For an RFC call that uses a TCP/IP connection to call a registered program, the AS ABAP is the initiator of the communication and the registered program is the acceptor.
One example of such a connection is the connection from an AS ABAP to an AS Java server. In this case, the AS ABAP uses the Java Connector (JCo) to establish the connection.
Initiator (AS ABAP)
To specify the SNC options for the initiator (AS ABAP), use transaction SM59. For more information, see Maintaining RFC Destinations and their SNC Options Using Transaction SM59.
Acceptor (Registered Program)
To apply SNC protection to registered programs that communicate with AS ABAP systems using RFC, you need to specify the SNC options either in the saprfc.ini file or by using the program interface in rfclib. This section describes how to specify the information in saprfc.ini.
For more information about using rfclib, see C Program Interfaces.
The program may have a user interface for maintaining the parameters. For more information, see the program documentation.
On the AS Java, use the JCo RFC Provider service to make the settings. For more information, see the AS Java documentation.
You have provided or installed accepting credentials for the RFC server program. (The procedure for installing credentials depends on the security product that you use.)
Set the SNC parameters in saprfc.ini as shown in the table below.
Parameter | Description | Required or Optional | Permitted Values | Default |
---|---|---|---|---|
SNC_LIB | Path and file name of the GSSAPI library | Required | String value | None |
SNC_MODE | SNC activation indicator | Required | 0, 1 (0 = SNC disabled, 1 = SNC activated) | None |
SNC_QOP | Quality of protection (protection level) | Optional | 1, 2, 3, 8, 9 | 3 |
SNC_MYNAME | SNC name of the RFC server program | Optional | String value | The SNC name contained in the SNC options of the RFC destinations. |
You can use the parameter SNC_MYNAME to locally define the name that corresponds to the credentials for the RFC server program. If you do, then make sure that this SNC name corresponds to the SNC name as defined in the SNC options (SNC partner name) for the RFC destination for this server program. If you do not locally define SNC_MYNAME, then the registered program uses the SNC name defined in the RFC destination.
Example destination in the saprfc.ini file:
DEST=ABC_S
TYPE=R
PROGID=host4.srfcserv
GWHOST=host1
GWSERV=sapgw01
SNC_MODE=1
SNC_MYNAME=p:CN=testuser, OU=TEST01, O=myCompany, C=US
SNC_LIB=C:\SAP_Cryptolib\sapcrypto.dll
Using SNC with Registered Programs
You can only enter one SNC partner name when you enter the SNC options for RFC destinations. Therefore, if two or more programs have the same registered program ID, they must also use the same credentials. This is generally not a problem if the programs are started on the same computer.
However, starting registered programs on different computers is only possible if the same credentials can be used on the different computers. Whether or not this is supported depends entirely on the security product used. Normally, it is not supported and not recommended!
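The parameter table and the shared-credentials rule above can be checked mechanically before a registered program is deployed. The following audit script is an added example, not SAP code: the function names are hypothetical, and it assumes each saprfc.ini destination starts with a DEST= line followed by one KEY=VALUE pair per line.

```python
# Added example. Assumes each entry starts with DEST= and has one KEY=VALUE per line.
from collections import defaultdict
PERMITTED_QOP = {"1", "2", "3", "8", "9"}  # permitted SNC_QOP values from the table

def parse_destinations(text):
    """Return one dict of parameters per destination in saprfc.ini text."""
    dests = []
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")  # SNC names contain "=" too
        key = key.strip().upper()
        if sep and key == "DEST":
            dests.append({})
        if sep and dests:
            dests[-1][key] = value.strip()
    return dests

def audit_snc(text):
    """Return sorted (name, finding) pairs for TYPE=R (registered program) entries."""
    findings, names = [], defaultdict(set)
    for d in parse_destinations(text):
        if d.get("TYPE", "").upper() != "R":
            continue
        checks = [
            (d.get("SNC_MODE") != "1", "SNC_MODE is not 1: SNC is not activated"),
            (not d.get("SNC_LIB"), "SNC_LIB is required but missing"),
            (d.get("SNC_QOP", "3") not in PERMITTED_QOP, "SNC_QOP value not permitted"),
        ]
        findings += [(d["DEST"], msg) for failed, msg in checks if failed]
        if "PROGID" in d and "SNC_MYNAME" in d:
            names[d["PROGID"]].add(d["SNC_MYNAME"])
    findings += [(progid, "PROGID used with different SNC_MYNAME values")
                 for progid, seen in names.items() if len(seen) > 1]
    return sorted(findings)

# Constructed sample: ABC_S is the page's example, ABC_T is made up for the audit.
SAMPLE = r"""DEST=ABC_S
TYPE=R
PROGID=host4.srfcserv
SNC_MODE=1
SNC_MYNAME=p:CN=testuser, OU=TEST01, O=myCompany, C=US
SNC_LIB=C:\SAP_Cryptolib\sapcrypto.dll
DEST=ABC_T
TYPE=R
PROGID=host4.srfcserv
SNC_MODE=0
SNC_QOP=5
SNC_MYNAME=p:CN=otheruser, OU=TEST01, O=myCompany, C=US"""
if __name__ == "__main__":
    print(*audit_snc(SAMPLE), sep="\n")
```

A destination that passes still depends on the SNC partner name in the SM59 destination matching SNC_MYNAME, which this script cannot see.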
Gateway Operations
For information about SNC with gateway operations, see Profile Parameter Settings on the Gateway.