To increase the security setting of the message server you have to do the following settings:
1. Set whether external monitors such as the "msmon" monitoring program are allowed to connect to the message server.
With the "ms/monitor" parameter, you can restrict the access of the external "msmon" monitoring program.
The parameter can have the following values:
a) 0: Only application servers may change the internal memory of the message server and execute monitor functions (default setting).
b) 1: External (monitoring) programs may also make changes.
With the parameter ms/admin_port = (the default value is 0), you can open and close TCP ports on the message server for administration. An external client can use the port to connect to the message server to administer it. By default, the administration with external programs is deactivated. To activate it for specific programs, you can open a special port for administration. Clients that log on to the message server using this port can perform all administration tasks.
Possible values: You can change the parameter in a dynamic way, and the administration port is closed again with a value of 0 or lower. A value greater than 0 specifies the port number.
You can open and close the administration port by using transaction SMMS (SMMS -> Go to -> Security Settings).
2. Set the separation of the internal and external communication
To prevent unwanted clients appearing on the message server as the application server, you can use the parameter rdisp/msserv_internal = (default = 0) . A different data channel is then used for internal communication than for external communication, for which the external clients have read-only access to the information. In addition to the sapms<SID> (rdisp/msserv) port, the message server opens another port that is only used for the internal communication with the application servers.
If an application server tries to log on to the 'old' port, or if it is not listed in the ACL file, the following error message is logged in the trace file:
MsSLoginClient: client sapprod_PRD_00 (a.b.c.d) is EXTERNAL, access denied
The port number should be higher than 1024 since otherwise, you will need additional operating system rights to open the port.
Select a port that is not used by any other application on your host.
Application servers must also log on using this port. Application servers the log on with the sapms<SID> port are rejected with error (MSEACCESSDENIED).
If you want to use this parameter, you must define it centrally. It must have the same value on all application servers.
You can then only execute regular queries on the normal sapms<SID> port. This does not affect the load distribution or the retrieval of application server lists and logon groups.
In an SCS instance, you can set the value of the parameter rdisp/msserv = 0. The Message Server will then not open an external port, because it is not used.
If the values for rdisp/msserv and/or rdisp/msserv_internal are changed, then both the message server and the application server must be restarted so that these changes come into effect.
Changes with the sapevt program:
The sapevt program must attach to the internal port, otherwise no events can be triggered in the system. If sapevt connects through the external port and then tries to trigger events, the program terminates with the return code -20 (MSEACCESSDENIED). You will find this error message in the dev_evt trace file.
Return code -20 (MSEACCESSDENIED) with other programs.
The return code -20 (MSEACCESSDENIED) can also be reported with other programs that log on to the Message Server through the external port (sapms<SID>) and try to start actions that are now no longer allowed. To ensure that these programs work correctly, you must log on to the internal port.
3. Set the use of an ACL list (Access Control List) for the message server
The "ms/acl_info" parameter specifies a file (default: /usr/sap/<SID>/SYS/global/ms_acl_info) with access rights to the message server. If the file exists, it must contain all machine names, domains, IP addresses and/or subnet masks for the application servers that are allowed to log on to the message server. You can either list the names or enter each name in a separate line. This file does not affect external clients that only want to retrieve information from the message server. This is always possible.
The entries must have the following syntax:
HOST=[*| ip_adr | host_name | Subnet_mask | Domain ] [, ...]
Examples for valid entries are:
HOST = * (all hosts are allowed)
HOST=host1,host2 (Logons allowed from host1 and host2)
HOST=*.sap.com (all hosts in the sap.com domain can log on)
HOST=18.104.22.168 (hosts with this IP address can log on)
HOST=147.45.56.* (hosts with this subnet can log on)
Set the access authorizations for the file to a value that prevents unwanted modifications.
You can activate reading of the file in transaction SMMS which means that you can add, change and/or delete dynamic entries (SMMS -> Goto -> Security Settings).