
Network and Communication Security

The network topology for eCATT is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to eCATT. Details that specifically apply to eCATT are described below.

Normally an RFC destination contains a specific user name, and often a password. Every connection to the target system made through this destination therefore logs on under the same user name, and any user with the appropriate authorization in the originating system can log onto the target system, irrespective of whether they are authorized to work in that system. Such destinations are both inflexible and potentially insecure. To get around this problem, you can use trusted RFC.

Using Trusted RFC

Trusted RFC is a contract between two systems in which the target system agrees to trust connections coming from a particular system. In this case, the logon is permitted without a password.

Since this is a particularly sensitive feature, trusted RFC is protected by an additional authorization check. In order to log onto a trusted system, the user in question must possess the following:

      A user in the target system

      Authorizations for the applications he or she needs to use in the target system

      Authorization for the object S_RFCACL

This authorization object regulates a user’s right to log onto a system via a trusted connection.

Setting Up the Trusted Relationship


       1.      Log onto the target system and set up an RFC destination that points to your central test system.

       2.      Start transaction SMT1 and choose Create.

       3.      In the next dialog box, enter the name of the RFC destination that you created in step 1.

       4.      On the next screen, you can use the following settings to restrict the use of the trusted relationship:

               -  You can set the entry to inactive.

               -  You can restrict the validity of the relationship.

       5.      Create RFC destinations in the central test system that use trusted RFC to log onto the system in which you just established the trusted relationship.

Using the Trusted Relationship

Once you have set up the trusted relationship, you can create RFC destinations that log onto the target system without requiring a password.


       1.      Start transaction SM59, and open an RFC destination for editing.

       2.      On the Logon tab, select the Yes radio button for the Trusted System option.

Additional Authorizations

In the target system, each user who wants to log on using trusted RFC requires an authorization containing appropriate values for the authorization object S_RFCACL.
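
As a check on what "appropriate values" means in practice, the following added example (not part of the SAP documentation) flags S_RFCACL authorizations whose system, client or calling-user field is a bare wildcard, which would accept trusted logons from any trusting relationship or any caller. The CSV layout, role names and system ID are constructed for illustration; RFC_SYSID, RFC_CLIENT, RFC_USER, RFC_EQUSER and ACTVT are the fields of S_RFCACL and do not appear on this page.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per field value of an S_RFCACL
# authorization. The column layout is an assumption for this example.
SAMPLE_EXPORT = """role,auth,field,value
Z_ECATT_TEST,A1,RFC_SYSID,CTS
Z_ECATT_TEST,A1,RFC_CLIENT,100
Z_ECATT_TEST,A1,RFC_USER,
Z_ECATT_TEST,A1,RFC_EQUSER,Y
Z_ECATT_TEST,A1,ACTVT,16
Z_RFC_ALL,A1,RFC_SYSID,*
Z_RFC_ALL,A1,RFC_CLIENT,*
Z_RFC_ALL,A1,RFC_USER,*
Z_RFC_ALL,A1,RFC_EQUSER,N
Z_RFC_ALL,A1,ACTVT,16
Z_RFC_MIXED,A1,RFC_SYSID,CTS
Z_RFC_MIXED,A1,RFC_CLIENT,100
Z_RFC_MIXED,A1,RFC_USER,*
Z_RFC_MIXED,A1,RFC_EQUSER,N
Z_RFC_MIXED,A1,ACTVT,16
"""

# Fields that decide which system, client and calling user are trusted.
SCOPE_FIELDS = ("RFC_SYSID", "RFC_CLIENT", "RFC_USER")

def load_authorizations(text):
    """Group rows into {(role, auth): {field: [values]}}."""
    auths = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(text)):
        auths[(row["role"], row["auth"])][row["field"]].append(row["value"].strip())
    return auths

def find_wildcards(auths):
    """Return sorted (role, auth, field) triples whose value is a bare '*'."""
    findings = []
    for (role, auth), fields in auths.items():
        for field in SCOPE_FIELDS:
            if "*" in fields.get(field, []):
                findings.append((role, auth, field))
    return sorted(findings)

if __name__ == "__main__":
    for role, auth, field in find_wildcards(load_authorizations(SAMPLE_EXPORT)):
        print(f"{role}/{auth}: {field} = * (not restricted)")
```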
