Control the Registration of External Programs in the Gateway

Published: 03/May/2011

Reading time: 3 mins

Tip Doctor, Insider Learning Network.

This tip was taken from “5 Tips for Securing Communication Between SAP Systems and External Programs” by Kehinde Eseyin, which was posted to the GRC Expert knowledgebase in July 2010.

You can protect external programs from registration in the gateway by appropriately configuring the reginfo file. The reginfo file is an access control list that not only prevents authorized registration of external programs, but also cancels registered programs.

You need to correctly set the profile parameter gw/reg_info to point to the specific location (/usr/sap//data/reginfo [where SID is the SAP system name]) of the reginfo file in the SAP system.

The syntax for the entries in this file is as follows:
TP= [HOST=,…] [NO=] [ACCESS=] [CANCEL=]

TP is the registration identifier of the external program. Examples of permitted TP names includes: sap* (start of name), sap (TP name), and * (unrestricted name).
HOST defines the host name from which registered external programs are permitted to log on. Examples of permitted host names include: 10.116.219.* (Subnet mask address), *.kite.com.ng (domain
), 10.116.219.3 (IP address), SCD (host name), and * (unrestricted).
NO defines the number of registrations allowed
ACCESS allows you to define an access list, which is the host name permitted to use the registered program. The exception here is that it cannot take a wildcard (*) as a value. If you do not specify any access list, the implication therefore is that the program can be used from any client.
CANCEL allows you to define a cancel list, which determines whether or not other clients can stop or log off the registered program

Examples of valid entries in the reginfo file are as follows:

TP=* (All registrations are allowed)
HOST=* .kite.com.ng TP=* (This means that all registrations from *.kite.com.ng domain are permitted)
HOST=* TP=sapken NO=1 (This means that only a program with the name sapken is allowed to register)
HOST=* TP=sapken ACCESS=*kite.com.ng (This means that the program sapken can be accessed by hosts that belong to only the *kite.com.ng domain)
HOST=* TP=sapken CANCEL=*pro.com.ng (This means that program sapken can be ended by clients that are logged on from only the *pro.com.ng domain)

Aside from the conventional (old) file format for reginfo just discussed above, the SAP system supports a new format that allows you to define an additional permit (P) or deny (D) parameters in the file.

The structure of the new file format is a bit different from the old format. In the new file format, the first line must start with #VERSION=2 and followed by the lines in the old format, but with a P or D prefix. Note that the P or D must be in upper case and it should be followed by a space or blank character.

The syntax is as follows:
#VERSION=2
P|D TP= [HOST=,…] [NO=] [ACCESS=] [CANCEL=]

An example of a typical entry for the new reginfo file is as follows:
#VERSION=2
P HOST=SMG TP=sapken

This means that the registration of the program sapken is allowed (permitted) if it came from host SMG. If the P in the syntax above is replaced by D, it means that the registration of the program sapken is not allowed (denied).
The reginfo file is read whenever the gateway is started. However, you can activate the changes to the reginfo file (at the operating system level) dynamically (no need to restart) by using transaction SMGW (gateway monitor) and following menu path Goto > Expert Functions External Security > Reread.

Kehinde covered another angle of SAP security in the article “Follow a Reliable Project Management Framework for Your SAP Archiving Process.”