Show TOC

Network Security and CommunicationLocate this document in the navigation structure


Using ICF Services

To use the ICF to communicate with other systems, you must activate separately each individual service that you want use.


Since each active service could potentially perform security-relevant functions in other systems, it is important that you only activate those services that you really need.

Using Virtual Hosts

It is possible to redirect inbound HTTP requests to another system using a specific URL parameter.

To avoid this mechanism from being abused, zou can use the Virtual Host concept of the ICF. For this it is necessary to create an ICF service tree for each virtual host.

Using Trusted System Networks

If you use HTTP RFC destinations (RFC connection type H) for ICF communications with another SAP system, you can set up a Trusted System network, as with RFC communications.

In a scenario that consists of trusted systems, servers in one system trust servers from another system. Users in the first system (system A) who access the second system (system B), are not authenticated by passwords each time they access system B. System B trusts system A; this trust relationship allows system B to accept the user from system A without any further authentication. The user must have user accounts in both systems and gets the authorizations from the target system, in this case system B.

Figure 1: SAP Trusted System Network

The benefit of this procedure is that users only need to authenticate themselves once when they communicate with trusting systems. No logon information needs to be sent across the network.

However, to guarantee the security of trusting systems, you must check the following prerequisites, which entail an increased amount of administration:

  • The systems must have the same level of security requirements. (This means they must represent a single 'virtual'SAP system.) Do not implement the trusted system concept between systems with very different levels of security requirements, for example, between your development system and your personnel system.

  • The systems must have a compatible user administration concept and share an authorization concept. Users who exist in one system must exist in all systems.

Only if you meet these requirements do we recommend the implementation of a trusted system concept.