Technical Articles
SAP Gateway ACL (secinfo, reginfo) Generator (10KBlaze fix)
In April 2019, SAP Gateway and Message Server security became the talk of the town. Malicious cyber actors can attack and compromise unsecured SAP systems (systems without proper Message Server and Gateway ACLs and the required parameters) with publicly available exploit tools, termed “10KBLAZE”. Read https://www.us-cert.gov/ncas/alerts/AA19-122A
I tried the released Python program and was able to get SIDADM authorizations within a minute without any credentials. It is quite unnerving.
To secure SAP systems against this vulnerability, we need to follow the steps mentioned in SAP Notes 821875, 1421005 and 1408081.
Message Server ACLs are normally straightforward to maintain, but it is quite overwhelming to write the Gateway ACL files, secinfo and reginfo. Denying access to legitimate programs/servers could impact operations.
I developed a Java program which helps analyze Gateway logs (gw_log*) and automatically generates secinfo and reginfo files, making the SAP system administrator’s life easier.
The Java program is available as open source at https://github.com/vinodpats/gwlogsanalyzer10KBlaze
Follow the steps below to use this Java program.
1. Turn on Gateway simulation using profile parameter gw/sim_mode = 1.
2. Update profile parameter gw/reg_no_conn_info as per Note 1444282. The higher the value, the better.
3. Change profile parameter gw/acl_mode = 1.
4. Use centralized ACL files by setting the profile parameters below:
gw/sec_info=$(DIR_GLOBAL)/secinfo
gw/reg_info=$(DIR_GLOBAL)/reginfo
You may want separate ACL files per application server (instead of centralized ACLs) for business reasons. In that case, note the standard file locations.
5. Turn on Gateway logging (refer to Note 2527689). Maintain this in the profile as well: gw/logging=ACTION=SsPZ LOGFILE=gw_log-%y-%m-%d SWITCHTF=day
Note that gateway security is still in simulation mode. The system will now start writing logs to the work directory. A daily log file could run to hundreds of lines, depending on system configuration.
After a couple of weeks, copy all log files to a directory, say c:\gwlog.
Run the Java program and provide the logs directory path (c:\gwlog). The program analyzes all the logs and generates the secinfo and reginfo files.
Now follow the last two steps:
6. Analyze the entries in these files (update if required) and then place the files at the $(DIR_GLOBAL) path.
7. Finally, turn off simulation mode by changing profile parameter gw/sim_mode = 0.
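The following is an added example (not code from the gwlogsanalyzer project) showing what step 6 is about: building secinfo/reginfo files from connections observed during simulation, with an explicit deny-all last line, and then checking candidate requests against the files before switching gw/sim_mode back to 0. Because the gw_log line format is not shown on this page, the input is a constructed list of observed connections (all hosts, users and program names are invented), and the matcher is a simplified model of the gateway's top-down, first-match rule evaluation that handles only `*` wildcards and comma-separated host lists, not keywords such as local or internal.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Conn:
    kind: str             # "start": gateway starts a program (secinfo);
                          # "register": external server registers a TP (reginfo)
    tp: str               # program name (TP)
    host: str             # host the program runs on, or registers from
    user: str = "*"       # secinfo only: user requesting the start
    user_host: str = "*"  # secinfo only: host the requesting user comes from

# Constructed sample input; hosts, users and programs are invented.
OBSERVED = [
    Conn("start", "/usr/sap/PRD/SYS/exe/run/gnetx", "sapapp01", "prdadm", "sapapp01"),
    Conn("register", "TAXSERVER", "taxhost.corp.example"),
    Conn("register", "IGS.PRD", "sapapp02"),
]

def gen_acl(conns):
    """Return (secinfo, reginfo) text: one P line per distinct connection,
    closed by an explicit deny-all line, since rules are matched top-down."""
    sec, reg = ["#VERSION=2"], ["#VERSION=2"]
    for c in conns:
        if c.kind == "start":
            line = f"P TP={c.tp} USER={c.user} HOST={c.host} USER-HOST={c.user_host}"
            target = sec
        else:  # only the registering host may use (ACCESS) or cancel its program
            line = f"P TP={c.tp} HOST={c.host} ACCESS={c.host} CANCEL={c.host}"
            target = reg
        if line not in target:  # repeated log entries yield one rule
            target.append(line)
    sec.append("D TP=* USER=* HOST=* USER-HOST=*")
    reg.append("D TP=* HOST=* ACCESS=* CANCEL=*")
    return "\n".join(sec) + "\n", "\n".join(reg) + "\n"

def _match(pattern, value):
    """A value matches if any comma-separated entry matches; '*' is a wildcard."""
    return any(fnmatchcase(value, p) for p in pattern.split(","))

def check(acl_text, **request):
    """First-match evaluation, e.g. check(sec, TP=..., USER=..., HOST=..., USER_HOST=...).
    Rule keys the request does not supply are ignored; no matching rule means deny."""
    for line in (l for l in acl_text.splitlines() if l and not l.startswith("#")):
        verdict, *pairs = line.split()
        rule = dict(p.split("=", 1) for p in pairs)
        if all(_match(v, request[k.replace("-", "_")])
               for k, v in rule.items() if k.replace("-", "_") in request):
            return verdict
    return "D"
```

Run the accepted connections from the log through check() once more against the generated files; anything that now returns "D" is a legitimate program you would cut off by leaving simulation mode.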
Kindly use these instructions with caution and keep systems safe!!
Hello Vinod, all
Just wanted to let you know that, depending on the SAP NetWeaver (SAP_BASIS component) release and Support Package (SP) level, there is already an option to generate an initial reginfo/secinfo file within SAP itself.
Go to transaction SMGW, menu Goto -> Expert functions -> External security -> Maintain ACL files. Then, under each tab (Secinfo File; Reginfo File) there is a "log analysis" button.
This will analyze the Gateway logging (step #5, above) and suggest the corresponding rules.
Best regards,
Isaías
Hello Isaías,
Yes, that's right. Unfortunately our client system is still on NW 7.01, hence this tool was missing.
I actually tested this new tool in a demo NW 7.5 system and it looks like it proposes secinfo and reginfo based on connection rejections :)
Thank you for your comment.
Regards,
Vinod Patil
Hi Isaías,
Could you please let me know what happens after clicking the highlighted button "Generate ACL Proposal (F9)"?
Regards,
Manoj Somkuwar
Hello Manoj,
SMGW will parse the selected log files and propose what could be the rules to allow the connections found on the logs.
You can (or should) review the rules to confirm that they represent what you really want to allow.
In any case, you can always edit the rules through this newer interface, in SMGW.
You can "play around with it" at non-production systems first ;-).
Regards,
Isaías
Dear SAP Masters,
Below is our requirement; it is not working in our environments, and any suggestions will be greatly appreciated.
We have multiple SAP Linux and Windows servers (ECC, CRM, BW, PI, BOBJ, CLICK, OpenText, MWM, Solman, Redwood, CUA etc.).
Our auditors want us to enable/activate gw/acl_mode = 1, maintain secinfo/reginfo files and not permit all connections; these are our requirements.
Our challenge now is: what connections to allow? How do we identify the connections to be allowed in the secinfo and reginfo files?
We tried the steps below and they did not work for us.
Questions:
1. Why do no other connection details show in the above logging analysis?
2. How do we identify the connection details and place them in the secinfo and/or reginfo files?
Your help will be much appreciated
thanks and best regards,
Kannan Kannappan