Network Security and Communication

Preventing Misuse of the RFC Software Development Kit

Do not install the RFC Software Development Kit (RFC SDK) in your production system or on your application servers or front ends. For more information on avoiding misuse of the RFC SDK, see SAP Note 43417.

Restricting the Use of External CPI-C Programs or RFC Server Programs

You can restrict the use of external server programs by creating entries in the file secinfo. (For details about maintaining this file, see Defining Authorizations for External Server Programs under Authorizations.) 

Restricting Access to the RFC Server Program RFCEXEC or RFCEXEC.EXE

The program RFCEXEC represents an external RFC server that can be addressed by the SAP system. This enables you to use the wide range of operating system functions.

This program is part of the RFC SDK and shows you an example of how you can implement an RFC server. Many applications now use this example program in a production environment. This has led to access to the program being restricted. For more information, see SAP Note 618516.

Allowing RFC Connections from Known and Selected Systems Only

You must take appropriate network measures to secure RFC communications between systems (see Network Infrastructure). Operate your systems in a closed, secure LAN or use SAProuters and packet filters to control access to the systems.

Deactivating Remote Monitoring of the SAP Gateways

The SAP Gateway controls remote RFC and CPI-C communications. It reads queries and sets up work processes for the connection. It includes a monitor that you can use to analyze and administer the SAP Gateway. In the standard system, you can access the gateway monitor locally or from a remote computer. However, we recommend that you deactivate remote monitoring of the SAP Gateway.

 

To deactivate remote monitoring of SAP Gateways, set the profile parameter gw/monitor to 1 (see also SAP Note 64016).

 

Further Information

·        Encryption for RFC