- My customer wants to use TC/LINK-SC to send messages from SAP, but for some reason these messages are not transferred to TC/LINK-SC.
- RFC User, password, RFC Destination and RFC Node are setup correctly in SAP and on TC/LINK-SC side.
- Within KCS Monitor the TC/LINK-SC is shown as green and active
- When you check the status for these messages in SAP transaction /nSOST they will show up with error code
751: "Message cannot currently be transferred to node TCLINKSC-Node due to connection Error"
- The connection test in SAP Transaction /nSM59 also reports a connection error ERROR: timeout during allocate of registered program
- The TC/LINK-SC reports an event log entry 15026, that the registration is not allowed:
Type : Warning Event : 15026 Description: RFC Server connection error, RFC function: RfcListen RFC error string: KEY=RFC_IO5 STATUS=RFC DRV=??? ??? MESSAGE=CPIC-CALL: 'SAP_CMACCPTP : rc=20 LOCATION SAP-Gateway on host SAP-Gateway / sapgw00 ERROR registration of tp TCLINKSC.PROGID from host KCSServer not allowed TIME Fri Feb 16 14:31:10 201 RELEASE 720 COMPONENT SAP- INTSTAT=IO HANDLE=22 DRV=??? LINE=2178 CODE=5 RFC connection errors typically occur due to network problems. Check RFC error string, verify network connection to SAP gateway and R/3 application server. Contact SAP System Administrator on persistent RFC error.
- Where exactly is the problem and how to solve it?
- With SAP Kernel 640, SAP has improved their security settings.
External programs like TC/LINK-SC are only allowed to register at the SAP Gateway, if these applications are specifically listed in a file of allowed applications
- See also SAP Note 1069911 - GW: Changes to the ACL list of the gateway (reginfo).
- By default this Gateway ACL check is enabled in the instance profile of the SAP server and you can verify this as follows:
- Ask the SAP administrator to start the SAP transaction /nRZ10 (Edit profiles)
- You will get a selection box for the profile, which includes the Default profile, Instance profile and Start profile.
- Select the Instance profile
- In the Edit Profile selection box, choose Extended maintenance and press the Display button
- In the instance profile you will find the parameter gw/acl_mode and - if it is set to 1 - the ACL check is enabled.
- You might set this gw/acl_mode parameter to 0 and restart the SAP gateway to disable the ACL checking, but this is not the method recommended by SAP
- If gw/acl_mode=1, SAP will check additional files reg_info and sec_info.
These files contain an information, which hosts and which programs are allowed to access the SAP gateway.
- To check the definitions in these files, ask the SAP administrator to start SAP transaction /nSMGW
Select then menu option Goto - Expert functions - External Security - Display (Sec Info) and Display (Reg Info)
- If the reg_info file does not exist, the system will show you a default file, which is used instead. The default file only allows local access.
- You see also a comment where the SAP system expects the file to be located:
If the SAP Server runs on a Windows machine, the file is named reginfo.DAT and is located in the sub folder data of the SAP instance directory
- The syntax of this reginfo.DAT file is explained in SAP Note 1408081 - Basic settings for reg_info and sec_info
Basically the P at the beginning of each line stands for Permit, while D would mean Deny
Then the TP parameter defines the programID used by this external application, * means, that all programIDs are allowed
The HOST parameter defines, which host names (FQDN or IP addresses) are allowed to access the SAP gateway, here you can also use wildcards
- Now you have to add a rule, which allows the TCLINK to access the SAP gateway
- Ask the SAP Administrator to create an appropriate reginfo.DAT file within the operating system in the specified directory.
Or possibly the file does already exist and only needs to be modified to include TC/LINK-SC as allowed application.
- Include the entries from the internal default and add a line, which allows the TCLINK machine to access the SAP gateway.
In my case I added a line to allow all KCS Servers having an IP 172.20.242.xxx to connect to the SAP server: P TP=* HOST=172.20.242.*
- After changing the file on operating system level you must select the menu option Goto - Expert functions - External Security - Reread to read the file again and make the changes active in SAP.
- Afterward you can again to display the file using menu option Goto - Expert functions - External Security - Display (Reg Info)
- If the ACL file is modified correctly, restart the TC/LINK-SC and verify that the event log entries 15026 are not reported anymore.
- Send some test messages from the SAP GUI to verify that the messages are now picked up correctly.
See also related Articles in the SAP Help Portal:
- Gateway Security Files secinfo and reginfo: https://help.sap.com/saphelp_nw73/helpdata/en/e2/16d0427a2440fc8bfc25e786b8e11c/frameset.htm
- Security Settings in the Gateway: https://help.sap.com/saphelp_nw73/helpdata/en/48/b2096e7895307be10000000a42189b/frameset.htm
See also related SAP Notes:
- 1069911 - GW: Changes to the ACL list of the gateway (reginfo)
- 1105897 - GW: reginfo and secinfo with permit and deny ACL
- 1305851 - Overview note: "reg_info" and "sec_info"
- 1408081 - Basic settings for reg_info and sec_info
- 1525125 - Update #1 to Security Note 1408081
- 1592493 - GW: Problems in "reginfo" configuration
- 1850230 - GW: "Registration of tp <program ID> not allowed"
- 2104408 - Checklist for "program <program ID> not registered" errors
- Bullet list point 1 (Arial / Size 2 / Black)
- KCS TC/LINK-SC all versions
- SAP Kernel 6.40 or higher
Keywords: ID:15026 registration of tp TCLINKSC.PROGID from host KCSServer not allowed, reginfo, secinfo, rz10, smgw