
parameter gw/acl_mode in production

Former Member
0 Kudos

Hello Gurus,

The recommended value for the parameter gw/acl_mode in production systems is "1".

What can be the impacts or risks if I still keep it as "0"?

Regards,

Nivin

Accepted Solutions (1)


Former Member
0 Kudos

Hi navin,

Do one thing: maintain reginfo.DAT and secinfo.DAT on each app server and CI server in the location \usr\sap\<SID>\D000\data,

reginfo.DAT = P TP=*

secinfo.DAT = P TP=* USER=* USER-HOST=* HOST=*

and also check the parameters gw/reg_info and gw/sec_info, with the values \usr\sap\<SID>\D000\data\reginfo.DAT and \usr\sap\<SID>\D000/data\secinfo.DAT.

Then only maintain gw/acl_mode = 1. Hope in EarlyWatch the value will be green.

Cheers

Rableen

Former Member
0 Kudos

Hi Rableen/Gurus,

Current state of the system:

gw/reg_no_conn_info = 1

gw/acl_mode            = 0

gw/reg_info               = \usr\sap\<SID>\D000\data\reginfo

gw/sec_info              = \usr\sap\<SID>\D000\data\secinfo

The reginfo & secinfo files are not available in the said location though.

If I create the files, what are the entries that I should add? Will it create any impact on the preset state of the system? How should I proceed?

P.S.: Actually, I'm not clear on the term "allow registration of external server program" regarding the gw/acl_mode parameter.

Thanks,

Nivin

0 Kudos

Hi,

Please check below link for more information on this topic.

http://wiki.scn.sap.com/wiki/display/Security/Gateway+Access+Control+Lists

isaias_freitas
Advisor
0 Kudos

Hello,

We have moved this WIKI to another WIKI space.

Tip: always use the WIKI "tiny link" to share it.

New link to the WIKI:

Gateway Access Control Lists - Application Server Infrastructure - SCN Wiki

Regards,

Isaías

Answers (3)


IanSegobio
Advisor
0 Kudos

Hello Nivin,

It's important to stress that the profile parameter "gw/acl_mode = 0" is taken into consideration ONLY if the "secinfo" file under "/usr/sap/<sid>/<instance>/data" does not exist. In case of any file named "secinfo" (disregarding its actual contents), it has use priority.

Hope it helps,

Cheers!

Former Member
0 Kudos

Hi,

As per the below note

See the documentation of the parameter. The parameter with value 1 should ensure an initial security after installation. Deactivating the parameter is not recommended. For security reasons, it is instead suggested that you maintain the files

1843782 - GW: Installation changes default from gw/acl_mode to 1


Related to the early watch report.


• Gateway Security

In this section, the profile parameters gw/reg_no_conn_info, gw/acl_mode, gw/sec_info, and gw/reg_info are checked. The highest possible rating of this section is yellow. For additional information, refer to SAP Notes 1444282, 1480644, and 1425765.

863362 - Security checks in the SAP EarlyWatch Alert

Thanks

Rishi Abrol

Reagan
Advisor
0 Kudos

Hello

Please read these

1480644 - gw/acl_mode versus gw/reg_no_conn_info

SAP NetWeaver Application Server ABAP Security Guide - SAP Library

If you set the parameter gw/acl_mode to 0, then there is no restriction for starting or registering external programs.

If you set the parameter gw/acl_mode to 1, then the system will restrict you unless you maintain reg_info and sec_info files.

Refer to these notes as well

1408081 - Basic settings for reg_info and sec_info

1069911 - GW: Changes to the ACL list of the gateway (reginfo)

1850230 - GW: "Registration of tp <program ID> not allowed"

1305851 - Overview note: reg_info and sec_info

Regards

RB

Former Member
0 Kudos

Hello Reagan,

We have set the parameters as per the suggestion from the above notes.

Below is the output of secinfo:

====================================

#VERSION=2

#

# created by HP1 at 20150309

#

# local access should be allowed by default

# P TP=* USER=* USER-HOST=local HOST=local

#

# internal (server from the same SID) access should be allowed by default

# P TP=* USER=* USER-HOST=internal HOST=internal

#

# list of external programs form SM59 which must be explicitly defined

#

P TP=* USER=* USER-HOST=* HOST=*

===================================

and reginfo

#VERSION=2

#

# created by HP1 at 20150309

#

# local access should be allowed by default

# P TP=* HOST=local

#

# internal (server from the same SID) access should be allowed by default

# P TP=* HOST=internal

#

# list of registered programs form SM59 which must be explicitly defined

#

#

# the following row should be the last row in file, see SAP note  2075799!

# the following row should be the LAST in the reginfo, see note  2075799!

#

P TP=*

We have maintained the profile parameter for the path of secinfo and reginfo.

Still, registering the RFC server program does not work.

We are on 721 kernel, patch level 413.

Please help.
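Added example, not part of the thread or of any SAP tool: a small audit of gateway ACL files like the two quoted above, which flags permit rules whose every scoping field is a wildcard and any rules placed after such a rule. It assumes first-match evaluation and treats an omitted field as "*"; the sample strings are constructed from the active lines of the quoted files.

```python
# Constructed samples: the active lines of the secinfo/reginfo files quoted in
# the post above (comment lines shortened).
SECINFO = """#VERSION=2
# P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=* HOST=*
"""
REGINFO = """#VERSION=2
# P TP=* HOST=local
P TP=*
"""
# Fields that narrow a rule, per file type. Treating an omitted field as "*"
# is an assumption of this example.
SCOPE = {"secinfo": ("TP", "USER", "USER-HOST", "HOST"),
         "reginfo": ("TP", "HOST")}


def parse_rules(text):
    """Return (line_no, action, fields) for every active P/D rule."""
    rules = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments, "#VERSION=2" included
        action, *pairs = line.split()
        if action.upper() not in ("P", "D"):
            raise ValueError(f"line {no}: unknown action {action!r}")
        fields = {}
        for pair in pairs:
            key, sep, value = pair.partition("=")
            if not sep:
                raise ValueError(f"line {no}: expected KEY=VALUE, got {pair!r}")
            fields[key.upper()] = value
        rules.append((no, action.upper(), fields))
    return rules


def audit(kind, text):
    """Flag catch-all permits and the rules they shadow (first match assumed)."""
    findings, catch_all_seen = [], False
    for no, action, fields in parse_rules(text):
        if catch_all_seen:
            findings.append((no, "unreachable"))
        elif action == "P" and all(fields.get(f, "*") == "*" for f in SCOPE[kind]):
            findings.append((no, "catch-all-permit"))
            catch_all_seen = True
    return findings


if __name__ == "__main__":
    for kind, text in (("secinfo", SECINFO), ("reginfo", REGINFO)):
        print(kind, audit(kind, text))
```

For both quoted files the only active rule is the catch-all permit, because the local and internal rules are commented out.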

former_member185954
Active Contributor
0 Kudos

Hello Sowmya,

Create a new thread please.

Regards,

Siddhesh

Former Member
0 Kudos

OK, thanks 🙂

Reagan
Advisor
0 Kudos

Hello Sowmya

What is the error you get?

Former Member
0 Kudos

Hello Benjamin,

Thanks for your reply 🙂 .

It got resolved. It was because of a corrupted rfcexec.sec file.

Thanks,

Sowmya