10/15/2012

SAP Trusted RFC connection

As an SAP administrator I often get questions about trusted RFC connections. I have also noticed on the SDN forums that there are often questions regarding the setup.

All in all it’s not that hard, but as with a lot of configurations and setups, you just have to know how to do it properly and it will cause fewer issues.

A trusted connection between SAP systems means you can log on across system boundaries without a password transfer.

First, in transaction SM59 you need to define an RFC connection towards the target system you want to enable as trusted in your source system.

For example:

On your source SAP system AA1 you want to set up a trusted RFC towards target system BB1. Once it is done, when you are logged on to AA1 and your user has enough authorization in BB1, you can use the RFC connection and log on to BB1 without having to re-enter user and password.

In transaction SM59 on AA1, define an R3 type RFC connection (connection type 3) towards BB1.

Maintain the technical settings tab.

Next, go to the logon & security tab.

Fill in details for logon

Choose the right option in MDMP & Unicode (is your target Unicode, yes or no). We assume BB1 is Unicode in this example, as that will be the case for most SAP systems with a recent release level.

Now you can first test this RFC connection to see if it works. If you run into problems, you need to fix them before continuing.

This can be done using Utilities -> Connection Test, Authorization Test and Unicode Test.

Now that the R3 RFC connection is made, we can continue to the next step. Go to transaction SMT1 and click the create button.

Fill in the previously created RFC connection name.

Click yes.

Now click the Maintain Destination button

This will take you back into SM59 destination BB1CLNT100

Change the Trusted System option to yes in the logon & security tab.

Remove the user from the logon and select "Current User".

Result in SM59 destination BB1CLNT100

Setting the trusted system to yes and so on can be done directly when creating the RFC connection in SM59, but maintaining the destination when creating the entry in SMT1 avoids more issues in my opinion (you already know up front that the connection itself works when you enter SMT1).

Save the RFC connection

Now you have a trusted RFC connection. With the Current User flag checked, the RFC connection uses the user ID of the person who is logged on and wants to use the RFC connection. This is for security reasons: you should not fill in a user and password in a trusted RFC connection, as other users can abuse it that way.

The necessary authorization to actually use this RFC connection has to be set in the target SAP system BB1 and of course in the client where the RFC is pointing to (client 100 in this example). Object S_RFCACL is the authorization object which needs to be maintained in BB1 client 100 for the user-ids that have to be able to use the trusted RFC connection from AA1 to BB1 client 100.

The specifics for S_RFCACL depend on the SAP release version. An SAP Note exists with details on what should be set: Note 128447 - Trusted/trusting systems.
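A check worth running on the S_RFCACL authorizations assigned in BB1 client 100 is whether they allow more than the "Current User" logon from AA1. The script below is an added example, not part of the original post. It uses the standard S_RFCACL field names; the row layout, role names and the AA1 client number 200 are constructed assumptions, and the values that are correct for your release are in Note 128447.

```python
# Added example: audit S_RFCACL authorizations held in the trusting system.
# Row layout, role names and calling client "200" are constructed assumptions.
EXPECTED = {"RFC_SYSID": "AA1", "RFC_CLIENT": "200"}  # client is a placeholder

def audit_rfcacl(auth, expected=EXPECTED):
    """Return a list of findings for one S_RFCACL authorization ({field: value})."""
    def val(field):
        # An empty value is often maintained as ' ', so strip quotes as well.
        return str(auth.get(field, "")).strip(" '").upper()

    findings = []
    for field in ("RFC_SYSID", "RFC_CLIENT"):
        if val(field) == "*":
            findings.append(f"{field}=*: any value is accepted for the calling side")
        elif val(field) != expected[field]:
            findings.append(f"{field}={val(field)}: expected only {expected[field]}")
    if val("RFC_USER") == "*":
        findings.append("RFC_USER=*: any calling user may log on as this user")
    elif val("RFC_USER"):
        findings.append(f"RFC_USER={val('RFC_USER')}: a different user may log on as this user")
    if val("RFC_EQUSER") != "Y":
        findings.append("RFC_EQUSER is not Y: the 'Current User' logon is not covered")
    return findings

def audit_roles(rows):
    """Map role name -> findings, keeping only roles with at least one finding."""
    report = {}
    for row in rows:
        findings = audit_rfcacl(row)
        if findings:
            report.setdefault(row["ROLE"], []).extend(findings)
    return report

SAMPLE_ROWS = [  # constructed sample data
    {"ROLE": "Z_RFC_TRUSTED_AA1", "RFC_SYSID": "AA1", "RFC_CLIENT": "200",
     "RFC_USER": "' '", "RFC_EQUSER": "Y", "ACTVT": "16"},
    {"ROLE": "Z_RFC_WIDE", "RFC_SYSID": "*", "RFC_CLIENT": "*",
     "RFC_USER": "*", "RFC_EQUSER": "Y", "ACTVT": "16"},
    {"ROLE": "Z_RFC_OTHER_USER", "RFC_SYSID": "AA1", "RFC_CLIENT": "200",
     "RFC_USER": "BATCHUSR", "RFC_EQUSER": "N", "ACTVT": "16"},
]

if __name__ == "__main__":
    for role, findings in audit_roles(SAMPLE_ROWS).items():
        for finding in findings:
            print(f"{role}: {finding}")
```

Only the first sample role matches the setup described here: the caller is restricted to AA1, and the same user ID is used on both sides.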

Once you have created your trusted RFC you should also see BB1 in transaction SMT1 on SAP system AA1 and AA1 in transaction SMT2 (trusting SAP systems) on SAP system BB1. You can repeat the steps (switch AA1 and BB1) to configure a trusted RFC connection from BB1 to AA1 if wanted.
