Scribd
Upload
83 views

RFC Gateway Security, Part 1 - Basic Understanding - SAP Blogs

This document provides an overview of RFC Gateway security. It explains that the RFC Gateway enables communication between SAP systems and external programs. It acts as a middleware that allows RFC clients to access functions from registered external servers. The document outlines different usage types of the RFC Gateway, including registered external servers, started external servers, and RFC destinations. It notes that the RFC Gateway security is an important topic to understand in order to properly configure access controls and prevent unauthorized use.

Uploaded by

Fahri Batur
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
83 views

RFC Gateway Security, Part 1 - Basic Understanding - SAP Blogs

This document provides an overview of RFC Gateway security. It explains that the RFC Gateway enables communication between SAP systems and external programs. It acts as a middleware that allows RFC clients to access functions from registered external servers. The document outlines different usage types of the RFC Gateway, including registered external servers, started external servers, and RFC destinations. It notes that the RFC Gateway security is an important topic to understand in order to properly configure access controls and prevent unauthorized use.

Uploaded by

Fahri Batur
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 9

10/21/21, 1:13 PM RFC Gateway security, part 1 – basic understanding | SAP Blogs

Community

Ask a Question Write a Blog Post Login

Technical Articles

Johannes Goerlich
January 26, 2021 | 5 minute read

RFC Gateway security, part 1 – basic


understanding
 0  18  2,859
Follow

From my experience the RFC Gateway security is for many SAP Administrators still a
 Like not well understood topic. As a result many SAP systems lack for example of proper
defined ACLs to prevent malicious use of the RFC Gateway.

 RSS Feed After an attack vector was published in the talk “SAP Gateway to Heaven” from
Mathieu Geli and Dmitry Chastuhin at OPDCA 2019 Dubai
(https://github.com/gelim/sap_ms) the RFC Gateway security is even more
important than ever. This publication got considerable public attention as
10KBLAZE.

With this blogpost series i try to give a comprehensive explanation of the RFC
Gateway Security:

Part 1: General questions about the RFC Gateway and RFC Gateway security.

Part 2: reginfo ACL in detail.

Part 3: secinfo ACL in detail.

Part 4: prxyinfo ACL in detail.

Part 5: Security considerations related to these ACLs.

https://blogs.sap.com/2021/01/26/rfc-gateway-security-part-1-basic-understanding/ 1/9
10/21/21, 1:13 PM RFC Gateway security, part 1 – basic understanding | SAP Blogs

Part 6: RFC Gateway Logging.

Basic understanding

In the following i will do the question and answer game to develop a basic
understanding of the RFC Gateway, the RFC Gateway security and its related terms.

What is the RFC Gateway?


The RFC Gateway can be seen as a communication middleware. The RFC
Gateway act as an RFC Server which enables RFC function modules to be used
by RFC clients. It also enables communication between work or server
processes of SAP NetWeaver AS and external programs.

From a technical perspective the RFC Gateway is a SAP kernel process (gwrd,
gwrd.exe) running on OS level as user <sapsid>adm.

Where can we find the RFC Gateway?


There are three places where we can find an RFC Gateway:

In SAP NetWeaver Application Server ABAP: Every Application Server has a


built-in RFC Gateway.

https://blogs.sap.com/2021/01/26/rfc-gateway-security-part-1-basic-understanding/ 2/9
10/21/21, 1:13 PM RFC Gateway security, part 1 – basic understanding | SAP Blogs

In SAP NetWeaver Application Server Java: The SCS instance has a built-in
RFC Gateway.

The Stand-alone RFC Gateway: As a dedicated RFC Gateway serving for


various RFC clients or as an additional component which may be used to
extend a SAP NW AS ABAP or AS Java system.

Who can access the RFC Gateway in general


The RFC Gateway is by default reachable via the services ‘sapgw<InstNo>’ and
‘sapgw<InstNo>s’ which can be mapped to the ports ’33<InstNo>’ and
’48<InstNo>’. Access to this ports is typically restricted on network level.

There may also be an ACL in place which controls access on application level.
The location of this ACL can be defined by parameter ‘gw/acl_info’.

Which usage types are there?

https://blogs.sap.com/2021/01/26/rfc-gateway-security-part-1-basic-understanding/ 3/9
10/21/21, 1:13 PM RFC Gateway security, part 1 – basic understanding | SAP Blogs

This diagram shows all use-cases except `Proxy to other RFC Gateways´. The
subsequent blogs of will describe each individually.

‘Registered external RFC Servers’

The RFC Gateway allows ‘external RFC Server programs’ (also known as
‘Registered Server’ or ‘Registered Server Program’) to register to itself and
allows RFC clients to consume the functions offered by these programs.

An example would be ‘Trex_<SID>_<timestamp>’ registered at the RFC


Gateway of the SAP NW AS ABAP from the server running SAP TREX and
consumed by the same AS ABAP as an RFC client.

Another example would be ‘IGS.<SID>’ of SAP IGS registered at the RFC


Gateway of the SAP NW AS ABAP from the same server as AS ABAP (since it is
also part of it) and consumed by the same AS ABAP as an RFC client.

‘Started external RFC Servers’

The RFC Gateway is capable to start programs on the OS level.

Common examples are the program ‘tp’ for transport management via STMS
started on the RFC Gateway host of AS ABAP or the program ‘gnetx.exe’ for

https://blogs.sap.com/2021/01/26/rfc-gateway-security-part-1-basic-understanding/ 4/9
10/21/21, 1:13 PM RFC Gateway security, part 1 – basic understanding | SAP Blogs

the graphical screen painter started on the SAP GUI client host.

