`
shz2008bj
  • 浏览: 489601 次
  • 性别: Icon_minigender_1
  • 来自: 北京
社区版块
存档分类
最新评论

Gateway Access Control Lists

 
阅读更多

Source:http://wiki.scn.sap.com/wiki/display/SI/Gateway+Access+Control+Lists

 

Purpose

Help with the understanding of the Gateway ACLs (Access Control Lists) and the Simulation Mode, in order to help prepare production systems to have these security features enabled without disruptions.

Overview

This page contains information about the Gateway ACLs (reginfo and secinfo files), the Simulation Mode, as well as the workflow showing how the Gateway works with regards to the ACLs versus the Simulation Mode.

Observation: in emergency situations, follow these steps in order to disable the gateway security.

Gateway ACLs (reginfo and secinfo)

This section contains information about the Gateway ACLs, and examples of landscapes and rules.

The reginfo file have ALCs (rules) related to the registration of external programs (systems) to the local SAP instance. For example: an SAP SLD system registering the SLD_UC and SLD_NUC programs at an ABAP system.

The secinfo file has rules related to the start of programs by the local SAP instance. In other words, the SAP instance would run an operating system level command. For example: the RFC destination (transaction SM59) “CALL_TP_<operating system>” starts the “tp” program, which is used by the SAP Transport System (transaction STMS).

Before jumping to the ACLs themselves, here are a few general tips:
 

  • The very first line of the reginfo/secinfo file must be "#VERSION=2";
  • Each line must be a complete rule (you cannot break the rule into two or more lines);
  • The gateway will apply the rules in the same order as they appear in the file, and only the first matching rule will be used (similar to the behavior of a network firewall). All subsequent rules are not even checked. This means that the order of the rules is very important, especially when general definitions are being used (“TP=*”);
  • Each instance should have its own security files, with their own rules, as the rules are applied by the Gateway process of the local instance. However, if in your scenario the same rules apply to all instances of the system, you can use a central file (see the SAP note 1425765);
  • The first letter of the rule can be either P (for Permit) or D (for Deny). You don’t need to define a “deny all” rule at the end, as this is already implicit (if there is no matching Permit rule, and the Gateway already checked all the rules, the result will be Deny – except when the Simulation Mode is active, see below).

    The syntax of the rules is documented at the SAP note 1408081. There are other SAP notes that help to understand the syntax (refer to the “Related notes” section below).
     

A general reginfo rule definition would be (note that the rule was split into multiple lines for explanation purposes, so it is more easily understood):
 

P TP=<program name>
  HOST=<comma separated list of hosts that can register the program>
  ACCESS=<comma separated list of hosts that can communicate with the program>
  CANCEL=<comma separated list of hosts that can cancel this registration>

 

Usually, ACCESS is a list with at least all SAP servers from this SAP system. This can be replaced by the keyword "internal" (see examples below). It might be needed to add additional servers from other systems (for an SLD program – SLD_UC, SLD_NUC, for example).


CANCEL is usually a list with all SAP servers from this system (or the keyword "internal"), and also the same servers as in HOSTS (as you must allow the program to de-register itself).


A general secinfo rule definition would be (note that the rule was split into multiple lines for explanation purposes, so it is more easily understood):

 

P USER=<username that is allowed to start the program>
/* read the explanation for USER at the SAP note 614971 for more details */
  USER-HOST=<comma separated list of hosts from where the users can start the program>
  HOST=<comma separated list of hosts where the program can be started>
  TP=<program name>


Reginfo – Landscape and Example

You have a Solution Manager system (dual-stack) that you will use as the SLD system. The Solution Manager (“SolMan”) system has only one instance, running at the host “sapsmci”.

You have configured the SLD at the Java-stack of the SolMan system, using the Gateway of the SolMan’s ABAP-stack.

There is an SAP PI system that needs to communicate with the SLD. The PI system has one Central Instance (CI) running at the server “sappici”, and one application instance (running at the server “sappiapp1”). The RFC destination “SLD_UC” looks like the following, at the PI system:

 

 

No reginfo file from the PI system is relevant. Since the SLD programs are being registered at the SolMan’s CI, only the reginfo file from the SolMan’s CI is relevant, and it would look like the following:
 

#VERSION=2
P TP=SLD_UC HOST=local ACCESS=internal,sappici,sappiapp1 CANCEL=local
(…OTHER REGINFO RULES…)
# This must always be the last rule on the file – see SAP note 1408081
P TP=* HOST=internal CANCEL=internal ACCESS=internal

 

The keyword “local” means “the local server”. The keyword “internal” means “all servers that are part of this SAP system” (in this case, the SolMan system).

