
Configuring SNC: External Programs AS ABAP Using RFC

Use

For the communication path from an external program to an AS ABAP when using RFC, the external program is the initiator of the communication and the AS ABAP is the acceptor.

Example

One example of such a connection is the connection from an AS Java to an AS ABAP server. In this case, the AS Java uses the Java Connector (JCo) to establish the connection.

Initiator (External Program)

To apply SNC protection to external programs that communicate with an AS ABAP using RFC, specify the SNC options either in the saprfc.ini file or through the program interface in rfclib. This section describes how to specify the information in saprfc.ini. For information on using rfclib, see C Program Interfaces.

Note

The program may have a user interface for maintaining the parameters. See the program’s documentation for details.

Example

For example, on the AS Java you make the settings according to the application that establishes the connection. The application may also have its own user interface, or it may use the Destination or RFC Adapter service. See Configuring SNC: AS Java AS ABAP in the AS Java documentation for more information.

Prerequisites

       You want to apply SNC protection to the communications between the RFC external program and the AS ABAP.

       The external program uses the saprfc.ini file.

Procedure

Set the SNC parameters in saprfc.ini as shown in the table below.

SNC Parameters for RFC External Programs AS ABAP

| Parameter | Description | Required or Optional | Permitted Values | Default |
| SNC_PARTNERNAME | SNC name of the communication partner (application server) | Required | String value | None |
| SNC_LIB | Path and file name of the gssapi library | Required | String value | None |
| SNC_MODE | SNC activation indicator | Required | 0, 1 (0 = SNC disabled, 1 = SNC activated) | None |
| SNC_QOP | Quality of protection (protection level) | Optional | 1, 2, 3, 8, 9 | 3 |
| SNC_MYNAME | SNC name of the user sending the RFC | Optional | String value | The name provided by the security product for the logged-on user. |

Example saprfc.ini file

DEST=XYZ_S
TYPE=A
ASHOST=host1
SYSNR=01
SNC_MODE=1
SNC_PARTNERNAME=p:CN=sap01.host1, OU=TEST01, O=myCompany, C=US
SNC_LIB=C:\SAP_Cryptolib\sapcrypto.dll

This example sets up the application server host1 as the RFC destination. The server's SNC name is p:CN=sap01.host1, OU=TEST01, O=myCompany, C=US and the SNC library is located at C:\SAP_Cryptolib\sapcrypto.dll.
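
The parameter table and the sample entry above can be checked mechanically. The following Python sketch is an added example, not SAP code: it parses a saprfc.ini and reports destinations that lack a required SNC parameter, have SNC disabled, or use an SNC_QOP value outside the permitted set. The file handling (a DEST= line starts a new entry, lines without "=" are skipped) and the LEGACY_X entry are assumptions made for the example.

```python
# Added example, not SAP code: audit SNC settings per saprfc.ini destination.
REQUIRED = ("SNC_PARTNERNAME", "SNC_LIB", "SNC_MODE")   # from the table above
QOP_PERMITTED = {"1", "2", "3", "8", "9"}
QOP_DEFAULT = "3"
def parse_saprfc_ini(text):
    """Return {destination: {key: value}}; a DEST= line starts a new entry."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue  # blank line or anything that is not KEY=VALUE (assumption)
        # Split on the first '=' only: SNC names contain '=' themselves.
        key, value = (part.strip() for part in line.split("=", 1))
        if key.upper() == "DEST":
            current = entries.setdefault(value, {})
        elif current is not None:
            current[key.upper()] = value
    return entries

def audit_snc(entry):
    """Return (findings, effective SNC_QOP) for one destination."""
    findings = [f"{p} is required but missing" for p in REQUIRED if p not in entry]
    mode = entry.get("SNC_MODE")
    if mode == "0":
        findings.append("SNC_MODE=0: SNC is disabled for this destination")
    elif mode is not None and mode != "1":
        findings.append(f"SNC_MODE={mode}: permitted values are 0 and 1")
    qop = entry.get("SNC_QOP", QOP_DEFAULT)
    if qop not in QOP_PERMITTED:
        findings.append(f"SNC_QOP={qop}: permitted values are 1,2,3,8,9")
    return findings, qop

# Constructed sample: the page's XYZ_S entry plus a hypothetical LEGACY_X entry.
SAMPLE = r"""
DEST=XYZ_S
TYPE=A
ASHOST=host1
SYSNR=01
SNC_MODE=1
SNC_PARTNERNAME=p:CN=sap01.host1, OU=TEST01, O=myCompany, C=US
SNC_LIB=C:\SAP_Cryptolib\sapcrypto.dll
DEST=LEGACY_X
SNC_MODE=0
SNC_QOP=5
"""

if __name__ == "__main__":
    for dest, params in parse_saprfc_ini(SAMPLE).items():
        print(dest, audit_snc(params))
```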

Acceptor (AS ABAP)

To configure the acceptor (the AS ABAP) for using SNC, set the profile parameters on the application server as described in Profile Parameter Settings on AS ABAP.

Note

The value contained in the parameter snc/accept_insecure_rfc determines whether or not to accept unprotected RFC connections. You can define this parameter to deny all insecure RFCs, accept all insecure RFCs, or accept insecure RFCs for specific users only (based on the Insecure communications permitted indicator in the table USRACL).

User Authentication in the SAP System

As with RFC calls without SNC protection, you need to specify a user and client in the RFC program when connecting to the SAP system. The following additional steps apply to the authentication procedure when using SNC:


       1.      If the SNC name from the RFC program corresponds to the SNC name in the specified user's master record in the designated client, then the SAP system accepts the RFC logon request (without performing additional authentication).

       2.      Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, user, and SNC name combination. If a matching entry is found, then the SAP system accepts the logon request (without performing additional authentication).

       3.      Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, user, and an asterisk (*) as the SNC name. If a matching entry is found, then the system verifies the user's password. If the password is valid, then the SAP system accepts the logon as a secure logon.

       4.      Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, an asterisk as the user ID, and the RFC program's SNC name. If a matching entry is found, then the system verifies the user's password. If the password is valid, then the SAP system accepts the logon as a secure logon.

       5.      Otherwise, the SAP system searches the USRACLEXT table for an entry corresponding to the client, an asterisk as the user ID, and an asterisk as the SNC name. If a matching entry is found, then the system verifies the user's password. If the password is valid, then the SAP system accepts the logon as a secure logon.

       6.      Otherwise, the SAP system denies the logon request.
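
The lookup order above, written out as an added Python example (a model for reviewing USRACLEXT entries, not SAP code). It assumes USRACLEXT can be represented as a set of (client, user, SNC name) tuples, that SNC names compare as exact strings, and that a failed password check ends in denial; all function names and sample entries are constructed.

```python
# Added example, not SAP code: the six-step SNC logon check as a decision function.
WILDCARD = "*"
ACCEPT = "accepted without additional authentication"
SECURE = "accepted as secure logon after password check"
DENY = "denied"

def snc_rfc_logon(client, user, snc_name, master_snc, usraclext, password_valid):
    """Return (step, outcome) for an SNC-protected RFC logon request.

    master_snc: SNC name in the user's master record, or None if not set.
    usraclext: set of (client, user, snc_name) tuples modelling USRACLEXT.
    password_valid: result of verifying the password sent with the logon.
    """
    if master_snc is not None and snc_name == master_snc:
        return 1, ACCEPT
    if (client, user, snc_name) in usraclext:
        return 2, ACCEPT
    # Steps 3-5 all depend on the password, so an invalid password leads to
    # denial whether or not the search continues (assumption: it stops here).
    for step, key in ((3, (client, user, WILDCARD)),
                      (4, (client, WILDCARD, snc_name)),
                      (5, (client, WILDCARD, WILDCARD))):
        if key in usraclext:
            return step, (SECURE if password_valid else DENY)
    return 6, DENY

def wildcard_entries(usraclext):
    """Entries that let a password decide the logon (steps 3-5), for review."""
    return sorted(e for e in usraclext if WILDCARD in e[1:])

# Constructed USRACLEXT content; clients, users and SNC names are hypothetical.
ACL = {
    ("100", "RFCUSER", "p:CN=batch01, O=myCompany, C=US"),
    ("100", "ALICE", "*"),
    ("200", "*", "*"),
}

if __name__ == "__main__":
    print(snc_rfc_logon("100", "ALICE", "p:CN=laptop7", None, ACL, True))
    print(wildcard_entries(ACL))
```

Only steps 1 and 2 accept a logon on the SNC name alone; every entry returned by `wildcard_entries` makes the outcome depend on the user's password.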

Note

When establishing the RFC connection:

The RFC connection is established over a gateway port. For SNC-protected connection requests, the RFC library normally uses the secure gateway port, which accepts only SNC-protected connections. However, if both SNC and load-balancing are used, the RFC libraries also use the conventional gateway port for SNC-protected connections.

 

 
