Did you know that there is a RFC firewall built into BW 7.3? Well it’s not exactly a firewall but it is designed to prevent remote applications from starting a program that communicates with NW BW 7.3 via RFC. Before I get too deep into the point of this article I want to disclose that I am NOT an expert BW administrator. Most life long BOBJ folks hardly know what BASIS means. 🙂 I’m more of a long time relational database ROLAP BOBJ kind of guy. My only motivation for obtaining this knowledge was to help make SAP BusinessObjects, SAP Data Services and other RFC connections work with SAP NW BW 7.3. So forgive me in advance if this is something that existed long before BW 7.3 or if there is a better way to configure BW. At any rate, let’s get to the point…
If you are trying to integrate the SAP BusinessObjects tools or SAP Data services with SAP NW BW 7.3 you will find that the following applications connect to BW via RFC:
1. Data Services Load and Read from BW (ABAP and RFC)
2. Relational BOBJ UNX on BW using JCo (Java Connector)
3. Crystal Reports 2011 with the BW MDX driver
4. BW Crystal Report Publishing
5. UNV on BW MDX BEx query
However, before any of the above applications will be able to communicate with BW, you have to set a few parameters before BW will open up the gates.
I’ll admit, I took the shotgun approach when fixing my BW environment and simply turned the gateway security off. It was a new system so no other conflicting parameters had been established. (See below for info about the reg_info and sec_info files) I would recommend that you review all the settings available before simply turning this security feature off. Consulting an experienced BW security consultant would be wise as well. In my environment the key was a profile parameter called “gw\acl_mode”. In BW 7.3 this parameter is set to 1 (Use files and / or block everything not granted). By setting it to 0 (Allow All), the gateway will accept all remote RFC programs. If it is enabled (Set to 1), you’ll find it difficult to make a remote RFC connection unless you have the proper entries in your files that grant RFC access and registrations. In the SAP GUI you can run transaction /nrz11 to manage profile values. Search for ‘gw\acl_mode’ to change this parameter. While there check for the paths found in ‘gw\reg_info’ and ‘gw\sec_info’ as you might need them later.
However, it appears that administrators can take a more secure approach by defining an ACL (Access Control List) file that explicitly lists the hosts, users, programs or networks that are allowed to make a connection. See the links below for more details. I have also found that the ‘gw\acl_mode’ setting gets a little ambiguous if the ‘gw\reg_info’ and ‘gw\sec_info’ parameters are also set and their associated files exists in the path specified. There is some indication in the links provided below that if these files are used the ‘gw\acl_mode’ settings = 0 does not matter. In short, the ‘gw\acl_mode’ might only be relevant if the ‘gw\reg_info’ and ‘gw\sec_info’ files do not exists. However, if the ‘gw\acl_mode’ = 1 and ‘gw\acl_file’, ‘gw\sec_info’ and ‘gw\reg_info’ parameter are all three set, all three settings might work together. ??? (I know..confusing) To view and manage gateway connections run transaction /nsmgw to monitor connections and also manage the reg_info and sec_info files. Hint: use the menu options “Go To”->”Expert Functions”->”External Security”->* Again it was just easier for me to remove the sec.DAT and reg.DAT files and stick with the ‘gw\acl_mode’ = 0 setting.
The good news is that these little gems have solved several integration problems between BusinessObjects, Crystal Reports 2011, Data Services and BW. The bad news is that it took me over two weeks of research to figure it out. Thankfully I was in my lab and not on a customer’s site when I first discovered this issue. Surprisingly the SAP support notes made no mention of this setting under the BI* area. (maybe not so surprisingly). Shortly after the discovery, I also had 4 different clients run into the same issue. I get the impression that this is not a well known configuration parameter but I could be wrong. Hopefully you will find this article before you invest a lot of time into researching the problem.
Below are a few links that you can use to reference the various parameter values available when securing your BW gateway. If you have more information, please feel free to post a comment.
