E - 20231023 Access Control Lists (ACL)
Symptom
You want to restrict access to the server ports of an SAP system.
Other Terms
Access Control List (ACL)
Solution
You can use an Access Control List (ACL) to filter the access to a server port.
The client network must not be able to reach the following server ports and they must be
protected using an ACL.
Enqueue server: See the parameter "enque/server/acl_file".
Start service: See the parameters "service/http/acl_file" and "service/https/acl_file".
Internal message server port: See the parameter "ms/acl_info".
You can also restrict the access to additional ports:
Dispatcher: See the parameter "rdisp/acl_file".
The parameter rdisp/acl_file specifies the file that the (ABAP) dispatcher uses as an
Access Control List for access authorizations on connections from the SAP GUI. If the
profile parameter is set, the file must exist and be syntactically correct. If this is
not the case, the (ABAP) dispatcher terminates again during startup.
Message server external port, message server HTTP port: See the parameters
"ms/acl_file_admin", "ms/acl_file_ext", "ms/acl_file_extbnd", and "ms/acl_file_int".
ICM ports: See the parameter "icm/server_port".
Gateway ports: See the parameter "gw/acl_file".
For more information about the parameters, see transaction RZ11. The syntax of the ACL file
is also described there.
<ip address> The IP address must be an IPv4 or IPv6 address of the following form:
IPv4: 4 bytes, decimal, '.' separated, for example 10.11.12.13
IPv6: 16 bytes, hexadecimal, ':' separated; '::' is supported
<mask> If a mask is specified, then it must be a subnet prefix mask:
IPv4: 4 byte, decimal, '.' separated, for example 10.11.12.13
IPv6: 16 byte, hexadecimal, ':' separated. '::' is supported
<tracelevel> is the trace level with which hits on the ACL (addresses that match a rule,
taking the subnet mask into account) are written to the relevant trace file (default
value 2).
The file may contain blank lines.
A general 'deny' is inserted automatically as the last rule. For clarity, you should still
enter an explicit 'deny' as the last rule.
The rules are checked in sequence starting from the top ("top down"). The first matching
rule determines the result ("first match").
Sample file:
permit 10.1.2.0/24 # permit client network
permit 192.168.7.0/24 # permit server network
permit 10.0.0.0/8 1 # screening rule (learning mode, trace-level 1)
deny 0.0.0.0/0 # deny the rest
Caution: If the ASCS and ABAP Dialog instance(s) are started on the same UNIX host, the
communication from the dispatcher to the message server takes place using the UNIX domain
socket (UDS). For the message server, the incoming UDS connection is the same as a local
connection, so a "localhost" entry (or IP address 127.0.0.1 or ::1) should be maintained in
the message server ACL file.
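The rule syntax, the top-down first-match evaluation with the implicit final deny, and the localhost caveat above can all be checked offline before a profile parameter points at the file. The following Python is an added example written for this note, not SAP code and not the kernel's parser: it assumes the line shape permit|deny <address>[/<mask>] [<tracelevel>] [# comment] as inferred from the sample file, treats a missing mask as a host entry, and includes a constructed sample ACL with the loopback entries the caution paragraph asks for. Names such as parse_acl, evaluate and lint are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample ACL, modelled on the sample file in the note plus the
# loopback entries that a message server ACL needs when the ASCS and a
# dialog instance share a UNIX host (dispatcher -> message server via UDS).
SAMPLE_ACL = """\
# message server ACL (constructed example)
permit 127.0.0.1/32      # local dispatcher via UDS counts as a local connection
permit ::1/128
permit 10.1.2.0/24       # permit client network
permit 192.168.7.0/24    # permit server network
permit 10.0.0.0/8 1      # screening rule (learning mode, trace-level 1)

deny 0.0.0.0/0           # deny the rest
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    action: str        # "permit" or "deny"
    network: Network   # address with optional subnet prefix
    tracelevel: int    # trace level used for hits on this rule (default 2)
    lineno: int        # line in the ACL file, for diagnostics


def parse_acl(text: str) -> List[Rule]:
    """Parse lines of the assumed form: permit|deny <addr>[/<mask>] [<tracelevel>] [# comment].

    Blank and comment-only lines are skipped. Anything else that does not parse
    raises ValueError naming the line, mirroring the note's requirement that the
    file be syntactically correct before the server will start."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comment
        if not line:
            continue                              # blank lines are allowed
        parts = line.split()
        if len(parts) not in (2, 3) or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        try:
            # strict=False: "10.1.2.5/24" is accepted as the network 10.1.2.0/24;
            # a bare address becomes a /32 or /128 host entry. '::' is handled.
            net = ipaddress.ip_network(parts[1], strict=False)
            trace = int(parts[2]) if len(parts) == 3 else 2
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        rules.append(Rule(parts[0], net, trace, lineno))
    return rules


def evaluate(rules: List[Rule], client: str) -> Tuple[str, Optional[Rule]]:
    """Top-down, first-match evaluation; implicit deny when no rule matches."""
    addr = ipaddress.ip_address(client)
    for rule in rules:
        if addr.version == rule.network.version and addr in rule.network:
            return rule.action, rule
    return "deny", None   # the general ban appended automatically by the server


def lint(rules: List[Rule]) -> List[str]:
    """Defender-side checks derived from the note's text."""
    findings: List[str] = []
    if not rules or rules[-1].action != "deny":
        findings.append("no explicit 'deny' as last rule")
    if evaluate(rules, "127.0.0.1")[0] != "permit" or evaluate(rules, "::1")[0] != "permit":
        findings.append("localhost (127.0.0.1 / ::1) not permitted; a local dispatcher "
                        "connecting over the UNIX domain socket would be rejected")
    # A rule whose whole network is covered by an earlier rule can never match
    # under first-match evaluation; flag it so the file says what it means.
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.network.version == earlier.network.version
                    and later.network.subnet_of(earlier.network)):
                findings.append(f"line {later.lineno} is shadowed by line {earlier.lineno}")
                break
    return findings


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for ip in ("10.1.2.77", "10.200.1.1", "172.16.0.1", "2001:db8::1", "::1"):
        action, hit = evaluate(acl, ip)
        where = f"line {hit.lineno}, trace level {hit.tracelevel}" if hit else "implicit final deny"
        print(f"{ip:>14} -> {action:6} ({where})")
    print("lint findings:", lint(acl) or "none")
```

Run it against a real ACL file by reading the file into parse_acl and passing the client addresses you expect (dispatcher hosts, administration workstations, and the loopback addresses) to evaluate; an empty lint result plus the expected permit/deny per address is the check to perform before setting the corresponding acl_file parameter.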
Manual Activities
Software Components
KRNL32NUC
KRNL32UC
KRNL64NUC
KRNL64UC
KERNEL
References
3020989 SWPM stuck in step "The message server does not allow connections to its internal port from this host" while installing an Additional Application Server Instance