RFC/ICF Security Guide


SAP systems can communicate with other SAP systems or with external systems through two channels: Remote Function Call (RFC) can be used to call functions in a system directly (through an ABAP interface or using RFC API). The Internet Communication Framework (ICF) enables you to use HTTP, HTTPS or SMTP to communicate with other systems from an SAP system. 

This guide provides you with fundamental information and advice for the secure use of RFC and ICF when communicating between SAP systems and other SAP systems or external systems.

Target Groups

This guide is aimed at technical consultants and system administrators.

Important SAP Notes

Read the following SAP Notes about RFC and ICF security topics:

?     43417      (RFC Software Development Kit)

?     618516    (Restricting Access to the RFC Server Program RFCEXEC or RFCEXEC.EXE)

?     128447    (Trusted Systems Network for RFC Communication)

?     532918    (RFC Trace Generation)

?     668252    (Authorizations for Remote Debugging in ICF)

?     110612    (Configuration of the SAP Gateway)

?     64016      (Gateway Monitoring)

Further Information

For more detailed information, see the following topics:

Technical Scenarios – Overview

RFC Scenarios

ICF Scenarios

This section of the documentation refers to scenarios for the ABAP environment. For information about the security requirements of SAP J2EE systems, see the following:

SAP NW AS Security Guide for Java Technology