How to maintain GW security on SAP JAVA

When using a Java system, or a standalone Gateway running on a Central Services application server (ASCS/SCS), you need to use the ‘gwmon’ tool to monitor the Gateway and perform actions on it.
For an ABAP system, we can use transaction SMGW.

Where is gwmon stored?

gwmon is located under the following path:

UNIX: /usr/sap/<SID>/SCS<instance no.>/exe
Windows: SAPMNT drive/usr/sap/<SID>/SCS<instance no.>/exe

What is the command to start the gwmon tool?

Command to start the gwmon tool:

gwmon pf=<path_to_GW_profile>

For example:

gwmon pf=/usr/sap/<SID>/SYS/profile/<SID>_ASCS$$_<hostname>

Press m to get the complete menu.

Now if you want to see the connected clients on GW, select option 3 (display client table).

If we want to see more details for a connection, note down its corresponding “NO”.
For example, we want to see more details for NO = 547.
Then press m –> enter 10 (Expert Functions) –> enter 11 (dump client table).

Enter table index number. In this case, we enter 547 and gwmon will provide all the details of that particular connection.

Changes to the reginfo rules are not immediately effective, even after having reloaded the file (transaction SMGW, menu Goto -> Expert functions -> External security -> Reread / Read again).

After reloading the file, it is necessary to de-register all registrations of the affected program and register it again. This is required because the Gateway copies the related rule to the memory area of the specific registration. If you have a program registered twice and you restart only one of the registrations, the registration that was not restarted will continue to run with the old rule, while the recently restarted registration will run with the current rule. This would cause “odd behaviors” with regard to the particular RFC destination.

How to solve “Access to registered program denied” error?

For example: you have changed the rule related to the SLD_UC program in your reginfo file, allowing a new server to communicate with it (you added the new server to the ACCESS option). You have already reloaded the reginfo file. However, you still receive the “Access to registered program denied” / “return code 748” error. The solution is to stop the SLD program and start it again (in other words, de-register the program and re-register it).
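The following is an added example, not part of the original article and not SAP code: a simplified Python model of reginfo matching that separates the two causes of the error described above, a reloaded rule that still excludes the client versus a running registration that still holds the old rule. The host names, the file contents and the default of ACCESS=* for a missing option are assumptions; name resolution and keywords such as local are not modelled.

```python
import fnmatch

# Constructed reginfo contents before and after the edit; host names are placeholders.
OLD_REGINFO = """#VERSION=2
P TP=SLD_UC HOST=sldhost01 ACCESS=appsrv01 CANCEL=local
"""
NEW_REGINFO = """#VERSION=2
P TP=SLD_UC HOST=sldhost01 ACCESS=appsrv01,appsrv02 CANCEL=local
"""

def parse_reginfo(text):
    """Return rules in file order as (action, options), options like {'TP': [...]}."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("P", "D"):
            continue  # skips blank lines, comments and the #VERSION header
        opts = {}
        for field in parts[1:]:
            key, _, value = field.partition("=")
            opts[key.upper()] = [v.lower() for v in value.split(",")]
        rules.append((parts[0], opts))
    return rules

def _match(patterns, name):
    # Simplification: exact names and '*' wildcards only, compared case-insensitively.
    return any(fnmatch.fnmatchcase(name.lower(), p) for p in patterns)

def rule_for_registration(rules, tp, reg_host):
    """First rule matching the TP name and the registering host, or None."""
    for action, opts in rules:
        if _match(opts.get("TP", []), tp) and _match(opts.get("HOST", ["*"]), reg_host):
            return action, opts
    return None

def client_allowed(rule, client_host):
    """True if the rule permits the registration and lists client_host under ACCESS."""
    if rule is None or rule[0] != "P":
        return False
    # Assumption: a rule without an ACCESS option is treated as ACCESS=*.
    return _match(rule[1].get("ACCESS", ["*"]), client_host)

def diagnose(old_text, new_text, tp, reg_host, client_host):
    """Compare the rule a running registration still holds with the reloaded file."""
    old = client_allowed(rule_for_registration(parse_reginfo(old_text), tp, reg_host), client_host)
    new = client_allowed(rule_for_registration(parse_reginfo(new_text), tp, reg_host), client_host)
    if not new:
        return "reginfo still denies this client: fix the rule first"
    if not old:
        return "stale registration: cancel and re-register the program"
    return "allowed by both old and new rule"
```

Calling `diagnose(OLD_REGINFO, NEW_REGINFO, "SLD_UC", "sldhost01", "appsrv02")` reports the stale-registration case, which is the situation the de-register steps below resolve.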

We can de-register using gwmon by following the steps below:

  1. Press ‘m’ –> 21 (Cancel registered programs).
  2. Enter the TP name of the program.
  3. After this, try again to connect the RFC using SM59 from the source system. It will re-register itself if the reginfo file has been maintained correctly.

How to reload the reginfo file using gwmon?

  1. Press m to display the menu.
  2. Enter 9 (security information)
  3. Enter 4 (refresh security)

This will re-load the reginfo and secinfo files.

Press 3 to display the reloaded reginfo file.

Refer:
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=491913782
https://wiki.scn.sap.com/wiki/display/SI/Gateway+Access+Control+Lists
