SAP Gateway without access control restrictions

Former Member
0 Kudos

Hello gurus,

SAP gateway is an SAP component which is responsible for handling client requests and redirecting them to appropriate SAP services for execution. Due to missing access control settings, an attacker on the network can execute operating system commands on any system that the SAP gateway manages.

To avoid this, I need to set up 2 parameters:

gw/reg_info -> /usr/sap/SID/instance_profile/data/reginfo

gw/sec_info -> /usr/sap/SID/instance_profile/data/secinfo

The strange thing is that I can see them in SMGW transaction -> Go to -> Parameters -> Display, and they seem to be set correctly.

But I am curious, aren't these parameters supposed to be visible also in RZ11 or RZ10 in the instance profile?

Should I also add them there? Or is it enough that they are present in SMGW, meaning they are already active?

Thanks in advance for advising,

Cheers,

J.

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

You can see these files in the gateway via SMGW -> Goto...

For these settings you need the notes below.

If you set the parameter gw/acl_mode to 0, then there is no restriction on starting or registering external programs.
If you set the parameter gw/acl_mode to 1, then the system will restrict you unless you maintain the reg_info and sec_info files.
Refer to these notes as well
1408081 - Basic settings for reg_info and sec_info
1069911 - GW: Changes to the ACL list of the gateway (reginfo)
1305851 - Overview note: reg_info and sec_info

Thanks

Rishi Abrol

Former Member
0 Kudos

Hi Rishi,

The output is:

# file /usr/sap/SID/D06/data/secinfo not found, use internal default
#
P TP=* USER=* USER-HOST=* HOST=*
.....
# file /usr/sap/SID/D06/data/reginfo not found, use internal default
--------------

I guess the "not found" message means that they are not active in the system, right?

Even though they appear in the parameter list.

It's a bit confusing ...

Tx all

Former Member
0 Kudos

Hi,

Yes, if the parameter gw/acl_mode is set to 1, then you need to maintain these two files...

As of the 720 kernel, registration of external server programs is controlled by the profile parameters gw/acl_mode, gw/reg_info and gw/sec_info.

For security reasons, SAP has made it mandatory to use gw/reg_info and gw/sec_info to allow any external program to get registered on the host.

So, entries for the hosts wanting to register programs in the gateway have to be maintained in the reg_info and sec_info files.

The location of these files is maintained using the gw/reg_info and gw/sec_info profile parameters.

If the files are created without any entries, then no external server is allowed to register external programs. If the files are created, then entries for the servers have to be maintained.

If the files are not created, then parameter gw/acl_mode can be used to control registration of external programs on the system.

gw/acl_mode = 0 will allow registration of external server programs.

gw/acl_mode = 1 will not allow registration of external server programs, and you need to maintain the reg_info and sec_info files.

So from the above message it is clear that the reginfo file is not maintained...

Thanks

Rishi Abrol
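
Added example (not code from this thread or from SAP): a small Python checker that reads the 'P'/'D' line format of secinfo and reginfo files and reports permit rules that allow any program from any host, and that recognises the "not found, use internal default" line quoted above. The sample file contents, the host name app01.example.internal and the program name rfcexec are constructed for the example.

```python
"""Audit SAP gateway ACL files (secinfo / reginfo) for permissive entries.

Added example, not part of the thread. Assumptions: rules are lines of the
form 'P TP=... HOST=... ...' (permit) or 'D ...' (deny), '#' starts a comment,
and the gateway prints '# file <path> not found, use internal default' when a
file is missing (the format quoted in the thread).
"""
import re
from dataclasses import dataclass, field


@dataclass
class AclRule:
    action: str    # 'P' (permit) or 'D' (deny)
    attrs: dict    # e.g. {'TP': '*', 'HOST': '*'}
    line_no: int


@dataclass
class AclReport:
    rules: list = field(default_factory=list)
    findings: list = field(default_factory=list)


# Trace line the gateway emits when an ACL file is absent.
MISSING_RE = re.compile(
    r"^#\s*file\s+(\S+)\s+not found,\s*use internal default", re.MULTILINE
)


def missing_files(gateway_output):
    """Return the ACL file paths the gateway reported as missing."""
    return MISSING_RE.findall(gateway_output)


def parse_acl(text):
    """Parse secinfo/reginfo content into AclRule objects, skipping comments."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, rest = line.partition(" ")
        if action not in ("P", "D"):
            raise ValueError(f"line {n}: expected P or D, got {action!r}")
        attrs = {}
        for token in rest.split():
            key, sep, value = token.partition("=")
            if not sep:
                raise ValueError(f"line {n}: malformed attribute {token!r}")
            attrs[key.upper()] = value
        rules.append(AclRule(action, attrs, n))
    return rules


def audit(text):
    """Flag permit rules that match every program (TP=*) from every host (HOST=*)."""
    report = AclReport(rules=parse_acl(text))
    for rule in report.rules:
        if rule.action != "P":
            continue
        if rule.attrs.get("TP") == "*" and rule.attrs.get("HOST") == "*":
            report.findings.append(
                f"line {rule.line_no}: permit rule allows any program from any host"
            )
    return report


# Constructed sample: the internal default shown in the thread when no secinfo exists.
DEFAULT_SECINFO = (
    "# file /usr/sap/SID/D06/data/secinfo not found, use internal default\n"
    "#\n"
    "P TP=* USER=* USER-HOST=* HOST=*\n"
)

# Constructed sample: a reginfo that permits one program from one host and denies the rest.
HARDENED_REGINFO = (
    "#VERSION=2\n"
    "P TP=rfcexec HOST=app01.example.internal ACCESS=internal CANCEL=internal\n"
    "D TP=* HOST=*\n"
)

if __name__ == "__main__":
    for name, content in (("default secinfo", DEFAULT_SECINFO), ("hardened reginfo", HARDENED_REGINFO)):
        rep = audit(content)
        print(name, "missing:", missing_files(content), "findings:", rep.findings or "none")
```

Running it shows why the "not found, use internal default" output matters: the internal default is a single permit line with every attribute set to '*', so the check reports it, while the constructed reginfo with a specific program and host and a final deny line produces no findings. Rules are evaluated in file order with the first match taken, which is why the catch-all deny sits last.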

Answers (2)

Reagan
Product and Topic Expert
0 Kudos

Good Day

Are you able to see the parameters gw/reg_info and gw/sec_info in Tx RZ11?

Are these parameters set in the system profiles?

If you are able to see these parameters in the profile then they are not set.

You can see the parameters using the Tx SMGW and that doesn't mean they are set.

Regards

RB

Former Member
0 Kudos

Hi Reagan,

No, the parameters are not set in any profile; I cannot see them in RZ11.

I can see them in SMGW, but as you and Rishi mentioned, it does not mean they are set.

I understand that only authorized programs should be listed in both configuration files, but I have no idea how to get that list, or where I can find it... This is going to be interesting.

Cheers

Former Member
0 Kudos

Hi,

It doesn't matter if they aren't set in the profile; the values you see are the default values ($(DIR_DATA)/secinfo, $(DIR_DATA)/reginfo). The link I've sent tells how to set up the files to authorize programs (with quite good examples).

Regards

Tamás

Reagan
Product and Topic Expert
0 Kudos

Hello Jordan

Please have a look at this SAP note

1425765 - Generating sec_info reg_info

Regards

RB

Former Member
0 Kudos

Hello Jordan,

Yes, these are the default parameters; the trick is the content of the files.

You may find more information here: SAP NetWeaver Application Server ABAP Security Guide - SAP Library.

Regards

Tamás