For the communication path between two AS ABAP systems when using RFC, the calling AS ABAP is the initiator of the communication and the AS ABAP defined as the RFC destination system is the acceptor. Settings that are relevant for load balancing are made in the initiating AS ABAP system.
Initiator (AS ABAP)
To specify the SNC options for the initiating AS ABAP, use transaction SM59. See Maintaining RFC Destinations and their SNC Options Using Transactions. Depending on whether or not you use load balancing, note the following:
If you do not use load balancing, then specify the SNC name of the destination application server in the SNC options for the destination in the Partners field.
If you use load balancing, the system (re-)determines the destination application server at the time of the RFC call. After determining the application server, the system retrieves the corresponding application server's SNC name from the message server and uses it to establish the SNC-protected communication.
In this case, enter the SNC name of the main instance in the Msg.-Server field. In the current implementation, the SNC name is parsed as a name, but is not used.
To configure the system to use the SNC name of a specific application server in case you disable load balancing, enter the desired application server's SNC name in the Partners field. As long as you use load balancing, the system ignores the contents of this field.
Acceptor (AS ABAP)
To be able to receive SNC-protected RFCs from other AS ABAP systems, you need to specify the corresponding systems in the SNC system ACL. In the accepting AS ABAP:
If you have multiple servers in a remote system that use different credentials (different SNC names), you need to make an entry for each server in the table SNCSYSACL.
The table maintenance screen appears.
Note the following:
System and User Authentication
When using SNC-protected RFCs between two AS ABAP systems, the application server from one system uses SNC to authenticate the application server of the other system. Based on the entries in SNCSYSACL (SNC name of the application server making the call), the accepting application server recognizes that the RFC call was initiated by another AS ABAP. The accepting AS ABAP then uses the standard RFC password or token-based authentication to apply the correct user account and authorizations to the RFC call.
Example
The table below shows an example for using the SNC system ACL.
Access Control List SNC Systems
System ID | SNC Name | RFC Activated | CPIC Activated |
---|---|---|---|
XYZ |
p:CN=sap0 2 .host 2 , OU=TEST0 2 , O=myCompany, C=US |
Yes |
Yes |
XYZ |
p:CN=sap0 2 .host 3 , OU=TEST01, O=myCompany, C=US |
Yes |
Yes |
User A in System XYZ (application server host2) performs an RFC call to system ABC (application server host1). Based on the information in the SNCSYSACL table, the system ABC uses SNC to authenticate the system XYZ. The system ABC then authenticates User A using the standard authentication mechanism (password or token) that was provided with the RFC request.