
10/21/21, 1:21 PM SAP ABAP Central: RFC Gateway security, part 2 – reginfo ACL


Saturday, 20 February 2021

RFC Gateway security, part 2 – reginfo ACL


With this blog post series I try to give a comprehensive explanation of RFC
Gateway security:

Part 1: General questions about the RFC Gateway and RFC Gateway security.

reginfo ACL

Please make sure you have read at least part 1 of this series to be familiar with
the basics of the RFC Gateway and the terms I use to describe things.

What exactly is defined in the rules in the reginfo ACL?

The reginfo ACL contains rules related to ‘Registered external RFC Servers’.

Every line corresponds to one rule. A rule defines:

◉ whether it is a permit or a deny. This is specified by the letter P or D at the
beginning of a rule.

◉ which servers are allowed to register which program aliases as a ‘Registered
external RFC Server’. This is specified in HOST=.

Please note: In most cases the registered program name differs from the actual
name of the executable program on OS level. The related program alias, also
known as ‘TP Name’, is used to register a program at the RFC Gateway.

◉ which RFC clients are allowed to talk to the ‘Registered Server Program’. This is
specified in ACCESS=.

◉ which servers are allowed to cancel or de-register the ‘Registered Server
Program’. This is specified in CANCEL=.

◉ how many ‘Registered Server Programs’ with the same name can be
registered. This would be specified in NO=.

What are the common use-cases?


Registering external programs by and accessing them from the local
application server

On SAP NetWeaver AS ABAP there typically exist use-cases where registering and
accessing ‘Registered Server Programs’ by the local application server is
necessary. For example, the SAP IGS (as part of SAP NW AS ABAP) may be
started on the application server's host during the start procedure of the SAP
system. It registers itself with the program alias ‘IGS.<SID>’ at the RFC Gateway
of the same application server. Its functions are then used by the application
server.

We can identify these use-cases by going to transaction SMGW -> Goto ->
‘Logged on Clients’ and looking for lines with ‘System Type = Registered Server’
and ‘Gateway Host = 127.0.0.1’ (in some cases this may be any other IP address
belonging to or the hostname of the same server). The related program alias can
be found in column ‘TP Name’.

We can verify whether its functionality is accessible from the AS ABAP by looking
for a TCP/IP connection in transaction SM59 with Technical Settings – Activation
Type ‘Registered Server Program’, the corresponding ‘Program ID’, and either no
‘Gateway Options’ set or ‘Gateway Options’ pointing to any RFC Gateway belonging
to the same system.

To cover these cases SAP introduced an internal rule in the reginfo ACL which is
sufficient in most cases:

P TP=* HOST=internal,local ACCESS=internal,local CANCEL=internal,local

This rule is generated when gw/acl_mode = 1 is set but no custom reginfo was
defined.

It is common to define this rule also in a custom reginfo as the last rule. With
security in mind we should think about adjusting the rule to reduce it to the
necessary program aliases in TP=.

Please note: In some cases the program alias is generated with a random string.
In this case we can check whether it is generated using a fixed prefix and use
this as a pattern, e.g., TP=Trex_<SID>_*, which would still be better than TP=*.

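Added example (not part of the original post): a small Python linter for the advice above. It flags bare wildcards in permit rules and lists the observed ‘TP Name’ values that only the TP=* rule would cover, which are the candidates for dedicated, narrower rules. The sample rules, the SID NPL, the host names and the simplified matching (exact or trailing *, lines starting with # skipped) are assumptions.

```python
# Constructed sample reginfo; SID "NPL" and host names are made up (added example).
SAMPLE = """\
#VERSION=2
P TP=Trex_NPL_* HOST=trexhost.example ACCESS=internal,local CANCEL=internal,local,trexhost.example
P TP=* HOST=internal,local ACCESS=internal,local CANCEL=internal,local
"""
HOST_FIELDS = ("HOST", "ACCESS", "CANCEL")

def parse_reginfo(text):
    """Parse rules into dicts; lines starting with '#' are skipped (assumption)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: rule must start with P or D")
        rule = {"line": lineno, "action": action}
        for pair in pairs:
            key, sep, value = pair.partition("=")
            if not sep or key not in HOST_FIELDS + ("TP", "NO"):
                raise ValueError(f"line {lineno}: unexpected token {pair!r}")
            rule[key] = value.split(",") if key in HOST_FIELDS else value
        rules.append(rule)
    return rules

def lint(rules):
    """Flag permit rules whose TP or host lists contain a bare wildcard."""
    findings = []
    for rule in (r for r in rules if r["action"] == "P"):
        if rule.get("TP") == "*":
            findings.append((rule["line"], "TP=* permits every program alias"))
        for field in HOST_FIELDS:
            if "*" in rule.get(field, []):
                findings.append((rule["line"], f"{field}=* permits every host"))
    return findings

def tp_matches(pattern, name):
    """Exact match, or prefix match when the pattern ends in '*' (simplified)."""
    return name.startswith(pattern[:-1]) if pattern.endswith("*") else name == pattern

def covered_only_by_wildcard(rules, observed):
    """Observed TP Names that no permit rule narrower than TP=* matches."""
    narrow = [r["TP"] for r in rules if r["action"] == "P" and r.get("TP", "*") != "*"]
    return [n for n in observed if not any(tp_matches(p, n) for p in narrow)]

if __name__ == "__main__":
    print(lint(parse_reginfo(SAMPLE)))
```

Feed `covered_only_by_wildcard` the ‘TP Name’ column collected from SMGW; every alias it returns still depends on the catch-all rule.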
Registering external programs by remote servers and accessing them
from the local application server

On SAP NetWeaver AS ABAP registering ‘Registered Server Programs’ by remote
servers may be used to integrate 3rd party technologies. For example the SAP
TREX server will register the program alias ‘Trex_<SID>_<timestamp>’ at the
RFC Gateway of an application server.

We can identify these use-cases by going to transaction SMGW -> Goto ->
‘Logged on Clients’ and looking for programs listed with ‘System Type =
Registered Server’ and ‘Gateway Host’ set to any IP address or hostname not
belonging to the same server. The related program alias can be found in column
‘TP Name’.

We can verify whether its functionality is accessible from the AS ABAP by looking
for a TCP/IP connection in transaction SM59 with Technical Settings – Activation
Type ‘Registered Server Program’, the corresponding ‘Program ID’, and either no
‘Gateway Options’ set or ‘Gateway Options’ pointing to any RFC Gateway belonging
to the same system.

Please note: If the SAP NW AS ABAP has more than one application server and
therefore also more than one RFC Gateway, there may be scenarios in which the
‘Registered Server Program’ is registered at one specific RFC Gateway only. In
this case the ‘Gateway Options’ must point to exactly this RFC Gateway host. If
the ‘Gateway Options’ are not specified, the AS will try to connect to the RFC
Gateway running on the same host.

When a remote server of a ‘Registered Server Program’ is going to be shut down
due to maintenance, it may de-register its program from the RFC Gateway to
avoid errors. In some cases the RFC Gateway itself may also need to de-register
a ‘Registered Server Program’, for example if the reginfo ACL was
adjusted for the same ‘Registered Server Program’ or if the remote server
crashed.

For this scenario we would specify the following custom rule in the reginfo ACL,
e.g.,

P TP=<TP-Name> HOST=<remote-server> ACCESS=internal,local CANCEL=internal,local,<remote-server>

Registering external programs by remote servers and accessing them
from various RFC clients

‘Registered Server Programs’ registered by remote servers may also be used to
integrate 3rd party technologies. An example could be the integration of tax
software.

On AS ABAP we can identify these use-cases just as before by going to
transaction SMGW -> Goto -> ‘Logged on Clients’ and looking for programs listed
with ‘System Type = Registered Server’ and ‘Gateway Host’ set to any IP address
or hostname not belonging to the same server. The related program alias can be
found in column ‘TP Name’.

For an RFC Gateway of AS Java or a stand-alone RFC Gateway this can be
determined with the command-line tool gwmon by running the command gwmon
nr=<InstNo> pf=<profile>, then going to the menu by typing m and displaying
the client table by typing 3.

We look for programs listed with ‘Type = REGISTER_TP’ and ‘ADDR’ set to any IP
address or hostname not belonging to the same server. The related program alias
can be found in column ‘TP’.

When ‘Registered Server Programs’ are going to be consumed by any RFC clients
we can find the relevant information about the RFC clients in question in the
gateway log.

Again, when a remote server of a ‘Registered Server Program’ is going to be
shut down due to maintenance, it may de-register its program from the RFC
Gateway to avoid errors. In some cases the RFC Gateway itself may also need
to de-register a ‘Registered Server Program’, for example if the reginfo ACL was
adjusted for the same ‘Registered Server Program’ or if the remote server
crashed.

For this scenario we would specify the following custom rule in the reginfo ACL,
e.g.,

P TP=<TP-Name> HOST=<remote-server> ACCESS=internal,local,<rfc-client-host-1>,<rfc-client-host-2> CANCEL=internal,local,<remote-server>

Posted by Sabrina Pinto at 16:24

Labels: SAP NetWeaver, SAP NetWeaver Application Server for ABAP
