Did you know that there is an RFC firewall built into BW 7.3? Well, it’s not exactly a firewall, but it is designed to prevent remote applications from starting a program that communicates with NW BW 7.3 via RFC. Before I get too deep into the point of this article I want to disclose that I am NOT an expert BW administrator. Most lifelong BOBJ folks hardly know what BASIS means. 🙂 I’m more of a long-time relational database ROLAP BOBJ kind of guy. My only motivation for obtaining this knowledge was to help make SAP BusinessObjects, SAP Data Services and other RFC connections work with SAP NW BW 7.3. So forgive me in advance if this is something that existed long before BW 7.3 or if there is a better way to configure BW. At any rate, let’s get to the point…
If you are trying to integrate the SAP BusinessObjects tools or SAP Data Services with SAP NW BW 7.3, you will find that the following applications connect to BW via RFC:
1. Data Services Load and Read from BW (ABAP and RFC)
2. Relational BOBJ UNX on BW using JCo (Java Connector)
3. Crystal Reports 2011 with the BW MDX driver
4. BW Crystal Report Publishing
5. UNV on BW MDX BEx query
However, you have to set a few parameters before BW will open up the gates and let any of the above applications communicate with it.
I’ll admit, I took the shotgun approach when fixing my BW environment and simply turned the gateway security off. It was a new system, so no other conflicting parameters had been established. (See below for info about the reg_info and sec_info files.) I would recommend that you review all the settings available before simply turning this security feature off. Consulting an experienced BW security consultant would be wise as well. In my environment the key was a profile parameter called “gw/acl_mode”. In BW 7.3 this parameter is set to 1 (Use files and / or block everything not granted). By setting it to 0 (Allow All), the gateway will accept all remote RFC programs. If it is enabled (set to 1), you’ll find it difficult to make a remote RFC connection unless you have the proper entries in your files that grant RFC access and registrations. In the SAP GUI you can run transaction /nrz11 to manage profile values. Search for ‘gw/acl_mode’ to change this parameter. While there, check for the paths found in ‘gw/reg_info’ and ‘gw/sec_info’ as you might need them later.
However, it appears that administrators can take a more secure approach by defining an ACL (Access Control List) file that explicitly lists the hosts, users, programs or networks that are allowed to make a connection. See the links below for more details. I have also found that the ‘gw/acl_mode’ setting gets a little ambiguous if the ‘gw/reg_info’ and ‘gw/sec_info’ parameters are also set and their associated files exist in the path specified. There is some indication in the links provided below that if these files are used, the ‘gw/acl_mode’ = 0 setting does not matter. In short, ‘gw/acl_mode’ might only be relevant if the ‘gw/reg_info’ and ‘gw/sec_info’ files do not exist. However, if ‘gw/acl_mode’ = 1 and the ‘gw/acl_file’, ‘gw/sec_info’ and ‘gw/reg_info’ parameters are all three set, all three settings might work together. ??? (I know… confusing.)
To view and manage gateway connections, run transaction /nsmgw, which lets you monitor connections and also manage the reg_info and sec_info files. Hint: use the menu options “Go To”->“Expert Functions”->“External Security”->* Again, it was just easier for me to remove the sec.DAT and reg.DAT files and stick with the ‘gw/acl_mode’ = 0 setting.
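As an added example (not from the original post and not SAP code), the Python sketch below models how an explicit reg_info ACL could admit the one registration that the Data Services log further down shows being rejected, without opening the gateway to everything. It assumes a simplified rule model: P/D lines, TP= and HOST= with `*` wildcards, first matching rule wins, and no match means deny. The sample file content is constructed, and ACCESS=/CANCEL= fields are parsed but ignored.

```python
import fnmatch

# Constructed sample reg_info content (not from the original post). The program
# and host names reuse the placeholders shown in the Data Services error log.
SAMPLE_REG_INFO = """\
#VERSION=2
P TP=TRANSPORT_NAME HOST=remote.hostname.local ACCESS=internal CANCEL=internal
P TP=BOBJ_* HOST=*.hostname.local
D TP=* HOST=*
"""

def parse_reg_info(text):
    """Return a list of (action, tp_pattern, host_patterns) in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks, comments and the #VERSION header
        action, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        hosts = kv.get("HOST", "*").split(",")
        rules.append((action.upper(), kv.get("TP", "*"), hosts))
    return rules

def registration_allowed(rules, tp, host):
    """Assumed semantics: first matching rule decides; no match is a deny."""
    for action, tp_pat, host_pats in rules:
        tp_ok = fnmatch.fnmatchcase(tp, tp_pat)
        host_ok = any(fnmatch.fnmatchcase(host.lower(), h.lower())
                      for h in host_pats)
        if tp_ok and host_ok:
            return action == "P"
    return False

def overly_permissive(rules):
    """Permit rules that let any host register any program (an 'allow all')."""
    return [r for r in rules if r[0] == "P" and r[1] == "*" and "*" in r[2]]

if __name__ == "__main__":
    rules = parse_reg_info(SAMPLE_REG_INFO)
    print(registration_allowed(rules, "TRANSPORT_NAME", "remote.hostname.local"))
    print(registration_allowed(rules, "TRANSPORT_NAME", "other.example.net"))
    print(overly_permissive(parse_reg_info("P TP=* HOST=*")))
```

Running `overly_permissive` over an existing file is a quick way to spot entries that reproduce the effect of turning the ACL off.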
The good news is that these little gems have solved several integration problems between BusinessObjects, Crystal Reports 2011, Data Services and BW. The bad news is that it took me over two weeks of research to figure it out. Thankfully I was in my lab and not on a customer’s site when I first discovered this issue. Surprisingly, the SAP support notes made no mention of this setting under the BI* area (maybe not so surprisingly). Shortly after the discovery, I also had 4 different clients run into the same issue. I get the impression that this is not a well-known configuration parameter, but I could be wrong. Hopefully you will find this article before you invest a lot of time into researching the problem.
Below are a few links that you can use to reference the various parameter values available when securing your BW gateway. If you have more information, please feel free to post a comment.
A list of the gateway Security Parameters (Link)
Setting up an ACL list for server or networks (Link)
Making Security Settings for Remote Programs (Link)
General Gateway Parameters help page (Link)
SAP BusinessObjects JCo Universe Setup Wiki (Link)
SAP Note 1480644 (gw/acl_mode versus gw/reg_no_conn_info)
For Google Search purposes 🙂 I am listing the possible errors from the BusinessObjects Tools below:
Error Received in IDT using JCo when RFC is blocked:
com.sap.connectivity.cs.java.drivers.DBDError: [Data Federator Driver] [Server] [Connector ‘testSourceConnection1350699853522’] An error occurred while trying to ping the server: SAP NetWeaver BW has reported an RFC error: Error during RFC callback: Error when opening an RFC connection (CPIC-CALL: ‘ ThSAPOCMINIT’ : cmRc=2 thRc=67
Crystal Reports 2011 using BW MDX Driver:
Crystal Reports will lock up or freeze if you attempt to connect a report to a BEx query.
Data Services RFC Test Fails:
10/19/2012 23:10:40 [ INFO ] RFC Server connection 1-BW|SAPGW0x|PROGRAM catched java.lang.Exception: CPIC-CALL: SAP_CMACCPTP3 on convId:
LOCATION SAP-Gateway on host server.name.om / sapgw01
ERROR registration of tp TRANSPORT_NAME from host
remote.hostname.local not allowed
TIME Fri Oct 19 23:10:40 2012