
RFC: TCP/IP Connection - Start an External Program on an Explicit Host

An external RFC server program started on an explicit host is started directly by a gateway and therefore has access to the same environment as the gateway.

For an RFC call that uses a TCP/IP connection to start an external program on an explicit host, the AS ABAP is the initiator of the communication and the external program is the acceptor.

Initiator (SAP System)

To specify the SNC options for the initiator (AS ABAP), use transaction SM59. See Maintaining RFC Destinations and their SNC Options Using Transaction SM59.

Note

If you do not specify a gateway in the RFC destination maintenance, then the external RFC server program is started by the application server's standard gateway. This setup is very similar to the one described in RFC: TCP/IP Connection - Start an External Program on an Application Server. However, in this case, the system ignores the SNC partner name defined in the RFC destination's SNC options and instead uses the application server's SNC name as the SNC name for the external RFC server program.

Acceptor (External Program)

You do not need to specify any additional SNC options for external programs that start on an explicit host. The programs retrieve the SNC information that they need as follows:

·        SNC mode and quality of protection

The SNC mode (active or inactive) for the connection and the quality of protection are defined in transaction SM59 for the initiator and are automatically sent to the program to be started.

·        Name and location of the external library

To specify the path and file name of the external library, the gateway that starts the external RFC server program sends the value of its own profile parameter snc/gssapi_lib to the external program as a command line parameter. (This command line parameter value overrides the SNC_LIB environment variable value.)

·        SNC name for the external program

The RFC server program's SNC name is the name defined as the SNC partner name in the RFC destination (using transaction SM59). It is sent to the external RFC server program in the RFC request. The external RFC server program extracts this name from the SNC protocol that frames the RFC request and uses it to acquire its accepting credentials.

Gateway Operations

See Profile Parameter Settings on the Gateway for information pertaining to SNC with gateway operations.

In addition, note the following:

·        Make sure that SNC is activated for the gateway (snc/enable = 1) and that the path and file name of the external library are contained in the profile parameter snc/gssapi_lib.

·        By default, the gateway does not start external programs without SNC protection. To enable the starting of external programs without SNC protection, set the gateway's profile parameter snc/permit_insecure_start to the value "1".

·        When using SNC, we recommend having the gateway start external RFC server programs locally and not on remote hosts. Disable the starting of programs on remote hosts as described in Profile Parameter Settings on the Gateway.

Recommendation

The gateway uses the common Berkeley remote shell (rsh or remsh) to start programs on remote hosts. The Berkeley remote shell performs only a simple authentication based on the IP address and cannot protect the TCP data stream that it uses. Therefore, we recommend that you do not start programs on remote hosts when using SNC.

     However, if the RFC server program does have to start on a remote host, then make sure that the path and file name of the external library are also valid on the remote host. (The location of the library is specified in the gateway's profile parameter snc/gssapi_lib and sent to the external program on the remote host. This path and file name must be valid on the remote host.)
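The gateway settings listed above can be checked against a profile file with a short script. The following is an added example, not SAP code: the profile text and library path are constructed sample values, and the parser assumes plain "name = value" lines with "#" comments, keeping the last value when a parameter repeats.

```python
import os

# Constructed sample gateway profile (not from a real system).
SAMPLE_PROFILE = """\
# gateway instance profile (sample)
snc/enable = 1
snc/gssapi_lib = /path/to/snc-library.so
snc/permit_insecure_start = 1
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines.
    Assumption: a later definition of a parameter replaces an earlier one."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def audit_snc(params, lib_exists=os.path.isfile):
    """Return (parameter, finding) pairs for the settings this page names.
    lib_exists is injectable so the same check can be run for the path
    as seen on a remote host where programs are started."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append(("snc/enable", "SNC is not activated for the gateway"))
    lib = params.get("snc/gssapi_lib", "")
    if not lib:
        findings.append(("snc/gssapi_lib", "no external library configured"))
    elif not lib_exists(lib):
        # The gateway passes this path to the started program, so it must
        # resolve on the host where the program runs.
        findings.append(("snc/gssapi_lib", "library not found: " + lib))
    if params.get("snc/permit_insecure_start") == "1":
        findings.append(("snc/permit_insecure_start",
                         "programs may be started without SNC protection"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: {finding}")
```
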

 

 
