SAP systems can communication with another SAP, or a non-SAP system, in two basic ways: With a Remote Function Call (RFC) you can call functions directly in a system (using an ABAP interface or RFC API). The Internet Communication Framework (ICF) enables you to use HTTP, HTTPS or SMTP to communicate with other systems from an SAP system.
This guide provides you with fundamental information and advice for the secure use of RFC and ICF when communicating between SAP systems and other SAP systems or external systems.
This guide is aimed at technical consultants and system administrators.
Read the following SAP Notes about RFC and ICF security topics:
43417 (RFC Software Development Kit)
618516 (Restricting Access to the RFC Server Program RFCEXEC or RFCEXEC.EXE).
Note
This Note is only relevant for the classic RFC API.
128447 (Trusted Systems Network for RFC Communication)
532918 (RFC Trace Generation)
1148023 (Data Security for RFC Traces and Debugging)
668252 (Authorizations for Remote Debugging in ICF)
110612 (Configuration of SAP Gateway)
64016 (Gateway Monitoring)
For more detailed information, see the following topics:
Note
This section of the documentation refers to scenarios for the ABAP environment. For information about the security requirements of SAP J2EE systems, see the following: