on 01-14-2014 7:58 AM
Hello gurus,
SAP gateway is an SAP component which is responsible for handling client requests and redirecting them to appropriate SAP services for execution. Due to missing access control
settings, an attacker on the network can execute operating system commands on
any system that the SAP gateway manages.
To avoid this, I need to set up 2 parameters:
gw/reg_info -> /usr/sap/SID/instance_profile/data/reginfo
gw/sec_info -> /usr/sap/SID/instance_profile/data/secinfo
The strange thing is that I can see them in SMGW transaction -> Go to -> Parameters -> Display, and they seem to be set correctly.
But I am curious, aren't these parameters supposed to be visible also in rz11 or rz10 in the instance profile ?
Should I also add them over there ? Or it's enough that they are present in SMGW and it means they are already active ?
Thanks in advance for advising,
Cheers,
J.
Hi,
you can see these files in the gateway: SMGW -> Goto...
For these settings you need the notes below.
If you set the parameter gw/acl_mode to 0 then there is no restriction for starting or registering external programs.
If you set the parameter gw/acl_mode to 1 then the system will restrict you unless you maintain the reg_info and sec_info files.
Refer to these notes as well:
1408081 - Basic settings for reg_info and sec_info
1069911 - GW: Changes to the ACL list of the gateway (reginfo)
1305851 - Overview note: reg_info and sec_info
Thanks
Rishi Abrol
Hi Rishi,
The output is:
# file /usr/sap/SID/D06/data/secinfo not found, use internal default
#
P TP=* USER=* USER-HOST=* HOST=*
.....
# file /usr/sap/SID/D06/data/reginfo not found, use internal default
--------------
I guess the message "not found" means that they are not active in the system, right?
Even though they appear in the parameter list.
It's a bit confusing ...
Tx all
Hi,
Yes, if the parameter gw/acl_mode is set to 1, then you need to maintain these two files...
As of the 720 kernel, registration of external server programs is controlled by the profile parameters gw/acl_mode, gw/reg_info and gw/sec_info.
For security reasons, SAP has made it mandatory to use gw/reg_info and gw/sec_info to allow any external program to get registered on the host.
So, entries for the hosts wanting to register programs in the gateway have to be maintained in the reg_info and sec_info files.
The location of these files is maintained using the gw/reg_info and gw/sec_info profile parameters.
If the files are created without any entries, then no external server is allowed to register external programs. If the files are created, then entries for the servers have to be maintained.
If the files are not created, then the parameter gw/acl_mode can be used to control registration of external programs on the system.
gw/acl_mode = 0 will allow registration of external server programs.
gw/acl_mode = 1 will not allow registration of external server programs, and you need to maintain the reg_info and sec_info files.
So from the above message it is clear that reginfo file is not maintained...
Thanks
Rishi Abrol
Good Day
Are you able to see the parameters gw/reg_info and gw/sec_info in Tx RZ11?
Are these parameters set in the system profiles?
If you are able to see these parameters in the profile then they are not set.
You can see the parameters using Tx SMGW, but that doesn't mean they are set.
Regards
RB
Hi Reagan,
No, the parameters are not set in any profile; I cannot see them in RZ11.
I can see them in SMGW, but as you and Rishi mentioned, that does not mean they are set.
I understand that only authorized programs should be listed in both configuration files, but I have no idea how to get that list, or where I can find it... This is going to be interesting.
Cheers
Hello Jordan,
yes, these are the default parameters, the trick is the content of the files.
You may find more information here: SAP NetWeaver Application Server ABAP Security Guide - SAP Library.
Regards
Tamás
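To make Rishi's explanation of gw/acl_mode and the two ACL files, and Tamás's point that the content of the files is what matters, concrete: the following is an added example, not code from this thread or from SAP. It parses secinfo/reginfo-style files in the version-2 format described in the notes cited above (one `P`/`D` rule per line, `KEY=VALUE` pairs, first matching rule wins, `*` as wildcard, `local`/`internal` keywords) and evaluates a request against them, contrasting the permit-everything "internal default" shown in the SMGW output with a restrictive file. The host names, the request attributes and the exact matching semantics (prefix wildcards, host keyword resolution, implicit deny when nothing matches) are assumptions for illustration; the real gateway's behaviour may differ in detail.

```python
"""ACL evaluator for SAP gateway secinfo/reginfo files (added example).

Not code from this thread or from SAP. It assumes the version-2 file format
described in SAP notes 1408081 and 1305851: one rule per line, 'P' (permit)
or 'D' (deny) followed by KEY=VALUE pairs, rules checked top to bottom with
the first match winning, '*' as a wildcard (alone or as a trailing prefix
wildcard), and the keywords 'local' (the gateway's own host) and 'internal'
(application servers of the same SAP system). Host resolution and the finer
matching details of the real gateway are simplified here.
"""

# Constructed sample: the permit-everything rule that SMGW reports as the
# "internal default" when the secinfo file is not found.
DEFAULT_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""

# Constructed sample of a restrictive secinfo: programs may be started only
# from the gateway's own host or from other servers of the same system.
HARDENED_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
D TP=* USER=* USER-HOST=* HOST=*
"""

# Constructed sample of a restrictive reginfo: registered server programs
# are accepted only from the system's own hosts.
HARDENED_REGINFO = """\
#VERSION=2
P TP=* HOST=local ACCESS=local CANCEL=local
P TP=* HOST=internal ACCESS=internal CANCEL=internal
D TP=* HOST=*
"""

# Hypothetical host names for the running example.
LOCAL_HOSTS = {"sapapp01"}
INTERNAL_HOSTS = {"sapapp01", "sapapp02"}


def parse_acl(text):
    """Parse a secinfo/reginfo file into a list of (action, {KEY: pattern})."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments such as '#VERSION=2'
        action, _, rest = line.partition(" ")
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: expected P or D, got {action!r}")
        fields = {}
        for token in rest.split():
            key, sep, pattern = token.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: malformed token {token!r}")
            fields[key.upper()] = pattern
        rules.append((action, fields))
    return rules


def _match(pattern, value):
    """Match one rule pattern against one request attribute."""
    if pattern == "local":
        return value in LOCAL_HOSTS
    if pattern == "internal":
        return value in INTERNAL_HOSTS
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def decide(rules, request):
    """Return ('P' or 'D', fields) for the first rule matching every request
    attribute. Rule keys absent from the request (ACCESS/CANCEL in reginfo)
    are grants rather than selectors and are ignored; a key missing from the
    rule counts as '*'. No match means deny, which is why an existing but
    empty file blocks every start and registration."""
    for action, fields in rules:
        if all(_match(fields.get(key, "*"), value) for key, value in request.items()):
            return action, fields
    return "D", None


if __name__ == "__main__":
    attacker = {"TP": "/bin/sh", "USER": "nobody",
                "USER-HOST": "10.0.0.99", "HOST": "sapapp01"}
    print(decide(parse_acl(DEFAULT_SECINFO), attacker)[0])   # P
    print(decide(parse_acl(HARDENED_SECINFO), attacker)[0])  # D
    print(decide(parse_acl(HARDENED_REGINFO),
                 {"TP": "rfcexec", "HOST": "10.0.0.99"})[0])  # D
```

The first rule that matches decides, so the order of lines matters: a restrictive file ends with a catch-all `D` rule, while the internal default consists of nothing but a catch-all `P` rule, which is exactly the situation the SMGW output above describes.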