Restricting Registration of External Server Programs
Use
If you use a registered RFC server (based on RFC SDK, SAP NetWeaver RFC SDK, JCo, .NET Connector or Business Connector), there is always a risk that an attacker registers a harmful external program on an RFC destination and intercepts RFC calls that are meant for the correct external RFC program.
Prerequisites
To use the following procedure, the SAP system must fulfill the following prerequisites:
- SAP Kernel 7.00
- Patch Level 119
- ABAP Support Package 13
Procedure
You can use two different mechanisms to prevent unwanted external programs from registering with an RFC destination:
- Use the reginfo file
- Use SNC (Secure Network Communications)
To do this, follow the procedure below:
reginfo File
- In the $DIR_DATA directory, create a file with the name reginfo.
- The reginfo file is imported at system start. Each row can contain one or more of the following values:
  - Program ID: defines the RFC destination to which the following security settings are assigned.
  - Host name (or IP address) from which a registration can be made for this RFC destination.
  - Host name (or IP address) from which RFC calls may be sent to this RFC destination.
  - Host name (or IP address) from which registered external programs may be deregistered.
  - Maximum number of registered servers for the defined program ID.
SNC
- When creating an RFC destination (transaction SM59), activate SNC for this destination and define an SNC name for the external program.
  The Gateway then allows registration for the related program ID only if the external program registers itself using SNC with a digitally signed certificate that contains the defined SNC name.
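The reginfo values listed above can be reviewed mechanically. The following Python check is an added example, not SAP code: it assumes the classic one-line rule syntax with the keywords TP, HOST, ACCESS, CANCEL and NO (this page does not give the keyword names), and its review policy of flagging wildcards and unset values is the example's own. The sample rules are constructed.

```python
import re

# Assumption: keyword names TP, HOST, ACCESS, CANCEL, NO come from SAP gateway
# documentation, not from this page. They map to the five values listed above.
HOST_KEYS = ("HOST", "ACCESS", "CANCEL")

# Constructed sample rules, not taken from a real system.
SAMPLE = """\
# reginfo under review
TP=TAXCALC HOST=10.1.1.20 ACCESS=10.1.1.10,10.1.1.11 CANCEL=10.1.1.10 NO=1
TP=* HOST=* ACCESS=*
"""

def parse_reginfo(text):
    """Return one dict per rule line; host values become lists."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        rule = {"line": lineno}
        for key, value in re.findall(r"(\w+)=(\S+)", line):
            key = key.upper()
            rule[key] = value.split(",") if key in HOST_KEYS else value
        rules.append(rule)
    return rules

def audit(rules):
    """Flag rules that do not pin down who may register, call or deregister."""
    findings = []
    for r in rules:
        tp = r.get("TP", "")
        where = f"line {r['line']} TP={tp or '?'}"
        if not tp:
            findings.append(f"{where}: no program ID")
        elif "*" in tp:
            findings.append(f"{where}: wildcard program ID")
        for key in HOST_KEYS:
            hosts = r.get(key)
            if hosts is None:
                findings.append(f"{where}: {key} not set explicitly")
            elif any("*" in h for h in hosts):
                findings.append(f"{where}: {key} contains a wildcard")
        if "NO" not in r:
            findings.append(f"{where}: no limit on registered servers (NO)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_reginfo(SAMPLE))))
```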
More Information
For detailed information on configuring Gateway and the reginfo file:
For detailed information on SNC, see the SNC User's Guide:
- http://service.sap.com/security

