{"id":1681,"date":"2021-06-08T11:12:49","date_gmt":"2021-06-08T09:12:49","guid":{"rendered":"https:\/\/sast-solutions.com\/blog-en\/?p=1681"},"modified":"2021-06-08T11:12:49","modified_gmt":"2021-06-08T09:12:49","slug":"trusted-system-relationships-simplify-logon-procedure-rfc-communication-how-sensible-secure-is-their-use","status":"publish","type":"post","link":"https:\/\/sast-solutions.com\/blog-en\/2021\/06\/08\/trusted-system-relationships-simplify-logon-procedure-rfc-communication-how-sensible-secure-is-their-use\/","title":{"rendered":"Trusted system relationships simplify the logon procedure for RFC communication \u2013 but how sensible and secure is their use?"},"content":{"rendered":"

\"SASTThe RFC (Remote Function Call) is the main SAP technology for exchanging data between SAP systems. In addition to standard RFC connections, it is also possible to configure trusted relationships. In our technology tip, find out when you should use trusted system relationships and how you can use them securely.<\/p>\n

<\/p>\n

 <\/p>\n

Configuring a trusted RFC relationship without password<\/strong><\/h2>\n

In contrast to standard connections, a trusted system connection does not require a password to be entered. This greatly simplifies the logon procedure for RFC communication. A connection of this type can be established if the calling system has previously been declared as a \u201ctrusted system\u201d to the called system and the called system has also been registered as a \u201ctrusting system\u201d. Both SAP systems should have the same security level in this scenario.<\/p>\n

During a call, the trusting SAP system checks whether the call was made from a trusted SAP system.<\/p>\n

\"SAST<\/p>\n

You can use the authorization object S_RFCACL in the target system to control which users are allowed to make calls without entering a password. You can differentiate here by SAP system ID (SAPSID), client, and calling transaction. The logon data of a user can then be verified using the function module AUTHORITY_CHECK_TRUSTED_SYSTEM.<\/p>\n

In contrast to standard RFC connections, trusted RFC connections are not created directly in transaction SM59, but instead are tested and maintained using transaction SMT1. When you create a connection to a trusting system, all the necessary information \u2013 like the name of the application server and the security key \u2013 is provided automatically. Transaction SMT2 enables you to display the trusting systems.<\/p>\n

What you need to watch out for when using trusted RFC connections<\/strong><\/h2>\n
    \n
  • You should only use trusted system relationships after a thorough analysis and risk assessment.<\/li>\n
  • When a Solution Manager is integrated with SAP systems, trusted RFC connections are used as the standard, due to performance reasons. You should check whether this connection type should be replaced with a standard RFC connection, with system user and password, particularly for systems with enterprise-critical data.<\/li>\n
  • Make sure that the authorization object S_RFCACL does not have any values with \u201c*\u201d.<\/li>\n
  • The following applies for RFC connections to trusting RFC systems: Do not save any user information, otherwise the trusting system will no longer be able to differentiate between calling users.<\/li>\n
  • RFC connections should only use technical users or system users that have the authorizations required for this specific purpose \u2013 and only these authorizations.<\/li>\n
  • Do not use trusted connections from systems with low classification levels to systems with higher classification levels.<\/li>\n<\/ul>\n

    How you can guarantee secure RFC communication<\/strong><\/h2>\n
      \n
    • If RFC access is made through a trusted system relationship, make sure that the authorization object S_RFCACL has precisely defined which user in the target system is authorized to perform function calls without specifying the password.<\/li>\n
    • To increase RFC security even more, we recommend checking your SAP Gateway and hardening it, particularly the ACL files secinfo, reginfo, and prxyinfo. For more information, refer to our blog https:\/\/sast-solutions.com\/blog-en\/2019\/02\/01\/step-by-step-secure-sap-gateway\/<\/a><\/li>\n
    • We also recommend using Secure Network Communications (SNC) to protect data communication via RFC protocol.<\/li>\n<\/ul>\n

      In closing, here\u2019s one more technology tip for you to think about:<\/p>\n

      The tables RFCDES, RFCTRUST, and RFCSYSACL are used for logging by default. If table logging is activated through the system parameter rec\/client=1, you can use the report RSTBHIST or RSVTPROT (or transaction SCU3) to track the changes that have been made to the settings for trusted relationships.<\/p>\n

      If you need more information about using trusted system relationships or would like to have support in securing your trusted RFC connections, visit our website<\/a> or e-mail us<\/a>.<\/p>\n

      \"Matthias
      \nMatthias Anst\u00f6tz (SAP Security Consultant, SAST SOLUTIONS)<\/strong><\/p>\n

       <\/p>\n

      More information on the topic:<\/h2>\n

      RFC Interfaces in SAP Landscapes: An Overview<\/a><\/p><\/blockquote>\n