Network Security and Communication
This section gives you an overview of the security-relevant topics in the area of network security and communication.
Do not install RFC Software Development Kit (RFC SDK) in your production system or on your application servers or front ends. For more information on avoiding misuse of RFC SDK, see SAP Note 43417.
You can restrict access to external server programs by using a suitable authorization check. For detailed information: Restricting Access to External Server Programs.
Restricting Registration of External Server Programs
When you use an RFC server (based on RFC SDK, NW RFC SDK, JCo, .NET Connector, or Business Connector), there is a danger under certain circumstances that a harmful external program registers itself as an RFC server.
Find out how to protect yourself against harmful registration: Restricting Registration of External Server Programs.
Restricting Access to RFC Server Program RFCEXEC or RFCEXEC.EXE
Program RFCEXEC represents an external RFC server that can be addressed by the SAP system. This enables you to use the various operating system functions.
This program is part of the classic RFC SDK and provides a good example of how you can implement an RFC server. Many applications now use this example program in a production environment. Because of this, it has become necessary to restrict access to this program.

For more information: SAP Note 618516.
A modified version of the program is available with SAP NW RFC SDK Patch Level 2.

For more information: SAP Note 1140031.
Systems that you allow to communicate with one another using RFC should be protected by the appropriate network measures (see Network Measures). Either keep systems in a self-contained secure LAN, or control access using SAP routers and packet filters.

SAP Gateway controls remote RFC and CPI-C communications. It reads queries and sets up work processes for the connection. It includes a monitor that you can use for SAP Gateway analysis and administration. In the standard system, you can access the gateway monitor either locally or from a remote computer. However, we recommend that you deactivate remote monitoring of SAP Gateway.
To deactivate remote monitoring of SAP Gateways, set profile parameter gw/monitor to 1 (see SAP Note 64016).
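The following check is an added example, not SAP code: it reads the text of an instance profile and reports whether gw/monitor is explicitly set to 1, as recommended above. The sample profile is constructed, and the rule that the last active assignment in a profile wins is an assumption of this example.

```python
import re

# Constructed sample instance profile (not taken from a real system).
SAMPLE_PROFILE = """\
# Instance profile (constructed sample)
SAPSYSTEMNAME = XYZ
gw/monitor = 2
rdisp/wp_no_dia = 10
#gw/monitor = 1
"""

PARAM = "gw/monitor"
RECOMMENDED = "1"  # value this page recommends to deactivate remote monitoring

# name = value; lines whose first non-blank character is '#' are comments.
_ASSIGNMENT = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def effective_value(profile_text, name=PARAM):
    """Return (value, line_no) of the last active assignment of `name`.

    Assumption: when a parameter appears more than once in one profile,
    the last active line is the one that takes effect.
    Returns (None, None) when the parameter is not set.
    """
    found = (None, None)
    for line_no, line in enumerate(profile_text.splitlines(), 1):
        match = _ASSIGNMENT.match(line)
        if match and match.group(1) == name:
            found = (match.group(2), line_no)
    return found


def audit_gw_monitor(profile_text):
    """Return (status, message); status is 'OK', 'REVIEW' or 'UNSET'."""
    value, line_no = effective_value(profile_text)
    if value is None:
        return ("UNSET", f"{PARAM} is not set in this profile; "
                         f"set it explicitly to {RECOMMENDED}")
    if value == RECOMMENDED:
        return ("OK", f"line {line_no}: {PARAM} = {value}")
    return ("REVIEW", f"line {line_no}: {PARAM} = {value}, "
                      f"recommended value is {RECOMMENDED}")


if __name__ == "__main__":
    print(audit_gw_monitor(SAMPLE_PROFILE))
```

A commented-out line such as `#gw/monitor = 1` is ignored, so a profile that only appears to carry the recommended setting is still reported.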