Aug 26, 2014 at 05:50 AM

Gateway Security: reginfo, secinfo, gw/acl_mode - how to set?


Hello,

our EWA complained about the Gateway Security Settings:

Gateway Access Control List (reg_info/sec_info) contains trivial entries

Parameter gw/acl_mode can be set to 1. SAP recommends setting gw/acl_mode to 1


So we set the parameter gw/acl_mode to 1, which had the effect that the defaults for the files reginfo and secinfo became more restrictive.


If gw/acl_mode=0 default is:

reginfo:

P TP=*

secinfo:

P TP=* USER=* USER-HOST=* HOST=*


If gw/acl_mode=1 default is:

reginfo:

P TP=* HOST=local

P TP=* HOST=internal

secinfo:

P TP=* USER=* USER-HOST=local HOST=local

P TP=* USER=* USER-HOST=internal HOST=internal


With these settings everything is rejected, so we created our own files, which are less restrictive:

reginfo:

P TP=* HOST=local ACCESS=local,x.xx.*.*,%%RFCSERVER%%

P TP=* HOST=internal ACCESS=local,x.xx.*.*,%%RFCSERVER%%

secinfo:

P TP=* USER=* HOST=local,x.xx.*.*,%%RFCSERVER%% USER-HOST=local,x.xx.*.*,%%RFCSERVER%%

P TP=* USER=* HOST=internal,x.xx.*.*,%%RFCSERVER%% USER-HOST=internal,x.xx.*.*,%%RFCSERVER%%

All hosts from our network should have access.

But still we get reject messages in gateway log:

V Mon Aug 25 2014 20:01:17:721 created convid=52867721 (conn=11, act=23)

C Mon Aug 25 2014 20:01:17:721 client INIT (convid=52867721, lu=hostname.domain, tp=sapgw00, type=R3_CLIENT)

O Mon Aug 25 2014 20:01:17:721 open client connection (lu=%%RFCSERVER%%, tp=IGS.SID, type=R3_CLIENT)

R Mon Aug 25 2014 20:01:17:721 reject client: TP=IGS.SID not registered

Or:

V Fri Aug 22 2014 16:34:50:803 created convid=73395803 (conn=2, act=3)

C Fri Aug 22 2014 16:34:50:803 client INIT (convid=73395803, lu=hostname.domain, tp=sapgw00, type=R3_CLIENT)

O Fri Aug 22 2014 16:34:50:803 open client connection (lu=%%RFCSERVER%%, tp=WEBADMIN, type=R3_CLIENT)

R Fri Aug 22 2014 16:34:50:803 reject client: TP=WEBADMIN not registered

O Fri Aug 22 2014 16:34:50:803 open client connection (lu=hostname.domain, addr=x.xx.xxx.xxxx, tp=sapgw00, type=R3_CLIENT)

C Fri Aug 22 2014 16:34:50:803 STATISTIC (convid=73395803), bytes sent 0

C Fri Aug 22 2014 16:34:50:803 STATISTIC (convid=73395803), client sent 0 bytes in 0 packages

C Fri Aug 22 2014 16:34:50:803 STATISTIC (convid=73395803), server sent 0 bytes in 0 packages

V Fri Aug 22 2014 16:34:50:803 removed convid=73395803 (conn=2, act=2)

What does this mean? I maintained both files and added "%%RFCSERVER%%", but this didn't help.

Typically access works like this:

V Mon Aug 25 2014 20:01:17:453 created convid=52865453 (conn=23, act=22)

C Mon Aug 25 2014 20:01:17:453 client INIT (convid=52865453, lu=hostname.domain, tp=sapgw00, type=R3_CLIENT)

O Mon Aug 25 2014 20:01:17:453 open client connection (lu=hostname, addr=x.xx.xxx.xxxx, tp=sapdp00, type=R3_CLIENT)

C Mon Aug 25 2014 20:01:17:453 client ALLC (convid=52865453)

C Mon Aug 25 2014 20:01:17:453 client SEND (convid=52865453, length=28000)

C Mon Aug 25 2014 20:01:17:453 client SEND (convid=52865453, length=28000)

C Mon Aug 25 2014 20:01:17:453 send data to server (convid=52865453, length=28000, req_length=32000)

O Mon Aug 25 2014 20:01:17:453 open server connection (lu=hostname, addr=x.xx.xxx.xxxx, tp=sapdp00, type=R3_CLIENT)

But in the rejected case there is no "addr=...", just lu.

How do I have to maintain reginfo and secinfo to get this to work?

Regards,

Julia
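The gateway log lines quoted in the post share a simple shape: a one-letter record type, a timestamp, and a message. The script below is an added example (not code from the post or from SAP) that parses that shape, pairs each "reject client" line with the preceding "open client connection" and "created convid" lines, and reports the rejected TP, the lu it came from, and whether the gateway logged an addr= for that connection, which is the difference the post points out. The sample input is constructed from the lines in the post, with its anonymised placeholders left as they are; the pairing rule is an assumption, since a busy gateway log interleaves several connections.

```python
"""Pull the rejects out of an SAP gateway log.

Added example, not code from the original post or from SAP. It parses the
line shape visible in the post (record type letter, timestamp, message) and
pairs each "reject client" line with the most recent "open client connection"
and "created convid" lines, so the output says which TP was rejected, from
which lu, and whether an addr= was logged for that connection.
"""
import re
from collections import Counter

# Constructed sample input: the lines quoted in the post, with its anonymised
# placeholders (hostname.domain, %%RFCSERVER%%, x.xx.xxx.xxxx) kept verbatim.
SAMPLE_LOG = """\
V Mon Aug 25 2014 20:01:17:721 created convid=52867721 (conn=11, act=23)
C Mon Aug 25 2014 20:01:17:721 client INIT (convid=52867721, lu=hostname.domain, tp=sapgw00, type=R3_CLIENT)
O Mon Aug 25 2014 20:01:17:721 open client connection (lu=%%RFCSERVER%%, tp=IGS.SID, type=R3_CLIENT)
R Mon Aug 25 2014 20:01:17:721 reject client: TP=IGS.SID not registered
V Fri Aug 22 2014 16:34:50:803 created convid=73395803 (conn=2, act=3)
C Fri Aug 22 2014 16:34:50:803 client INIT (convid=73395803, lu=hostname.domain, tp=sapgw00, type=R3_CLIENT)
O Fri Aug 22 2014 16:34:50:803 open client connection (lu=%%RFCSERVER%%, tp=WEBADMIN, type=R3_CLIENT)
R Fri Aug 22 2014 16:34:50:803 reject client: TP=WEBADMIN not registered
O Fri Aug 22 2014 16:34:50:803 open client connection (lu=hostname.domain, addr=x.xx.xxx.xxxx, tp=sapgw00, type=R3_CLIENT)
V Mon Aug 25 2014 20:01:17:453 created convid=52865453 (conn=23, act=22)
C Mon Aug 25 2014 20:01:17:453 client INIT (convid=52865453, lu=hostname.domain, tp=sapgw00, type=R3_CLIENT)
O Mon Aug 25 2014 20:01:17:453 open client connection (lu=hostname, addr=x.xx.xxx.xxxx, tp=sapdp00, type=R3_CLIENT)
C Mon Aug 25 2014 20:01:17:453 client ALLC (convid=52865453)
"""

# Record type letter, then "Mon Aug 25 2014 20:01:17:721", then the message.
LINE_RE = re.compile(
    r"^(?P<kind>[A-Z])\s+"
    r"(?P<ts>\S+\s+\S+\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<msg>.*)$"
)
# key=value pairs inside the parenthesised part of a message.
KV_RE = re.compile(r"(\w+)=([^,()\s]+)")
REJECT_RE = re.compile(r"^reject client:\s+TP=(?P<tp>\S+)\s+(?P<reason>.*)$")


def _kv(msg):
    """Turn 'open client connection (lu=a, tp=b, type=c)' into {'lu': 'a', ...}."""
    return dict(KV_RE.findall(msg))


def parse_gateway_log(text):
    """Return one record per 'reject client' line.

    Assumption (heuristic): a reject belongs to the open-client line logged
    just before it, and to the last 'created convid' seen. The gateway
    interleaves connections, so on a busy log cross-check the convid.
    """
    records = []
    convid = None
    last_open = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank or a line shape we do not understand
        kind, ts, msg = m.group("kind"), m.group("ts"), m.group("msg")
        if kind == "V" and msg.startswith("created convid="):
            convid = _kv(msg).get("convid")
        elif kind == "O" and msg.startswith("open client connection"):
            last_open = _kv(msg)
        elif kind == "R":
            r = REJECT_RE.match(msg)
            if r:
                records.append({
                    "ts": ts,
                    "convid": convid,
                    "tp": r.group("tp"),
                    "reason": r.group("reason"),  # kept verbatim, e.g. "not registered"
                    "lu": last_open.get("lu"),
                    # The post notes that rejected connections carry no addr=;
                    # None here makes that pattern visible in the output.
                    "addr": last_open.get("addr"),
                })
    return records


def rejected_tps(records):
    """Count rejects per TP: the quickest view of which programs are affected."""
    return dict(Counter(r["tp"] for r in records))


if __name__ == "__main__":
    recs = parse_gateway_log(SAMPLE_LOG)
    for rec in recs:
        print(rec)
    print(rejected_tps(recs))
```

The reject reason is kept verbatim so that "not registered" can be told apart from other reject reasons when scanning a larger log, and the per-TP count gives the list of program names to compare against the reginfo entries.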