
SAP Note

1495075 - Access control lists (ACL)


Component: BC-CST (Client/Server Technology), Version: 8, Released On: 24.09.2019

Symptom
You want to restrict access to the server ports of an SAP system.

Other Terms
Access Control List (ACL)

Reason and Prerequisites

It should be possible to access the server ports of an SAP system only from certain address
ranges. For permitted accesses, the setup of the connection should be logged at application
level so that it can be verified. Forbidden accesses should be rejected. You can meet both
requirements with a firewall. In a setup without a firewall, the application server itself
can also provide the relevant function. This note describes these functions and the required
configuration.

Solution
You can use an Access Control List (ACL) to filter the access to a server port.

The following server ports must not be reachable from the client network, and they must be
protected using an ACL:
Enqueue server: See the parameter "enque/server/acl_file".
Start service (sapstartsrv): See the parameters "service/http/acl_file" and "service/https/acl_file".
Internal message server port: See the parameter "ms/acl_info".
You can also restrict the access to additional ports:
Dispatcher: See the parameter "rdisp/acl_file".
The parameter rdisp/acl_file specifies the file that the (ABAP) dispatcher uses as an
Access Control List for connections from the SAP GUI. If the profile parameter is set, the
file must exist and be syntactically correct; otherwise the (ABAP) dispatcher terminates
again immediately after starting.
Message server external port, message server HTTP port: See the parameters
"ms/acl_file_admin", "ms/acl_file_ext", "ms/acl_file_extbnd", and "ms/acl_file_int".
ICM ports: See the parameter "icm/server_port" (the ACL file is specified per port with the
ACLFILE option of this parameter).
Gateway ports: See the parameter "gw/acl_file".

For more information about the parameters, see transaction RZ11. The syntax of the ACL file
is also described there.

Syntax of the ACL file


An ACL file can be specified with the following parameters: enque/server/acl_file,
service/http/acl_file, service/https/acl_file, rdisp/acl_file, ms/acl_file_admin,
ms/acl_file_ext, ms/acl_file_extbnd, ms/acl_file_int, icm/server_port, and gw/acl_file.
Each line of the ACL must have the following syntax:
<permit | deny> <ip-address[/mask]> [tracelevel] [# comment]

<ip-address> The IP address must be an IPv4 or IPv6 address of the following form:
IPv4: 4 bytes, decimal, '.' separated, for example 10.11.12.13
IPv6: 16 bytes, hexadecimal, ':' separated; the '::' abbreviation is supported
<mask> If a mask is specified, it must be a subnet prefix length (CIDR notation):
IPv4: decimal number from 0 to 32, for example 10.1.2.0/24
IPv6: decimal number from 0 to 128, for example 2001:db8::/32
<tracelevel> is the trace level with which hits (addresses that match the rule, taking the
subnet mask into account) are written to the relevant trace file (default value 2).
<# comment> Comment lines start with a hash sign '#'. The file may contain blank lines.

A general ban (deny) is inserted automatically as the last rule. For clarity, you should
nevertheless enter an explicit 'deny' as the last rule.
The rules are checked in sequence from the top ("top down"). The first applicable rule
determines the result ("first match").

Sample file:
permit 10.1.2.0/24 # permit client network
permit 192.168.7.0/24 # permit server network
permit 10.0.0.0/8 1 # screening rule (learning mode, trace-level 1)
deny 0.0.0.0/0 # deny the rest
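To make the syntax and the evaluation order concrete, the following Python script parses an ACL file in the format above and evaluates client addresses against it top down, first match, with the automatic final deny and the default trace level 2. It is an added illustration written for this page, not SAP kernel code; the sample file is the one from this note, and the assumption that a rule with non-zero host bits (such as 10.1.2.5/24) is accepted and masked rather than rejected is the script's own, since the note does not say how the kernel treats that case.

```python
"""Parse and evaluate an SAP-style ACL file:
    <permit|deny> <ip-address[/mask]> [tracelevel] [# comment]
Added example for this page (not SAP code); standard library only."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    action: str        # "permit" or "deny"
    network: Network   # address plus prefix length; a bare address becomes /32 or /128
    tracelevel: int    # trace level used when this rule matches (default 2)
    lineno: int        # 1-based line in the ACL file, for diagnostics


class AclSyntaxError(ValueError):
    """A line that does not match the grammar; the real server refuses such a file."""


def parse_acl(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop '# comment'; blank lines are allowed
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (2, 3):
            raise AclSyntaxError(f"line {lineno}: expected '<permit|deny> <ip[/mask]> [tracelevel]'")
        action, target = parts[0].lower(), parts[1]
        if action not in ("permit", "deny"):
            raise AclSyntaxError(f"line {lineno}: action must be permit or deny, got {parts[0]!r}")
        try:
            # strict=False zeroes host bits (10.1.2.5/24 -> 10.1.2.0/24). Assumption of this
            # example: the kernel is equally tolerant. Anything that is not an IPv4/IPv6
            # address with an optional prefix length (0-32 / 0-128) is rejected.
            network = ipaddress.ip_network(target, strict=False)
        except ValueError as exc:
            raise AclSyntaxError(f"line {lineno}: bad address/mask {target!r}: {exc}") from None
        tracelevel = 2
        if len(parts) == 3:
            if not parts[2].isdigit():
                raise AclSyntaxError(f"line {lineno}: trace level must be an integer, got {parts[2]!r}")
            tracelevel = int(parts[2])
        rules.append(Rule(action, network, tracelevel, lineno))
    return rules


def validate_acl(text: str) -> Optional[str]:
    """None if the file parses, else the error text. Worth running before setting
    rdisp/acl_file, because the dispatcher does not start with a broken file."""
    try:
        parse_acl(text)
    except AclSyntaxError as exc:
        return str(exc)
    return None


def check_access(rules: List[Rule], client_ip: str) -> Tuple[bool, Optional[Rule]]:
    """Top down, first match. (False, None) means no rule matched and the
    automatically appended general deny applied."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        if addr.version == rule.network.version and addr in rule.network:
            return rule.action == "permit", rule
    return False, None


# Constructed sample: the sample file from this note.
SAMPLE_ACL = """\
permit 10.1.2.0/24      # permit client network
permit 192.168.7.0/24   # permit server network
permit 10.0.0.0/8 1     # screening rule (learning mode, trace-level 1)
deny 0.0.0.0/0          # deny the rest
"""

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for ip in ("10.1.2.77", "10.99.0.1", "172.16.0.9", "2001:db8::1"):
        permitted, rule = check_access(rules, ip)
        where = f"line {rule.lineno} (trace level {rule.tracelevel})" if rule else "implicit final deny"
        print(f"{ip:14} -> {'permit' if permitted else 'deny':6} via {where}")
    print("syntax check of 'allow 10.1.2.0/24':", validate_acl("allow 10.1.2.0/24"))
```

Two points the run makes visible. 10.99.0.1 is permitted by the /8 screening rule at trace level 1 even though it is outside the client network, which is exactly the learning-mode behaviour the sample comments describe; tighten the /8 rule once the trace shows which ranges really connect. And in this model the IPv6 probe matches neither the permits nor `deny 0.0.0.0/0`, because that rule is an IPv4 prefix, so it is rejected only by the automatic final ban; if the instance also listens on IPv6 and you want the rejection to be explicit and traced, add a `deny ::/0` line as well (the note itself only states that a general ban is appended).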

Message server ACL info


The message server ACL info file (parameter ms/acl_info) lists the hosts from which
application servers may log on to the message server. This prevents arbitrary hosts from
registering with the message server as application servers. This file uses a different
syntax from the ACL file above:

HOST=[*| ip_adr | host_name | Subnet_mask | Domain ] [, ...]


For more information about the ACL info file and secure configuration of the message server,
refer to SAP Note 821875.

Caution: If the ASCS and the ABAP dialog instance(s) run on the same UNIX host, the dispatcher
communicates with the message server over a UNIX domain socket (UDS). The message server
treats the incoming UDS connection like a local connection, so a "localhost" entry (or the IP
address 127.0.0.1 or ::1) should be maintained in the message server ACL info file
(ms/acl_info).

Manual Activities

Software Components
Software Component (and subsequent): KRNL32NUC, KRNL32UC, KRNL64NUC, KRNL64UC, KERNEL
(the per-release entries of this table are not preserved here)

This document refers to


SAP Note/KBA Title

821875 Security settings in the message server

1879601 Secure setup of the standalone enqueue server

This document is referenced by

SAP Note/KBA Title

3328993 Disable undesired HTTP methods on ports 5xx13 and 5xx14

3238772 Java system does not start when "ms/acl_file_int" is configured

3028932 sapcontrol returns NIECONN_REFUSED for a remote instance

3020989 SWPM stuck in step "The message server does not allow connections to its internal port from this host" while installing an Additional Application Server Instance

2588975 Communication between sapstartsrv processes denied due to ACL restrictions

3147509 Dynamic IPs for hostnames in SAProuter route permission table

3096678 Allow ACL entries with trace level 0

2040644 Secure Internal Server Communication
