RFC Gateway Security, Part 2 - Reginfo ACL - SAP Blogs
Johannes Goerlich
January 27, 2021 | 6 minute read
From my experience, RFC Gateway security is still a poorly understood topic for many SAP administrators. As a result, many SAP systems lack, for example, properly defined ACLs to prevent malicious use.
After an attack vector was published in the talk “SAP Gateway to Heaven” by Mathieu Geli and Dmitry Chastuhin at OPCDE 2019 Dubai (https://github.com/gelim/sap_ms), RFC Gateway security is more important than ever. This publication got considerable public attention as 10KBLAZE.
With this blog post series I try to give a comprehensive explanation of RFC Gateway security:
Part 1: General questions about the RFC Gateway and RFC Gateway security.
https://blogs.sap.com/2021/01/27/rfc-gateway-security-part-2-reginfo-acl/
10/21/21, 1:13 PM RFC Gateway security, part 2 – reginfo ACL | SAP Blogs
Updates:
2021-03-17: Rephrased some sections to be more precise. Updated images.
reginfo ACL
Please make sure you have read at least part 1 of this series to be familiar with the basics of the RFC Gateway and the terms I use to describe things.
Please note: In most cases the registered program name differs from the actual name of the executable program on OS level. The related program alias, also known as ‘TP Name’, is used to register a program at the RFC Gateway.
Besides the program alias itself, each rule in the reginfo ACL defines:
- which RFC clients are allowed to talk to the ‘Registered Server Program’. This is defined in ACCESS=.
- which servers are allowed to cancel or de-register the ‘Registered Server Program’. This is defined in CANCEL=.
- how many ‘Registered Server Programs’ with the same name can be registered. This can be defined in NO=.
procedure of the ABAP system. It registers itself with the program alias ‘IGS.<SID>’ at the RFC Gateway of the same application server. Its functions are then used by the ABAP system on the same host.
We can identify these use cases by going to transaction SMGW -> “Goto” ->
“Logged on Clients” and looking for lines with ‘System Type = Registered
Server’ and ‘Gateway Host = 127.0.0.1’ (in some cases this may be any other IP
address or hostname of any application server of the same system). The
related program alias can be found in column ‘TP Name’:
SAP introduced an internal rule in the reginfo ACL to cover these cases:
This rule is generated when gw/acl_mode = 1 is set and no custom reginfo file has been defined.
It is common practice to include this rule in a custom reginfo file as well, as the last rule.
Registering external programs by remote servers and accessing them from the local application server
On SAP NetWeaver AS ABAP, registering ‘Registered Server Programs’ from remote servers may be used to integrate 3rd-party technologies. In other words, the host running the ABAP system differs from the host running the Registered Server Program; for example, the SAP TREX server will register the
We can identify these use cases by going to transaction SMGW -> “Goto” ->
“Logged on Clients” and looking for programs listed with ‘System Type =
Registered Server’ and ‘Gateway Host’ set to any IP address or hostname not
belonging to any application server of the same system. The related program
alias can be found in column ‘TP Name’:
Please note: If the AS ABAP system has more than one application server, and therefore also more than one RFC Gateway, there may be scenarios in which the ‘Registered Server Program’ is registered at one specific RFC Gateway only. In this case the ‘Gateway Options’ must point to exactly this RFC Gateway host. If the ‘Gateway Options’ are not specified, the AS will try to connect to the RFC Gateway running on the same host.
For this scenario a custom rule in the reginfo ACL would be necessary, e.g.,
We can look for programs listed with ‘Type = REGISTER_TP’ and field ‘ADDR’
set to any IP address or hostname not belonging to any application server of
the same system. The related program alias can be found in column ‘TP’:
For this scenario a custom rule in the reginfo ACL would be necessary, e.g.,
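Both steps above, listing the registered server programs in SMGW and deciding which of them are covered by the local/internal rule and which need a custom rule, can be dry-run before a stricter reginfo file goes live. The following Python script is an added example for this post and is not code from SAP or from the author. It models the documented reginfo line form P|D TP=<alias> HOST=<hosts> ACCESS=<hosts> CANCEL=<hosts> NO=<n> with first-match evaluation and the host keywords local and internal; the hostnames, IP addresses, program aliases, the "Logged on Clients" rows and the reginfo content are all constructed for illustration. The defaults it applies to omitted keys and its refusal of permit rules without an explicit HOST= and ACCESS= are the script's own policy, not gateway behaviour.

```python
"""Dry-run a reginfo ACL against the registered server programs listed in SMGW.
Added example, not SAP code: models the documented line form
P|D TP=<alias> HOST=<hosts> ACCESS=<hosts> CANCEL=<hosts> NO=<n>, first match wins,
host keywords 'local' and 'internal'. All hosts, aliases and rules are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

INTERNAL_HOSTS = {"sapapp01", "sapapp02"}               # app servers of the system (constructed)
LOCAL_ALIASES = {"127.0.0.1", "localhost", "sapapp01"}  # names the gateway host itself shows up as

# Constructed SMGW -> Goto -> Logged on Clients rows: (TP Name, System Type, Gateway Host)
LOGGED_ON_CLIENTS = [
    ("IGS.ABC",  "Registered Server", "127.0.0.1"),  # local IGS of SID ABC
    ("TREX_ABC", "Registered Server", "saptrex01"),  # 3rd-party server on a remote host
    ("RFCEXEC",  "Registered Server", "10.0.5.77"),  # registration nobody planned for
    ("sapgui",   "Local",             "sapapp01"),   # not a registered server program
]

# Constructed reginfo: a rule per known remote integration, then a rule for
# local/internal registrations as the post describes, then an explicit catch-all deny.
SAMPLE_REGINFO = """\
#VERSION=2
P TP=TREX_* HOST=saptrex01 ACCESS=internal CANCEL=internal,saptrex01 NO=2
P TP=* HOST=internal,local ACCESS=internal,local CANCEL=internal,local
D TP=*
"""

@dataclass
class Rule:
    permit: bool
    tp: str            # program alias pattern ('*' wildcard)
    host: list         # hosts allowed to register the program
    access: list       # hosts allowed to talk to it
    cancel: list       # hosts allowed to cancel / de-register it
    no: Optional[int]  # maximum number of registrations with this name
    line: int

def parse_reginfo(text: str) -> list:
    """Omitted keys default to '*' and permit rules must state HOST= and ACCESS=
    explicitly: both are this script's own choices, not gateway behaviour."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: rule must start with P or D")
        kv = {}
        for tok in tokens:
            key, sep, val = tok.partition("=")
            if not sep or not val:
                raise ValueError(f"line {lineno}: bad token {tok!r}")
            kv[key.upper()] = val
        if "TP" not in kv or (action == "P" and not {"HOST", "ACCESS"}.issubset(kv)):
            raise ValueError(f"line {lineno}: TP= (and HOST=/ACCESS= for P) are required")
        rules.append(Rule(action == "P", kv["TP"],
                          kv.get("HOST", "*").split(","),
                          kv.get("ACCESS", "*").split(","),
                          kv.get("CANCEL", kv.get("HOST", "*")).split(","),
                          int(kv["NO"]) if "NO" in kv else None, lineno))
    return rules

def host_matches(pattern: str, host: str) -> bool:
    if pattern == "local":
        return host in LOCAL_ALIASES
    if pattern == "internal":
        return host in INTERNAL_HOSTS or host in LOCAL_ALIASES
    return fnmatchcase(host.lower(), pattern.lower())

def classify(host: str) -> str:
    """Origin of a registration in the post's terms: local, internal or external."""
    return "local" if host in LOCAL_ALIASES else "internal" if host in INTERNAL_HOSTS else "external"

def find_rule(rules: list, tp: str, registering_host: str) -> Optional[Rule]:
    """First rule whose TP pattern and HOST list both match; None if none does."""
    for r in rules:
        if fnmatchcase(tp, r.tp) and any(host_matches(p, registering_host) for p in r.host):
            return r
    return None

def registration_allowed(rules, tp, registering_host, already_registered=0) -> bool:
    r = find_rule(rules, tp, registering_host)
    if r is None or not r.permit:          # no matching rule is treated as deny
        return False
    return r.no is None or already_registered < r.no

def access_allowed(rules, tp, registering_host, client_host) -> bool:
    """The rule that admitted the registration also decides who may talk to it."""
    r = find_rule(rules, tp, registering_host)
    return r is not None and r.permit and any(host_matches(p, client_host) for p in r.access)

def dry_run(rules, clients) -> dict:
    """Map each registered server program seen in SMGW to (origin, verdict, rule line)."""
    report = {}
    for tp, system_type, gw_host in clients:
        if system_type != "Registered Server":
            continue
        r = find_rule(rules, tp, gw_host)
        verdict = "permit" if r is not None and r.permit else "deny"
        report[tp] = (classify(gw_host), verdict, r.line if r else None)
    return report

if __name__ == "__main__":
    rules = parse_reginfo(SAMPLE_REGINFO)
    for tp, (origin, verdict, line) in dry_run(rules, LOGGED_ON_CLIENTS).items():
        print(f"{tp:10} {origin:9} {verdict:7} rule line {line}")
```

Running the script prints one line per registered server program: the local IGS is admitted by the local/internal rule, the TREX registration from its remote host by its dedicated rule, and the unexpected RFCEXEC registration from 10.0.5.77 falls through to the final deny, which is exactly the list an administrator wants to review before activating the file. Note that fnmatch also treats ? and [ as wildcards, which a real reginfo does not; for a production check, restrict the pattern syntax to * only.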
2 Comments
Venkateshwar Pulugam
January 28, 2021 at 8:46 am
Please update links for all parts (currently only 1 &2 are working)
Hello Venkateshwar, thank you for your comment. The other parts are not finished yet. Please follow me to get a notification once I publish the next part of the series.