
Secure VH for RFC: Concept

Configure a virtual host for SNC communication only

You can use the UCON RFC basis scenario to create a dedicated virtual host for SNC communication only (known as a Secure VH).

This procedure is recommended in the following situation: You classify specific remote-enabled function modules (RFMs) in your system as critical to security and you want them to be accessed externally using only SNC. In this case, any external call of these RFMs without SNC is rejected. At the same time, you do not want to restrict all RFMs in your system to SNC-only access, for example because specific RFMs need to be called from external systems for which SNC cannot be configured (or only with a lot of work).

Process

  • In the case of RFMs that are critical to security and that you want to protect using stronger encryption, authentication, and Single Sign-On mechanisms, use a dedicated Communication Assembly (called Secure CA). Any RFMs assigned to the Secure CA can only be called using SNC.
    Note: Calls without SNC are rejected by the UCON runtime as soon as the RFM in question is in the final phase of the UCON setup. In the first two phases (Logging and Evaluation), the UCON runtime checks are only simulated and no calls are rejected.
  • For RFMs in the Default CA, the regular RFC security measures (including UCON RFC basis protection) are sufficient, and these RFMs can also be called without SNC.

Using the UCON phase manager tool, you can identify RFMs that were:

  1. called using SNC only and are critical to security
  2. called with and without SNC and are also critical to security

The RFMs in these two groups (1 and 2) can then be assigned to the Secure CA.

Note: In the case of RFMs in group (2), you must make the relevant SNC modifications before the assignment to the Secure CA to avoid rejections in the future. If it is not possible to configure a particular destination in the right way, you must not assign the RFMs called by this destination to the Secure CA.

In the final phase, always make sure that only those RFMs are assigned to the Secure CA that were already called using SNC or that can be called using SNC. You can achieve this by using the results list of the phase manager tool. Here, you can check all RFMs that are assigned to the Secure CA at the end of the evaluation phase and ensure that:

  • they were called using SNC only up until now, or
  • the relevant destinations were modified accordingly.

If these conditions are not met and the RFMs in question still need to be called externally, you must assign them to the Default CA.
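
The assignment check described above, worked through as an added example (not SAP code and not the output format of the phase manager tool). The log columns, RFM names, destination names and the two input sets are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per external RFC call seen during the Logging
# and Evaluation phases. Column names are hypothetical, not a UCON export.
CALL_LOG = """rfm,destination,snc
Z_PAY_RELEASE,FIN_GW,yes
Z_PAY_RELEASE,FIN_GW,yes
Z_HR_SALARY_READ,HR_PORTAL,yes
Z_HR_SALARY_READ,LEGACY_BATCH,no
Z_USER_UNLOCK,HELPDESK,no
Z_USER_UNLOCK,ADMIN_GW,yes
Z_STOCK_QUERY,SHOP_FRONT,no
"""
CRITICAL = {"Z_PAY_RELEASE", "Z_HR_SALARY_READ", "Z_USER_UNLOCK"}  # your classification
SNC_READY = {"HELPDESK"}  # destinations already modified to use SNC


def plan_assignment(log_text, critical, snc_ready):
    """Return {rfm: (target_ca, group, blocking_destinations)}."""
    with_snc, without_snc = defaultdict(set), defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        bucket = with_snc if row["snc"] == "yes" else without_snc
        bucket[row["rfm"]].add(row["destination"])

    plan = {}
    for rfm in sorted(set(with_snc) | set(without_snc)):
        if rfm not in critical:
            plan[rfm] = ("DEFAULT_CA", None, [])
            continue
        # Group 1: called using SNC only. Group 2: called with and without SNC.
        # None: only ever called without SNC, so in neither group.
        if not without_snc[rfm]:
            group = 1
        else:
            group = 2 if with_snc[rfm] else None
        # A non-SNC caller blocks the move until its destination is modified.
        blocking = sorted(without_snc[rfm] - snc_ready)
        target = "SECURE_CA" if not blocking else "DEFAULT_CA"
        plan[rfm] = (target, group, blocking)
    return plan


if __name__ == "__main__":
    for rfm, (target, group, blocking) in plan_assignment(CALL_LOG, CRITICAL, SNC_READY).items():
        print(f"{rfm:18} group={group} -> {target} blocked_by={blocking}")
```

An RFM with a non-empty blocking list stays in the Default CA until every listed destination has been modified for SNC.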