Network Security and Communication

Use

This section gives you an overview of the security-relevant topics in the area of network security and communication.

Preventing Misuse of the RFC Software Development Kit

Do not install the RFC Software Development Kit (RFC SDK) in your production system or on your application servers or front ends. For more information on avoiding misuse of the RFC SDK, see SAP Note 43417.

Restricting Access to External CPI-C or RFC Server Programs

You can restrict access to external server programs by using a suitable authorization check. For detailed information, see Restricting Access to External Server Programs.

Restricting Registration of External Server Programs

When you use an RFC server (based on RFC SDK, NW RFC SDK, JCo, .NET Connector or Business Connector), there is, under certain circumstances, the danger that a harmful external program registers itself as an RFC server.

Find out how to protect yourself against harmful registration: Restricting Registration of External Server Programs.

Restricting Access to RFC Server Program RFCEXEC or RFCEXEC.EXE

The program RFCEXEC is an external RFC server that can be addressed by the SAP system. This enables you to use the wide range of operating system functions.

This program is part of the classic RFC SDK and provides a good example of how you can implement an RFC server. Many applications now use this example program in a production environment. For this reason, access to the program has been restricted.

Note

For more information: SAP Note 618516.

A modified version of the program is available with SAP NetWeaver RFC SDK Patch Level 2.

For more information: SAP Note 1140031.

Allowing RFC Connections from Known and Selected Systems Only

Systems that you allow to communicate with one another using RFC should be protected by the appropriate network measures (see Network Measures). Operate your systems in a closed, secure LAN or use SAProuters and packet filters to control access to the systems.

Deactivating Remote Monitoring of Gateway

Note

The Gateway controls remote RFC and CPI-C communications. It reads queries and sets up work processes for the connection. It includes a monitor that you can use to analyze and administer the Gateway. In the standard system, you can access the gateway monitor locally or from a remote computer. However, we recommend that you deactivate remote monitoring of the Gateway.

To deactivate remote monitoring of SAP Gateways, set the profile parameter gw/monitor to 1 (see also SAP Note 64016).
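One way to check this setting across profile files, added here as an example (not SAP code). It assumes the usual `name = value` profile syntax with `#` comments and that an entry in the instance profile overrides DEFAULT.PFL; the function names, profile names and contents are constructed for illustration.

```python
import re

PARAM = "gw/monitor"
RECOMMENDED = "1"  # value this page recommends
_LINE = re.compile(r"^([A-Za-z0-9_/.\-]+)\s*=\s*(.*)$")

def parse_profile(text):
    """Return {param: (value, line_no)}. Assumption: the last entry for a parameter wins."""
    params = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or commented-out entry
            continue
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = (m.group(2).strip(), no)
    return params

def audit_gw_monitor(profiles):
    """profiles: list of (name, text), lowest precedence first
    (for example DEFAULT.PFL, then the instance profile)."""
    effective = None
    for name, text in profiles:
        hit = parse_profile(text).get(PARAM)
        if hit:
            effective = (name, hit[1], hit[0])
    if effective is None:
        # Not set anywhere: the kernel default applies and must be checked in the system.
        return {"status": "unset"}
    name, line_no, value = effective
    status = "ok" if value == RECOMMENDED else "review"
    return {"status": status, "value": value, "source": f"{name}:{line_no}"}

# Constructed sample profiles, not taken from a real system.
DEFAULT_PFL = """\
# constructed DEFAULT.PFL
SAPSYSTEMNAME = ABC
gw/monitor = 1
"""
INSTANCE_PFL = """\
# constructed instance profile
INSTANCE_NAME = D00
#gw/monitor = 1
gw/monitor = 2
"""

if __name__ == "__main__":
    print(audit_gw_monitor([("DEFAULT.PFL", DEFAULT_PFL), ("ABC_D00_host", INSTANCE_PFL)]))
```

The sample shows why both files need to be read: DEFAULT.PFL carries the recommended value, but the instance profile overrides it, so the result is flagged for review with the file and line that set it.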
