Configuring SNC: External Programs to AS ABAP Using RFC

Use

For the communication path from an external program to SAP NetWeaver Application Server (AS) ABAP when using RFC, the external program is the initiator of the communication and the AS ABAP is the acceptor.

Tip

One example of such a connection is the connection from an AS Java to an AS ABAP server. In this case, the AS Java uses the Java Connector (JCo) to establish the connection.

Initiator (External Program)

To apply SNC protection to external programs that communicate with an AS ABAP using RFC, you need to specify the SNC options in either the saprfc.ini file or over the program interface in rfclib. This section describes how to specify the information in saprfc.ini.

For more information about using rfclib, see C Program Interfaces.

Note

The program may have a user interface for maintaining the parameters. See the program's documentation for details.

Example:

For example, on the AS Java you make the settings according to the application that establishes the connection. The application may also have its own user interface, or it may use the Destination or RFC Adapter service. For more information, see the AS Java documentation.

Prerequisites

  • You want to apply SNC protection to the communications between the RFC external program and the AS ABAP.
  • The external program uses the saprfc.ini file.

Procedure

Set the SNC parameters in saprfc.ini as shown in the table below.

SNC Parameters for RFC External Programs to AS ABAP

| Parameter | Description | Required or Optional | Permitted Values | Default |
|---|---|---|---|---|
| SNC_PARTNERNAME | SNC name of the communication partner (application server) | Required | String value | None |
| SNC_LIB | Path and file name of the gssapi library | Required | String value | None |
| SNC_MODE | SNC activation indicator | Required | 0, 1 (0 = SNC disabled, 1 = SNC activated) | None |
| SNC_QOP | Quality of protection (protection level) | Optional | 1, 2, 3, 8, 9 | 3 |
| SNC_MYNAME | SNC name of the user sending the RFC | Optional | String value | The name provided by the security product for the user currently logged on |

Example saprfc.ini file

DEST=XYZ_S
 TYPE=A
 ASHOST=host1
 SYSNR=01
 SNC_MODE=1
 SNC_PARTNERNAME=p:CN=sap01.host1, OU=TEST01, O=myCompany, C=US
 SNC_LIB=C:\SAP_Cryptolib\sapcrypto.dll

This example sets up the application server host1 as the RFC destination. The server's SNC name is p:CN=sap01.host1, OU=TEST01, O=myCompany, C=US and the SNC library is located at C:\SAP_Cryptolib\sapcrypto.dll.
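To check a saprfc.ini file against the parameter table above, the following added example (not SAP code and not part of the original documentation) parses the destination entries and reports missing or invalid SNC settings. The function names are hypothetical, and the LEGACY and BROKEN entries are constructed for illustration; only XYZ_S comes from this page.

```python
# Added example (not SAP code): audit saprfc.ini entries against the SNC parameter table.
QOP_ALLOWED = {"1", "2", "3", "8", "9"}  # permitted SNC_QOP values from the table

def parse_saprfc(text):
    """Return {DEST: {KEY: value}}; each DEST= line starts a new entry."""
    dests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        # Split on the first "=" only: SNC names such as p:CN=... contain "=".
        key, value = (part.strip() for part in line.split("=", 1))
        if key.upper() == "DEST":
            current = dests.setdefault(value, {})
        elif current is not None:
            current[key.upper()] = value
    return dests

def audit(text):
    """Return {DEST: [findings]}; an empty list means the SNC settings are complete."""
    report = {}
    for dest, params in parse_saprfc(text).items():
        findings = []
        if params.get("SNC_MODE") != "1":
            findings.append("SNC_MODE is not 1: SNC is not activated")
        else:
            for key in ("SNC_PARTNERNAME", "SNC_LIB"):
                if not params.get(key):
                    findings.append(key + " is required but not set")
            if params.get("SNC_QOP", "3") not in QOP_ALLOWED:
                findings.append("SNC_QOP must be one of 1, 2, 3, 8, 9")
        report[dest] = findings
    return report

# XYZ_S is the page's example; LEGACY and BROKEN are constructed for illustration.
SAMPLE = r"""
DEST=XYZ_S
TYPE=A
ASHOST=host1
SYSNR=01
SNC_MODE=1
SNC_PARTNERNAME=p:CN=sap01.host1, OU=TEST01, O=myCompany, C=US
SNC_LIB=C:\SAP_Cryptolib\sapcrypto.dll
DEST=LEGACY
ASHOST=host2
DEST=BROKEN
SNC_MODE=1
SNC_PARTNERNAME=p:CN=sap03.host3, OU=TEST01, O=myCompany, C=US
SNC_QOP=5
"""
```

Calling `audit(SAMPLE)` returns no findings for XYZ_S, one for LEGACY (SNC not activated) and two for BROKEN (missing SNC_LIB, invalid SNC_QOP).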

Acceptor (AS ABAP)

To configure the acceptor (the AS ABAP) for using SNC, set the profile parameters on the application server.

For more information, see Profile Parameter Settings on AS ABAP.

Note

The value contained in the parameter snc/accept_insecure_rfc determines whether or not to accept unprotected RFC connections. You can define this parameter to deny all insecure RFCs, accept all insecure RFCs, or accept insecure RFCs for specific users only (based on the Insecure communications permitted indicator in the table USRACL).

User Authentication in the SAP System

As with RFC calls without SNC protection, you need to specify a user and client in the RFC program when connecting to the SAP system. The following additional steps apply to the authentication procedure when using SNC:

  1. If the SNC name from the RFC program corresponds to the SNC name in the specified user's master record in the designated client, then the SAP system accepts the RFC logon request (without performing additional authentication).
  2. Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, user, and SNC name combination. If a matching entry is found, then the SAP system accepts the logon request (without performing additional authentication).
  3. Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, user, and an asterisk (*) as the SNC name. If a matching entry is found, then the system verifies the user's password. If the password is valid, then the SAP system accepts the logon as a secure logon.
  4. Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, an asterisk as the user ID, and the RFC program's SNC name. If a matching entry is found, then the system verifies the user's password. If the password is valid, then the SAP system accepts the logon as a secure logon.
  5. Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, an asterisk as the user ID, and an asterisk as the SNC name. If a matching entry is found, then the system verifies the user's password. If the password is valid, then the SAP system accepts the logon as a secure logon.
  6. Otherwise, the SAP system denies the logon request.
    Note

    When establishing the RFC connection:

    The RFC connection is established over a gateway port. For SNC-protected connection requests, the RFC library uses the secure gateway port, which accepts only SNC-protected connections. However, if both SNC and load-balancing are used, the RFC libraries also use the conventional gateway port for SNC-protected connections.
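The six-step logon decision described above can be modelled as a lookup function, which makes it easy to see which USRACLEXT rows let a logon succeed on the password alone. This is an added example, not SAP code and not part of the original documentation; the function name, data structures, users and SNC names are constructed for illustration.

```python
# Added example (not SAP code): the page's six-step SNC logon decision as a function.
WILDCARD = "*"

def snc_rfc_logon(client, user, snc_name, password_valid, master_snc, usraclext):
    """Return (accepted, step, password_checked) following steps 1-6.

    master_snc: {(client, user): SNC name stored in the user master record}
    usraclext:  set of (client, user, snc_name) rows; "*" is the wildcard value
    """
    # Step 1: the SNC name equals the one in the user's master record.
    if master_snc.get((client, user)) == snc_name:
        return (True, 1, False)
    # Step 2: exact client/user/SNC-name row, still without a password check.
    if (client, user, snc_name) in usraclext:
        return (True, 2, False)
    # Steps 3-5: wildcard rows; each one additionally verifies the password.
    wildcard_rows = [
        (3, (client, user, WILDCARD)),
        (4, (client, WILDCARD, snc_name)),
        (5, (client, WILDCARD, WILDCARD)),
    ]
    for step, row in wildcard_rows:
        if row in usraclext:
            # An invalid password cannot succeed at a later step either,
            # because every remaining step also verifies the password.
            return (password_valid, step, True)
    # Step 6: no matching entry, so the logon is denied.
    return (False, 6, False)

# Constructed sample data (not from the page).
JCO = "p:CN=jco01, O=myCompany, C=US"
MASTER_SNC = {("100", "ALICE"): "p:CN=alice, O=myCompany, C=US"}
USRACLEXT = {
    ("100", "BATCH", JCO),   # step 2: one program bound to one user
    ("100", "BOB", "*"),     # step 3: BOB from any SNC name, password required
    ("200", "*", "*"),       # step 5: any user from any SNC name in client 200
}

if __name__ == "__main__":
    print(snc_rfc_logon("100", "BATCH", JCO, False, MASTER_SNC, USRACLEXT))
    print(snc_rfc_logon("200", "EVE", "p:CN=unknown", True, MASTER_SNC, USRACLEXT))
```

A row such as the constructed `("200", "*", "*")` means the SNC name no longer restricts who may log on in that client; only the password does.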