Show TOC

Security IssuesLocate this document in the navigation structure


In this section you can find general information about critical security issues when working with NW SAP RFC SDK.

Programming Issues

  • RFC client receiving callbacks from an SAP system

    If you want to enable an external RFC client to receive callbacks from an SAP system, you have to implement the corresponding RFC server functionality as well as the proper client functions of the external program. This means that the server-related security issues may affect your external RFC client as well.

  • Logon check for registered RFC servers

    If an RFC server is registered on an RFC gateway, it is generally possible to send calls from other SAP systems (not relevant to this gateway) or from external RFC clients to this server. If, for security reasons, the server should only be able to be called by specified systems or users, the server must implement its own logon data check and reject unwanted initiators.


    For detailed information on executing this logon check refer to SAP Note 1058327 Information published on SAP site.

Administration Issues

  • Using the sapnwrfc.ini file

    You can generally use the sapnwrfc.ini file as a repository for connection parameters that can be referenced by the corresponding functions in order to relieve programming activities. As the information included in this file is stored on the server's hard disc it may be subject to external attacks. Therefore it is strongly recommended that you avoid storing security-related data in this file. Security-critical parameters are mainly User and Password, but information about message server names, program ID, or gateway information may also be affected.

  • Configuring registered RFC servers using transaction SM59

    If you specify an external RFC server as an RFC destination using transaction SM59 you need to enter the corresponding program ID of the RFC server. This program ID can - if known - generally be used by other external servers (not related to the Gateway) to establish a connection to an SAP system. Therefore, we recommend that you:

    • Implement a dynamic (changeable) token for this program ID in the external RFC server.

    • Choose a value for this program ID that exhausts the provided number of digits in order to make it as secure as possible.

Further Information

You can find general information on RFC security issues here: