This blog post presents two SAP-recommended approaches to creating the secinfo and reginfo files that harden the security of your SAP Gateway, and shows how the generator helps with this. In the slides of the talk SAP Gateway to Heaven, for example, a scenario is outlined in which a SAProuter installed on the same server as the RFC Gateway could be used to proxy a connection to local. Database layer: all of a company's data is stored in the database, which resides on a database server. This diagram shows all use cases except "Proxy to other RFC Gateways". If other SAP systems also need to communicate with it, using the ECC system, the rule needs to be adjusted by adding the hostnames of the other systems to the ACCESS option. Please note: the SNC User ACL is not a feature of the RFC Gateway itself. Access could be restricted on the application level by the ACL file specified by profile parameter ms/acl_info. For example: the SAP KBAs 1850230 and 2075799 might be helpful. While all connections are open, gateway logging records all external program calls and system registrations. Alerting is not available for unauthorized users. The Gateway uses the rules in the same order in which they are displayed in the file. For example: an SAP SLD system registering the SLD_UC and SLD_NUC programs at an ABAP system. For an RFC Gateway of AS Java or a stand-alone RFC Gateway this can be determined with the command-line tool gwmon by running the command gwmon nr= pf=, then going to the menu by typing m and displaying the client table by typing 3. If you still do not see any applications / tabs afterwards, it is because the group / user lacks the general view right at the top level of the respective tab. 
Once this right has been granted, the tab reappears on the CMC start page as well. Option 2: Logging-based approach. An alternative to the restrictive procedure is the logging-based approach. The internal and local rules should be located at the bottom of the ACL files. Each instance can have its own security files with its own rules. The wildcard * should not be used at all. After an attack vector was published in the talk SAP Gateway to Heaven by Mathieu Geli and Dmitry Chastuhin at OPDCA 2019 Dubai (https://github.com/gelim/sap_ms), RFC Gateway security is more important than ever. The Support Packages belonging to the calculated queue are highlighted in green. Each line must be a complete rule (rules cannot be broken up over two or more lines). This is because the rules used are from the Gateway process of the local instance. Environment. Here, activating Gateway logging and evaluating the log file over an appropriate period (e.g. Program cpict4 is not permitted to be started. This list is gathered from the Message Server every 5 minutes by the report RSMONGWY_SEND_NILIST. This could be defined in. You can define the file path using the profile parameters gw/sec_info and gw/reg_info. For this scenario a custom rule in the reginfo ACL would be necessary, e.g., P TP= HOST= ACCESS=internal,local CANCEL=internal,local. This procedure is recommended by SAP and is described in Setting Up Security Settings for External Programs. As soon as a program has registered at the gateway, the attributes of the matched entry (specifically ACCESS) are passed on to the registered program. If you have a program registered twice and you restart only one of the registrations, one registration will continue to run with the old rule (the one that was not restarted after the changes) and the other will run with the current rule (the recently restarted registration). Consequently, no external programs can be used. 
On SAP NetWeaver AS ABAP, registering Registered Server Programs by remote servers may be used to integrate 3rd-party technologies. Since that is, however, desired, the access control lists must be extended step by step with each required program. The file probably cannot be opened for reading because it has been deleted in the meantime or the permissions at operating system level are insufficient. P means that the program is permitted to be registered (the same as a line with the old syntax). Often one is obliged to carry out a migration. The very first line of the reginfo/secinfo file must be "#VERSION=2"; each line must be a complete rule (you cannot break a rule into two or more lines); the RFC Gateway applies the rules in the same order as they appear in the file, and only the first matching rule is used (similar to the behavior of a network firewall). 2.20) is taken into account only if every comma-separated entry can be resolved into an IP address. If there is a scenario where proxying is inevitable, this should be covered by a specific rule in the prxyinfo ACL of the proxying RFC Gateway, e.g., P SOURCE= DEST=internal,local. TP is a mandatory field in the secinfo and reginfo files. With this rule applied you should properly secure access to the OS (e.g., verify whether all existing OS users are indeed necessary, use SSH with public keys instead of username and password). This allows default values to be determined for the security control files of the SAP Gateway (reginfo, secinfo, prxyinfo) based on statistical data in the Gateway log. Please note: the proxying RFC Gateway will additionally check its reginfo and secinfo ACLs to verify whether the request is permitted. Confirm the note that appears and grant the desired groups at least the following right: General --> General --> View objects. The resulting log files can then be reviewed and the access control lists created on that basis. 
Only the first matching rule is used (similar to how a network firewall behaves). In other words, the SAP instance would run an operating-system-level command. In addition to proper network separation, access to all message server ports can be controlled at network level by the ACL file specified by profile parameter ms/acl_file or, more specifically for the internal port, by the ACL file specified by profile parameter ms/acl_file_int. The local gateway where the program is registered can always cancel the program. To overcome this issue the RFC-enabled program SAPXPG can be used as a wrapper to call any OS command. Part 5: Security considerations related to these ACLs. This would cause "odd behaviors" with regard to the particular RFC destination. When using SNC to secure logon for RFC clients or Registered Server Programs, the so-called SNC User ACL, also known as User Authentication, is introduced and must be maintained accordingly. The Gateway is a central communication component of an SAP system. Part 6: RFC Gateway Logging. In the previous parts we had a look at the different ACLs and the scenarios in which they are applied. The stand-alone RFC Gateway: a dedicated RFC Gateway serving various RFC clients, or an additional component which may be used to extend an SAP NW AS ABAP or AS Java system. Logs are written for each run of the program RSCOLL00, from which you can identify possible errors. Of course the local application server is allowed access. Before jumping to the ACLs themselves, here are a few general tips: the syntax of the rules is documented in the SAP note. Additional ACLs are discussed on this wiki page. three months) is necessary to ensure the most precise data possible for the connections used. 
At the time of writing this cannot be influenced by any profile parameter. Part 7: Secure communication. This can be replaced by the keyword "internal" (see the examples below in the "reginfo" section). To figure out why the RFC Gateway is not allowing the registered program, here are some basic steps that should be followed when creating the rules: 1) The rules in the files are read by the RFC Gateway from top to bottom, so it is important to check the preceding rules to see whether the specific case is already matched by an earlier rule. If you want to use this syntax, the whole file must be structured accordingly and the first line must contain the entry #VERSION=2 (written precisely in this format). The wildcard * should be strongly avoided. Part 8: OS command execution using sapxpg. Hint: Besides the syntax check, it also provides a feature supporting rule creation by predicting rules from an automated gateway log analysis. CANCEL is usually a list of all SAP servers of this system (or the keyword "internal"), and also the same servers as in HOSTS (as you must allow the program to de-register itself). In the gateway monitor (SMGW) choose Goto -> Logged On Clients, select the registered program with the cursor, and choose Goto -> Logged On Clients -> Delete Client. With this blog post series I try to give a comprehensive explanation of RFC Gateway security: Part 1: General questions about the RFC Gateway and RFC Gateway security. The RFC had an issue getting registered on the DI. To permit registered servers to be used by local application servers only, the file must contain the following entry. There are two different syntax versions that you can use (not together). There are two different versions of the syntax for both files: syntax version 1 does not allow programs to be explicitly forbidden from being started or registered. 
Example 1: As separators you can use commas or spaces. Here, too, however, a very large amount of work is involved. Refer to the SAP Notes 2379350 and 2575406 for the details. The default configuration of an ASCS has no Gateway. Working through these and then creating access control lists can be an almost unmanageable task. The RFC Gateway is capable of starting programs at the OS level. For this, all connections must initially be allowed, by having the secinfo file contain USER=* HOST=* TP=* and the reginfo file contain TP=*. To set up the recommended secure SAP Gateway configuration, proceed as follows: Part 5: ACLs and the RFC Gateway security. In addition, the existing rules in the reginfo/secinfo file will be applied, even in Simulation Mode. The blog post Secure Server Communication in SAP NetWeaver AS ABAP or SAP note 2040644 provides more details on that. Double-clicking a row gives you detailed information about the task types on the individual hosts. Changes to the reginfo rules are not immediately effective, even after having reloaded the file (transaction SMGW, menu Goto -> Expert functions -> External security -> Reread / Read again). It is strongly recommended to use syntax version 2, indicated by #VERSION=2 in the first line of the files. Configuring Connections between SAP Gateway and External Programs Securely, SAP Gateway Security Files secinfo and reginfo, Setting Up Security Settings for External Programs. Part 2: reginfo ACL in detail. That part is about securing the connection to the Message Server, which will prevent tampering with the keyword "internal" that can be used in the RFC Gateway security ACL files. 
