SAP systems can build trust relationships to one another in order to minimize the requirement for authentication when logging on to a remote system: If a calling system SAP system is known to the system being called as the calling system, then no password is required for the logon.
The calling R/3 System must be registered with the called R/3 System as a calling system. The called system is known as the trusting or system to be called.
Trust relationships between SAP systems offer the following benefits:
Single Sign-On is possible beyond system boundaries.
No passwords are transmitted in the network.
Timeout mechanisms for the logon data protect against illegal logon attempts.
User-specific logon data is checked in the called system.
The trust relationship is not mutual, meaning that it applies to one direction only. To establish a mutual trust relationship between two partner systems, you must define each of the two as a calling system in its respective partner system.
For extra security, you can use SAP’s SNC Interface (Secure Network Communications) for third-party security systems such as Kerberos and SECUDE.
In transaction SM59, you have defined the destination that you want to use to create the trust relationship.
Creating a Trust Relationship between SAP Systems
You can use a Wizard to create trust relationships between SAP systems. The Wizard guides you step-by-step through the required activities:
From the overview screen, call transaction SM59 and choose
Note
You can restrict access to transaction SMT1 using authorization object S_RFC_TT.
If calling systems have already been defined, they are displayed in a hierarchy tree. To display existing calling systems, expand the nodes in the hierarchy tree.
To create a trust relationship, choose Create.
The Wizard appears with an initial window and general information. If you press Continue, the actual maintenance steps appear:
Enter Destination: In this dialog box, enter the destination that you want to use to set up the trust relationship.
Display Information: All the necessary information, such as the application server name and the security key is supplied automatically.
Configuration: If you want to restrict the validity period of the logon data, enter a time (using the format hh.mm.ss) in the Validity period field. If you want to copy the transaction code of the calling program to the called system, select the relevant checkbox.
Note
Only then will an authorization check be performed in the called system for the transaction code (field RFC_TCODE of authorization object S_RFCACL).
Note
If a trust relationship is deleted, and no valid logon data exists, the logon screen for the system in question appears. You then need to log on to this system in order to complete the deletion.
Finish: When you press this pushbutton in the last dialog box, the trust relationship is set up and can be used.
Displaying and Changing Destinations for Calling Systems
You can find a list of all calling systems on the tab page Systems whose calls are trusted. By double-clicking a system name, you can call a detail screen displaying the settings for the system in question.
To change existing destinations for a system, choose Destination Maintenance in the detail screen.
Note
To prevent other users from making changes to your destinations, select the Destination not changeable checkbox in the Administration tab page. To release destinations for changes again, deselect this checkbox.
Note that destinations must be kept consistent. You are therefore not allowed to change the ID of the target system, the system number, or the destination name.
Displaying Called Systems
In transaction SMT1, you can also display a list of all called systems (tab page Systems that trust the current system). To display the settings for the called system, double-click the name of the system in question.
If you click on Transaction Call, a dialog box opens where you can enter the transaction code for a transaction that you want to run in the called system. You can also specify whether the transaction is to be executed in the same session, or in a new one.
Logon Authorization Check in the Called System
An authorization check is performed on the logon data used to log on to a called system.
The check searches for the system name, client, user name, and other optional data in the data provided by the calling system, and checks these against the field values in authorization object S_RFCACL.
Note
The system administrator can check a user’s logon data using function module AUTHORITY_CHECK_TRUSTED_SYSTEM.
Testing Calling Systems
To test a calling system, you can perform the authorization checks for the current server and the called rusting system. To do this, choose
. If no valid logon data is found, the logon screen for the calling system appears. Log on here.Troubleshooting
If your login attempt fails, you will receive the following message: No authorization to log in as trusted system (error code = <0|1|2|3>). Note that you are not authorized to use users DDIC and SAP*.
The error code explanation is as follows:
0: Invalid login data (user ID and client) for the calling system
Solution: Create the user ID for the client in the called system.
1: No trusted system entry exists for the calling system, or the security key for the system is invalid.
Solution: Create the calling system entry again.
2: The user does not have authorization (object S_RFCACL) for the calling system.
Solution: Provide the user with the necessary authorization.
3: The time stamp of the login data is invalid.
Solution: Check the clock settings on both the client and server host and the expiration date of the login data. (Note that the default setting 00:00:00 means no time limit).
You can find further information about errors in trust relationships in SAP Note 128447.