Secure VH for RFC: Concept
Configure a virtual host for SNC communication only
You can use the UCON RFC basis scenario to create a dedicated virtual host for SNC communication only (known as a Secure VH).
This procedure is recommended in the following situation: You classify specific remote-enabled function modules (RFMs) as critical to security in your system and you want them to be accessed externally using only SNC. Any external calls of these RFMs without SNC are then rejected. At the same time, you do not want to restrict all RFMs in your system to SNC-only access, for example, because you want specific RFMs to be callable from external systems and SNC cannot be configured for them (or only with a lot of work).
Process
- In the case of RFMs that are critical to security and that you want to protect using stronger encryption, authentication, and Single Sign-On mechanisms, use a dedicated Communication Assembly (called Secure CA). Any RFMs assigned to the Secure CA can only be called using SNC.
- For RFMs in the Default CA, the regular RFC security measures (including UCON RFC basis protection) are sufficient. These RFMs can also be called without SNC.
Using the UCON phase manager tool, you can identify RFC calls that were:
- made using SNC only and are critical to security
- made with and without SNC and are also critical to security
In the final phase, always make sure that only those RFMs are assigned to the Secure CA that were already called using SNC or that can be called using SNC. You can achieve this by using the results list of the phase manager tool. Here, you can check all RFMs that are assigned to the Secure CA at the end of the evaluation phase and ensure that:
- They were called using SNC only up until now, or
- The relevant destinations were modified accordingly.
If these conditions are not met and the RFMs in question still need to be called externally, you must assign them to the Default CA.
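The final-phase check described above can be scripted against an exported call list. The following Python sketch is an added example, not SAP code: the CSV columns, RFM names, destination names, and verdict labels are constructed assumptions and do not reflect an actual UCON export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; column names are assumptions, not a real UCON export.
SAMPLE_CALLS = """rfm,destination,snc
Z_PAYMENT_RELEASE,BANK_GW,yes
Z_PAYMENT_RELEASE,BANK_GW,yes
Z_HR_SALARY_READ,HR_PORTAL,yes
Z_HR_SALARY_READ,LEGACY_BATCH,no
Z_KEY_ROTATE,OPS_TOOL,no
Z_KEY_ROTATE,OPS_TOOL,yes
"""

# Hypothetical RFMs planned for the Secure CA at the end of the evaluation phase.
SECURE_CA = {"Z_PAYMENT_RELEASE", "Z_HR_SALARY_READ", "Z_KEY_ROTATE", "Z_AUDIT_EXPORT"}
# Hypothetical destinations that have already been modified to use SNC.
SNC_READY_DESTINATIONS = {"OPS_TOOL"}


def review_secure_ca(calls_csv, secure_ca, snc_ready):
    """Return {rfm: (verdict, destinations still calling without SNC)}."""
    seen = set()
    non_snc = defaultdict(set)
    for row in csv.DictReader(io.StringIO(calls_csv)):
        rfm = row["rfm"].strip()
        if rfm not in secure_ca:
            continue  # Default CA RFMs are outside this check
        seen.add(rfm)
        if row["snc"].strip().lower() != "yes":
            non_snc[rfm].add(row["destination"].strip())

    result = {}
    for rfm in sorted(secure_ca):
        blocking = sorted(non_snc[rfm] - snc_ready)
        if rfm not in seen:
            verdict = "NO_CALLS_RECORDED"  # no evidence either way: review manually
        elif not non_snc[rfm]:
            verdict = "OK_SNC_ONLY"  # called using SNC only up until now
        elif not blocking:
            verdict = "OK_DESTINATIONS_MODIFIED"  # non-SNC callers already switched
        else:
            verdict = "MODIFY_DESTINATION_OR_DEFAULT_CA"
        result[rfm] = (verdict, blocking)
    return result


if __name__ == "__main__":
    report = review_secure_ca(SAMPLE_CALLS, SECURE_CA, SNC_READY_DESTINATIONS)
    for rfm, (verdict, blocking) in report.items():
        print(f"{rfm:20} {verdict:34} {', '.join(blocking)}")
```

An RFM reported as MODIFY_DESTINATION_OR_DEFAULT_CA lists the destinations that would be rejected once the Secure CA is enforced.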