In summary, if Simulation Mode is deactivated (parameter gw/sim_mode = 0; the default value), the last implicit rule of the RFC Gateway will be "Deny all", as mentioned above in the RFC Gateway ACLs (reginfo and secinfo) section. In this case the Gateway Options must point to exactly this RFC Gateway host. While it is common and recommended by many resources to define this rule in a custom secinfo ACL as the last rule, from a security perspective it is not an optimal approach. Access to these ports is typically restricted at network level. If you want to determine the queue for a different software component, choose New Component. Registered Server Programs at a stand-alone RFC Gateway may be used to integrate 3rd-party technologies. All other programs starting with cpict4 are allowed to be started (on every host and by every user). Giving more details is not possible, unfortunately, due to security reasons. Another example would be IGS: the SAP IGS registered at the RFC Gateway of the SAP NW AS ABAP from the same server as AS ABAP (since it is also part of it) and consumed by the same AS ABAP as an RFC client. It is common to define this rule also in a custom reginfo file as the last rule. A rule defines. Hello Venkateshwar, thank you for your comment. The RFC Gateway can be used to proxy requests to other RFC Gateways. Many companies struggle with introducing and using secinfo and reginfo files to secure SAP RFC Gateways. The reginfo file has ACLs (rules) related to the registration of external programs (systems) at the local SAP instance. Note: Select Grant via the button, not the drop-down menu! The RFC Gateway does not perform any additional security checks. 
The related program alias can be found in the column TP Name. We can verify whether the functionality of these Registered RFC Server programs is accessible from the AS ABAP by looking for a TCP/IP connection in transaction SM59 with Technical Settings -> Activation Type = Registered Server Program, the corresponding Program ID, and either no Gateway Options or connection details pointing to any of the RFC Gateways belonging to the same system. Please note: if the AS ABAP system has more than one application server, and therefore more than one RFC Gateway, there may be scenarios in which the Registered Server Program is registered at one specific RFC Gateway only. For example: you have changed the rule related to the SLD_UC program, allowing a new server to communicate with it (you added the new server to the ACCESS option). The local gateway where the program is registered always has access. Here are some examples: At application server #1, with hostname appsrv1: At application server #2, with hostname appsrv2: The SAP KBA 2145145 has a video illustrating how the secinfo rules work. Please pay special attention to this phase! Please make sure you have read at least part 1 of this series to be familiar with the basics of the RFC Gateway and the terms I use to describe things. In my experience, RFC Gateway security is still a poorly understood topic for many SAP administrators. Detailed explanations of how the collector works and how to configure it can be found in the SAP online help and in the SAP Notes compiled in Appendix E. Now import the Support Packages in the queue [page 20]. As a result, many SAP systems lack, for example, properly defined ACLs to prevent malicious use. 
In some cases any application server of the same system may also need to de-register a Registered Server Program, for example if the reginfo ACL was adjusted for the same Registered Server Program or if the remote server crashed. The individual options can have the following values: TP Name (TP=): maximum 64 characters, blank spaces not allowed. This is for clarity purposes. CANNOT_DETERMINE_EPS_PARCEL: The OCS file is not present in the EPS inbox; it was probably deleted. To use all capabilities it is necessary to set the profile parameter gw/reg_no_conn_info = 255. The related program alias, also known as TP Name, is used to register a program at the RFC Gateway. Notice that the keyword "internal" is available at a stand-alone RFC Gateway (like the RFC Gateway process that runs at an SCS or ASCS instance) only as of a certain SAP kernel version. For AS ABAP the ACLs should be maintained using the built-in ACL file editor of transaction SMGW (Goto -> Expert Functions -> External Security -> Maintain ACL Files). The RFC destination would look like: The secinfo files of the application instances are not relevant. In these cases the program started by the RFC Gateway may also be the program which tries to register at the same RFC Gateway. Support Packages for a selected component are placed in the queue according to their sequence. Result: You have defined a queue. As a result, many SAP systems lack, for example, properly defined ACLs to prevent malicious use of the RFC Gateway. A combination of these mitigations should be considered in general. 
