Security Settings for the SAP Message Server

Use

You can make the following settings to increase the security when the SAP message server is in operation.

You can set:

·        Whether external monitors like the Monitoring Program msmon are allowed to connect to the message server.

·        Whether and how the message server can be administered using the browser.

·        An ACL list to be used for the message server.

Features

Administration Using Profile Parameters

ms/monitor

With parameterms/monitor you can set that an application server can change or delete the internal memory of the message server. The external Monitoring Program msmon tehn has olny restricted access. The parameter can have the following values:

·        0: Only application servers are allowed to change the internal memory of the message server and perform monitoring functions (default).

·        1: External (monitoring ) programs are also allowed to do this.   

ms/admin_port

With parameter ms/admin_port = <nr>   (Default 0). You can open and close TCP ports of the message server for administration. An external client can connect to the message server through this port to carry out administration tasks on the message server. By default is administration by external programs deactivated (ms/monitor=0). To enable this for individual programs, a special administration port can be opened. Clients that log on the message server through this port are allowed to carry out all administration tasks.

The parameter can be changed dynamically. A value smaller or equal to 0 closes the admin port again. You can see this parameter in the list of parameters if you have administrator authorization.

To open, change, or close the admin port in productive operation, in the message server monitor choose Goto ® Security Settings ® Admin Port (transaction SMMS).

Separate Internal and External MS Communication

To prevent unwanted clients pretending to the message server to be application servers, you can use parameter  rdisp/msserv_internal = <no.>(default 0).

For internal communication another data channel is used to the one used for external communication, to which external clients have only read-only access.

The message server opens another port  <no.>, in addition to its port sapms<SID> (rdisp/msserv), which is used for internal communication with the application servers. This port must be used to log on to an application server. Clients that log on through the 'normal' port sapms<SID>  are denied access (MSEACCESSDENIED).

If you want to use this parameter, you must define it on the central system and it must have the same value on all application servers.

The normal sapms<SID> port can still be used for queries. Load distribution functions and the retrieval of application server lists and logon groups are not affected.

Access Control List (ACL)

With parameter ms/acl_info you can specify a file with access authorizations to the message server. If this file exists, it must include all host names, domains, IP addresses and/or subnetwork masks from which application servers are allowed to log on to the message server.

The names can be either put in a list or written in separate lines.

This file has no affect on external client who want only to get information from the message server. This is possible in any case.

The entries must have the following syntax:

HOST=[*| ip-adr | hostname | subnetwork mask | domain ] [, ...]   

You create the file at operating system level. You can then display and reload the file in the message server monitor (SMMS). To do so, choose Goto ® Security Settings ® Access Control.

HOST = sapapp1, sappapp2 means that only logons from hosts sapapp1 and sapapp2 are permitted.

HOST = *.sap.com means that all host names are allowed from domain sap.com.

HOST = 157.23.45.56, 157.23.45.57 means that only hosts with these IP addresses are allowed.

HOST = 157.23.45.*  means that all hosts from this subnetwork are allowed.