SAP Basis EXPERT TEAM LEAD (ETL) - SAP Basis

EXPERT TEAM LEAD (ETL)
General
Many companies are struggling with the introduction and use of secinfo and reginfo files to secure SAP RFC gateways. We have developed a generator that supports the creation of the files. This blog post lists two SAP best practices for creating the secinfo and reginfo files to enhance the security of your SAP gateway and how the generator helps you do this.

secinfo and reginfo Request generator

Option 1: Restrictive procedure

In the restrictive approach, only in-system programmes are allowed at first, so external programmes cannot be used. Since external programmes are nonetheless needed, the access control lists must be gradually expanded to include each programme required. This procedure is very restrictive, which is good for security, but it has the major disadvantage that connections which are actually desired are always blocked during the creation phase. In addition, the permanent manual activation of individual connections represents a continuous effort. For large system landscapes, this procedure is very complex.

Option 2: Logging-based approach

An alternative to the restrictive procedure is the logging-based approach. Here, all connections are allowed at first: the secinfo file contains the content USER=* HOST=* TP=* and the reginfo file contains the content TP=*. While all connections are allowed, gateway logging records all external programme calls and system registrations. The generated log files can then be evaluated and the access control lists created from them. However, there is also a great deal of work involved here. Especially in large system landscapes, many external programmes are registered and executed, which can result in very large log files. Reviewing them and creating access control lists can be an unmanageable task. On the other hand, this process does not block any intended connections during the creation phase, so the system keeps running without disruption.
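The evaluation step of the logging-based approach can be sketched as follows. This is an added example, not the generator described in this post and not SAP code. It assumes the gateway log has already been normalised into a simplified key=value layout (the record format, the function name build_acls and all sample hosts, users and programmes are constructed), and it writes entries in the same KEY=value form used above, which must be adapted to the secinfo/reginfo syntax version of your release.

```python
import re

# Constructed sample records. Assumption: the gateway log has been normalised
# into this simplified key=value layout; real log lines look different.
SAMPLE_LOG = """\
type=start tp=sapxpg user=BATCH01 host=app01.example.internal
type=start tp=sapxpg user=BATCH01 host=app01.example.internal
type=register tp=TAXCALC host=tax01.example.internal
type=start tp=/usr/local/bin/convert user=* host=app02.example.internal
type=register tp=* host=10.0.0.7
type=start tp=sapxpg host=app03.example.internal
not a log record
"""

RECORD = re.compile(
    r"type=(start|register)\s+tp=(\S+)(?:\s+user=(\S+))?\s+host=(\S+)$"
)

def build_acls(log_text):
    """Return (secinfo, reginfo, review) built from observed gateway traffic."""
    secinfo, reginfo, review = set(), set(), []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if not m:
            review.append(line)  # unparseable: never guess an ACL entry
            continue
        kind, tp, user, host = m.groups()
        # A wildcard seen in the log must not be copied into the ACL, or the
        # generated file would recreate the permit-all recording state.
        if any("*" in (v or "") for v in (tp, user, host)):
            review.append(line)
        elif kind == "start" and user:
            secinfo.add(f"USER={user} HOST={host} TP={tp}")
        elif kind == "register" and user is None:
            reginfo.add(f"TP={tp} HOST={host}")
        else:
            review.append(line)  # incomplete or inconsistent record
    return sorted(secinfo), sorted(reginfo), review

if __name__ == "__main__":
    sec, reg, review = build_acls(SAMPLE_LOG)
    print("secinfo:", *sec, sep="\n  ")
    print("reginfo:", *reg, sep="\n  ")
    print("manual review:", *review, sep="\n  ")
```

Entries that land in the review list need a human decision before the permit-all files are replaced; every generated line should also be checked against a known business need, since the recording phase logs unwanted calls as well as wanted ones.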

Maintaining the availability of critical business processes not only requires a high-quality infrastructure, but also places equally high demands on the management and operation of the underlying SAP NetWeaver and SAP HANA platforms due to their high complexity. These platforms are often referred to as SAP Basis.
Use digitally signed SAP Notes by installing Note 2408073
The SAP Basis Plug-In is backward compatible and follows the release and maintenance strategy of the SAP R/3 Plug-In. SAP delivers it together with the SAP R/3 Plug-In. For more information, see SAP Service Marketplace at basis-plug-in → SAP Plug-In → SAP Basis Plug-In → Releases.

For more information about SAP Basis, visit the website www.sap-corner.de.

For example, many customer ABAP programs work by uploading or downloading data. There are potentially large security gaps here that allow access to server data. In addition, the widespread direct invocation of operating system commands that are not covered by a self-programmed authorization check is a major problem. Even though classic SQL injection, i.e., the entry of extended SQL commands, is a potential security vulnerability, it occurs rather rarely in SAP systems. More widespread is the unintentional dynamization of SQL calls because input parameters are not sufficiently checked. The need to check all in-house developments internally for such security vulnerabilities before they are delivered in SAP's own code has led to the development of the SAP Code Vulnerability Analyzer tool.

Tools such as "Shortcut for SAP Systems" supplement missing functions in the SAP Basis area.

The so-called SAP message server also belongs to the application layer.

Innovation without IT is unimaginable.
