Network Security and Communication

Allowing RFC Connections from Known and Selected Systems Only

You must take appropriate network measures to secure RFC communications between systems (see Network Infrastructure). Operate your systems in a closed, secure LAN or use SAProuters and packet filters to control access to the systems.

Deactivating Remote Monitoring of the SAP Gateways

The SAP Gateway controls remote RFC and CPI-C communications. It reads queries and sets up work processes for the connection. It includes a monitor that you can use to analyze and administer the SAP Gateway. In the standard system, you can access the gateway monitor locally or from a remote computer. However, we recommend that you deactivate remote monitoring of the SAP Gateway.

To deactivate remote monitoring of SAP Gateways, set the profile parameter gw/monitor to 1 (see also SAP Note 64016).
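
The following check is an added example, not SAP code: it merges profile files in order and reports the effective gw/monitor value, so that an instance profile overriding a compliant default is caught. The profile contents, the profile names, the precedence of the instance profile over DEFAULT.PFL, and the acceptance of 0 alongside 1 are assumptions.

```python
# Added example: audit the effective gw/monitor value (constructed sample data).
# Assumes the instance profile is read after, and overrides, DEFAULT.PFL.

# 1 = remote monitoring deactivated, the value the page recommends.
# 0 = monitor switched off entirely; that meaning comes from SAP's parameter
# documentation, not from this page, so treat it as an assumption.
ACCEPTED = {"0", "1"}

DEFAULT_PFL = """\
# DEFAULT.PFL (constructed)
SAPSYSTEMNAME = PRD
gw/monitor = 1
"""

INSTANCE_PFL = """\
# PRD_D00_host1 (constructed)
SAPSYSTEM = 00
gw/monitor = 2
"""


def effective_params(profiles):
    """Merge (name, text) profiles in order; a later assignment wins."""
    params = {}
    for name, text in profiles:
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank line or comment
            key, sep, value = line.partition("=")
            if sep:
                params[key.strip()] = (value.strip(), name, lineno)
    return params


def check_gw_monitor(profiles):
    """Return (status, detail) for the effective gw/monitor value."""
    hit = effective_params(profiles).get("gw/monitor")
    if hit is None:
        return "FAIL", "gw/monitor not set in any profile; kernel default applies"
    value, name, lineno = hit
    status = "OK" if value in ACCEPTED else "FAIL"
    return status, f"gw/monitor = {value} ({name}, line {lineno})"


if __name__ == "__main__":
    print(check_gw_monitor([("DEFAULT.PFL", DEFAULT_PFL),
                            ("PRD_D00_host1", INSTANCE_PFL)]))
```

With the sample data the default profile is compliant, but the instance profile resets the parameter to 2, so the check fails and names the overriding file and line.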

 

Using RFC Trusted System Networks

In a scenario that consists of trusted systems, servers in one system trust servers from another system. Users in the first system (system A) who access the second system (system B) are not authenticated by passwords each time they access system B. System B trusts system A; this trust relationship allows system B to accept the user from system A without any further authentication. The user must have user accounts in both systems and gets the authorizations from the target system, in this case system B.

RFC Trusted System Network

The benefit of this procedure is that users only need to authenticate themselves once when they communicate with trusting systems. No logon information needs to be sent across the network. Users in this network require the authorization object S_RFCACL.

However, to guarantee the security of trusting systems, you must check the following prerequisites, which entail an increased amount of administration:

  • The systems must have the same level of security requirements. (This means they must represent a single ‘virtual’ SAP system.) Do not implement the trusted system concept between systems with very different levels of security requirements, for example, between your development system and your personnel system.
  • The systems must have a compatible user administration concept and share an authorization concept. Users who exist in one system must exist in all systems.

Only if you meet these requirements do we recommend the implementation of a trusted system concept.

Further Information

  • Setting Up a Trusted System Network
  • Authorization Object S_RFCACL
  • Encryption for RFC

Also read the following SAP Note:

  • 128447 (Trusted Systems)