Another example: you have a non-SAP tax system that will register a program at the CI of an SAP ECC system. The name of the registered program will be “TAXSYS”. The tax system is running on the server “taxserver”. The reginfo rule from the ECC’s CI would be:

P TP=TAXSYS HOST=taxserver ACCESS=internal CANCEL=local,taxserver

 

The rule above allows any instance from the ECC system to communicate with the tax system. If other SAP systems also need to communicate with it, using the ECC system, the rule need to be adjusted, adding the hostnames from the other systems to the ACCESS option. For example:

 

P TP=TAXSYS HOST=taxserver ACCESS=internal,host1,host2 CANCEL=local,taxserver

 

The SAP KBAs 1850230 and 2075799 might be helpful. They also have a video (the same video on both KBAs) illustrating how the reginfo rules work.

Secinfo – Landscape and Example

You have a non-SAP tax system that needs to be integrated with SAP. Such third party system is to be started on demand by the SAP system.

Only the (SAP level) user IDs “BOB” and “JOHN” can start this program, and they will be logged on to one of the instances from this SAP system.

You have an RFC destination named “TAX_SYSTEM”. It is configured to start the tax calculation program at the CI of the SAP system, as the tax system is installed only there. The RFC destination would look like:

 

 

The secinfo files from the application instances are not relevant. Only the secinfo from the CI is applicable, as it is the Gateway from the CI that will be used to start the program (check the “Gateway Options” at the screenshot above).
 

Note: depending on the system’s settings, it will not be the Gateway itself that will start the program. However, the Gateway would still be involved, and it would still be the process to enforce the security rules.
 

The secinfo file from the CI would look like the below:

#VERSION=2
P USER=BOB USER-HOST=internal HOST=local TP=/usr/taxsys/taxcalc
P USER=JOHN USER-HOST=internal HOST=local TP=/usr/taxsys/taxcalc
(…OTHER SECINFO RULES…)
# These must always be the last rules on the file – see SAP note 1408081
P USER=* USER-HOST=local  HOST=local  TP=*
P USER=* USER-HOST=internal HOST=internal TP=*



In case you don’t want to use the keywords “local” and “internal”, you’ll have to manually specify the hostnames. For example: the system has the CI (hostname “sapci”) and two application instances (hostnames “appsrv1” and “appsrv2”). The rules would be:

 

P USER=BOB USER-HOST=sapci,appsrv1,appsrv2 HOST=sapci TP=/usr/taxsys/taxcalc
P USER=JOHN USER-HOST=sapci,appsrv1,appsrv2 HOST=sapci TP=/usr/taxsys/taxcalc


Another example: let’s say that the tax system is installed / available on all servers from this SAP system, the RFC destination is set to “Start on application server”, and the “Gateway options” are blank. This way, each instance will use the locally available tax system.

In this case, the secinfo from all instances is relevant as the system will use the local Gateway of the instance the user is logged on to start the tax program. The secinfo file would look like:
 

#VERSION=2
P USER=BOB USER-HOST=local HOST=local TP=/usr/taxsys/taxcalc
P USER=JOHN USER-HOST=local HOST=local TP=/usr/taxsys/taxcalc
(…OTHER SECINFO RULES…)
# These must always be the last rules on the file – see SAP note 1408081
P USER=* USER-HOST=local  HOST=local  TP=*
P USER=* USER-HOST=internal HOST=internal TP=*

 

The usage of the keyword “local” helps to copy the rule to all secinfo files, as it means “the local server”. In case you don’t want to use the keyword, each instance would need a specific rule. Here are some examples:
 

  • At the application server #1, with hostname “appsrv1”:

    P USER=BOB USER-HOST=appsrv1 HOST= appsrv1 TP=/usr/taxsys/taxcalc
    P USER=JOHN USER-HOST=appsrv1 HOST= appsrv1 TP=/usr/taxsys/taxcalc
  • At the application server #2, with hostname “appsrv2”:

    P USER=BOB USER-HOST=appsrv2 HOST= appsrv2 TP=/usr/taxsys/taxcalc
    P USER=JOHN USER-HOST=appsrv2 HOST= appsrv2 TP=/usr/taxsys/taxcalc

The SAP KBA 2145145 has a video illustrating how the secinfo rules work.

