| SAP link is not allowed to register on the SAP gateway | 您所在的位置:网站首页 › registration not allowed › SAP link is not allowed to register on the SAP gateway |
SAP link is not allowed to register on the SAP gateway
|
Issue
Usable to sent messages from SAP to KCS due to enhanced security settings on SAP introduced with kernel 640. The following errors might be reported: When checking the status of these messages in SAP transaction /nSOST they will show up with error code: 751: "Message cannot currently be transferred to node TCLINKSC-Node due to connection Error"
The connection test in SAP Transaction /nSM59 also reports a connection error.
ERROR: timeout during allocate of registered program
The TC/LINK-SC reports an event log entry15026, that the registration is not allowed.
Type : Warning
Event : 15026
Description:
RFC Server connection error, RFC function: RfcListen RFC error string: KEY=RFC_IO5
STATUS=RFC DRV=??? ??? MESSAGE=CPIC-CALL: 'SAP_CMACCPTP : rc=20
LOCATION SAP-Gateway on host SAP-Gateway / sapgw00
ERROR registration of tp TCLINKSC.PROGID from host KCSServer not allowed
TIME Fri Feb 16 14:31:10 201
RELEASE 720
COMPONENT SAP- INTSTAT=IO HANDLE=22 DRV=??? LINE=2178 CODE=5 RFC connection
errors typically occur due to network problems. Check RFC error string, verify
network connection to SAP gateway and R/3 application server. Contact SAP System
Administrator on persistent RFC error.
Cause
Assuming the following configuration items are correct this is caused by enhanced security features introduced in SAP Kernal 640. RFC User, password, RFC Destination and RFC Node are setup correctly in SAP and on TC/LINK-SC side. Within KCS Monitor the TC/LINK-SC is shown as green and active.With SAP Kernel 640, SAP has improved their security settings, external programs like TC/LINK-SC are only allowed to register at the SAP Gateway if these applications are specifically listed in a file of allowed applications. SolutionAllowed applications are stored in the ACL list of the gateway, by default this gateway ACL check is now enabled. You can verify this as follows: Ask the SAP administrator to start the SAP transaction /nRZ10 (Edit profiles) You will get a selection box for the profile, which includes the Default profile, Instance profile and Start profile. Select the Instance profile In the Edit Profile selection box, choose Extended maintenance and press the Display button.
In the instance profile you will find the parameter gw/acl_mode and - if it is set to 1 - the ACL check is enabled.
You might set this gw/acl_mode parameter to 0 and restart the SAP gateway to disable the ACL checking, but this is not the method recommended by SAP.
If gw/acl_mode=1, SAP will check additional files reg_info and sec_info.
These files contain an information, which hosts and which programs are allowed to access the SAP gateway.
To check the definitions in these files, ask the SAP administrator to start SAP transaction /nSMGW
Select then menu option Goto - Expert functions - External Security - Display (Sec Info) and Display (Reg Info)
If the reg_info file does not exist, the system will show you a default file, which is used instead. The default file only allows local access.
You see also a comment where the SAP system expects the file to be located:
If the SAP Server runs on a Windows machine, the file is named reginfo.DAT and is located in the sub folder data of the SAP instance directory.
The syntax of this reginfo.DAT file is explained in SAP Note 1408081 - Basic settings for reg_info and sec_info
Basically the P at the beginning of each line stands for Permit, while D would mean Deny
Then the TP parameter defines the programID used by this external application, * means, that all programIDs are allowed
The HOST parameter defines, which host names (FQDN or IP addresses) are allowed to access the SAP gateway.
If you use a FQDN the SAP server must be able to resolve it otherwise, it will not accept it.
Now you have to add a rule, which allows the TCLINK to access the SAP gateway
Ask the SAP Administrator to create an appropriate reginfo.DAT file within the operating system in the specified directory.
Or possibly the file does already exist and only needs to be modified to include TC/LINK-SC as allowed application.
Include the entries from the internal default and add a line, which allows the TCLINK machine to access the SAP gateway.
In our test case we added a line to allow all KCS Servers having an IP 172.20.242.xxx to connect to the SAP server: P TP=* HOST=172.20.242.*
If the SAP Server does not accept the line, add it with the appropriate network mask, e.g.
P TP=* HOST=172.20.242.0/24 ACCESS=172.20.242.0/24 CANCEL=172.20.242.0/24
After changing the file on operating system level you must select the menu option Goto - Expert functions - External Security - Reread to read the file again and make the changes active in SAP.
Afterward you can again to display the file using menu option Goto - Expert functions - External Security - Display (Reg Info)
If the ACL file is modified correctly, restart the TC/LINK-SC and verify that the event log entries 15026 are not reported anymore.
Send some test messages from the SAP GUI to verify that the messages are now picked up correctly.
Level of Complexity
Moderate Applies to Product Version Build Environment Hardware Kofax Communication Server - TC/LINK-SC All ReferencesSome related articles in the SAP help portal: Gateway Security Files secinfo and reginfo. Security Settings in the Gateway.Links to related SAP Notes: (requires registration) 1069911 - GW: Changes to the ACL list of the gateway (reginfo) 105897 - GW: reginfo and secinfo with permit and deny ACL 1305851 - Overview note: "reg_info" and "sec_info" 1408081 - Basic settings for reg_info and sec_info 1525125 - Update #1 to Security Note 1408081 1592493 - GW: Problems in "reginfo" configuration 1850230 - GW: "Registration of tp not allowed" 2104408 - Checklist for "program not registered" errors
|
【本文地址】
公司简介
联系我们