RFC Gateway Security, Part 2 - Reginfo ACL - SAP Blogs

10/21/21, 1:13 PM RFC Gateway security, part 2 – reginfo ACL | SAP Blogs
Community
Ask a Question Write a Blog Post Login
Technical Articles
Johannes Goerlich
January 27, 2021 | 6 minute read
RFC Gateway security, part 2 – reginfo

ACL
 2  6  1,696
Follow
From my experience the RFC Gateway security is for many SAP Administrators still a
 Like not well understood topic. As a result many SAP systems lack for example of proper
defined ACLs to prevent malicious use.
 RSS Feed After an attack vector was published in the talk “SAP Gateway to Heaven” from
Mathieu Geli and Dmitry Chastuhin at OPDCA 2019 Dubai
(https://github.com/gelim/sap_ms) the RFC Gateway security is even more
important than ever. This publication got considerable public attention as
10KBLAZE.
With this blogpost series i try to give a comprehensive explanation of the RFC
Gateway Security:
Part 1: General questions about the RFC Gateway and RFC Gateway security.
Part 2: reginfo ACL in detail.
Part 3: secinfo ACL in detail.
Part 4: prxyinfo ACL in detail.
Part 5: ACLs and the RFC Gateway security.
https://blogs.sap.com/2021/01/27/rfc-gateway-security-part-2-reginfo-acl/ 1/10
Part 6: RFC Gateway Logging.
Updates:
2021-03-17: Rephrased some sections to be more precise. Updated images.
reginfo ACL
Please make sure you have read at least part 1 of this series to be familiar with the
basics of the RFC Gateway and the terms i use to describe things.
What exactly is defined in the rules in the reginfo ACL?

The reginfo ACL contains rules related to ‘Registered external RFC Servers’.
Every line corresponds one rule. A rule defines
if it specifies a permit or a deny. This is defined by the letter P or Dat the

beginning of a rule.
which servers are allowed to register which program aliases as a ‘Registered
external RFC Server’. This is defined in HOST=.
Please note: In most cases the registered program name differs from the
actual name of the executable program on OS level. The related program
alias also known as ‘TP Name’ is used to register a program at the RFC
Gateway.
which RFC clients are allowed to talk to the ‘Registered Server Program’. This
is defined in ACCESS=.
which servers are allowed to cancel or de-register the ‘Registered Server
Program’. This is defined in CANCEL=.
how many ‘Registered Server Programs’ with the same name can be
registered. This could be defined in NO=.
What are the common use cases?

Registering external programs by and accessing them from the local
application server
On SAP NetWeaver AS ABAP there exist use cases where registering and
accessing of ‘Registered Server Programs’ by the local application server is
necessary. In other words the same host running the ABAP system is also
running the SAP IGS, for example the integrated IGS (as part of SAP NW AS
ABAP) may be started on the application server’s host during the start
procedure of the ABAP system. It registers itself with the program alias ‘IGS.
<SID>’ at the RFC Gateway of the same application server. Its functions are
then used by the ABAP system on the same host.
We can identify these use cases by going to transaction SMGW -> “Goto” ->
“Logged on Clients” and looking for lines with ‘System Type = Registered
Server’ and ‘Gateway Host = 127.0.0.1’ (in some cases this may be any other IP
address or hostname of any application server of the same system). The
related program alias can be found in column ‘TP Name’:
We can verify if the functionality of these Registered RFC Server Programs is

accessible from the AS ABAP by looking for a TCP/IP connection in
transaction SM59 with “Technical Settings” – “Activation Type = Registered
Server Program” the corresponding ‘Program ID’ and either no ‘Gateway
Options’ or connection details to any of the RFC Gateways belonging to the
same system set:
SAP introduced an internal rule in the reginfo ACL to cover these cases:
P TP=* HOST=internal,local ACCESS=internal,local

CANCEL=internal,local
This rule is generated when gw/acl_mode = 1 is set but no custom reginfo was
defined.
It is common to define this rule also in a custom reginfo file as the last rule.
Registering external programs by remote servers and accessing them from the
local application server
On SAP NetWeaver AS ABAP registering ‘Registered Server Programs’
by remote servers may be used to integrate 3rd party technologies. In other
words the host running the ABAP system differs from the host running the
Registered Server Program, for example the SAP TREX server will register the
program alias ‘Trex_<SID>_<timestamp>’ at the RFC Gateway of an

application server.
We can identify these use cases by going to transaction SMGW -> “Goto” ->
“Logged on Clients” and looking for programs listed with ‘System Type =
Registered Server’ and ‘Gateway Host’ set to any IP address or hostname not
belonging to any application server of the same system. The related program
alias can be found in column ‘TP Name’:
We can verify if the functionality of these Registered RFC Server programs is

accessible from the AS ABAP by looking for a TCP/IP connection in
transaction SM59 with “Technical Settings” – “Activation Type = Registered
Server Program” the corresponding ‘Program ID’ and either no ‘Gateway
Options’ or connection details to any of the RFC Gateways belonging to the
same system set:
Please note: If the AS ABAP system has more than one application servers
and therefore also more than one RFC Gateways there may be scenarios in
which the ‘Registered Server Program’ is registered at one specific RFC
Gateway only. In this case the ‘Gateway Options’ must point to exactly this
RFC Gateway host. If the ‘Gateway Options’ are not specified the AS will try
to connect to the RFC Gateway running on the same host.
When a remote server of a ‘Registered Server Program’ is going to be

shutdown due to maintenance it may de-register its program from the RFC
Gateway to avoid errors. In some cases any application server of the same
system may also need to de-register a ‘Registered Server Program’, for
example if the reginfo ACL was adjusted for the same ‘Registered Server
Program’ or if the remote server crashed.
For this scenario a custom rule in the reginfo ACL would be necessary, e.g.,
P TP=<TP-Name> HOST=<rfc-server> ACCESS=internal,local

