Internet Graphics Service Security

The Internet Graphics Service

Introduction

The IGS (Internet Graphics Service) consists of several elements linked to one another and, for example, to SAP System by means of network connections. The IGS uses incoming data to generate graphics, which the user can then access as required.

 

Why Is Security Necessary?

Graphics do not generally represent a security risk. However, data used to create graphics may be relevant to security. The graphics generated may also represent sensitive information (for example, salaries, sums of money agreed in contracts).

 

Network Security and Communication Security

The graphic below shows the elements of the IGS architecture. SAP systems can send either RFC or HTTP requests to the IGS. Non-SAP systems send HTTP requests.

RFC requests are handled by the RFC listener. HTTP requests are handled by the HTTP listener. The requests are then sent to the multiplexer. The multiplexer communicates with the portwatchers using TCP/IP.

 

 

The IGS can be installed either all on one machine or distributed across several machines. Data is sent using TCP/IP in both cases.

The multiplexer is itself assigned a port number and its HTTP listener also has a port number.

The portwatchers also have their own port number. Note that different ports are specified for each portwatcher and they must not clash with the multiplexer or the listeners or with any other components installed on the system.

The RFC also occupied ports. First of all it checks whether there is a corresponding entry for the gateway used (for example, sapgw32) in the file \etc\services. If there is an entry then this entry is used. If not, then ports are used according to the pattern 33XX or 48XX for SNC.

This information is stored in the configuration file igs.xml. Below is an example of a configuration file:

 

 

A precondition for using the IGS from an SAP system is that the SAP system knows the IGS. To achieve this an RFC destination must be maintained both in the SAP System and also in the IGS.

The RFC destination is maintained in the SAP System in transaction SM59. There are two predefined destinations:

  • IGS_RFC_DEST
    This is the standard destination.
  • GFW_ITS_RFC_DEST
    This destination is used for the Graphical Framework.

Other Information Relevant for Security

You should only use interpreters from sources you trust because they give users full access to the machine on which they are running.