Secure SAP message server Introduction:
The purpose of this blog post is to share the info on how to secure SAP Message Server. It also includes troubleshooting tips which may be useful for a successful implementation. At the end it includes the links and SAP Notes for each section and parameter.
To prevent from remote and complex attacks. It is very important to secure SAP Message Server.
We can secure SAP Message Server by setting the parameter ms/acl_info and creating ms_acl_info file by allowing only restricted hosts. This file can include internal application servers, DB server, cluster nodes and any other 3rd party system which you want to connect directly to MS server.
A typical audience of this blog post will be basis administrators. I am writing this blog post to help and share my experience to secure the Message Server and to place all things at one place instead of searching the forums which may help many admins and save their valuable time.
1) Identify all the FQDN those are allowed to connect Message Server, typically internal application servers, DB server, cluster nodes and any other 3rd party system which you want to allow.
2) Identify IP address of these allowed servers
1) Build MS ACL file using FQDN and acl_file_int using IP address
2) Allow all the internal application servers, DB, Cluster nodes, ASCS/ERS and 3rd Party Host those you need to allow to connect Message Server
3) Reload the configuration using SMMS
4) Restart application servers and flip the cluster resources. No DB restart
– ABAP Systems:
Configure profile parameters and ACL files.
1. Configure the MS ACL:
ms/acl_info: Restrict Message Server ACL file
– Search parameter “ms/acl_info” and find out the file location using RZ11
– Execute transaction SMMS. Go to menu item -> Go To -> Security Settings -> Access Control -> Reload
Example – ms_acl_info
HOST=Host-name #Primary Cluster
HOST=Host-name #Secondary Cluster
HOST=Host-name #Application Server 1
HOST=Host-name #Application Server 2
HOST=Host-name #DB 1
HOST=Host-name #DB 2
HOST=Host-name #Any 3rd Party System
Note: Do not add any space in this file as that is syntax error and you will face issue while starting SAP and Dispatcher. Further if you check dev_ms and dev_disp log files you can see error MSEACCESSDENIED – for more information check SAP Note – 2275275
2. ms/acl_file_int: Restrict server internal port.
– This ACL file must include every server IP address as per below format:
permit <Host IP address>
It must include IP address 127.0.0.1
Example – ms_acl_int file
permit IP-Address of ASCS
permit IP-Address of ERS
permit IP-Address of Primary Cluster
permit IP-Address of Secondary Cluster
permit IP-Address of Application Server 1
permit IP-Address of Application Server 2
permit IP-Address of DB 1
permit IP-Address of DB 2
3. ms/admin_port: The “admin port” should not be used, because there is no access restriction applied to this port. If it is necessary to use this port then limit the access via network level.
– Modify the value of the ms/admin_port if needed
– rdisp/msserv_internal: Enable Message Server internal port
Set parameter rdisp/msserv_internal = 39XX where XX is instance number.
– JAVA Systems:
set parameter ms/acl_info = /usr/sap/<SID>/SYS/global/ms_acl_info in DEFAULT.PFL and follow the same steps as ABAP.
Conclusion: It is very import to secure the SAP Message Server to prevent the attacks. Message Server vulnerable may result entire SAP Landscape compromise. By following above recommendations we allow only limited Hosts to connect Message Server. This gives us better control and prevent from attacks.
1. After ACL configuration make sure to reload the files using SMMS, Click on menu item “Go To -> Security Settings -> Access Control -> Reload”.
2. ACL file has limitation of 1024 bytes each row and 256 rows in file
3. Take complete system restart (Flip the cluster and restart application server. No DB restart)