Simulation Mode

To avoid disruptions when applying the ACLs on production systems, the Gateway has a Simulation Mode. The SAP note 1689663 has the information about this topic.

In summary, if the Simulation Mode is deactivated (parameter “gw/sim_mode = 0”; default value), the last implicit rule from the gateway will be “Deny all” as mentioned above, at the “Gateway ACLs (reginfo and secinfo)” section.

If the Simulation Mode is active (parameter “gw/sim_mode = 1”), the last implicit rule will be changed to “Allow all”. In addition, the Gateway logging (see the SAP note 910919) can be used to log that an external program was registered, but no “Permit” rule existed.

It is important to mention that the Simulation Mode applies to the registration action only. After the external program was registered, the ACCESS and CANCEL options will be followed as defined in the rule, if a rule existed.

In addition, the existing rules on the reginfo/secinfo file will be applied, even on Simulation Mode. Thus, if an explicit Deny rule exists and it matches the request being analyzed by the Gateway, the Gateway will deny the request.

Gateway behavior versus Gateway parameters

There are two parameters that control the behavior of the gateway with regards to the security rules. They are:

  • gw/acl_mode: this parameter controls the value of the default internal rules that the Gateway will use, in case the reginfo/secinfo file is not maintained. In case the files are maintained, the value of this parameter is irrelevant;
  • gw/sim_mode: activates/deactivates the simulation mode (see the previous section of this WIKI page).

The diagram below shows the workflow of how the Gateway works with the security rules and the involved parameters, like the Simulation Mode.

 

 

Changes to the reginfo rules

Changes to the reginfo rules are not immediately effective, even after having reloaded the file (transaction SMGW, menu Goto -> Expert functions -> External security -> Reread / Read again).

After reloading the file, it is necessary to de-register all registrations of the affected program, and re-register it again. This is required because the Gateway copies the related rule to the memory area of the specific registration. If you have a program registered twice, and you restart only one of the registrations, one of the registrations will continue to run with the old rule (the one that was not restarted after the changes), and another will be running with the current rule (the recently restarted registration). This would cause "odd behaviors" with regards to the particular RFC destination.

For example: you have changed to the rule related to the SLD_UC program, allowing a new server to communicate with it (you added the new server to the ACCESS option). You have already reloaded the reginfo file. However, you still receive the "Access to registered program denied" / "return code 748" error. The solution is to stop the SLD program, and start it again (in other words, de-register the program, and re-register it). 

分享到:
评论

相关推荐

    cisco_ios_access_lists.pdf

    of using access lists and routes with BGP, the Border Gateway Protocol. Chapter 7, concludes the book with some case studies of how different types and applications of access lists are used together...

    CISCO路由器命令集.pdf

    ACL(Access Control Lists,访问控制列表)是用来定义数据包过滤规则的指令序列,它允许或拒绝数据包根据特定规则通过路由器。ACL通常分为标准和扩展两种类型,标准ACL根据源IP地址过滤流量,而扩展ACL根据源和目的...

    CCIE实验指南V5

    网络安全也是重要一环,包括ACL(Access Control Lists)、NAT(Network Address Translation)、IPS(Intrusion Prevention Systems)等技术的应用。 对于CCIE实验室考试,本书提供了详尽的模拟实验,涵盖了实验室...

    CCNP实验手册 旧版实验

    实验可能涉及IP路由协议如OSPF(Open Shortest Path First)和EIGRP(Enhanced Interior Gateway Routing Protocol)的学习与配置,静态路由的设置,NAT(Network Address Translation)技术以解决IP地址短缺问题,...

    routing tcp/ip volume 1

    《Routing TCP/IP Volume 1》也提供了大量关于Cisco路由器的配置实例,包括静态路由、动态路由的设置,以及如何进行路由策略的控制,如访问控制列表(Access Control Lists, ACLs)的使用。 最后,书中的内容还可能...

    ccnp全套标准试验

    CCNP的安全内容将涉及AAA(Authentication, Authorization, and Accounting)、ACLs(Access Control Lists)、IPS(Intrusion Prevention Systems)和各种加密技术,如WPA2、TLS等,以确保网络和数据的安全。...

