An external RFC server program started on an explicit host is started directly by a gateway and therefore has access to the same environment as the gateway.
For an RFC call that uses a TCP/IP connection to start an external program on an explicit host, the AS ABAP is the initiator of the communication and the external program is the acceptor.
To specify the SNC options for the initiator (AS ABAP), use transaction SM59. See Maintaining RFC Destinations and their SNC Options Using Transaction SM59.
If you do not specify a gateway in the RFC destination maintenance, then the external RFC server program is started by the application server's standard gateway. This constellation is very similar to that described in RFC: TCP/IP Connection - Start an External Program on an Application Server. However, in this case, the system ignores the SNC partner name as defined in the RFC destination's SNC options and uses the application server's SNC name as the SNC name for the external RFC server program instead.
You do not need to specify any additional SNC options for external programs that start on an explicit host. The programs retrieve the SNC information that they need as follows:
The SNC mode (active or inactive) for the connection and the quality of protection are defined in transaction SM59 for the initiator and are automatically sent to the program to be started.
To specify the path and file name of the external library, the gateway that starts the external RFC server program sends the value of its own profile parameter snc/gssapi_lib to the external program as a command line parameter. (This command line parameter value overrides the SNC_LIB environment variable value.)
The RFC server program's SNC name is the name defined as the SNC partner name in the RFC destination (using transaction SM59). It is sent to the external RFC server program in the RFC request. The external RFC server program extracts this name from the SNC protocol that frames the RFC request and uses it to acquire its accepting credentials.
See Profile Parameter Settings on the Gateway for information pertaining to SNC with gateway operations.
In addition, note the following:
The gateway uses the common Berkeley remote shell (rsh or remsh) to start programs on remote hosts. The Berkeley remote shell performs only a simple authentication based on the IP address and cannot protect the TCP datastream that it uses. Therefore, we recommend that you do not use the starting of programs on remote hosts when using SNC.