
RFC: AS ABAP → AS ABAP

Use

For the communication path between two AS ABAP systems when using RFC, the calling AS ABAP is the initiator of the communication and the AS ABAP defined as the RFC destination system is the acceptor. Settings that are relevant for load balancing are made in the initiating AS ABAP system.

Initiator (AS ABAP)

To specify the SNC options for the initiating AS ABAP, use transaction SM59. See Maintaining RFC Destinations and their SNC Options Using Transactions. Depending on whether or not you use load balancing, note the following:

·        Without load balancing

If you do not use load balancing, then specify the SNC name of the destination application server in the SNC options for the destination in the Partners field.

·        With load balancing

If you use load balancing, the system (re-)determines the destination application server at the time of the RFC call. After determining the application server, the system retrieves the corresponding application server's SNC name from the message server and uses it to establish the SNC-protected communication.

In this case, enter the SNC name of the main instance in the Msg.-Server field. In the current implementation, the SNC name is parsed as a name, but is not used.

To configure the system to use the SNC name of a specific application server in case you disable load balancing, enter the desired application server's SNC name in the Partners field.  As long as you use load balancing, the system ignores the contents of this field.

Acceptor (AS ABAP)

To be able to receive SNC-protected RFCs from other AS ABAP systems, you need to specify the corresponding systems in the SNC system ACL. In the accepting AS ABAP:


       1.      Call transaction SNC0 to maintain entries in the SNC system ACL (table SNCSYSACL).

       2.      Create an entry for each application server from other systems that needs RFC access to this AS ABAP. To create an entry, choose Edit → New entries; to modify an existing one, choose Goto → Details.

Note

If you have multiple servers in a remote system that use different credentials (different SNC names), you need to make an entry for each server in the table SNCSYSACL.

The table maintenance screen appears.

       3.      Enter the System ID and SNC name of the initiating system in the corresponding fields.

       4.      Activate the Entry for RFC activated indicator.

       5.      If CPIC connections are also to be accepted for this connection, then also activate the Entry for CPIC activated indicator.

       6.      Save the data.

Note the following:

·        The SNCSYSACL entries that you make using transaction SNC0 are saved as external RFC destinations (type = E). Internal destinations (type = I) are automatically generated and not shown in transaction SNC0.

·        If RFCs are to occur within a single AS ABAP system as "external RFCs" to itself (meaning that you defined the RFC destination with the type ABAP Connections in transaction SM59), then you need to create an external destination entry (type = E) in addition to the automatically generated internal entry (type = I).

·        In addition, you need to specify whether the accepting AS ABAP should accept RFCs that do not use SNC protection. To allow insecure RFC connections, set the profile parameter snc/accept_insecure_rfc to the value "1" (see Profile Parameter Settings on AS ABAP).

System and User Authentication

When using SNC-protected RFCs between two AS ABAP systems, the application server from one system uses SNC to authenticate the application server of the other system. Based on the entries in SNCSYSACL (SNC name of the application server making the call), the accepting application server recognizes that the RFC call was initiated by another AS ABAP. The accepting AS ABAP then uses the standard RFC password or token-based authentication to apply the correct user account and authorizations to the RFC call.

Example

The table below shows an example for using the SNC system ACL.

Access Control List SNC Systems

| System ID | SNC Name | RFC Activated | CPIC Activated |
|-----------|----------|---------------|----------------|
| XYZ | p:CN=sap02.host2, OU=TEST02, O=myCompany, C=US | Yes | Yes |
| XYZ | p:CN=sap02.host3, OU=TEST01, O=myCompany, C=US | Yes | Yes |

User A in System XYZ (application server host2) performs an RFC call to system ABC (application server host1). Based on the information in the SNCSYSACL table, the system ABC uses SNC to authenticate the system XYZ. The system ABC then authenticates User A using the standard authentication mechanism (password or token) that was provided with the RFC request.
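The acceptor settings described above can be reviewed offline. The following is an added example, not SAP code: it audits a constructed SNCSYSACL listing for accepting system ABC against an inventory of expected calling application servers. The row layout, the function names, the finding codes and the host1 and host4 SNC names are assumptions made for illustration.

```python
import re

def norm(snc_name):
    # Assumption: whitespace around commas is ignored when comparing exported
    # text; the system's own name-matching rules are not modelled here.
    return re.sub(r"\s*,\s*", ",", snc_name.strip())

def audit(acl_rows, expected_callers, profile, cpic_needed=False):
    """Return sorted (code, sysid, snc_name) findings for the accepting system."""
    findings = []
    # Only external entries (type = E) are maintained in SNC0; internal
    # entries (type = I) are generated and do not cover "external" RFCs.
    external = {(r["sysid"], norm(r["snc_name"])): r
                for r in acl_rows if r["type"] == "E"}
    wanted = {(s, norm(n)) for s, n in expected_callers}
    for key in wanted:
        row_ = external.get(key)
        if row_ is None:
            findings.append(("MISSING_ENTRY",) + key)
        elif not row_["rfc"]:
            findings.append(("RFC_NOT_ACTIVATED",) + key)
    for key, row_ in external.items():
        if key not in wanted:
            findings.append(("UNEXPECTED_ENTRY",) + key)
        if row_["cpic"] and not cpic_needed:
            findings.append(("CPIC_ACTIVATED",) + key)
    if profile.get("snc/accept_insecure_rfc") == "1":
        findings.append(("INSECURE_RFC_ACCEPTED", "", ""))
    return sorted(findings)

def row(sysid, snc_name, typ, rfc=True, cpic=False):
    return {"sysid": sysid, "snc_name": snc_name, "type": typ, "rfc": rfc, "cpic": cpic}

# Constructed sample for accepting system ABC. The two XYZ names come from
# the page's example table; the host1 and host4 names are hypothetical.
HOST2 = "p:CN=sap02.host2, OU=TEST02, O=myCompany, C=US"
HOST3 = "p:CN=sap02.host3, OU=TEST01, O=myCompany, C=US"
HOST4 = "p:CN=sap02.host4,OU=TEST01,O=myCompany,C=US"
OWN = "p:CN=sap01.host1, OU=TEST01, O=myCompany, C=US"
ACL = [row("XYZ", HOST2, "E", cpic=True), row("XYZ", HOST3, "E", cpic=True),
       row("ABC", OWN, "I")]
EXPECTED = [("XYZ", HOST2), ("XYZ", HOST3), ("XYZ", HOST4), ("ABC", OWN)]

if __name__ == "__main__":
    for finding in audit(ACL, EXPECTED, {"snc/accept_insecure_rfc": "1"}):
        print(*finding)
```

On the sample data the audit reports the missing entry for the third XYZ server, the missing type E entry for ABC calling itself, both CPIC activations, and the insecure RFC setting.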

 

 
