Denied message for ACCESS to registered program SLD

0 Kudos

Hello,

For a couple of months we have been building up the reginfos for all our SAP systems in simulation mode. Now I have an issue with the program SLD on our PI system:

Every time a certain host tries to connect to the registered program SLD on our PI, the request is denied although we explicitly allowed ACCESS for all hosts. Currently the relevant entries in our reginfo are:

P TP=SAPSLDAPI_SID HOST=PI_hostname CANCEL=* ACCESS=*

P TP=* HOST=local,internal  CANCEL=local,internal ACCESS=local,internal

Nevertheless we get this denied message:

reginfo denied  client: TP=SAPSLDAPI_SID, ACCESS=other_hostname

Since the reginfo is loaded by the registered program only during the registration, I deleted the client connections after changing the reginfo in SMGW to ensure that the new rules are really available in SAPSLDAPI_SID.
Does anybody have an idea what's wrong with this reginfo? Maybe deleting the client connections with SMGW does not force the registered program to reread the reginfo?

Many thanks in advance

Michael

6 REPLIES 6

Former Member
0 Kudos

What is the value of your gw/reg_no_conn_info parameter and what OS are you on (this can have an influence on the tabulator)?

Is the alternate host name a server which is known to you? Possibly SOLMAN where SLD once before had been running or also is running? Or an older PI system before you installed PO?

Cheers,

Julius

0 Kudos

Hi Julius,

gw/reg_no_conn_info has the value 1. To be honest, we ignored this parameter more or less since we never really understood the purpose of it, at least not for our current releases.

The alternate hostname is well known - there are only two hosts which cause this denied message, no other access is reported as denied in the logfiles.
I'm not very familiar with SLD but I understood that we have it on our Solman and PI must be periodically updated with information from SLD. We will soon change to PO, the current system is PI.

Michael

0 Kudos

PS: also check whether there is any explicit Deny entry in the reginfo. Even with simulation mode the Deny entries are active and will deny the registration of a program or access to a registered program. Consequently, once you have completed simulation, you should add a "deny all" at the end of the file.

PPS: If you generated the reginfo automatically from the SMGW reading the TCP/IP connections then you should also check there whether the ABAP system is itself starting the SLDAPI somewhere on a remote gateway and that is having a conversation back with your gateway.

Cheers,

Julius

0 Kudos

See my post below (in the meantime I added that after-thought). I suspect a Deny entry in the file above the Permit entry?

Your separators (comma) are also suspect and have caused problems for me on Linux systems in the past. Rather split them into individual entries per host, local, internal as these entries are ignored in some cases if anything is not read correctly.

Before restricting the secinfo and reginfo it makes sense to read through the SAP notes on the gw/reg_no_conn_info. Earlywatch will require at least an uneven number and my personal recommendation is 127 before you start restricting the files, otherwise you might need to do it (simulation / testing) again.

Cheers,

Julius

0 Kudos

Meanwhile I found the problem: the first specific entry in the reginfo contained only the hostname and the IP of the physical host but not the alias which is usually used. Therefore the first specific rule did not match the request and then finally the last entry was checked, and since in this rule ACCESS is only allowed for local, internal, the request was rejected.

However, many thanks for your support and have a nice weekend!

Michael
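
A simplified model of the first-match behaviour described in this thread, added here as an example (it is not code from the posters or from SAP): the registering host is matched against TP and HOST top to bottom, and the ACCESS list of the first matching rule decides which clients may call the program. The host names `pi-phys`, `pi-alias` and `other-host`, and the assumption that the gateway counts both PI names as `local`/`internal`, are constructed for illustration.

```python
def parse_reginfo(text):
    """Parse reginfo lines (P|D TP=.. HOST=.. ACCESS=.. CANCEL=..) into dicts."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].upper() not in ("P", "D"):
            continue  # skip blank lines, comments and the #VERSION header
        # HOST/ACCESS default to '*' when omitted (assumption of this sketch)
        rule = {"ACTION": fields[0].upper(), "TP": None, "HOST": ["*"], "ACCESS": ["*"]}
        for pair in fields[1:]:
            key, _, value = pair.partition("=")
            rule[key.upper()] = value if key.upper() == "TP" else value.split(",")
        rules.append(rule)
    return rules

def host_matches(patterns, host, groups):
    """True if host is named literally, via '*', or via the local/internal keywords."""
    return any(p == "*" or p == host or host in groups.get(p, ()) for p in patterns)

def registration_rule(rules, tp, reg_host, groups):
    """The first rule whose TP and HOST match the registering program wins."""
    for rule in rules:
        if rule["TP"] in ("*", tp) and host_matches(rule["HOST"], reg_host, groups):
            return rule
    return None

def access_allowed(rules, tp, reg_host, client, groups):
    """ACCESS is taken from the rule that matched at registration time."""
    rule = registration_rule(rules, tp, reg_host, groups)
    if rule is None or rule["ACTION"] == "D":
        return False  # no match is treated as deny here; simulation mode is not modelled
    return host_matches(rule["ACCESS"], client, groups)

# Constructed sample: placeholder host names, not values from the thread.
GROUPS = {"local": {"pi-phys", "pi-alias"}, "internal": {"pi-phys", "pi-alias"}}
BEFORE = """
P TP=SAPSLDAPI_SID HOST=pi-phys CANCEL=* ACCESS=*
P TP=* HOST=local,internal CANCEL=local,internal ACCESS=local,internal
"""
# Corrected file: the alias the program actually registers under is listed too.
AFTER = BEFORE.replace("HOST=pi-phys", "HOST=pi-phys,pi-alias")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        ok = access_allowed(parse_reginfo(text), "SAPSLDAPI_SID", "pi-alias", "other-host", GROUPS)
        print(name, "permit" if ok else "denied")
```

With the alias missing, the registration falls through to the `TP=*` rule and inherits its `ACCESS=local,internal`, which is why the specific rule's `ACCESS=*` never applies to the remote client.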

0 Kudos

Hello Julius,

thanks for the recommendation for gw/reg_no_conn_info. Since I already read all the notes but could not make up my mind which value to set and finally was completely confused I will set the value to 127.

Cheers

Michael

Message was edited by: Michael Schulte

Although this single problem is solved now, two further questions related to this topic arose. First I'll explain the situation I'm talking about:

- all systems are running in simulation mode (!)
- Registered program=reg_prog is installed on reg_host
- Reg_prog registers at host_a of System A
- The registered program is configured in SM59 on System B with gateway of host_a

We defined this rule in the reginfo on host_a:

P TP=reg_prog  HOST=reg_host  CANCEL=local,internal ACCESS=host_b local,internal

Question 1: With this rule the access was denied. We had to add "local,internal" to the parameter HOST (-> HOST=local,internal,reg_host) although the registration is only done from host_reg. This seems to be a little bit strange, however, is this conclusion correct?

Question 2: Now we have the case that we initially do not know if there are remote systems which want to use the registered program. By default we define the rule for the gateway on host_a like this:

P TP=reg_prog  HOST=reg_host  CANCEL=local,internal ACCESS=local,internal

When we did so we received this denied message:

reginfo denied client: TP=reg_prog, ACCESS=localhost (127.0.0.1)

And now we have no idea who tries to execute reg_prog through the gateway on host_a.