
RFC Gateway security, part 2 – reginfo ACL

From my experience, RFC Gateway security is still a poorly understood topic for many SAP administrators. As a result, many SAP systems lack, for example, properly defined ACLs to prevent malicious use.

Since an attack vector was published in the talk “SAP Gateway to Heaven” by Mathieu Geli and Dmitry Chastuhin at OPCDE 2019 Dubai (https://github.com/gelim/sap_ms), RFC Gateway security is more important than ever. This publication got considerable public attention under the name 10KBLAZE.

With this blog post series I try to give a comprehensive explanation of RFC Gateway security:

Part 1: General questions about the RFC Gateway and RFC Gateway security.

Part 2: reginfo ACL in detail.

Part 3: secinfo ACL in detail.

Part 4: prxyinfo ACL in detail.

Part 5: ACLs and the RFC Gateway security.

Part 6: RFC Gateway Logging.

 


reginfo ACL

 

Please make sure you have read at least part 1 of this series to be familiar with the basics of the RFC Gateway and the terms I use to describe things.

What exactly is defined in the rules in the reginfo ACL?

The reginfo ACL contains rules related to ‘Registered external RFC Servers’.

Every line corresponds to one rule. Rules are evaluated from top to bottom and the first matching rule wins, so the order of the lines matters. A rule defines

    • whether it is a permit or a deny. This is specified by the letter P or D at the beginning of the rule.
    • which program alias may be registered as a ‘Registered external RFC Server’ (TP=) and from which servers (HOST=).

      Please note: In most cases the registered program name differs from the actual name of the executable program on OS level. The program alias, also known as ‘TP Name’, is what is used to register a program at the RFC Gateway.

    • which RFC clients are allowed to talk to the ‘Registered Server Program’. This is specified in ACCESS=.
    • which servers are allowed to cancel or de-register the ‘Registered Server Program’. This is specified in CANCEL=.
    • how many ‘Registered Server Programs’ with the same name can be registered. This is specified in NO=.

What are the common use-cases?

Registering external programs by and accessing them from the local application server

On SAP NetWeaver AS ABAP there are typically use-cases where registering and accessing ‘Registered Server Programs’ by the local application server is necessary. For example, the SAP IGS (as part of SAP NW AS ABAP) may be started on the application server host during the start procedure of the SAP system. It registers itself with the program alias ‘IGS.<SID>’ at the RFC Gateway of the same application server, and its functions are then used by the application server.

We can identify these use-cases by going to transaction SMGW -> Goto -> ‘Logged on Clients’ and looking for lines with ‘System Type = Registered Server’ and ‘Gateway Host = 127.0.0.1’ (in some cases this may be any other IP address belonging to, or the hostname of, the same server). The related program alias can be found in column ‘TP Name’.

Whether its functionality is accessed from the AS ABAP we can verify by looking in transaction SM59 for a TCP/IP connection with Technical Settings – Activation Type ‘Registered Server Program’, the corresponding ‘Program ID’, and either no ‘Gateway Options’ set or one of the RFC Gateways belonging to the same system.

 

To cover these cases SAP introduced an internal rule in the reginfo ACL which is sufficient in most cases:

P TP=* HOST=internal,local ACCESS=internal,local CANCEL=internal,local

This rule is applied when gw/acl_mode = 1 is set but no custom reginfo file was defined.

It is common to define this rule also in a custom reginfo as the last rule. With security in mind we should consider narrowing it to the program aliases that are actually needed in TP=.

Please note: In some cases the program alias is generated with a random string. In this case we can check whether it is generated with a fixed prefix and use that as a pattern, e.g., TP=Trex_<SID>_*, which is still better than TP=*.

 

Registering external programs by remote servers and accessing them from the local application server

On SAP NetWeaver AS ABAP, registering ‘Registered Server Programs’ from remote servers may be used to integrate 3rd-party technologies. For example, the SAP TREX server registers the program alias ‘Trex_<SID>_<timestamp>’ at the RFC Gateway of an application server.

We can identify these use-cases by going to transaction SMGW -> Goto -> ‘Logged on Clients’ and looking for programs listed with ‘System Type = Registered Server’ and ‘Gateway Host’ set to an IP address or hostname not belonging to the same server. The related program alias can be found in column ‘TP Name’.

Whether its functionality is accessed from the AS ABAP we can verify by looking in transaction SM59 for a TCP/IP connection with Technical Settings – Activation Type ‘Registered Server Program’, the corresponding ‘Program ID’, and either no ‘Gateway Options’ set or one of the RFC Gateways belonging to the same system.

Please note: If the SAP NW AS ABAP has more than one application server, and therefore also more than one RFC Gateway, there may be scenarios in which the ‘Registered Server Program’ is registered at one specific RFC Gateway only. In this case the ‘Gateway Options’ must point to exactly this RFC Gateway host. If the ‘Gateway Options’ are not specified, the AS will try to connect to the RFC Gateway running on the same host.

When the remote server of a ‘Registered Server Program’ is going to be shut down for maintenance it may de-register its program from the RFC Gateway to avoid errors. But in some cases the RFC Gateway itself may also need to de-register a ‘Registered Server Program’, for example if the reginfo ACL was adjusted for that ‘Registered Server Program’ or if the remote server crashed. This is why CANCEL= lists the local and internal hosts in addition to the remote server.

For this scenario we would specify the following custom rule in the reginfo ACL, e.g.,

P TP=<TP-Name> HOST=<remote-server> ACCESS=internal,local CANCEL=internal,local,<remote-server>

 

 

Registering external programs by remote servers and accessing them from various RFC clients

‘Registered Server Programs’ registered by remote servers may also be consumed by RFC clients other than the local application server, again to integrate 3rd-party technologies. An example could be the integration of a tax software.

On AS ABAP we can identify these use-cases just as before by going to transaction SMGW -> Goto -> ‘Logged on Clients’ and looking for programs listed with ‘System Type = Registered Server’ and ‘Gateway Host’ set to an IP address or hostname not belonging to the same server. The related program alias can be found in column ‘TP Name’.

For an RFC Gateway of AS Java or a stand-alone RFC Gateway this can be determined with the command-line tool gwmon by running the command gwmon nr=<InstNo> pf=<profile>, then opening the menu by typing m and displaying the client table by typing 3.

We look for programs listed with ‘Type = REGISTER_TP’ and ‘ADDR’ set to an IP address or hostname not belonging to the same server. The related program alias can be found in column ‘TP’.

When ‘Registered Server Programs’ are consumed by other RFC clients, the relevant information about the RFC clients in question can be found in the gateway log.

Again, when the remote server of a ‘Registered Server Program’ is going to be shut down for maintenance it may de-register its program from the RFC Gateway to avoid errors. But in some cases the RFC Gateway itself may also need to de-register a ‘Registered Server Program’, for example if the reginfo ACL was adjusted for that ‘Registered Server Program’ or if the remote server crashed.

For this scenario we would specify the following custom rule in the reginfo ACL, e.g.,

P TP=<TP-Name> HOST=<remote-server> ACCESS=internal,local,<rfc-client-host-1>,<rfc-client-host-2> CANCEL=internal,local,<remote-server>
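To make the rule fields listed at the beginning of this part and the three rule sets above (the internal default, the remote-server rule, and the rule with additional RFC clients) checkable before a reginfo is deployed, here is an added example written for this article. It is not SAP's gateway code, only a small Python model of the first-match evaluation: parse reginfo lines, resolve the keywords local and internal, and ask whether a given host may register, access, or cancel a program alias. All host names (sapapp01..03, trex01, tax01, rfcclient01, 10.0.0.99) and aliases (IGS.PRD, Trex_PRD_*, TAXSRV) are constructed. It assumes that no matching rule means deny and that a missing ACCESS= or CANCEL= list means *; verify both against the documentation for your kernel release.

```python
"""reginfo evaluation model: added example, not SAP gateway code."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed environment (assumption): the gateway's own host ("local") and
# all application servers of the same SAP system ("internal").
LOCAL_HOSTS = {"127.0.0.1", "sapapp01"}
INTERNAL_HOSTS = {"sapapp01", "sapapp02", "sapapp03"}


@dataclass
class Rule:
    permit: bool   # P = permit, D = deny
    tp: str        # program alias pattern (TP=), '*' wildcard
    host: list     # servers allowed to register it (HOST=)
    access: list   # RFC clients allowed to talk to it (ACCESS=)
    cancel: list   # servers allowed to de-register it (CANCEL=)
    no: int        # max registrations with this TP name (NO=), 0 = unlimited


def parse_reginfo(text: str) -> list:
    """Parse 'P|D TP=.. HOST=.. ACCESS=.. CANCEL=.. NO=..' lines; '#' lines
    (e.g. #VERSION=2) are skipped.  Assumption: a missing ACCESS= or CANCEL=
    is treated as '*'; verify the defaults documented for your kernel."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"rule must start with P or D: {line!r}")
        kv = {k.upper(): v for k, _, v in (f.partition("=") for f in fields)}
        rules.append(Rule(permit=action == "P",
                          tp=kv.get("TP", "*"),
                          host=kv.get("HOST", "*").split(","),
                          access=kv.get("ACCESS", "*").split(","),
                          cancel=kv.get("CANCEL", "*").split(","),
                          no=int(kv.get("NO", "0"))))
    return rules


def host_matches(patterns: list, host: str) -> bool:
    """Keywords local/internal, otherwise a glob.  Plain string matching only
    (assumption: the real gateway also resolves names and addresses)."""
    for p in patterns:
        if p == "local":
            ok = host in LOCAL_HOSTS
        elif p == "internal":
            ok = host in INTERNAL_HOSTS
        else:
            ok = fnmatchcase(host, p)
        if ok:
            return True
    return False


def decide(rules: list, tp: str, reg_host: str, action: str,
           actor_host: str = "", existing: int = 0) -> bool:
    """First rule matching TP and the registering host wins.
    register: may reg_host register tp when 'existing' programs of that name
    are already registered?  access / cancel: may actor_host talk to, or
    de-register, the tp that reg_host registered?
    Assumption: no matching rule means deny."""
    for r in rules:
        if not (fnmatchcase(tp, r.tp) and host_matches(r.host, reg_host)):
            continue
        if not r.permit:
            return False
        if action == "register":
            return r.no == 0 or existing < r.no
        if action == "access":
            return host_matches(r.access, actor_host)
        if action == "cancel":
            return host_matches(r.cancel, actor_host)
        raise ValueError(f"unknown action {action!r}")
    return False


def broad_permits(rules: list) -> list:
    """Indexes of permit rules using '*' for TP, HOST or ACCESS: narrow these first."""
    return [i for i, r in enumerate(rules)
            if r.permit and (r.tp == "*" or "*" in r.host or "*" in r.access)]


# The internal rule the gateway applies with gw/acl_mode = 1 and no reginfo file.
DEFAULT_ACL = "P TP=* HOST=internal,local ACCESS=internal,local CANCEL=internal,local"

# A dangerous line sometimes found in the field: anyone may register anything.
WEAK_ACL = "P TP=* HOST=* ACCESS=* CANCEL=*"

# A narrowed reginfo following the three scenarios above (constructed names).
HARDENED_ACL = """#VERSION=2
P TP=IGS.PRD HOST=local ACCESS=local CANCEL=local
P TP=Trex_PRD_* HOST=trex01 ACCESS=internal,local CANCEL=internal,local,trex01
P TP=TAXSRV HOST=tax01 ACCESS=internal,local,rfcclient01 CANCEL=internal,local,tax01 NO=1
D TP=* HOST=*
"""
```

Feed `decide` the hosts and TP names that actually appear in the SMGW or gwmon client table of your system to see which registrations, RFC clients and cancel requests a draft reginfo would still allow, e.g. `decide(parse_reginfo(HARDENED_ACL), "TAXSRV", "tax01", "access", "rfcclient01")`. `broad_permits` flags the internal default (because of TP=*) and the weak line, but nothing in the narrowed set; the explicit final D line makes the result independent of whatever the gateway does when no rule matches.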

 

