Kofax

SAP link is not allowed to register on the SAP gateway

Article # 3036016

Issue

Unable to send messages from SAP to KCS due to enhanced security settings on SAP introduced with kernel 640.

The following errors might be reported:

  • When checking the status of these messages in SAP transaction /nSOST, they will show up with error code:
    751: "Message cannot currently be transferred to node TCLINKSC-Node due to connection Error"
  • The connection test in SAP transaction /nSM59 also reports a connection error.
    ERROR: timeout during allocate of registered program
  • The TC/LINK-SC reports an event log entry 15026, stating that the registration is not allowed.
    Type :             Warning
    Event :            15026
    Description:
    RFC Server connection error, RFC function: RfcListen RFC error string: KEY=RFC_IO5
    STATUS=RFC DRV=??? ??? MESSAGE=CPIC-CALL: 'SAP_CMACCPTP : rc=20
    LOCATION           SAP-Gateway on host SAP-Gateway / sapgw00
    ERROR              registration of tp TCLINKSC.PROGID from host KCSServer not allowed
    TIME               Fri Feb 16 14:31:10 201
    RELEASE            720
    COMPONENT          SAP- INTSTAT=IO HANDLE=22 DRV=??? LINE=2178 CODE=5 RFC connection
    errors typically occur due to network problems. Check RFC error string, verify
    network connection to SAP gateway and R/3 application server. Contact SAP System
    Administrator on persistent RFC error.

Cause

Assuming the following configuration items are correct, this is caused by enhanced security features introduced in SAP Kernel 640.

  • RFC User, password, RFC Destination and RFC Node are setup correctly in SAP and on TC/LINK-SC side.
  • Within KCS Monitor the TC/LINK-SC is shown as green and active.

With SAP Kernel 640, SAP has improved their security settings: external programs like TC/LINK-SC are only allowed to register at the SAP Gateway if they are specifically listed in a file of allowed applications.

Solution

Allowed applications are stored in the ACL list of the gateway. By default, this gateway ACL check is now enabled. You can verify this as follows:

  1. Ask the SAP administrator to start the SAP transaction /nRZ10 (Edit profiles)
  2. You will get a selection box for the profile, which includes the Default profile, Instance profile and Start profile.
  3. Select the Instance profile
  4. In the Edit Profile selection box, choose Extended maintenance and press the Display button.
  5. In the instance profile you will find the parameter gw/acl_mode. If it is set to 1, the ACL check is enabled.
  6. You might set this gw/acl_mode parameter to 0 and restart the SAP gateway to disable the ACL checking, but this is not the method recommended by SAP.
  7. If gw/acl_mode=1, SAP will check the additional files reg_info and sec_info.
    These files define which hosts and which programs are allowed to access the SAP gateway.
  8. To check the definitions in these files, ask the SAP administrator to start SAP transaction /nSMGW.
    Then select menu option Goto - Expert functions - External Security - Display (Sec Info) and Display (Reg Info).
  9. If the reg_info file does not exist, the system will show you a default file, which is used instead. The default file only allows local access.
  10. You will also see a comment showing where the SAP system expects the file to be located:
    If the SAP Server runs on a Windows machine, the file is named reginfo.DAT and is located in the sub folder data of the SAP instance directory.
  11. The syntax of this reginfo.DAT file is explained in SAP Note 1408081 - Basic settings for reg_info and sec_info.
    Basically, the P at the beginning of each line stands for Permit, while D would mean Deny.
    The TP parameter defines the programID used by this external application; * means that all programIDs are allowed.
    The HOST parameter defines which host names (FQDN or IP addresses) are allowed to access the SAP gateway; you can also use wildcards here.
  12. Now you have to add a rule, which allows the TCLINK to access the SAP gateway
  13. Ask the SAP Administrator to create an appropriate reginfo.DAT file within the operating system in the specified directory.
    Or possibly the file already exists and only needs to be modified to include TC/LINK-SC as an allowed application.
  14. Include the entries from the internal default and add a line, which allows the TCLINK machine to access the SAP gateway.
    In our test case we added a line to allow all KCS Servers having an IP 172.20.242.xxx to connect to the SAP server: P TP=* HOST=172.20.242.*
  15. After changing the file on operating system level you must select the menu option Goto - Expert functions - External Security - Reread to read the file again and make the changes active in SAP.
  16. Afterward you can display the file again using menu option Goto - Expert functions - External Security - Display (Reg Info).
  17. If the ACL file is modified correctly, restart the TC/LINK-SC and verify that the event log entries 15026 are not reported anymore.
  18. Send some test messages from the SAP GUI to verify that the messages are now picked up correctly.
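
The rule evaluation described in steps 11 to 14, as an added example (not Kofax or SAP code): a Python check that parses reginfo-style lines and reports whether a program ID and host would be permitted to register, run against the article's test rule and against a narrower rule that names the program ID from the event log. It assumes first-match evaluation with an implicit deny, handles only rules that give both TP and HOST, and uses the constructed address 172.20.242.15; SAP Note 1408081 remains the authority on syntax.

```python
import fnmatch

# Constructed samples. The first mirrors the article's test rule; the second
# names the program ID from the event log and one constructed KCS address.
PAGE_RULES = """\
# reginfo.DAT (constructed sample)
P TP=* HOST=local
P TP=* HOST=172.20.242.*
"""
NARROW_RULES = """\
P TP=* HOST=local
P TP=TCLINKSC.PROGID HOST=172.20.242.15
"""

def parse_reginfo(text):
    """Return [(action, {KEY: value})] for P/D lines that give both TP and HOST."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].upper() not in ("P", "D"):
            continue  # blank lines, comments, anything else
        opts = {k.upper(): v for k, v in (f.split("=", 1) for f in parts[1:] if "=" in f)}
        if "TP" in opts and "HOST" in opts:
            rules.append((parts[0].upper(), opts))
    return rules

def host_matches(patterns, host):
    # HOST may be a comma-separated list. The keywords local/internal depend on
    # the gateway's own view of the system, so this offline check skips them.
    return any(p.lower() not in ("local", "internal")
               and fnmatch.fnmatchcase(host.lower(), p.lower())
               for p in patterns.split(","))

def registration_allowed(rules, tp, host):
    """Assumed semantics: the first matching rule decides; no match means deny."""
    for action, opts in rules:
        if fnmatch.fnmatchcase(tp, opts["TP"]) and host_matches(opts["HOST"], host):
            return action == "P"
    return False

def overbroad_rules(rules):
    """Permit rules that accept every program ID from a wildcard host pattern."""
    return [o for a, o in rules if a == "P" and o["TP"] == "*" and "*" in o["HOST"]]

if __name__ == "__main__":
    for name, text in (("page rule", PAGE_RULES), ("narrow rule", NARROW_RULES)):
        rules = parse_reginfo(text)
        print(name, registration_allowed(rules, "TCLINKSC.PROGID", "172.20.242.15"),
              overbroad_rules(rules))
```

Both rule sets let TC/LINK-SC register; only the wildcard rule is reported by overbroad_rules, because it permits every program ID from the whole 172.20.242.* range.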

Level of Complexity 

Moderate

Applies to  

Product: Kofax Communication Server - TC/LINK-SC
Version: All