In this section you can find general information about critical security issues when working with NW SAP RFC SDK.
RFC client receiving callbacks from an SAP system
If you want to enable an external RFC client to receive callbacks from an SAP system, you have to implement the corresponding RFC server functionality as well as the proper client functions of the external program. This means that the server-related security issues may affect your external RFC client as well.
Logon check for registered RFC servers
If an RFC server is registered on an RFC gateway, it is generally possible to send calls to this server from other SAP systems (not relevant to this gateway) or from external RFC clients. If, for security reasons, only specific systems or users may call the server, the server must implement its own logon data check and reject unwanted callers.
For detailed information on executing this logon check, refer to SAP Note 1058327.
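The following is an added example of such a logon check, not code from SAP or from the SDK. It shows the shape of a registered server function that compares the caller's system ID, client and user against an allow-list before doing any work. With the real NW RFC SDK the server function obtains these values from RfcGetConnectionAttributes() (fields sysId, client, user, partnerHost of RFC_ATTRIBUTES, as SAP_UC strings) and rejects the call by filling errorInfo and returning RFC_EXTERNAL_FAILURE; the plain-char caller_attrs struct, the ALLOW list, the MY_RFC_* codes and the errmsg buffer used here are assumptions so that the example builds and runs without sapnwrfc.h.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the RFC_ATTRIBUTES fields this check needs.
 * With the real SDK these come from RfcGetConnectionAttributes() as
 * SAP_UC (UTF-16) strings; plain char is used here so the example
 * builds without sapnwrfc.h (assumption). */
typedef struct {
    const char *sysId;        /* system ID of the caller, e.g. "PRD" */
    const char *client;       /* client of the caller, e.g. "100" */
    const char *user;         /* user the caller logged on with */
    const char *partnerHost;  /* host the call came from, logged only */
} caller_attrs;

/* One allow-list entry; "*" matches any value for that field. */
typedef struct {
    const char *sysId;
    const char *client;
    const char *user;
} allow_entry;

/* Constructed allow-list: the batch user of PRD client 100, and any user
 * of QAS client 200. Everything else is rejected. */
static const allow_entry ALLOW[] = {
    { "PRD", "100", "BATCH_RFC" },
    { "QAS", "200", "*" },
};

/* Return codes modelled on the SDK's RFC_RC values RFC_OK and
 * RFC_EXTERNAL_FAILURE (prefixed so they do not clash with the SDK). */
enum { MY_RFC_OK = 0, MY_RFC_EXTERNAL_FAILURE = 1 };

static int field_matches(const char *pattern, const char *value) {
    if (value == NULL) return 0;           /* missing attribute never matches */
    return strcmp(pattern, "*") == 0 || strcmp(pattern, value) == 0;
}

/* Returns 1 if the caller is on the allow-list, 0 otherwise. */
int caller_allowed(const caller_attrs *a) {
    size_t i;
    for (i = 0; i < sizeof ALLOW / sizeof ALLOW[0]; i++) {
        if (field_matches(ALLOW[i].sysId, a->sysId) &&
            field_matches(ALLOW[i].client, a->client) &&
            field_matches(ALLOW[i].user, a->user))
            return 1;
    }
    return 0;
}

/* Shape of a server function: the logon check runs before any business
 * logic. In the real SDK the rejection is reported by filling
 * errorInfo->code / errorInfo->message and returning RFC_EXTERNAL_FAILURE;
 * here errmsg stands in for errorInfo->message. */
int my_server_function(const caller_attrs *a, char *errmsg, size_t errlen) {
    if (!caller_allowed(a)) {
        snprintf(errmsg, errlen, "logon check failed for %s/%s/%s from %s",
                 a->sysId ? a->sysId : "?", a->client ? a->client : "?",
                 a->user ? a->user : "?", a->partnerHost ? a->partnerHost : "?");
        fprintf(stderr, "REJECT: %s\n", errmsg);   /* keep an audit trail */
        return MY_RFC_EXTERNAL_FAILURE;
    }
    /* ... read importing parameters, do the work, fill exporting ones ... */
    errmsg[0] = '\0';
    return MY_RFC_OK;
}

int main(void) {
    char msg[160];
    caller_attrs ok  = { "PRD", "100", "BATCH_RFC", "prdapp01" };
    caller_attrs bad = { "DEV", "100", "DEVELOPER", "devbox" };
    printf("PRD/100/BATCH_RFC -> rc=%d\n", my_server_function(&ok, msg, sizeof msg));
    printf("DEV/100/DEVELOPER -> rc=%d\n", my_server_function(&bad, msg, sizeof msg));
    return 0;
}
```

The check deliberately treats a missing attribute as a mismatch and logs every rejection, so a misconfigured or unexpected caller shows up in the server's log rather than silently succeeding.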
Using the sapnwrfc.ini file
You can generally use the sapnwrfc.ini file as a repository for connection parameters that can be referenced by the corresponding functions, so that these parameters do not have to be coded into the program. Because the information in this file is stored on the server's hard disk, it may be exposed to attackers. Therefore it is strongly recommended that you avoid storing security-related data in this file. The security-critical parameters are mainly User and Password, but information about message server names, the program ID, or gateway information may also be affected.
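As an added example (not SAP code), the following small audit scans the text of a sapnwrfc.ini file and reports the parameters named above: USER and PASSWD are flagged as credentials that must not be in the file, and MSHOST, PROGRAM_ID, GWHOST and GWSERV as information that reveals the landscape. The ini syntax assumed here is one KEY=VALUE per line with a DEST= line starting each destination block and lines beginning with '#' treated as comments; the SAMPLE_INI text and its host names are constructed, and the audit never echoes parameter values so that its own output does not leak anything.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

typedef struct {
    const char *key;
    int critical;   /* 1 = credential (must never be in the file), 0 = topology */
} sensitive_key;

/* Parameters the text above names as security-critical or sensitive. */
static const sensitive_key SENSITIVE[] = {
    { "USER", 1 }, { "PASSWD", 1 },
    { "MSHOST", 0 }, { "PROGRAM_ID", 0 }, { "GWHOST", 0 }, { "GWSERV", 0 },
};

/* Constructed sample file: one client destination that stores a logon and
 * one registered-server destination. Host names are placeholders. */
static const char SAMPLE_INI[] =
    "# constructed sample sapnwrfc.ini\n"
    "DEST=PRD_BATCH\n"
    "ASHOST=prdapp01.example.invalid\n"
    "SYSNR=00\n"
    "CLIENT=100\n"
    "USER=BATCH_RFC\n"
    "PASSWD=not-a-real-password\n"
    "LANG=EN\n"
    "\n"
    "DEST=MY_SERVER\n"
    "GWHOST=prdgw01.example.invalid\n"
    "GWSERV=sapgw00\n"
    "PROGRAM_ID=MY_SERVER_PROG\n";

/* Extracts the upper-cased key of a "KEY = VALUE" line into key[].
 * Returns 0 for blank, comment ('#') or malformed lines. */
static int parse_key(const char *line, char *key, size_t keylen) {
    const char *eq;
    size_t n, i;
    while (*line == ' ' || *line == '\t') line++;
    if (*line == '\0' || *line == '\r' || *line == '#') return 0;
    eq = strchr(line, '=');
    if (eq == NULL) return 0;
    n = (size_t)(eq - line);
    while (n > 0 && isspace((unsigned char)line[n - 1])) n--;
    if (n == 0 || n >= keylen) return 0;
    for (i = 0; i < n; i++) key[i] = (char)toupper((unsigned char)line[i]);
    key[n] = '\0';
    return 1;
}

/* Scans ini text line by line. Returns the number of credential findings;
 * topology findings are counted into *topology_findings when non-NULL. */
int audit_sapnwrfc_ini(const char *text, int *topology_findings) {
    char line[512], key[64], dest[64] = "(none)";
    int critical = 0, topo = 0, lineno = 0;
    const char *p = text;
    while (*p != '\0') {
        size_t full = strcspn(p, "\n"), len = full, i;
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        p += full;
        if (*p == '\n') p++;
        lineno++;
        if (!parse_key(line, key, sizeof key)) continue;
        if (strcmp(key, "DEST") == 0) {                  /* new destination block */
            const char *v = strchr(line, '=') + 1;
            while (*v == ' ' || *v == '\t') v++;
            snprintf(dest, sizeof dest, "%s", v);
            dest[strcspn(dest, " \t\r")] = '\0';
            continue;
        }
        for (i = 0; i < sizeof SENSITIVE / sizeof SENSITIVE[0]; i++) {
            if (strcmp(key, SENSITIVE[i].key) != 0) continue;
            if (SENSITIVE[i].critical) {
                critical++;
                printf("line %d [DEST=%s]: CRITICAL %s is stored in the file\n",
                       lineno, dest, key);
            } else {
                topo++;
                printf("line %d [DEST=%s]: info     %s reveals topology\n",
                       lineno, dest, key);
            }
        }
    }
    if (topology_findings != NULL) *topology_findings = topo;
    return critical;
}

int main(void) {
    int topo = 0;
    int crit = audit_sapnwrfc_ini(SAMPLE_INI, &topo);
    printf("%d credential finding(s), %d topology finding(s)\n", crit, topo);
    return crit > 0 ? 1 : 0;   /* non-zero exit fails a deployment check */
}
```

Run against the real file as part of deployment or configuration review; a non-zero exit status means a logon is stored on disk and the credentials should instead be supplied to the connection functions at run time from a protected source.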
Configuring registered RFC servers using transaction SM59
If you specify an external RFC server as an RFC destination using transaction SM59, you need to enter the corresponding program ID of the RFC server. If this program ID becomes known, it can generally be used by other external servers (not related to the gateway) to establish a connection to an SAP system. Therefore, we recommend that you:
Implement a dynamic (changeable) token for this program ID in the external RFC server.
Choose a value for this program ID that uses the full available length of the field in order to make it as hard to guess as possible.
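The following added example (not SAP code) generates a program ID that follows both recommendations above: it fills the whole field with characters drawn from a cryptographically secure source, and because it is generated rather than fixed it can be regenerated whenever the registration and the SM59 destination are rotated. Assumptions: PROGRAM_ID_MAX (64) is a placeholder for the field length of your release, the ALPHABET is limited to upper-case letters and digits, and /dev/urandom is the random source; the resulting string would be passed as the PROGRAM_ID parameter when the server registers.

```c
#include <stdio.h>
#include <string.h>

#define PROGRAM_ID_MAX 64   /* placeholder: check the field length of your release */
static const char ALPHABET[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Fills out[0..len-1] with uniformly chosen alphabet characters and
 * NUL-terminates; out must hold len + 1 bytes. Bytes from /dev/urandom are
 * rejection-sampled so no character is favoured by modulo bias.
 * Returns 0 on success, -1 if the random source is unavailable. */
int make_program_id(char *out, size_t len) {
    const size_t n = sizeof ALPHABET - 1;        /* 36 symbols */
    const unsigned limit = 256 - (256 % n);      /* largest bias-free bound: 252 */
    FILE *rng = fopen("/dev/urandom", "rb");
    size_t filled = 0;
    if (rng == NULL) return -1;
    while (filled < len) {
        unsigned char b;
        if (fread(&b, 1, 1, rng) != 1) { fclose(rng); return -1; }
        if (b >= limit) continue;                /* reject and draw again */
        out[filled++] = ALPHABET[b % n];
    }
    fclose(rng);
    out[len] = '\0';
    return 0;
}

/* Returns 1 only for a full-length ID made of alphabet characters, so a
 * short, hand-picked name such as "MYSERVER" is rejected by this check. */
int program_id_is_strong(const char *id) {
    size_t len = strlen(id);
    return len == PROGRAM_ID_MAX && strspn(id, ALPHABET) == len;
}

int main(void) {
    char id[PROGRAM_ID_MAX + 1];
    if (make_program_id(id, PROGRAM_ID_MAX) != 0) {
        fprintf(stderr, "no random source available\n");
        return 1;
    }
    /* In a real server this value is passed as PROGRAM_ID to the
     * registration call and entered in the SM59 destination. */
    printf("new program ID (%d chars): %s\n", PROGRAM_ID_MAX, id);
    printf("strong: %d\n", program_id_is_strong(id));
    return 0;
}
```

A new ID requires the SM59 destination to be updated, so rotation is a coordinated step between the external server and the SAP system rather than something the server does on its own.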