    工大瑞普CCNP实验手册WORD版

    4. **网络安全**:实验手册会涵盖基本的网络安全概念,如ACL(Access Control Lists)用于过滤网络流量,IPS(Intrusion Prevention System)和IDS(Intrusion Detection System)的配置和应用,以及如何实施基本的...

    思科路由器常用配置命令大全(A-X).rar_思科_路由器_路由器 修改

    3. **访问控制列表**(Access Control Lists, ACLs):如`access-list`用于设置流量过滤规则,保护网络资源。 4. **安全配置**(Security):包括`enable password`和`line vty`密码设置,以及SSH(Secure Shell)...

    BGP过滤器指南_SCSS_代码_相关文件_下载

    3. **访问控制列表(Access Control Lists, ACLs)**:类似于防火墙规则,用于控制路由信息的流入和流出。通过SCSS,可以创建可读性强且易于管理的ACL。 4. **团体属性列表(Community Lists)**:用于过滤具有特定...

    Cisco官方新版CCNP教程

    3. **路由策略和路由选择**:理解如何使用访问控制列表(Access Control Lists,ACLs)、路由映射(Route Maps)、策略路由(Policy-Based Routing)来实现路由的精细化控制。 4. **IPv6**:学习IPv6的基础概念、...

    cisco路由器模拟软件

    在Cisco路由器模拟软件中,你还可以接触到访问控制列表(Access Control Lists, ACLs),这是网络管理员用来过滤流量的重要工具。通过ACL,你可以控制哪些数据包可以进出网络,从而实现安全策略。此外,你还可以学习...

    路由 交换机 学习ccna

    CCNA涵盖了基本的网络安全概念,如ACL(Access Control Lists)用于过滤网络流量,以及密码策略和设备安全配置,确保网络资源不被未授权访问。 五、故障排查 掌握网络故障排查技巧是CCNA学习的重要部分。通过了解和...

    AWSNetworkingFundamentals.pdf

    7. **Network Access Control Lists (ACLs)**:网络访问控制列表提供更为精细的网络级访问控制,可以设置在子网级别,控制流入和流出子网的流量。 8. **Direct Connect**:AWS Direct Connect允许用户通过专用网络...

    [Cisco官方出品CCIE.R&S系列教材].Cisco.Press.CCIE.Professional.Development.Large-Scale.IP.Network.Solutions.1999

    同时,书中也会讨论如何部署和管理DHCP(Dynamic Host Configuration Protocol,动态主机配置协议)、DNS(Domain Name System,域名系统)等核心服务,以及如何通过访问控制列表(Access Control Lists,ACLs)来...

    BGP应用策略.zip

    5. **路由策略工具**: 包括路由映射(Route Maps)、访问列表(Access Control Lists)、前缀列表(Prefix Lists)、社区列表(Community Lists)等,它们是实施路由策略的重要手段。 6. **BGP路由通告**:BGP通过...

    网络实验-NA路由综合实验

    8. 安全性考虑:了解如何设置访问控制列表(Access Control Lists, ACLs)来限制网络流量,保护网络资源不受非法访问。 通过这个实验,学生不仅能够巩固理论知识,还能提升网络配置和故障排查的实际技能,为未来...

    CCNP实验手册(17个实验,17篇文档)

    7. **安全与排错**:可能包括配置ACLs(Access Control Lists)进行网络安全控制,以及如何使用各种工具诊断和解决问题,例如使用show和debug命令。 8. **网络设计与优化**:实验可能包含网络性能评估、故障恢复...

    Cisco IOS 基本命令集

    Access Control Lists (ACLs) - **Create ACLs:** `access-list &lt;acl-number&gt; permit/deny &lt;protocol&gt; &lt;source-ip&gt; &lt;source-wildcard&gt; &lt;destination-ip&gt; &lt;destination-wildcard&gt;`定义访问控制列表规则。 - **Apply...

    CCNP 里面的几个题库

    3. **IP服务**:包括NAT(Network Address Translation)、ACL(Access Control Lists)和QoS(Quality of Service)策略的配置与应用。 4. **网络安全**:涵盖AAA(Authentication, Authorization, and Accounting...

    CCNA涉及到的30个实验 教程 价值100元

    5. **网络安全**:学习基本的网络防护措施,如访问控制列表(Access Control Lists,ACLs)的设置,以及如何实现端口安全。 6. **WAN(Wide Area Network)技术**:了解不同类型的广域网连接方式,如PPP(Point-to-...

Global site tag (gtag.js) - Google Analytics