While typically remote servers start the to-be-registered program on the OS


level by themselves, there may be cases where starting a program is used to
register a ‘Registered Server Program’ at the RFC Gateway. In these cases the
program started by the RFC Gateway may also be the program which tries to
register to the same RFC Gateway.

Please note: One should be aware that starting a program using the RFC
Gateway is an interactive task. This means the call of a program is
always waiting for an answer before it times out. If the called program is
not an RFC enabled program (compiled with the SAP RFC library) the
call will time out, but the program is still left running on the OS level!
To overcome this issue the RFC enabled program ‘SAPXPG’ can be used
as a wrapper to call any OS command. This is for example used by AS
ABAP when starting external commands using transaction
SM49/SM69.

‘RFC destinations’

Most common use-case is the SAP-to-SAP communication, in other words


communication via RFC connections between SAP NetWeaver AS systems, but
also communication from RFC clients using the SAP Java Connector (JCo) or
the SAP .NET Connector (NCo) to SAP NetWeaver systems.

The RFC Gateway hands over the request from the RFC client to the dispatcher
which assigns it to a work process (AS ABAP) or to a server process (AS Java).

‘Proxy to other RFC Gateways’

The RFC Gateway can be used to proxy requests to other RFC Gateways.

What about the reginfo ACL?


The reginfo file is holding rules controlling which remote servers (based on
their hostname/ip-address) are allowed to either register, access or cancel
which ‘Registered Server Programs’ (based on their program alias (also known
as ‘TP name’)).

Its location is defined by parameter ‘gw/reg_info’.


In case of AS ABAP for example it may be defined as
‘$(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)data$(DIR_SEP)$(FN_REG_I
NFO)’ to make sure all RFC Gateways of the application servers of the same
system relay on the same configuration.

What about the secinfo ACL?


https://blogs.sap.com/2021/01/26/rfc-gateway-security-part-1-basic-understanding/ 5/9
10/21/21, 1:13 PM RFC Gateway security, part 1 – basic understanding | SAP Blogs

The secinfo file is holding rules controlling which programs (based on their
executable name or fullpath, if not in $PATH) can be started by which user
calling from which host(s) (based on its hostname/ip-address) on which RFC
Gateway server(s) (based on their hostname/ip-address).

Its location is defined by parameter ‘gw/sec_info’.


In case of AS ABAP for example it may be defined as
‘$(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)data$(DIR_SEP)$(FN_SEC_I
NFO)’ to make sure all RFC Gateways of the application servers of the same
system relay on the same configuration.

How are reginfo and secinfo related?


As we learnt before the reginfo and secinfo are defining rules for very different
use-cases, so they are not related.

What about the prxyinfo ACL?


The prxyinfo file is holding rules controlling which source systems (based on
their hostname/ip-address) are allowed to talk to which destination systems
(based on their hostname/ip-address) over the current RFC Gateway.

Its location is defined by parameter ‘gw/prxy_info’.


In case of AS ABAP for example it may be defined as
‘$(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)data$(DIR_SEP)$(FN_PRXY_
INFO)’ to make sure all RFC Gateways of the application servers of the same
system relay on the same configuration.

Wait! What about the SNC System ACL?


RFCs between two SAP NetWeaver AS ABAP systems or between RFC clients
using JCo/NCo and the AS ABAP are typically controlled on network level only.
The RFC Gateway does not perform any additional security checks.

When using SNC to secure RFC destinations on AS ABAP the so called ‘SNC
System ACL’, also known as ‘System Authentication’ – where imho the term
‘Authentication’ is misleading -, is introduced and must be maintained
accordingly.

This ACL is applied on the ABAP layer and is maintained in transaction SNC0.

Please note: ‘SNC System ACL’ is not a feature of the RFC Gateway itself.

Next –>

https://blogs.sap.com/2021/01/26/rfc-gateway-security-part-1-basic-understanding/ 6/9
10/21/21, 1:13 PM RFC Gateway security, part 1 – basic understanding | SAP Blogs

Alert Moderator

Assigned tags

SAP NetWeaver Application Server for ABAP

ABAP Connectivity

NW ABAP Remote Function Call (RFC)

NW Client/Server Technology (CST)

SAP Java Connector (JCo)

SAP NetWeaver Application Server for Java

Security

View more... 

Similar Blog Posts 


RFC Gateway security, part 6 – Logging
By Johannes Goerlich Feb 05, 2021

RFC Gateway security, part 5 - ACLs and the RFC Gateway security
By Johannes Goerlich Feb 03, 2021

RFC Gateway security, part 4 - prxyinfo ACL


By Johannes Goerlich Feb 01, 2021

https://blogs.sap.com/2021/01/26/rfc-gateway-security-part-1-basic-understanding/ 7/9
10/21/21, 1:13 PM RFC Gateway security, part 1 – basic understanding | SAP Blogs

Related Questions 
Gateway not connected to local R/3
By souradeep ghosal Aug 10, 2021

Approach/direction of an individual towards becoming a SAP Certified Consultant/Developer


By Former Member Nov 25, 2016

How to register an external program on gateway


By Former Member Sep 13, 2017

Join the Conversation 


SAP TechEd
Tune in for tech talk. Stay for inspiration. Upskill your future.

Coffee Corner
Join the new Coffee Corner Discussion Group.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Find us on

Privacy Terms of Use

Legal Disclosure Copyright

Trademark Cookie Preferences

https://blogs.sap.com/2021/01/26/rfc-gateway-security-part-1-basic-understanding/ 8/9
10/21/21, 1:13 PM RFC Gateway security, part 1 – basic understanding | SAP Blogs

Newsletter Support

https://blogs.sap.com/2021/01/26/rfc-gateway-security-part-1-basic-understanding/ 9/9

You might also like