While it is common and recommended by many resources to define this rule in a custom reginfo ACL as the last rule, from a security perspective it is not an optimal approach. The default values are: gw/sec_info = $(DIR_DATA)/secinfo and gw/reg_info = $(DIR_DATA)/reginfo. When accessing the reginfo file from SMGW, a pop-up is displayed saying that the reginfo at file system and SAP level is different. We made a change to the location of the Reginfo and Secinfo files: we moved them to the SYS directory and updated the profile parameter accordingly (instance profile). Specifically, it helps create secure ACL files. I think you have a typo. Only the secinfo from the CI is applicable, as it is the RFC Gateway of the CI that will be used to start the program (check the Gateway Options in the screenshot above). Part 3: secinfo ACL in detail. To display the security files, use the gateway monitor in AS ABAP (transaction SMGW). In case the files are maintained, the value of this parameter is irrelevant; and with parameter gw/reg_no_conn_info, all other sec-checks can be disabled => SAP note 1444282. Obviously this parameter's default is set to 1 (if not set in the profile file) in kernel 773. I wasted a whole day unsuccessfully trying to configure the (GW-Sec) in a new system, sorry for my bad mood. This section contains information about the RFC Gateway ACLs, and examples of landscapes and rules. Then the file can be immediately activated by reloading the security files. secinfo: P TP=* USER=* USER-HOST=* HOST=*. Use host names instead of IP addresses. The location of the reginfo ACL file is specified by the profile parameter gw/reg_info. The Solution Manager (SolMan) system has only one instance, running on the host sapsmci. 
Since proxying to circumvent network-level restrictions is a bad practice, or even very dangerous if it goes unnoticed, the following rule should be defined as the last rule in a custom prxyinfo: The wildcard * should be avoided wherever possible. Note that you can only select Support Packages that belong to the software component you have chosen (the mouse pointer changes its appearance accordingly). To prevent the list of application servers from being tampered with, we have to control which servers are allowed to register themselves at the Message Server as an application server. P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost. Instead, you receive an error message telling you the name of the missing FCS Support Package. If this client does not match the criteria in the CANCEL list, then it is not able to cancel a registered program. We will gladly support you in your decisions. (possibly the guy who made the change to the parameter for the reginfo and secinfo files). 1408081 - Basic settings for reg_info and sec_info; 1702229 - Precalculation: Specify Program ID in sec_info and reg_info. If no cancel list is specified, any client can cancel the program. RFCs between RFC clients using JCo/NCo or Registered Server Programs and the AS ABAP are typically controlled at network level only. This is defined by the letter: which servers are allowed to register which program aliases as a Registered external RFC Server. So for me it should only be a warning/info message. In the case of AS ABAP, for example, it may be defined as $(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)data$(DIR_SEP)$(FN_SEC_INFO) to make sure all RFC Gateways of the application servers of the same system rely on the same configuration. Program cpict4 is allowed to be registered if it arrives from the host with address 10.18.210.140. 
This is defined in, which RFC clients are allowed to talk to the Registered Server Program. First, review which security level is enabled in the instance according to the configuration of the parameter gw/reg_no_conn_info. We can look for programs listed with Type = REGISTER_TP and the field ADDR set to any IP address or hostname not belonging to any application server of the same system. In these cases the program alias is generated with a random string. There are RED lines on the secinfo or reginfo tabs, even if the rule syntax is correct. You can reduce the queue selection. The SAP documentation at the following link explains how to create the file rules: RFC Gateway Security Files secinfo and reginfo. The message server port which accepts registrations is defined by the profile parameter rdisp/msserv_internal. As we learned in part 3, SAP introduced the following internal rule in the secinfo ACL: We should act as if we were maintaining the ACLs of a stand-alone RFC Gateway. Furthermore, the meaning of some syntax and security checks has been changed or even fixed over time. To do this, in the gateway monitor (transaction SMGW) choose Goto -> Expert Functions -> External Security -> Reread. The secinfo security file is used to prevent unauthorized launching of external programs. As such, it is an attractive target for hacker attacks and should receive corresponding protection. There is an SAP PI system that needs to communicate with the SLD. E.g. "RegInfo" file entry: P TP=BIPREC* USER=* HOST=* NO=1 CANCEL=* ACCESS=*. So TP=/usr/sap///exe/* or even TP=/usr/sap//* might not be a comprehensive solution for high-security systems, but in combination with deny rules for specific programs in this directory, it is still better than the default rules. 
We can identify these use cases by going to transaction SMGW -> Goto -> Logged on Clients and looking for programs listed with System Type = Registered Server and Gateway Host set to any IP address or hostname not belonging to any application server of the same system.