
SAP Gateway ACL (secinfo, reginfo) Generator (10KBlaze fix)

In April 2019, SAP Gateway and Message Server security became the talk of the town. Malicious cyber actors can attack and compromise unsecured SAP systems (systems without proper Message Server and Gateway ACLs and the required parameters) with publicly available exploit tools, termed “10KBLAZE”. Read

I tried this released Python program and I was able to get SIDADM authorizations within a minute without any credentials. It is quite unnerving.

To secure SAP systems against this vulnerability, follow the steps described in SAP Notes 821875, 1421005 and 1408081.

Message Server ACLs are normally straightforward to maintain, but writing the Gateway ACL files, secinfo and reginfo, is quite overwhelming: denying access to a legitimate program or server could impact operations.

I developed a Java program which helps analyze Gateway logs (gw_log*) and automatically generates secinfo and reginfo files, making the SAP system administrator's life easy.

The Java program is available as open source at


Follow the steps below to use this Java program.

  1. Turn on Gateway simulation using profile parameter gw/sim_mode = 1
  2. Update the value of profile parameter gw/reg_no_conn_info as per Note 1444282. The higher, the better.
  3. Change profile parameter gw/acl_mode = 1
  4. Use centralized ACL files by setting the profile parameters below:



You may want to have separate ACL files per application server (instead of centralized ACLs) for business reasons. In that case, note the standard file locations.

  5. Turn on Gateway logging (refer to Note 2527689) and maintain it in the profile as well. Change the parameter to gw/logging=ACTION=SsPZ LOGFILE=gw_log-%y-%m-%d SWITCHTF=day

Note that Gateway security is still in simulation mode. The system will now start writing logs to the work directory; a daily log file can run to hundreds of lines, depending on the system configuration.

After a couple of weeks, copy all log files to a directory, say c:\gwlog.

Run the Java program and provide the log directory path (c:\gwlog). The program analyzes all logs and generates the secinfo and reginfo files.

Now follow the last two steps:

  6. Analyze the entries in these files (update if required) and then place the files at the $(DIR_GLOBAL) path.

  7. Finally, turn off simulation mode by changing profile parameter gw/sim_mode = 0.
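To make the log-to-ACL step concrete, here is a small Python generator (added example, not the author's Java program and not SAP code). It assumes a simplified log layout: each line carries the KEY=VALUE fields that the rules need (TP, USER, HOST, USER-HOST for secinfo checks; TP, HOST for registrations), tagged SECINFO or REGINFO. The sample lines, host names and program names are constructed; the output uses the VERSION=2 secinfo/reginfo syntax from SAP's documentation, and "internal" is SAP's keyword for the system's own application servers. Occurrence counts are kept so the reviewer in step 6 can see how much traffic each proposed rule covers before deciding to keep, widen or drop it.

```python
"""Added example: turn Gateway log lines into secinfo/reginfo proposals."""
import re
from collections import Counter

# Constructed sample log. Only the KEY=VALUE fields matter; the surrounding
# layout is an assumption, not the real gw_log format.
SAMPLE_LOG = """\
Mon Apr 29 09:10:11 2019 SECINFO TP=sapxpg USER=DDIC HOST=appsrv01.corp.example USER-HOST=appsrv01.corp.example
Mon Apr 29 09:10:12 2019 SECINFO TP=sapxpg USER=DDIC HOST=appsrv01.corp.example USER-HOST=appsrv01.corp.example
Mon Apr 29 09:12:40 2019 REGINFO TP=IGS.ABC HOST=igs01.corp.example
Mon Apr 29 09:15:02 2019 SECINFO TP=/usr/sap/ABC/SYS/exe/run/tp USER=tmsadm HOST=appsrv02.corp.example USER-HOST=appsrv01.corp.example
Mon Apr 29 09:20:00 2019 REGINFO TP=IGS.ABC HOST=igs01.corp.example
Mon Apr 29 09:21:00 2019 REGINFO TP=SAPSLDAPI HOST=sld01.corp.example
Mon Apr 29 09:30:00 2019 GATEWAY unrelated line with HOST=nothing.example
"""

# KEY=VALUE tokens; the lookbehind keeps "HOST=" from matching inside "USER-HOST=".
FIELD_RE = re.compile(r"(?<![\w-])(TP|USER-HOST|USER|HOST)=(\S+)")


def parse_gw_log(text):
    """Return (secinfo, reginfo) Counters keyed by the tuple an ACL rule needs.

    Duplicate connections collapse into one rule; the count tells the reviewer
    how often the rule would have been used.
    """
    secinfo, reginfo = Counter(), Counter()
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if " SECINFO " in line and {"TP", "USER", "HOST", "USER-HOST"} <= fields.keys():
            secinfo[(fields["TP"], fields["USER"], fields["HOST"], fields["USER-HOST"])] += 1
        elif " REGINFO " in line and {"TP", "HOST"} <= fields.keys():
            reginfo[(fields["TP"], fields["HOST"])] += 1
    return secinfo, reginfo


def render_secinfo(secinfo):
    """secinfo in VERSION=2 syntax: one permit per observed tuple, explicit deny last."""
    lines = ["#VERSION=2"]
    for tp, user, host, user_host in sorted(secinfo):
        lines.append(f"P TP={tp} USER={user} HOST={host} USER-HOST={user_host}")
    lines.append("D TP=* USER=* HOST=* USER-HOST=*")
    return "\n".join(lines) + "\n"


def render_reginfo(reginfo):
    """reginfo in VERSION=2 syntax.

    ACCESS lists who may use the registered program and CANCEL who may
    deregister it; start with the system's own servers plus the registering
    host and widen only after review.
    """
    lines = ["#VERSION=2"]
    for tp, host in sorted(reginfo):
        lines.append(f"P TP={tp} HOST={host} ACCESS=internal,{host} CANCEL=internal,{host}")
    lines.append("D TP=*")
    return "\n".join(lines) + "\n"


def build_acl_proposal(text):
    """Parse log text and return both files plus per-rule hit counts for review."""
    secinfo, reginfo = parse_gw_log(text)
    return {
        "secinfo": render_secinfo(secinfo),
        "reginfo": render_reginfo(reginfo),
        "secinfo_hits": dict(secinfo),
        "reginfo_hits": dict(reginfo),
    }


if __name__ == "__main__":
    import glob
    import os
    import sys

    # Usage: python gwacl.py [logdir]  (reads every gw_log* file in logdir;
    # without an argument the constructed sample above is used)
    if len(sys.argv) > 1:
        paths = glob.glob(os.path.join(sys.argv[1], "gw_log*"))
        text = "".join(open(p, errors="replace").read() for p in paths)
    else:
        text = SAMPLE_LOG
    proposal = build_acl_proposal(text)
    print(proposal["secinfo"])
    print(proposal["reginfo"])
    for rule, hits in sorted(proposal["secinfo_hits"].items()):
        print(f"# {hits:5d} secinfo {rule}")
```

Run it against the copied log directory from step 5 and review the proposal line by line: the last line of each file is an explicit deny, so anything the log period did not exercise (quarterly jobs, rarely used interfaces) will be blocked once gw/sim_mode goes back to 0.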

Kindly use these instructions with caution and keep systems safe !!

      Isaias Freitas

      Hello Vinod, all

      Just wanted to let you know that, depending on the SAP NetWeaver (SAP_BASIS component) release and Support Package (SP) level, there is already an option to generate an initial reginfo/secinfo file within SAP itself.

      Go to the transaction SMGW, menu Goto -> Expert functions -> External security -> Maintain ACL files. Then, under each tab (Secinfo File; Reginfo File) there is a "log analysis" button.

      This will analyze the Gateway logging (step #5, above) and suggest the corresponding rules.

      Best regards,


      Vinod Patil
      Blog Post Author

      Hello Isaías,

      Yes, that's right. Unfortunately our client's system is still on NW 7.01, hence this tool was missing.

      I actually tested this new tool in a demo NW 7.5 system and it looks like it proposes secinfo and reginfo based on connection rejections :)

      Thank you for your comment.



      Vinod Patil

      Isaias Freitas


      Manoj Somkuwar

      Hi Isaías,

      Could you please let me know what happens after clicking the highlighted button "Generate ACL Proposal (F9)"?



      Manoj Somkuwar

      Isaias Freitas

      Hello Manoj,

      SMGW will parse the selected log files and propose what could be the rules to allow the connections found on the logs.

      You can (or should) review the rules to confirm that they represent what you really want to allow.

      In any case, you can always edit the rules through this newer interface, in SMGW.

      You can "play around with it" at non-production systems first ;-).



      Kannan Kannappan

      Dear SAP Masters,

      Below is our requirement, which is not working for our environments; any suggestions will be greatly appreciated.

      We have multiple SAP Linux and Windows servers (ECC, CRM, BW, PI, BOBJ, CLICK, OpenText, MWM, Solman, Redwood, CUA etc.).

      Our auditors want us to enable/activate gw/acl_mode = 1, maintain secinfo/reginfo files and not permit all connections; these are our requirements.

      Our challenge now is what connections to allow? How to identify the connections to be allowed in secinfo and reginfo files?

      We tried the steps below and they did not work for us:

      1. Maintained the following parameters on all servers: gw/acl_mode=1, gw/sim_mode=1, gw/logging=ACTION=TCOERSZMPXV LOGFILE=gw_log_HostName-%y-%m-%d-%h-%t SWITCHTF=hour MAXSIZEKB=10000
      2. Restarted all applications and servers
      3. Asked application team owners to execute a few transactions that initiate connections between different servers
      4. Executed a few transports
      5. Executed a few batch jobs that initiate connections from Redwood to SAP systems
      6. Executed the logging analysis using SMGW --> Goto --> Expert Functions --> External Security --> Maintain ACL files --> Logging Analysis --> select system-wide search --> Execute --> select all files --> generate report
      7. Our report shows only tmsadm and a couple of entries from Solution Manager; no other connection details show.


      1. Why do no other connection details show in the above logging analysis?

      2. How do we identify the connection details and place them in the secinfo and/or reginfo files?


      Your help will be much appreciated

      Thanks and best regards,

      Kannan Kannappan