on 12-17-2013 6:32 PM
Hello Gurus,
The recommended value for the parameter gw/acl_mode in production systems is "1".
What can be the impacts or risks if I still keep it as "0"?
Regards,
Nivin
Hi Nivin,
Do one thing: maintain reginfo.DAT and secinfo.DAT in each app server and CI server in location \usr\sap\<SID>\D000\data,
reginfo.DAT = P TP=*
secinfo.DAT = P TP=* USER=* USER-HOST=* HOST=*
and check the parameters gw/reg_info and gw/sec_info also, with the values \usr\sap\<SID>\D000\data\reginfo.DAT and \usr\sap\<SID>\D000/data\secinfo.DAT.
Then only maintain gw/acl_mode = 1. Hope in early watch early value will be green.
Cheers
Rableen
Hi Rableen/Gurus,
Current state of the system:
gw/reg_no_conn_info = 1
gw/acl_mode = 0
gw/reg_info = \usr\sap\<SID>\D000\data\reginfo
gw/sec_info = \usr\sap\<SID>\D000\data\secinfo
The reginfo & secinfo files are not available in the said location though.
If I create the files what are the entries that I should add, will it create any impacts to the preset state of the system? How should I proceed?
P.S.: Actually I'm not clear with the terms "allow registration of external server program" regarding the gw/acl_mode parameter.
Thanks,
Nivin
Hi,
Please check below link for more information on this topic.
http://wiki.scn.sap.com/wiki/display/Security/Gateway+Access+Control+Lists
Hello,
We have moved this WIKI to another WIKI space.
Tip: always use the WIKI "tiny link" to share it.
New link to the WIKI:
Gateway Access Control Lists - Application Server Infrastructure - SCN Wiki
Regards,
Isaías
Hello Nivin,
It's important to stress that the profile parameter "gw/acl_mode = 0" is taken into consideration ONLY if the "secinfo" file under "/usr/sap/<sid>/<instance>/data" does not exist. In case of any file named "secinfo" (disregarding its actual contents), it has use priority.
Hope it helps,
Cheers!
Hi,
As per the below note
See the documentation of the parameter. The parameter with value 1 should ensure an initial security after installation. Deactivating the parameter is not recommended. For security reasons, it is instead suggested that you maintain the files
1843782 - GW: Installation changes default from gw/acl_mode to 1
Related to the early watch report.
In this section, the profile parameters gw/reg_no_conn_info, gw/acl_mode, gw/sec_info, and gw/reg_info are checked. The highest possible rating of this section is yellow. For additional information, refer to SAP Notes 1444282, 1480644, and 1425765.
863362 - Security checks in the SAP EarlyWatch Alert
Thanks
Rishi Abrol
Hello
Please read these
1480644 - gw/acl_mode versus gw/reg_no_conn_info
SAP NetWeaver Application Server ABAP Security Guide - SAP Library
If you set the parameter gw/acl_mode to 0 then there is no restriction for starting or registering external programs
If you set the parameter gw/acl_mode to 1 then the system will restrict you unless you maintain reg_info and sec_info files.
Refer to these notes as well
1408081 - Basic settings for reg_info and sec_info
1069911 - GW: Changes to the ACL list of the gateway (reginfo)
1850230 - GW: "Registration of tp <program ID> not allowed"
1305851 - Overview note: reg_info and sec_info
Regards
RB
Hello Reagan,
We have set the parameters as per the suggestion from the above notes.
Below is the output of secinfo
====================================
#VERSION=2
#
# created by HP1 at 20150309
#
# local access should be allowed by default
# P TP=* USER=* USER-HOST=local HOST=local
#
# internal (server from the same SID) access should be allowed by default
# P TP=* USER=* USER-HOST=internal HOST=internal
#
# list of external programs form SM59 which must be explicitly defined
#
P TP=* USER=* USER-HOST=* HOST=*
===================================
and reginfo
#VERSION=2
#
# created by HP1 at 20150309
#
# local access should be allowed by default
# P TP=* HOST=local
#
# internal (server from the same SID) access should be allowed by default
# P TP=* HOST=internal
#
# list of registered programs form SM59 which must be explicitly defined
#
#
# the following row should be the last row in file, see SAP note 2075799!
# die folgenden Zeile sollte die LETZTE in der reginfo sein, siehe Hinweis 2075799!
#
P TP=*
We have maintained the profile parameter for the path of secinfo and reginfo.
Still, registering the RFC server program does not work,
and we are on 721 kernel patch level 413.
Please help.
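Added example (not part of any post in this thread, and not SAP code): a small Python audit for secinfo/reginfo files like the ones quoted above, reporting the first permit rule in which every field is a wildcard and any rules placed after it. It assumes top-to-bottom, first-match evaluation and that a key left out of a rule is unrestricted; the sample contents are constructed from lines in the posts, and `TP=myprog` is a hypothetical entry.

```python
import re

# Constructed samples based on the files quoted in the thread.
SAMPLE_SECINFO = """\
#VERSION=2
# P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=* HOST=*
P TP=myprog USER=* USER-HOST=internal HOST=internal
"""
SAMPLE_REGINFO = """\
#VERSION=2
# P TP=* HOST=internal
P TP=*
"""

SECINFO_KEYS = ("TP", "USER", "USER-HOST", "HOST")
REGINFO_KEYS = ("TP", "HOST")
RULE_RE = re.compile(r"^([PD])\s+(.*)$", re.IGNORECASE)

def parse_acl(text):
    """Return (line_no, action, fields) for every active rule line."""
    rules = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or the #VERSION header
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {no}: not a P/D rule: {raw!r}")
        fields = {}
        for token in m.group(2).split():
            key, sep, value = token.partition("=")
            if not sep:
                raise ValueError(f"line {no}: bad token {token!r}")
            fields[key.upper()] = value
        rules.append((no, m.group(1).upper(), fields))
    return rules

def audit(text, keys):
    """Find the first permit-all rule and the rules it makes unreachable."""
    permit_all_line, shadowed = None, []
    for no, action, fields in parse_acl(text):
        if permit_all_line is not None:
            shadowed.append(no)  # never evaluated under first-match
        elif action == "P" and all(fields.get(k, "*") == "*" for k in keys):
            permit_all_line = no  # assumption: a missing key means "any"
    return {"permit_all_line": permit_all_line, "shadowed": shadowed}
```

A non-empty `permit_all_line` means the file permits every request it is consulted for, so from that line on it restricts nothing, whatever gw/acl_mode is set to.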