
Thursday, March 10, 2011

SAP Note 821875 - Security settings in the message server

Symptom
You want to increase the security setting of the message server. To do this, you can make the following settings:

    1. set whether external monitors such as the "msmon" monitoring program are allowed to connect to the message server;
    2. set the separation of internal and external communication;
    3. set the use of an ACL list (Access Control List) for the message server.

The Solution section gives the details for the points listed above.

A further symptom is that no events can be triggered via sapevt. The following trace entries appear in the trace of the message server:


[Thr 3936] *** ERROR => MsSClientHandle: client 212.190.195.45 (212.190.
              0.195.45) is EXTERNAL, access denied [msxxserv.c   4843]


Other terms

Security
Message server
sapevt
MsSLoginClient
MSEACCESSDENIED
MsSClientHandle
Access denied.

Reason and Prerequisites
Solution
    1. Administration
       With the "ms/monitor" parameter, you can restrict the access of the external "msmon" monitoring program. The parameter can have the following values:
       a) 0: Only application servers may change the internal memory of the message server and execute monitor functions (default setting).
       b) 1: External (monitoring) programs may also make changes.
       With the parameter ms/admin_port = (the default value is 0), you can open and close TCP ports on the message server for administration. An external client can use this port to connect to the message server and administer it. By default, administration with external programs is deactivated. To activate it for specific programs, you open a special port for administration; clients that log on to the message server using this port can perform all administration tasks.
       Possible values: The parameter can be changed dynamically. A value of 0 or lower closes the administration port again; a value greater than 0 specifies the port number. You can also open and close the administration port in transaction SMMS (SMMS -> Goto -> Security Settings).
    2. Separation of internal and external communication
       To prevent unwanted clients from appearing on the message server as application servers, you can use the parameter rdisp/msserv_internal = (default = 0). A different data channel is then used for internal communication than for external communication, on which external clients have read-only access to the information. In addition to the sapms<SID> (rdisp/msserv) port, the message server opens another port that is used only for internal communication with the application servers. If an application server tries to log on to the 'old' port, or if it is not listed in the ACL file, the following error message is logged in the trace file:
       MsSLoginClient: client sapprod_PRD_00 (a.b.c.d) is EXTERNAL, access denied
       The port number should be higher than 1024, since otherwise you need additional operating system rights to open the port. Select a port that is not used by any other application on your host. Application servers must also log on using this port; application servers that log on with the sapms<SID> port are rejected with error MSEACCESSDENIED. If you want to use this parameter, you must define it centrally: it must have the same value on all application servers. Only regular queries can then be executed on the normal sapms<SID> port. This does not affect load distribution or the retrieval of application server lists and logon groups.
       In an SCS instance, you can set rdisp/msserv = 0. The message server then does not open an external port, because it is not used. If the values of rdisp/msserv and/or rdisp/msserv_internal are changed, both the message server and the application servers must be restarted for the changes to take effect.
       Changes with the sapevt program: The sapevt program must attach to the internal port; otherwise no events can be triggered in the system. If sapevt connects through the external port and then tries to trigger events, the program terminates with return code -20 (MSEACCESSDENIED). You will find this error message in the dev_evt trace file. Details on the correct use of sapevt are in Note 826779.
       Return code -20 (MSEACCESSDENIED) with other programs: The return code -20 (MSEACCESSDENIED) can also be reported by other programs that log on to the message server through the external port (sapms<SID>) and try to start actions that are no longer allowed. To ensure that these programs work correctly, they must log on to the internal port.
    3. ACL list
       The "ms/acl_info" parameter specifies a file (default: /usr/sap/<SID>/SYS/global/ms_acl_info) with access rights to the message server. If the file exists, it must contain all host names, domains, IP addresses and/or subnet masks of the application servers that are allowed to log on to the message server. You can either list the names in one line or enter each name on a separate line. This file does not affect external clients that only want to retrieve information from the message server; this is always possible. The entries must have the following syntax:
       HOST=[*| ip_adr | host_name | Subnet_mask | Domain ] [, ...]
       Examples of valid entries:
       HOST = *               (all hosts are allowed)
       HOST=host1,host2       (logons allowed from host1 and host2)
       HOST=*.sap.com         (all hosts in the sap.com domain can log on)
       HOST=147.45.56.32      (the host with this IP address can log on)
       HOST=147.45.56.*       (hosts in this subnet can log on)
       Set the access authorizations for the file to a value that prevents unwanted modifications. You can activate reading of the file in transaction SMMS, which means that you can add, change and/or delete entries dynamically (SMMS -> Goto -> Security Settings).
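As an added example (not SAP's code and not part of the note), the following Python models the access decisions described in points 1 to 3 above: the port separation via rdisp/msserv and rdisp/msserv_internal, the ms/monitor switch, and the HOST= syntax of ms_acl_info. Glob-style matching of ACL entries and the names of the request kinds are assumptions; the sample profile values and ACL lines are constructed.

```python
"""Simplified model of the message server access rules in SAP Note 821875.
Constructed example, not SAP code: the ACL syntax and the decision order follow
the note's wording; the real message server internals are not reproduced."""
from fnmatch import fnmatchcase

MSEACCESSDENIED = -20  # return code named in the note


def parse_acl(text):
    """Parse ms_acl_info lines: HOST=[*| ip_adr | host_name | Subnet_mask | Domain ] [, ...]."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().upper() != "HOST":
            raise ValueError(f"unsupported ACL line: {line!r}")
        entries.extend(v.strip() for v in value.split(",") if v.strip())
    return entries


def acl_allows(entries, host, ip):
    """Glob matching is an assumption: '*' any host, '*.sap.com' a domain, '147.45.56.*' a subnet."""
    return any(fnmatchcase(host.lower(), e.lower()) or fnmatchcase(ip, e) for e in entries)


def handle_request(profile, acl_entries, host, ip, port, request):
    """Return 'OK' or MSEACCESSDENIED. request: 'read' (server lists, read-only),
    'login' (application server), 'event' (sapevt), 'monitor' (msmon functions)."""
    internal = profile.get("rdisp/msserv_internal", 0)   # 0 = no separation
    external = profile.get("rdisp/msserv", 0)            # 0 = no external port (SCS)
    if port not in {p for p in (internal, external) if p > 0}:
        return MSEACCESSDENIED                # the port is not open at all
    if request == "read":
        return "OK"                           # information retrieval is always allowed
    if request == "monitor" and profile.get("ms/monitor", 0) == 1:
        return "OK"                           # external monitoring programs explicitly allowed
    if internal > 0 and port != internal:
        return MSEACCESSDENIED                # "client ... is EXTERNAL, access denied"
    if acl_entries and not acl_allows(acl_entries, host, ip):
        return MSEACCESSDENIED                # host not listed in ms_acl_info
    return "OK"                               # internal channel (or no separation) and ACL passed


if __name__ == "__main__":
    profile = {"rdisp/msserv": 3900, "rdisp/msserv_internal": 3990, "ms/monitor": 0}
    acl = parse_acl("HOST=*.sap.com\nHOST=147.45.56.*, sapprod")
    print(handle_request(profile, acl, "sapprod", "147.45.56.32", 3990, "login"))  # OK
    print(handle_request(profile, acl, "sapprod", "147.45.56.32", 3900, "event"))  # -20
```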
Affected Releases

Software Component   Release   From Release   To Release   And subsequent
SAP_BASIS            60        640            640
SAP_BASIS            70        700            701
SAP_BASIS            71        710            720