CANCEL=internal,local,<rfc-server>
Registering external programs at a standalone RFC Gateway by remote servers

and accessing them from various RFC clients
‘Registered Server Programs’ at a standalone RFC Gateway may be used to
integrate 3rd party technologies. An example could be the integration of a TAX
software.
For a RFC Gateway of AS Java or a stand-alone RFC Gateway this can be

determined with the command-line tool gwmon by running the command gwmon
nr=<InstNo> pf=<profile> then going to the menu by typing m and
displaying the client table by typing 3.
We can look for programs listed with ‘Type = REGISTER_TP’ and field ‘ADDR’
set to any IP address or hostname not belonging to any application server of
the same system. The related program alias can be found in column ‘TP’:
We can identify RFC clients which consume these ‘Registered Server

Programs’ by corresponding entries in the gateway log.
Again when a remote server of a ‘Registered Server Program’ is going to be

shutdown due to maintenance it may de-register its program from the RFC
Gateway to avoid errors. But also in some cases the RFC Gateway itself may
need to de-register a ‘Registered Server Program’, for example if the reginfo
ACL was adjusted for the same ‘Registered Server Program’ or if the remote
server crashed.
For this scenario a custom rule in the reginfo ACL would be necessary, e.g.,
P TP=<TP-Name> HOST=<rfc-server> ACCESS=<rfc-client-1>,<rfc-

client-2>,<rfc-client-3> CANCEL=<rfc-server>,local
<–Previous
Next –>
Alert Moderator
Assigned tags
SAP NetWeaver Application Server for ABAP
NW Client/Server Technology (CST)
SAP NetWeaver Application Server for Java
Security
RFC Gateway
Similar Blog Posts 

RFC Gateway security, part 5 - ACLs and the RFC Gateway security
By Johannes Goerlich Feb 03, 2021
RFC Gateway security, part 6 – Logging

By Johannes Goerlich Feb 05, 2021
RFC Gateway security, part 1 - basic understanding

By Johannes Goerlich Jan 26, 2021
Related Questions 
Gateway not connected to local R/3
By souradeep ghosal Aug 10, 2021
How to register an external program on gateway

By Former Member Sep 13, 2017
Connection could not be established to local gateway: Error STMS, SMGW

By Desiree Cardenas Nov 22, 2017
Join the Conversation 

SAP TechEd
Tune in for tech talk. Stay for inspiration. Upskill your future.
Coffee Corner
Join the new Coffee Corner Discussion Group.
2 Comments
You must be Logged on to comment or reply to a post.
Venkateshwar Pulugam
January 28, 2021 at 8:46 am
Please update links for all parts (currently only 1 &2 are working)
Like 0 | Share
Johannes Goerlich | Blog Post Author

January 28, 2021 at 9:16 am
Hello Venkateshwar, thank you for your comment. The other parts are not finished, yet. Please follow
me to get a notification once i publish the next part of the series.
Like 0 | Share
Find us on
Privacy Terms of Use
Legal Disclosure Copyright
Trademark Cookie Preferences
Newsletter Support

RFC Gateway Security, Part 2 - Reginfo ACL - SAP Blogs

Uploaded by

Copyright:

Available Formats

You might also like

RFC Gateway Security, Part 2 - Reginfo ACL - SAP Blogs

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

RFC Gateway Security, Part 2 - Reginfo ACL - SAP Blogs

Uploaded by

Copyright:

Available Formats

10/21/21, 1:13 PM RFC Gateway security, part 2 – reginfo ACL | SAP Blogs

Ask a Question Write a Blog Post Login

RFC Gateway security, part 2 – reginfo

Part 2: reginfo ACL in detail.

Part 3: secinfo ACL in detail.

Part 4: prxyinfo ACL in detail.

Part 5: ACLs and the RFC Gateway security.

Part 6: RFC Gateway Logging.

What exactly is defined in the rules in the reginfo ACL?

Every line corresponds one rule. A rule defines

if it specifies a permit or a deny. This is defined by the letter P or Dat the

What are the common use cases?

We can verify if the functionality of these Registered RFC Server Programs is

P TP=* HOST=internal,local ACCESS=internal,local

program alias ‘Trex_<SID>_<timestamp>’ at the RFC Gateway of an

We can verify if the functionality of these Registered RFC Server programs is

When a remote server of a ‘Registered Server Program’ is going to be

P TP=<TP-Name> HOST=<rfc-server> ACCESS=internal,local

Registering external programs at a standalone RFC Gateway by remote servers

For a RFC Gateway of AS Java or a stand-alone RFC Gateway this can be

We can identify RFC clients which consume these ‘Registered Server

Again when a remote server of a ‘Registered Server Program’ is going to be

P TP=<TP-Name> HOST=<rfc-server> ACCESS=<rfc-client-1>,<rfc-

SAP NetWeaver Application Server for ABAP

NW Client/Server Technology (CST)

SAP NetWeaver Application Server for Java

Similar Blog Posts 

RFC Gateway security, part 6 – Logging

RFC Gateway security, part 1 - basic understanding

How to register an external program on gateway

Connection could not be established to local gateway: Error STMS, SMGW

Join the Conversation 

You must be Logged on to comment or reply to a post.

Johannes Goerlich | Blog Post Author

Privacy Terms of Use

Legal Disclosure Copyright

Trademark Cookie Preferences

You might also like