A list of the gateway Security Parameters (Link)
Setting up an ACL list for server or networks (Link)
Making Security Settings for Remote Programs (Link)
General Gateway Parameter’s help page (Link)
SAP BusinessObjects JCo Universe Setup Wiki (Link)
SAP Note 1480644 (gw/acl_mode versus gw/reg_no_conn_info)
For Google Search purposes 🙂 I am listing the possible errors from the BusinessObjects Tools below:
Error Received in IDT using JCo when RFC is blocked:
com.sap.connectivity.cs.java.drivers.DBDError: [Data Federator Driver] [Server] [Connector ‘testSourceConnection1350699853522’] An error occurred while trying to ping the server: SAP NetWeaver BW has reported an RFC error: Error during RFC callback: Error when opening an RFC connection (CPIC-CALL: ‘ ThSAPOCMINIT’ : cmRc=2 thRc=67
Crystal Report 2011 using BW MDX Driver
Crystal Reports will lockup or Freeze if you attempt to connect a report to a BEx query.
Data Services RFC Test Fails
10/19/2012 23:10:40 [ INFO ] RFC Server connection 1-BW|SAPGW0x|PROGRAM catched java.lang.Exception: CPIC-CALL: SAP_CMACCPTP3 on convId:
LOCATION SAP-Gateway on host server.name.om / sapgw01
ERROR registration of tp TRANSPORT_NAME from host
remote.hostname.local not allowed
TIME Fri Oct 19 23:10:40 2012
Great post and thanks for the help on this issue last week 🙂
Hello Jonathan ,
it was interesting to read your article , I think that you have mentioned 1 thing that every SAP BI/BW/BO need to have is a strong BASIS guys.
did you leave massage in SAP SCN community ?
I played data services with BW and it worked fine, I guess it also got to who have installed your BW system , and whether he/she knows what they are doing .
if you have in the future any question you are welcome to contact me
I agree concerning the BASIS team. Unfortunately many of the site (both large and small) where I have implemented BOBJ and DataServices with BW have very few knowledgeable BASIS engineers. I don’t know why that is the case. From a BOBJ and DS perspective the Gateway security was not a frequent issue until the release of the 7.20 kernel or BW 7.3. Apparently this build (by default) is enabling some of these security features during the install.
Hi, Jonathan. That is a very interesting article and very thorough. I feel your pain and thank you for sharing. Might you be able to comment on the issue I’m experiencing between SBOP Data Services and ECC Server when loading the SAP Rapidmarts? RFC runs the ABAP programs sent by the DS server and outputs the .dat files to the shared folder on the ECC server. The BO/DS user has full access to the shared folder. If the file exists, it is deleted and re-created, no errors. If the file doesn’t exist, the RFC process outputs the file. Here’s where it gets tricky: if the file exists and is deleted and re-created, the next step in the DS dataflow (the transform) can read the file and the job moves on. If the .dat file doesn’t exist and is being created for the first time, the transform cannot read the file and gets that 80101 error and the job hangs up. We found this out because we re-ran the DS job and it moved past where it got hung up before. Might you (or anyone out there?) have any thoughts on this, please? My e-mail is email@example.com.
Have you tried creating a script object (before the DF executes) to create or copy an empty .dat file into the shared directory?
Thank you for posting this article. It made my day by a simple profile (gw/acl_mode) change from 1 to 0.
Thanks. This is a great post which will definitely save lots of days for many who are trying to create RFC connection 🙂 I myself spent a lot of time and none of SAP documentation and even SAP support is able to tell this straightaway.
Outstanding Article – life-savor! As a Basis guy for 17 years, I’ve seen a lot of curve balls from SAP. None so big though as the release of the 7.20 kernel (and removing rfc completely – without any documentation or reference to this fact which is key if you’re working on a net-new install, e.g. BW 7.31.) Thank goodness I found the error file on the BODS server that gave me the RFCIO error leading me here! OSS is no help and these params are all but forgotten. Great Job Jonathan! (and thank you Google 🙂 )
I’m glad you found this useful. Thank You.
You just saved my day (or week). Spent many days on this one after we moved our environment to an external hosting partner. Thank you so much.
Thanks for the post. This information related to Note 1480644 – gw/acl_mode versus gw/reg_no_conn_info helped me resolve our issue
I wanted to ask you a sonsulta concerning the conectvidad of dashboards with SAP BW 7.00
sap bw 7.00 am on the side of BO have Dashboards 4.0 sp September.
Giving me this error.
that version 4.0 SPxx dashboards, you can connect to BW?
thanks for your help
Yimi castro G