program ID. Then he can stand up a JCO server instance and start intercepting outbound calls. Any suggestions to make it more secure?

Not sure which forum to post this on, we are running 4.6C, so not using NetWeaver.


Former Member

> Not sure which forum to post this on, we are running 4.6C, so not using NetWeaver.

So have you actually tried what you have described above, or is it a prediction you are making back into the future?

If you get into the server network and can install software there, then you can get up to a lot of tricks...

Cheers,

Julius


Yes, we have tried it. And if you attempt to display the target system in SM59, it displays first one server, then at the next display it will show the other server, maybe at random.

We saw similar results when running the outbound RFC function module.


> Yes, we have tried it. And if you attempt to display the target system in SM59, it displays first one server, then at the next display it will show the other server, maybe at random.

Have you made any entries in your secinfo and reginfo files for the RFC gateway? Within the server network, you can control inbound and outbound connections this way - forcing inbound calls to the local SAP system context (USER_HOST parameter) and outbound to specific hosts (HOST parameter).

> We saw similar results when running the outbound RFC function module.

Are you using DNS name lists, maintaining the host name in SM59?

That your ABAP function module is randomly attempting a connection (you are already on the inside and have access to SM59, SE37, SA38, can install software on a server, etc. - but I know that is not the point you are wanting to make about the credentials presented...) is most likely some performance consideration, probably controlled via the message server.

Have you looked into any config possibilities there? Have you tried this from "the outside"? How does the message server react? (tip: try to flood the message server with requests).

Also, can I assume that this is within your server network? I think in this case you can mitigate the risk to some large extent by only allowing trusted admins into that zone...

Cheers,

Julius

WolfgangJanzen

The gateway allows you to control from which host a registration request for a particular registration ID will be accepted (keyword: reginfo).

And it's also possible to set up an ACL which limits the usage of registered servers (secinfo).

See: [Online Help|http://help.sap.com/saphelp_nw04s/Helpdata/en/0a/64861a386e481c90400401e6f20bba/content.htm], [SAP Note 1105897|https://service.sap.com/sap/support/notes/1105897] and [SAP Note 910919|https://service.sap.com/sap/support/notes/910919].
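To make the reginfo point from the last two replies concrete, here is an added example (my own code, not SAP's gateway implementation and not part of the original thread) that models how version-2 reginfo rules are evaluated for a registration request: rules are read top to bottom, the first line whose TP and HOST both match decides, and a request that matches no line falls back to a default. It then checks a rogue JCo server registering under the original poster's scenario against a permissive file and against a hardened one. The host names, the program ID JCO_SRV, the `INTERNAL_HOSTS` set, the glob-style TP matching, and the permissive no-match default are all assumptions made for the illustration.

```python
"""Simplified model of RFC gateway 'reginfo' evaluation (added example, not SAP code).

Rule syntax follows the version-2 file format:  P|D TP=<prog> HOST=<hosts> ACCESS=<hosts> CANCEL=<hosts>
Matching is first-match-wins in file order; anything else here is a modelling assumption.
"""
import fnmatch

# Constructed network picture (assumption): the gateway runs on appserv01 and the
# SAP system's own instances are the hosts the 'internal' keyword should cover.
LOCAL_HOST = "appserv01.example.internal"
INTERNAL_HOSTS = {"appserv01.example.internal", "appserv02.example.internal"}

RULE_KEYS = ("TP", "HOST", "ACCESS", "CANCEL")


def parse_reginfo(text):
    """Parse version-2 reginfo lines into rule dicts, preserving file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#VERSION=2' and comments are skipped
            continue
        action, *opts = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"unknown action in reginfo line: {line!r}")
        # Assumption: an omitted host list behaves like '*'.
        rule = {"action": action, "TP": None, "HOST": "*", "ACCESS": "*", "CANCEL": "*"}
        for opt in opts:
            key, _, value = opt.partition("=")
            if key not in RULE_KEYS or not value:
                raise ValueError(f"bad option {opt!r} in reginfo line: {line!r}")
            rule[key] = value
        if rule["TP"] is None:
            raise ValueError(f"reginfo rule without TP=: {line!r}")
        rules.append(rule)
    return rules


def host_matches(host_list, host):
    """True if host matches any comma-separated entry: '*', 'local', 'internal' or a host pattern."""
    for pat in host_list.split(","):
        if pat == "*":
            return True
        if pat == "local" and host == LOCAL_HOST:
            return True
        if pat == "internal" and host in INTERNAL_HOSTS:
            return True
        if fnmatch.fnmatchcase(host.lower(), pat.lower()):
            return True
    return False


def may_register(rules, program_id, host, default_allow=True):
    """Decide whether `host` may register `program_id`.

    Returns (allowed, matching_rule_or_None). The first rule whose TP and HOST
    match wins. default_allow=True models a gateway with no effective reginfo
    (the permissive situation the original poster describes); a hardened file
    ends with 'D TP=*' so the default never applies.
    """
    for rule in rules:
        if fnmatch.fnmatchcase(program_id, rule["TP"]) and host_matches(rule["HOST"], host):
            return rule["action"] == "P", rule
    return default_allow, None


# Constructed configurations (assumption). WEAK lets any host register any program ID,
# which is exactly what allows a second JCo server to hijack outbound calls.
WEAK_REGINFO = """\
#VERSION=2
P TP=* HOST=*
"""

# HARDENED pins the program ID to the host that legitimately runs the JCo server,
# restricts who may talk to it and cancel it, and denies everything else explicitly.
HARDENED_REGINFO = """\
#VERSION=2
P TP=JCO_SRV HOST=jcohost01.example.internal ACCESS=internal CANCEL=local
D TP=*
"""


def evaluate_scenario():
    """Check a legitimate and a rogue registration of JCO_SRV against both files."""
    legit_host = "jcohost01.example.internal"
    rogue_host = "laptop-attacker.example.corp"
    results = {}
    for name, cfg in (("weak", WEAK_REGINFO), ("hardened", HARDENED_REGINFO)):
        rules = parse_reginfo(cfg)
        results[name] = {
            "legit": may_register(rules, "JCO_SRV", legit_host)[0],
            "rogue": may_register(rules, "JCO_SRV", rogue_host)[0],
        }
    return results


if __name__ == "__main__":
    for name, outcome in evaluate_scenario().items():
        print(f"{name:9s} legit={outcome['legit']!s:5s} rogue={outcome['rogue']}")
```

The model deliberately keeps the permissive default visible as a parameter: the safe pattern is not to rely on the gateway's default at all but to end the file with an explicit `D TP=*` line, so that any program ID or host you did not list is rejected regardless of kernel behaviour. The same first-match reading applies to secinfo for the outbound side.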