Former Member

Gateway and Message Server Security as in EWA: Please help me on this

Hello All

I would like to know what the use of the below parameters is. I want to convey this to the customer. Please help me on this.

If the parameters are not set, what will be the impact on the system?

Regards

S.Subramani

9.1.4 Gateway and Message Server Security

9.1.4.1 Gateway Security

Gateway Security Properties

The parameter GW/REG_NO_CONN_INFO controls the activation of certain security properties of the SAP gateway. It is defined as a bit mask with one bit per property.

SAP Note 1298433 “Bypassing security in reginfo & secinfo” is not activated in your system. The bit mask value for bit 1 is not set.

Recommendation: Enable the missing property by adding the bitmask value to the current value of GW/REG_NO_CONN_INFO. For more information about GW/REG_NO_CONN_INFO, see SAP Note 1444282.

Gateway Access Control Lists

PARAMETERS: GW/SEC_INFO GW/REG_INFO

Rating | Instance      | Error Condition
       | All instances | gw/reg_info and gw/sec_info are defined

REG_INFO

Rating | Instance      | Error Condition                                | File does not exist (default)
       | All instances | File reg_info does not exist (delivery status) |

SEC_INFO

Rating | Instance      | Error Condition                                | File does not exist (default)
       | All instances | File sec_info does not exist (delivery status) | P TP=* USER=* HOST=*

Recommendation: The profile parameters gw/sec_info and gw/reg_info provide the file names of the corresponding access control lists. These access control lists are critical to controlling RFC access to your system, including connections to RFC servers. You should create and maintain both access control lists, which you can do using transaction SMGW. For more information, see SAP Note 1425765.

9.1.4.2 Message Server Security

Separation of Internal and External Message Server Communication

PARAMETERS: RDISP/MSSERV RDISP/MSSERV_INTERNAL

Rating | Instance    | Error Condition                      | Value of rdisp/msserv | Value of rdisp/msserv_internal
       | skp9_PS2_00 | rdisp/msserv_internal is not defined | sapmsPS2              |

Recommendation: Communication with the message server should be separated into SAP system internal communication (TCP/IP port defined by rdisp/msserv_internal) and communication from user SAPGUIs to the system (TCP/IP port defined by rdisp/msserv), for example. Network firewalls should block access to the port specified in rdisp/msserv_internal from outside the SAP system.

Set parameter rdisp/msserv_internal to a TCP/IP port number different to the port number specified in rdisp/msserv and additionally protect access to the internal message server port by appropriate firewalls. For more information, see SAP Note 821875.

Message Server Access Control List

PARAMETER: MS/ACL_INFO

Rating | Instance    | Error Condition
       | skp9_PS2_00 | ms/acl_info is not defined or empty

Recommendation: The profile parameter ms/acl_info provides the file name of the message server's access control list. This list controls which application servers are allowed to log on to the message server.

SAP recommends defining and properly maintaining this list to prevent rogue application servers from accessing the system. For more information, see SAP Note 821875.
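As an added example (it is not part of the original question, of the EWA report, or of any SAP tool), the following Python script applies the checks behind the gateway and message server findings above to the text of an instance profile plus the contents of the gateway ACL files: is bit 1 of gw/reg_no_conn_info set, do the files named by gw/sec_info and gw/reg_info exist and avoid an all-hosts permit rule, is rdisp/msserv_internal defined and different from rdisp/msserv, and is ms/acl_info defined. It assumes that bit n of gw/reg_no_conn_info has the value 2**(n-1) (the bitmask convention the report refers to in SAP Note 1444282), and the system IDs, ports, file paths and the VERSION=2 keyword syntax in the sample reginfo/secinfo contents are constructed placeholders, not values from a real landscape.

```python
from typing import Dict, List, Optional

# Assumption: bit numbering as in SAP Note 1444282, bit n == value 2**(n-1)
NOTE_1298433_BIT = 1


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an SAP profile into a dict.

    Names are lower-cased so GW/REG_INFO (as printed in the EWA report)
    and gw/reg_info (as written in the profile) match; an empty value
    such as 'ms/acl_info =' is kept as ''.
    """
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip()
    return params


def bit_is_set(value: str, bit: int) -> bool:
    """True if the 1-based bit of a numeric bitmask parameter is set."""
    try:
        return bool(int(value) & (1 << (bit - 1)))
    except ValueError:
        return False


def parse_acl(text: str) -> List[Dict[str, str]]:
    """Parse reginfo/secinfo lines such as 'P TP=* USER=* HOST=*' into dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skips '#VERSION=2' too
            continue
        action, *pairs = line.split()
        rule = {"ACTION": action.upper()}
        for pair in pairs:
            key, _, val = pair.partition("=")
            rule[key.upper()] = val
        rules.append(rule)
    return rules


def permits_any_host(rule: Dict[str, str]) -> bool:
    """A permit rule with TP=* and HOST=* is as open as having no file at all."""
    return rule["ACTION"] == "P" and rule.get("TP") == "*" and rule.get("HOST") == "*"


def audit(profile_text: str, acl_files: Dict[str, Optional[str]]) -> List[str]:
    """Return findings matching the EWA section; acl_files maps a path to the
    file content, or to None when the file does not exist on the host."""
    p = parse_profile(profile_text)
    findings: List[str] = []

    if not bit_is_set(p.get("gw/reg_no_conn_info", "0"), NOTE_1298433_BIT):
        findings.append("gw/reg_no_conn_info: bit 1 (SAP Note 1298433) not set")

    for param in ("gw/sec_info", "gw/reg_info"):
        path = p.get(param)
        if not path:
            findings.append(f"{param}: not defined")
            continue
        content = acl_files.get(path)
        if content is None:
            findings.append(f"{param}: file {path} does not exist (delivery status)")
        elif any(permits_any_host(r) for r in parse_acl(content)):
            findings.append(f"{param}: contains a permit rule for any host")

    internal = p.get("rdisp/msserv_internal")
    if not internal:
        findings.append("rdisp/msserv_internal: not defined")
    elif internal == p.get("rdisp/msserv"):
        findings.append("rdisp/msserv_internal: same port as rdisp/msserv")

    if not p.get("ms/acl_info"):
        findings.append("ms/acl_info: not defined or empty")
    return findings


# Constructed samples: a profile in the state the report describes, and a hardened one.
WEAK_PROFILE = """
gw/reg_no_conn_info = 0
gw/sec_info = /usr/sap/PS2/SYS/global/secinfo
gw/reg_info = /usr/sap/PS2/SYS/global/reginfo
rdisp/msserv = sapmsPS2
ms/acl_info =
"""
WEAK_FILES = {"/usr/sap/PS2/SYS/global/secinfo": "P TP=* USER=* HOST=*"}

HARDENED_PROFILE = """
gw/reg_no_conn_info = 1
gw/sec_info = /usr/sap/PS2/SYS/global/secinfo
gw/reg_info = /usr/sap/PS2/SYS/global/reginfo
rdisp/msserv = sapmsPS2
rdisp/msserv_internal = 3900
ms/acl_info = /usr/sap/PS2/SYS/global/ms_acl_info
"""
HARDENED_FILES = {
    "/usr/sap/PS2/SYS/global/secinfo": "#VERSION=2\nP TP=* USER=* USER-HOST=internal HOST=internal",
    "/usr/sap/PS2/SYS/global/reginfo": "#VERSION=2\nP TP=* HOST=internal,local ACCESS=internal,local",
}

if __name__ == "__main__":
    for label, prof, files in (("weak", WEAK_PROFILE, WEAK_FILES),
                               ("hardened", HARDENED_PROFILE, HARDENED_FILES)):
        print(label, audit(prof, files) or ["no findings"])
```

Run against the weak sample, the script reports the same five conditions the EWA section lists (bit 1 missing, reginfo file absent, secinfo present but wide open, rdisp/msserv_internal undefined, ms/acl_info empty); the hardened sample produces none. The sample reginfo/secinfo rules restrict registration and access to internal and local hosts, which is the point the report's recommendation to "create and maintain both access control lists" is making.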

1 Answer

  • Dec 10, 2013 at 09:15 PM

    The information is letting you know that anything or everyone can access the system; items like 'ms/acl_info' are a way to authorize those things or people to access the system. If left wide open, then you are just making it easier for malicious people to brute force or DDoS the system and attempt to gain access to it.

    Security is best served in layers.
