Configuring SNC: External Programs to AS ABAP Using RFC
Use
For the communication path from an external program to SAP NetWeaver Application Server (AS) ABAP when using RFC, the external program is the initiator of the communication and the AS ABAP is the acceptor.
Initiator (External Program)
To apply SNC protection to external programs that communicate with an AS ABAP using RFC, you need to specify the SNC options in either the saprfc.ini file or over the program interface in rfclib. This section describes how to specify the information in saprfc.ini.
For more information about using rfclib, see C Program Interfaces.
Prerequisites
- You want to apply SNC protection to the communications between the RFC external program and the AS ABAP.
- The external program uses the saprfc.ini file.
Procedure
Set the SNC parameters in saprfc.ini as shown in the table below.
SNC Parameters for RFC External Programs to AS ABAP
| Parameter | Description | Required or Optional | Permitted Values | Default |
|---|---|---|---|---|
| SNC_PARTNERNAME | SNC name of the communication partner (application server) | Required | String value | None |
| SNC_LIB | Path and file name of the gssapi library | Required | String value | None |
| SNC_MODE | SNC activation indicator | Required | 0, 1 (0 = SNC disabled, 1 = SNC activated) | None |
| SNC_QOP | Quality of protection (protection level) | Optional | 1, 2, 3, 8, 9 | 3 |
| SNC_MYNAME | SNC name of the user sending the RFC | Optional | String value | The name provided by the security product for the user currently logged on |
Example saprfc.ini file
```
DEST=XYZ_S
TYPE=A
ASHOST=host1
SYSNR=01
SNC_MODE=1
SNC_PARTNERNAME=p:CN=sap01.host1, OU=TEST01, O=myCompany, C=US
SNC_LIB=C:\SAP_Cryptolib\sapcrypto.dll
```
This example sets up the application server host1 as the RFC destination. The server's SNC name is p:CN=sap01.host1, OU=TEST01, O=myCompany, C=US and the SNC library is located at C:\SAP_Cryptolib\sapcrypto.dll.
Acceptor (AS ABAP)
To configure the acceptor (the AS ABAP) for using SNC, set the profile parameters on the application server.
For more information, see Profile Parameter Settings on AS ABAP.
User Authentication in the SAP System
As with RFC calls without SNC protection, you need to specify a user and client in the RFC program when connecting to the SAP system. The following additional steps apply to the authentication procedure when using SNC:
- If the SNC name from the RFC program corresponds to the SNC name in the specified user's master record in the designated client, then the SAP system accepts the RFC logon request (without performing additional authentication).
- Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, user, and SNC name combination. If a matching entry is found, then the SAP system accepts the logon request (without performing additional authentication).
- Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, user, and an asterisk (*) as the SNC name. If a matching entry is found, then the system verifies the user's password. If the password is valid, then the SAP system accepts the logon as a secure logon.
- Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, an asterisk as the user ID, and the RFC program's SNC name. If a matching entry is found, then the system verifies the user's password. If the password is valid, then the SAP system accepts the logon as a secure logon.
- Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, an asterisk as the user ID, and an asterisk as the SNC name. If a matching entry is found, then the system verifies the user's password. If the password is valid, then the SAP system accepts the logon as a secure logon.
- Otherwise, the SAP system denies the logon request.
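The lookup order above can be modeled as a small decision function. This is an added example, not SAP code: the `AclEntry` fields, the function name, the result labels, and the sample data are assumptions, and SNC names are compared as plain strings.

```python
from typing import Iterable, NamedTuple, Optional, Tuple

WILDCARD = "*"

class AclEntry(NamedTuple):
    """Simplified model of one USRACLEXT row (field names are assumptions)."""
    client: str
    user: str
    snc_name: str

def snc_logon_decision(client: str, user: str, snc_name: str,
                       master_snc_name: Optional[str],
                       acl: Iterable[AclEntry],
                       password_ok: bool) -> Tuple[str, str]:
    """Return (decision, matching rule) following the lookup order on this page.

    SNC names are compared as exact strings here, which is a simplification.
    """
    rows = set(acl)
    # 1. SNC name in the user's master record: no further authentication.
    if master_snc_name is not None and master_snc_name == snc_name:
        return "ACCEPT", "user master record"
    # 2. Exact client/user/SNC name entry: no further authentication.
    if AclEntry(client, user, snc_name) in rows:
        return "ACCEPT", "USRACLEXT exact entry"
    # 3-5. Wildcard entries in the page's order; each requires the password.
    wildcard_rules = [
        (AclEntry(client, user, WILDCARD), "USRACLEXT user/*"),
        (AclEntry(client, WILDCARD, snc_name), "USRACLEXT */SNC name"),
        (AclEntry(client, WILDCARD, WILDCARD), "USRACLEXT */*"),
    ]
    for entry, rule in wildcard_rules:
        if entry in rows:
            # A wrong password fails every remaining rule too, so deny here.
            if password_ok:
                return "ACCEPT_WITH_PASSWORD", rule
            return "DENY", rule + " (password invalid)"
    # 6. Nothing matched.
    return "DENY", "no matching entry"

# Constructed sample data, not taken from a real system.
CALLER = "p:CN=rfcclient, OU=TEST01, O=myCompany, C=US"
SAMPLE_ACL = [AclEntry("100", "BATCH01", CALLER), AclEntry("100", "*", "*")]

if __name__ == "__main__":
    for user, master in (("ALICE", CALLER), ("BATCH01", None), ("BOB", None)):
        print(user, snc_logon_decision("100", user, CALLER, master, SAMPLE_ACL, True))
    print("BOB/200", snc_logon_decision("200", "BOB", CALLER, None, SAMPLE_ACL, True))
```

Rules 1 and 2 are the only paths that skip the password check, so the SNC name mappings behind them are the ones to review most carefully.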