5 Tips for Securing Communication Between SAP Systems and External Programs

  • by Kehinde Eseyin, Security Architect
  • July 2, 2010
Learn how to prevent the illegal and malicious starting of external programs in your SAP environment.
Key Concept
The SAP gateway is a service that allows SAP systems to communicate with each other and more importantly with external programs. External programs in this case are unrestricted operating system commands that are neither predefined nor restricted by SAP authorization concepts. Hence, the starting of external programs and its communication interface with SAP systems is of a high security interest and priority to SAP system administrators and security experts.

One of the mandatory technical and architectural components of any SAP system is the SAP instance. Every SAP instance has a gateway process. The SAP gateway provides the frontier for communication between not only different SAP systems but also external programs. In a typical SAP environment, there is always a need to run external programs (such as sapftp and saphttp) to achieve specific business and technical requirements. As a matter of fact, the aforementioned external programs (sapftp and saphttp) are available by default in every ABAP installation.

The need to take appropriate security and protective steps to prevent malicious execution of external programs is therefore crucial. External programs are started at the operating system level via the sapxpg middleware program based on the authorization of the standard SAP system operating system user. Although there are different ways to address security issues in the SAP system, a commonplace approach is using authorization concepts. However, authorization concepts are not effective as it relates to starting external programs. This is because SAP authorization concepts do not perform explicit authorization checks when starting external programs unlike how they do for ABAP programs.

As a result, you need to have security measures and strategies in place to protect the SAP gateway. In this article, I discuss these five tips:

  • Restrict unauthorized access to external programs by configuring the secinfo file
  • Control the registration of external programs in the SAP gateway by properly configuring the reginfo file
  • Configure Secure Network Communication (SNC) support via appropriate parameterization
  • Configure and protect side information tables
  • Activate gateway logging

Kehinde Eseyin

Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.