If you use a registered RFC server (based on the RFC SDK, SAP NetWeaver RFC SDK, JCo, .NET Connector or Business Connector), there is always the risk that an attacker registers a malicious external program under the program ID of an RFC destination and receives the RFC calls that were intended for the legitimate external RFC program.
To use the following procedure, the SAP system must fulfill the following prerequisites:
SAP Kernel 7.00
Patch Level 119
ABAP Support Package 13
You can use two different mechanisms to prevent unwanted external programs from registering with an RFC destination:
Use the reginfo file
Use SNC ( Secure Network Communications)
To use the reginfo file, proceed as follows:
In the $DIR_DATA directory, create a file with the name reginfo.
If you want to use another directory and/or file name, you can store the new filename in the gw/reg_info profile parameter.
The gateway reads the reginfo file at system start. Each line can contain one or more of the following values:
Program ID: the program ID of the registered server (as entered in the RFC destination) to which the following security settings apply.
Host name (or IP address) from which a registration can be made for this RFC destination.
Host name (or IP address) from which RFC calls may be sent to this RFC destination.
Host name (or IP address) from which registered external programs may be deregistered.
The Gateway allows registered programs to be deregistered remotely. There is the danger that an attacker uses this function for a denial of service attack. You can prevent such attacks by restricting the hosts that are authorized for this.
Maximum number of registered servers for the defined program ID.
Using the reginfo file, you can either explicitly permit or explicitly deny each activity (registration, deregistration, sending RFC calls) for a program ID.
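The following reginfo file is an added example of the procedure above; it is not taken from the original page. Host names and the program ID ORDERSRV are constructed. The keyword syntax (a P or D prefix for permit or deny, then TP, HOST, ACCESS, CANCEL and NO) is the gateway's reginfo syntax; the handling of fields that are left out differs between kernel releases, so every field is given explicitly here. The weak variant is left in as a comment so that it can be compared with the hardened one.

```text
#VERSION=2
# reginfo - constructed example, not part of the original page.
# The gateway evaluates the lines from top to bottom; the first line whose
# program ID (TP) and requesting host match decides.

# Weak (commented out): any host may register under the program ID, send it
# RFC calls and deregister it. An attacker on any reachable host can register
# a fake server under ORDERSRV or cancel the real one (denial of service).
# P TP=ORDERSRV HOST=* ACCESS=* CANCEL=* NO=10

# Hardened: only the two hosts running the real external server may register,
# only the application servers of this SAP system may send RFC calls to it,
# only the registering hosts may deregister it, and at most two parallel
# registrations are accepted.
P TP=ORDERSRV HOST=jcohost1.example.com,jcohost2.example.com ACCESS=sapci.example.com,sapapp2.example.com CANCEL=jcohost1.example.com,jcohost2.example.com NO=2

# Everything that no line above permits is denied.
D TP=*
```

Before adding the final deny line, list the program IDs that are currently registered at the gateway (transaction SMGW, logged-on clients) and add a permit line for each one that is legitimate, otherwise those servers can no longer register. ACCESS must name every host from which RFC calls reach the gateway, that is, every application server of the system that calls the destination, not only the central instance.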
To use SNC: when creating the RFC destination (transaction SM59), activate SNC for this destination and enter the SNC name of the external program.
The gateway then only permits a registration under the associated program ID if the external program registers using SNC (authenticating itself, for example, with its digitally-signed certificate) and the SNC name it authenticates with matches the SNC name defined in the destination.
This procedure is intended in particular to defend against IP spoofing attacks, which could otherwise circumvent the host-based security settings in the reginfo file.