RFC Gateway Security, Part 3 - Secinfo ACL - SAP Blogs
Johannes Goerlich
January 29, 2021 | 4 minute read
From my experience, RFC Gateway security is still a not well understood topic for many SAP Administrators. As a result, many SAP systems lack, for example, properly defined ACLs to prevent malicious use.
After an attack vector was published in the talk “SAP Gateway to Heaven” by Mathieu Geli and Dmitry Chastuhin at OPDCA 2019 Dubai (https://github.com/gelim/sap_ms), RFC Gateway security is more important than ever. This publication got considerable public attention as 10KBLAZE.
With this blog post series I try to give a comprehensive explanation of RFC Gateway security:
Part 1: General questions about the RFC Gateway and RFC Gateway security.
https://blogs.sap.com/2021/01/29/rfc-gateway-security-part-3-secinfo-acl/ 1/9
10/21/21, 1:13 PM RFC Gateway security, part 3 – secinfo ACL | SAP Blogs
Updates:
2021-03-17: Rephrased some sections to be more precise.
secinfo ACL
Please make sure you have read at least part 1 of this series to be familiar with the basics of the RFC Gateway and the terms I use to describe things.
Each secinfo rule specifies:
from which RFC client this can be initiated; this is specified in USER-HOST=.
the remote host on which the executable is to be started; this is defined in HOST=.
the executable which will be executed on the OS level with the permissions of either the OS user running the RFC Gateway process or the credentials of an SAP user; this is defined in TP= based on the executable name or its full path (e.g., if it is not in $PATH).
To identify this use case we can look for TCP/IP connections with “Technical
Setting” – “Activation Type = Start on Application Server”:
We can verify this during runtime by going to transaction SMGW and looking at the active connections:
or by going to “Logged on Clients” and looking for lines with “System Type = External Client” and “Gateway Host = 127.0.0.1” (in some cases this may be any other IP address or hostname of a server of the same system). The related program name can be found in the column ‘TP Name’:
Since these programs are shown only during their execution, a better approach is to look into the log files of the RFC Gateway and search for ‘secinfo accepted:’ or ‘secinfo denied:’ to identify which programs have been called in the past, e.g.:
SAP introduced an internal rule in the secinfo ACL to allow the starting of any program on the same server:
This rule is generated when gw/acl_mode = 1 is set but no custom secinfo ACL
was defined.
It is common to define this rule also in a custom reginfo file as the last rule.
To identify this use case we can look for TCP/IP connections with “Technical
Setting” – “Activation Type = Start on Explicit Host” and a “Target Host”
different from hosts of the application servers of the same system.
For this scenario a custom rule in the secinfo ACL would be necessary, e.g.,
To identify use cases for starting external programs via remote RFC Gateways
from our AS ABAP we can look for TCP/IP connections with “Technical
Setting” – “Activation Type = Start on Explicit Host” and a “Target Host” as
well as “Gateway Host” different from the IP address or hostname of any
application server of the same system.
For this scenario a custom rule in the secinfo ACL of the remote RFC Gateway would be necessary, e.g.,
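As an added example (not code from this blog post or from SAP), here is a small Python evaluator for secinfo rules that covers both the internal "any program on the same server" rule described above and the custom rules needed for the explicit-host scenarios: it parses a constructed sample secinfo file and reports which rule accepts or denies a given start request, which is useful for checking an ACL before rolling it out. The host names, the program path, the `#VERSION=2` sample header, my rendering of the internal rule as the last line, and the simplified `*` wildcard matching are assumptions.

```python
"""Evaluate secinfo ACL rules against 'start external program' requests (added example)."""
import fnmatch

# Constructed sample secinfo file, not taken from the blog post. Rules are checked top
# down and the first match wins. The last line is my rendering (an assumption) of the
# internal rule the post describes: any program on a server of this system (HOST=internal),
# started only from this system's own servers (USER-HOST=internal).
SAMPLE_SECINFO = """\
#VERSION=2
P TP=/usr/sap/ext/archive_tool USER=* USER-HOST=internal HOST=exthost01
D TP=* USER=* USER-HOST=* HOST=exthost01
P TP=* USER=* USER-HOST=internal HOST=internal
"""


def parse_secinfo(text):
    """Return rules as (action, {field: pattern}) tuples; comments and #VERSION are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"bad secinfo line: {line}")
        rules.append((action, dict(f.split("=", 1) for f in fields)))
    return rules


def _host_matches(pattern, host, internal_hosts, local_host):
    """'internal' = any application server of this system, 'local' = the gateway's own host."""
    if pattern == "internal":
        return host in internal_hosts
    if pattern == "local":
        return host == local_host
    return fnmatch.fnmatchcase(host, pattern)  # simplified wildcard handling (assumption)


def evaluate(rules, tp, user, user_host, host, internal_hosts, local_host):
    """Return (action, rule index) of the first matching rule; no match means denied."""
    for idx, (action, f) in enumerate(rules):
        if (fnmatch.fnmatchcase(tp, f.get("TP", "*"))
                and fnmatch.fnmatchcase(user, f.get("USER", "*"))
                and _host_matches(f.get("USER-HOST", "*"), user_host, internal_hosts, local_host)
                and _host_matches(f.get("HOST", "*"), host, internal_hosts, local_host)):
            return action, idx
    return "D", None
```

Run `evaluate(parse_secinfo(SAMPLE_SECINFO), tp, user, user_host, host, {"appsrv1", "appsrv2"}, "appsrv1")` with the hosts you expect to see in SMGW to confirm that only the intended program may be started on exthost01 and that requests from outside the system are denied.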