
Gateway and Message Server Security as in EWA: Please help me on this

former_member190251
Participant

Hello All

I would like to know what the use of the parameters below is. I want to convey this to the customer. Please help me on this.

If the parameters are not set, what will be the impact on the system?

Regards

S.Subramani

9.1.4 Gateway and Message Server Security

9.1.4.1 Gateway Security

Gateway Security Properties

The parameter GW/REG_NO_CONN_INFO controls the activation of certain security properties of the SAP gateway. It is defined as a bit mask with one bit per property.

SAP Note 1298433 “Bypassing security in reginfo & secinfo” is not activated in your system. The bit mask value for bit 1 is not set.

Recommendation: Enable the missing property by adding the bitmask value to the current value of GW/REG_NO_CONN_INFO. For more information about GW/REG_NO_CONN_INFO, see SAP Note 1444282.

Gateway Access Control Lists

PARAMETERS: GW/SEC_INFO GW/REG_INFO

Rating | Instance      | Error Condition
-------+---------------+-----------------------------------------
       | All instances | gw/reg_info and gw/sec_info are defined

REG_INFO

Rating | Instance      | Error Condition                                | File does not exist (default)
-------+---------------+------------------------------------------------+------------------------------
       | All instances | File reg_info does not exist (delivery status) |

SEC_INFO

Rating | Instance      | Error Condition                                | File does not exist (default)
-------+---------------+------------------------------------------------+------------------------------
       | All instances | File sec_info does not exist (delivery status) | P TP=* USER=* HOST=*

Recommendation: The profile parameters gw/sec_info and gw/reg_info provide the file names of the corresponding access control lists. These access control lists are critical to controlling RFC access to your system, including connections to RFC servers. You should create and maintain both access control lists, which you can do using transaction SMGW. For more information, see SAP Note 1425765.

9.1.4.2 Message Server Security

Separation of Internal and External Message Server Communication

PARAMETERS: RDISP/MSSERV RDISP/MSSERV_INTERNAL

Rating | Instance    | Error Condition                      | Value of rdisp/msserv | Value of rdisp/msserv_internal
-------+-------------+--------------------------------------+-----------------------+-------------------------------
       | skp9_PS2_00 | rdisp/msserv_internal is not defined | sapmsPS2              |

Recommendation: Communication with the message server should be separated into SAP system internal communication (TCP/IP port defined by rdisp/msserv_internal) and communication from user SAPGUIs to the system (TCP/IP port defined by rdisp/msserv), for example. Network firewalls should block access to the port specified in rdisp/msserv_internal from outside the SAP system.

Set parameter rdisp/msserv_internal to a TCP/IP port number different to the port number specified in rdisp/msserv and additionally protect access to the internal message server port by appropriate firewalls. For more information, see SAP Note 821875.

Message Server Access Control List

PARAMETER: MS/ACL_INFO

Rating | Instance    | Error Condition
-------+-------------+-------------------------------------
       | skp9_PS2_00 | ms/acl_info is not defined or empty

Recommendation: The profile parameter ms/acl_info provides the file name of the message server's access control list. This list controls which application servers are allowed to log on to the message server.

SAP recommends defining and properly maintaining this list to prevent rogue application servers from accessing the system. For more information, see SAP Note 821875.
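The four findings quoted above can be reproduced from an instance profile. The script below is an added example, not SAP, EarlyWatch or the poster's code: it parses profile text, raises the same findings as section 9.1.4, and shows the two points a practitioner needs when fixing them. Only the meaning of bit value 1 of gw/reg_no_conn_info (SAP Note 1298433) is taken from the report; other bits are passed in by the caller rather than guessed. The two profile texts are constructed, and the "add the bitmask value" recommendation is implemented as a bitwise OR, which is what it means in practice.

```python
"""Re-run the section 9.1.4 checks against a SAP instance profile.

Added example (not SAP, EWA or the poster's code). Both profile texts are
constructed; only bit value 1 of gw/reg_no_conn_info is taken from the report.
"""

# Constructed profile in the state the EWA excerpt describes (every check fails).
WEAK_PROFILE = """\
SAPSYSTEMNAME = PS2
INSTANCE_NAME = DVEBMGS00
rdisp/msserv = sapmsPS2
gw/reg_no_conn_info = 0
# gw/sec_info, gw/reg_info, rdisp/msserv_internal and ms/acl_info are not set
"""

# Constructed profile after applying the four recommendations.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PS2
INSTANCE_NAME = DVEBMGS00
rdisp/msserv = sapmsPS2
rdisp/msserv_internal = 3900
gw/reg_no_conn_info = 1
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
ms/acl_info = $(DIR_DATA)/ms_acl_info
"""

# bit value -> what it activates; only the entry the report names is hard-coded
REQUIRED_GW_BITS = {1: "SAP Note 1298433, bypassing security in reginfo & secinfo"}


def parse_profile(text):
    """Parse 'name = value' profile lines. '#' starts a comment; parameter
    names are case-insensitive, so they are stored lower-cased."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip().lower()] = value.strip()
    return params


def missing_gw_bits(value, required=REQUIRED_GW_BITS):
    """Bits of gw/reg_no_conn_info that are required but not set in value."""
    return {bit: why for bit, why in required.items() if not value & bit}


def hardened_gw_value(value, required=REQUIRED_GW_BITS):
    """Turn the required bits on with bitwise OR. The report says 'add the
    bitmask value'; plain addition is only safe while the bit is still 0,
    otherwise it carries into a different, unintended bit (1 + 1 = 2)."""
    for bit in required:
        value |= bit
    return value


def check_profile(params):
    """Return the findings the EWA section would raise for this profile."""
    findings = []

    gw_value = int(params.get("gw/reg_no_conn_info", "0"))
    for bit, why in missing_gw_bits(gw_value).items():
        findings.append(f"gw/reg_no_conn_info: bit value {bit} not set ({why}); "
                        f"set the parameter to {hardened_gw_value(gw_value)}")

    if not params.get("gw/sec_info"):
        findings.append("gw/sec_info not defined: starting external programs falls back to 'P TP=* USER=* HOST=*'")
    if not params.get("gw/reg_info"):
        findings.append("gw/reg_info not defined: registration of external RFC servers is not restricted")

    external = params.get("rdisp/msserv")
    internal = params.get("rdisp/msserv_internal")
    if not internal:
        findings.append("rdisp/msserv_internal not defined: internal and SAPGUI message server traffic share one port")
    elif internal == external:  # service names such as sapmsPS2 are compared as written, not resolved
        findings.append("rdisp/msserv_internal equals rdisp/msserv: the two ports must differ")

    if not params.get("ms/acl_info"):
        findings.append("ms/acl_info not defined or empty: any host may register as an application server")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"--- {name} profile ---")
        for finding in check_profile(parse_profile(text)) or ["no findings"]:
            print(" ", finding)
```

Run against the weak profile it prints the five findings of the report; against the hardened one it prints nothing. The firewall rule for the rdisp/msserv_internal port is outside the profile and still has to be checked separately.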

Answers (1)

bxiv
Active Contributor

The information is letting you know that anything or everyone can access the system; items like 'ms/acl_info' are a way to authorize those things or people to access the system. If left wide open, then you are just making it easier for malicious people to brute force or DDoS the system and attempt to gain access to it.

Security is best served in layers.
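To make "wide open" concrete for the gateway side of the report: the line P TP=* USER=* HOST=* that applies when no sec_info file exists permits every program start from every host. The evaluator below is an added example, not SAP's gateway code, and models the secinfo ACL in simplified form: rules are P (permit) or D (deny) with TP, USER, HOST and USER-HOST fields, an omitted field means *, the first matching rule wins and a request matching no rule is denied. The keywords local and internal and the reginfo file are not modelled; the maintained list, host names and program names are constructed.

```python
"""Simplified evaluator for the SAP gateway secinfo ACL.

Added example (not SAP's gateway code). Modelling assumptions: P/D rules with
TP, USER, HOST, USER-HOST; omitted field = '*'; first match wins; no match =
deny. 'local'/'internal' keywords are not modelled. The maintained list below
is constructed.
"""
import fnmatch

# What applies when gw/sec_info is not defined (quoted in the EWA report).
DELIVERY_DEFAULT_SECINFO = "P TP=* USER=* HOST=*"

# Constructed maintained list: two named programs, everything else denied.
HARDENED_SECINFO = """\
#VERSION=2
P TP=sapxpg USER=* HOST=apphost1,apphost2 USER-HOST=apphost1,apphost2
P TP=/usr/sap/PS2/exe/taxcalc USER=taxadm HOST=apphost1 USER-HOST=apphost1
D TP=* USER=* HOST=* USER-HOST=*
"""

FIELDS = ("TP", "USER", "HOST", "USER-HOST")


def parse_secinfo(text):
    """Parse secinfo rules; blank lines and '#' lines (incl. #VERSION) are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"rule must start with P or D: {raw!r}")
        rule = {"action": action, **{f: "*" for f in FIELDS}}
        for field in fields:
            key, sep, value = field.partition("=")
            if key.upper() not in FIELDS or not sep or not value:
                raise ValueError(f"bad field {field!r} in {raw!r}")
            rule[key.upper()] = value
        rules.append(rule)
    return rules


def _match_list(pattern, value, fold_case):
    """pattern is a comma-separated list of shell-style wildcards."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in pattern.split(","))


def evaluate(rules, tp, user, host, user_host):
    """True if the gateway would start program tp for user, requested from
    host, where user_host is the host the requesting user works on."""
    for rule in rules:
        if (_match_list(rule["TP"], tp, fold_case=False)            # program paths: case-sensitive
                and _match_list(rule["USER"], user, fold_case=False)
                and _match_list(rule["HOST"], host, fold_case=True)  # host names: case-insensitive
                and _match_list(rule["USER-HOST"], user_host, fold_case=True)):
            return rule["action"] == "P"
    return False  # no rule matched: implicit deny


if __name__ == "__main__":
    request = ("/bin/sh", "anyuser", "attacker.example.net", "attacker.example.net")
    print("delivery default:", evaluate(parse_secinfo(DELIVERY_DEFAULT_SECINFO), *request))  # True
    print("maintained list: ", evaluate(parse_secinfo(HARDENED_SECINFO), *request))         # False
```

The same request, a shell started from an unknown host, is permitted by the delivery default and denied by the maintained list; the explicit D line at the end makes the deny visible in the file rather than relying on the implicit one.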