Matt Fraser
https://blogs.sap.com/2014/09/09/sld-migration-and-gwaclmode/
1/30/2018 SLD Migration and gw/acl_mode | SAP Blogs

Almost every SAP installation today has one feature in common, and that is the presence, somewhere in the landscape, of SLD, the System Landscape Directory. For many, if not most, customers, SLD is integrated with another necessary component, Solution Manager, on the same system, as this is a very quick and easy way to get a basic SLD up and running, and the integration with Solution Manager is practically built in. Other customers may have had their first SLD as part of a PI installation, and much of what follows below applies in the same manner.
The Problem

Because the productive landscape depends on SLD being available, SLD maintenance has a production impact, and so it typically must be scheduled for maintenance windows outside normal business hours. If your SLD is integrated with Solution Manager, this same restriction therefore applies to Solution Manager maintenance. Note that, depending on which SolMan scenarios you use, you may have this restriction anyway, but if your primary purpose for SolMan is Maintenance Optimizer and landscape monitoring, then your Basis team may be quite frustrated by the need for production downtimes in order to maintain it.
The Solution
Many customers therefore seek to separate SLD from Solution Manager,
migrating it to its own system, and thus insulating it and your production
landscape from Solution Manager maintenance activities. A number of
documents describe this process, so this isn’t the main focus of the current
post. However, here’s a quick overview of the process, along with links to
more detailed documents for each step:
So, you'll check SM59 and the SLD_UC RFC connection will fail its connection test. You'll wallow about looking at gateway ports and services, checking RFC listener statuses, etc. (Tom Cenens has a great post about the things to check that could go wrong: How to push ABAP system data to a Java only SLD). When you have ensured that everything is configured correctly, that's when you realize there is a (mostly) undocumented step in configuring the security of a gateway in newer NetWeaver releases. There is a small text file that you must create and populate appropriately, and the documentation on the need for it is mainly found in SAP Notes (see Note 1843782: GW: Installation changes default from gw/acl_mode to 1, Note 1480644: gw/acl_mode versus gw/reg_no_conn_info, and especially Note 1069911: GW: Changes to the ACL list of the gateway (reginfo)).

The gateway is not broken here. It is doing exactly what a gateway access control list should do, refusing to let a host it has not been told about register a server program. The fix is to allow-list the hosts you actually need, not to switch the check off.
gw/acl_mode

So what does gw/acl_mode = 1 do?

You probably won't actually find this parameter in your SLD instance or default profile, which means it is at its default value, and since the kernel change described in Note 1843782 that default is 1.

With this setting, the gateway looks for a reginfo and a secinfo file. By default these files do not exist unless you create them. In the absence of explicit instructions coded into these files, the gateway falls back to its built-in defaults, which reject registrations from every host that is not the gateway's own host or an application server of the same system, and thus your SLD updates from ABAP systems are not occurring. Resist the temptation to "fix" this by setting gw/acl_mode = 0: that restores the old behaviour in which, with no reginfo file present, any host that can reach the gateway port may register any program ID. The right fix is an explicit allow list, described next.
REGINFO.DAT

The preferred method for allowing external systems of your choosing to register with the gateway, and thus with SLD, is to create the permissions file. The default location for the file is \usr\sap\<SID>\SCS<nr>\data, and the default filename is REGINFO.DAT. More generally, the file lives wherever the profile parameter gw/reg_info of the instance that runs the gateway points; for an AS Java that is the SCS instance, whose gateway the ABAP systems connect to, so check that parameter if the file is not where you expect. You won't find the file there in a fresh installation, however, so you must create it yourself. The gateway reads the file at start-up, so after creating or changing it you must make the gateway re-read it: on an ABAP gateway via SMGW (Goto > Expert Functions > External Security > Reread), on the SCS of a Java-only SLD by restarting the gateway process (or with the gwmon tool).
Note 1069911 (linked above) and Note 1105897 (GW: reginfo and secinfo with permit and deny ACL) between them give an overview of the ways you can format the reginfo file, but the bottom line is that you need something like the following in it. The first line declares the file format version:

#VERSION=2

The following lines (there can definitely be more than one) each start with either P (Permit) or D (Deny). There are four keywords (TP, HOST, ACCESS, and CANCEL) to be specified, each with its own list or range. TP is the name of the registered server program (wildcards are allowed, but TP=* in a Permit line means any program ID may be registered from those hosts, so keep such a line as narrow as possible), and HOST is the list of hosts from which that program may be registered. The gateway evaluates the lines from top to bottom and the first line whose TP and HOST match decides, so order matters: put your specific Permit lines first and end the file with an explicit D TP=* so that nothing falls through.
ACCESS is very similar to HOST. The difference is that HOST specifies the servers that are allowed to register the program (log on), whereas ACCESS specifies the servers allowed to use the registered program. It is a very specific difference, and in many setups you will have exactly the same list for HOST and ACCESS, but for the SLD data supplier it is worth getting right: the SLD_UC and SLD_NUC programs are registered at the SCS gateway by the SLD's own AS Java, and the ABAP systems are the ones that need ACCESS to them, not HOST. A host that is allowed to register a program ID can also impersonate it, so HOST should be as tight as possible. Again, see the Note for details.

CANCEL is the list of servers allowed to log off, i.e. to cancel the registration. You may well have the same list for CANCEL as for HOST and ACCESS, but it can be narrower (see the comments from Isaias Freitas below): a system that is allowed to use the registered program does not need to be able to deregister it.

For all three, HOST, ACCESS, and CANCEL, the local system is always included (permitted), so you don't need to specify it explicitly. You only need to specify external systems.
So, if all of your SAP systems are on the subnet 10.50.15.x, as an example,
then your REGINFO.DAT file will probably look like this:
#VERSION=2
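To see how the gw/acl_mode = 1 defaults and the P/D lines above actually behave, here is an added example that is not from the post and not SAP code: a small Python dry-run evaluator for a reginfo file in VERSION=2 syntax. It models the rule semantics of Notes 1069911 and 1105897 as I read them (first matching line wins; the line that admitted a registration also supplies the ACCESS and CANCEL lists checked later; no match means deny under gw/acl_mode = 1) and lets you test a candidate file against the hosts in your landscape before you reload the real gateway. The sample file, the host addresses and the "internal" server list are constructed for the example; points marked ASSUMPTION in the comments are my reading of the documentation rather than something the post states.

```python
"""Dry-run evaluator for a gateway reginfo ACL (VERSION=2 syntax).

Added example, not SAP code. Models: first matching rule wins; the rule that
admitted a registration supplies its ACCESS and CANCEL lists; no match = deny.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample file with hypothetical hosts. SLD_UC/SLD_NUC are registered
# at the SCS gateway by the SLD's own AS Java ("internal"); the ABAP data
# suppliers on 10.50.15.x only need to use them; only internal hosts may cancel.
SAMPLE_REGINFO = """\
#VERSION=2
# SLD data supplier bridge programs
P TP=SLD_UC  HOST=internal ACCESS=internal,10.50.15.* CANCEL=internal
P TP=SLD_NUC HOST=internal ACCESS=internal,10.50.15.* CANCEL=internal
# nothing else may register on this gateway
D TP=*
"""

# ASSUMPTION: with no reginfo file, gw/acl_mode = 1 applies built-in rules that
# admit only the gateway host and the servers of the same system (Note 1480644).
DEFAULT_WHEN_NO_FILE = "#VERSION=2\nP TP=* HOST=internal,local\n"


@dataclass
class Rule:
    permit: bool
    tp: str
    host: List[str]
    access: List[str]
    cancel: List[str]


def _split(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_reginfo(text: str) -> List[Rule]:
    """Parse P/D lines; '#' lines (including the #VERSION=2 header) are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *opts = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"bad rule: {raw!r}")
        kv = {}
        for opt in opts:
            key, sep, val = opt.partition("=")
            if not sep:
                raise ValueError(f"bad option {opt!r} in {raw!r}")
            kv[key.upper()] = val
        if "TP" not in kv:
            raise ValueError(f"TP is mandatory: {raw!r}")
        host = _split(kv.get("HOST", "*"))                    # ASSUMPTION: no HOST = any host
        rules.append(Rule(
            permit=action == "P",
            tp=kv["TP"],
            host=host,
            access=_split(kv.get("ACCESS", "*")),             # ASSUMPTION: no ACCESS = any host
            cancel=_split(kv.get("CANCEL", ",".join(host))),  # ASSUMPTION: defaults to HOST
        ))
    return rules


@dataclass
class Gateway:
    local: str                                            # host the gateway runs on
    internal: List[str] = field(default_factory=list)     # servers of the same SAP system
    rules: List[Rule] = field(default_factory=list)

    def _host_ok(self, host: str, patterns: List[str]) -> bool:
        if host == self.local:                            # the local host is always included
            return True
        for pat in patterns:
            if pat == "*":
                return True
            if pat == "internal" and host in self.internal:
                return True
            if pat in ("internal", "local"):
                continue
            if "/" in pat:                                # CIDR form; ASSUMPTION: kernel supports it
                try:
                    if ipaddress.ip_address(host) in ipaddress.ip_network(pat, strict=False):
                        return True
                except ValueError:
                    pass
            elif fnmatch.fnmatchcase(host, pat):          # wildcard form such as 10.50.15.*
                return True
        return False

    def _registration_rule(self, tp: str, reg_host: str) -> Optional[Rule]:
        """First rule whose TP and HOST match decides; a D line or no match rejects."""
        for rule in self.rules:
            if fnmatch.fnmatchcase(tp, rule.tp) and self._host_ok(reg_host, rule.host):
                return rule if rule.permit else None
        return None

    def can_register(self, tp: str, reg_host: str) -> bool:
        return self._registration_rule(tp, reg_host) is not None

    def can_access(self, tp: str, reg_host: str, client: str) -> bool:
        rule = self._registration_rule(tp, reg_host)
        return rule is not None and self._host_ok(client, rule.access)

    def can_cancel(self, tp: str, reg_host: str, client: str) -> bool:
        rule = self._registration_rule(tp, reg_host)
        return rule is not None and self._host_ok(client, rule.cancel)


def sample_gateway() -> Gateway:
    """Hypothetical SLD SCS at 10.50.15.5 with one more server of the same system."""
    return Gateway("10.50.15.5", ["10.50.15.5", "10.50.15.6"], parse_reginfo(SAMPLE_REGINFO))


def no_file_gateway() -> Gateway:
    """Same hosts, but no reginfo file at all (the situation the post describes)."""
    return Gateway("10.50.15.5", ["10.50.15.5", "10.50.15.6"], parse_reginfo(DEFAULT_WHEN_NO_FILE))


if __name__ == "__main__":
    gw = sample_gateway()
    print("ABAP host 10.50.15.20 may register SLD_UC:", gw.can_register("SLD_UC", "10.50.15.20"))
    print("ABAP host 10.50.15.20 may use SLD_UC:", gw.can_access("SLD_UC", "10.50.15.5", "10.50.15.20"))
    print("ABAP host 10.50.15.20 may cancel SLD_UC:", gw.can_cancel("SLD_UC", "10.50.15.5", "10.50.15.20"))
```

Run it as-is and the ABAP host can use SLD_UC but can neither register nor cancel it; swap in your own file and host list to check a candidate reginfo before you reload it. Treat it as a model of the documented semantics, not as the gateway itself: the final word on what a given kernel accepts is the gateway log after a reload.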
Conclusion
In the work folder, the gw_log file (with date stamp) will have a set of lines similar to:

And, of course, the RFC connection will now test successfully and registrations will succeed.
More Information
For an overview of best practices, how-tos, and planning guides related to
SLD, I recommend visiting and bookmarking More on System Landscape
Directory, maintained by Wolf Hengevoss. Most of the documentation
available for SLD is linked from this highly informative page.
19 Comments
Andy Silvey
Hi Matt,
excellent blog and explanations and advice. What about the SAP recommendation of
using PI as the SLD?
Best regards,
Andy.
Hi Andy, and thanks for the compliment (means a lot coming from you).
Regards,
Matt
Andy Silvey
Hi Matt,
If you haven’t got PI, then when choosing which SAP system
to host the SLD on, I would advise pick the SAP system which
has the least chance/expectation/reason/behaviour of going
down – the SLD needs to be up all the time.
Best regards,
Andy.
Andy Silvey
Andy.
Muniyappan Marasamy
Regards,
Muni
Hi Muni,
Cheers,
Matt
Muniyappan Marasamy
Isaias Freitas
Hello Matt,
I believe that setting CANCEL, HOST and ACCESS to the same value is not ideal from a
security perspective. Maybe some servers are allowed to ACCESS the registered
program, but should not be allowed to CANCEL it.
And HOST should be a list of servers that are allowed to register the specific program
defined by TP.
You can take a look at Gateway Access Control Lists – Security and Identity
Management – SCN Wiki. I hope it helps.
Regards,
Isaías
Hi Isaias,
Thanks for the link to the wiki. I never found that when I was trying to figure
out why my stuff wouldn’t work (which is what prompted me to write this
blog at the time). That is significantly more detail about how the ACLs work
However, I am a bit confused, and I hope you can enlighten me. Both your
wiki and Note 1069911 imply that CANCEL should in fact include the
servers that make up your SAP system or landscape, which is what I was
trying to illustrate (perhaps I was not clear enough that I meant an internal,
controlled list of IP addresses that represent the data center or the SAP
systems). Also, the Note says that CANCEL details which systems are
allowed to logoff from the gateway (which seems desirable), but your wiki is
less clear, implying that this allows the remote host to cancel the gateway’s
registration (which I agree would not normally be something we would do
for a server-server interface, unless it was just meant to be a one-time
interaction).
Cheers,
Matt
Isaias Freitas
Hello Matt,
You should allow at least both involved systems (SLD and the
SAP system where the SLD programs are registered) to
cancel the registration.
The reason is that if you stop the SLD system, for example, to
do some maintenance task, the SLD must be able to cancel its
registration in a “nice way”, so the SAP system is “aware” that
the SLD is not available.
The same applies if you need to stop the SAP system. It must
be able to cancel the SLD registration, so SAP can stop
“nicely”.
CANCEL=internal,<SLD server>
Cheers,
Isaías
Isaias Freitas
Hello Matt,
Cheers!
Gustavo Mac
Hi Matt,
I'm configuring SLD in a standalone instance, and you mention that basically the
following steps must be taken:
I have done step 4.1 and I'm fine, but when I go to the 4.2 Java Functional Unit
Configuration I'm having issues with the roles that are assigned to the user. When I go
to the UME in the SLD there are no basic roles like user admin to be assigned to my
current user, and so on with the rest of the functional units I select, and I wonder:
b. What is the purpose of doing this configuration? Is there a specific reason why we
should do this, and if so, what is the reason?
d. Am I missing something in the installation of the Java AS for the SLD? If so, what do I
need to do to get the basic roles in the SLD UME?
Thanks
Hi Gustavo,
When you install the AS Java, there is a part where you can select a
functional unit to activate (i.e., ADS, Java Extensions, or, obviously, SLD).
However, it has been my experience that this doesn’t usually do the trick,
and after the install (and update) is complete, you usually have to go back
manually and activate the functional unit, by navigating to
http(s)://host:port/sld/fun.
Can you live without it? Maybe. But it's probably better to fix any problems
so that this process can complete successfully. I think this wizard will set up
the SLD-specific roles for you.
So, before running it, you need to make sure your user account is in the
Administrators group, or use the built-in Administrator user to run the
wizard. My guess is that perhaps you ran it with a user lacking the full
authorization to perform the activities.
Cheers,
Matt
Jill Diesman
Hi Matt,
Best regards,
Jill
Isaias Freitas
Hello Jill,
You can change the path/name of the file by setting the parameter
“gw/reg_info”.
Best regards,
Isaías