on 08-12-2008 11:06 AM
Dear All,
I have two SAP systems - one Solman (7.0) and another ECC 6.0 (SR3) on HPUX box with Oracle DB (Unicode).
I want to establish a trust relationship between these systems.
I have configured the same, as per the following link:
http://help.sap.com/saphelp_nw04/helpdata/en/8b/0010519daef443ab06d38d7ade26f4/content.htm
and note 128447.
My requirement is one user X in solman client 001,
will execute some test plan (Tcode stwb_2) which will take the control to ECC 6.0 client 200, execute the tcode as user Y and come back in Solman again.
The user X (SAP_ALL) exists in Solman - client 001 and user Y (SAP_ALL) exists in ECC 6.0 - client 200.
In ECC 6.0 client 200, I have created a role ZRFCACL with the following and assigned to the user Y (as per the above help / note):
Role : ZRFCACL
Auth. Obj: S_RFCACL
Value assigned to fields are:
RFC_SYSID : SOL
RFC_CLIENT: 001
RFC_USER : X
RFC_EQUSER: N
RFC_TCODE : *
RFC_INFO : *
ACTVT : 16
Whenever the user X is trying to execute the test from solman, he is getting the error : "No authorization to log on as trusted system (RC = 0)"
Each time the user is trying the above, in ECC 6.0, the following dump is occurring:
CALL_FUNCTION_SINGLE_LOGIN_REJ under username SAPSYS
I have assigned the role ZRFCACL to user X in Solman also.
Next, I have performed the following check:
created one user M in both system
created the role ZRFCACL2 in ECC 6.0 client 200 as follows and assigned the role to user M:
Role : ZRFCACL2
Auth. Obj: S_RFCACL
Value assigned to fields are:
RFC_SYSID : SOL
RFC_CLIENT: 001
RFC_USER : ''
RFC_EQUSER: Y
RFC_TCODE : *
RFC_INFO : *
ACTVT : 16
Assigned SAP_ALL to user M in both systems (so the user M in Solman does not have ZRFCACL2).
This time, the trust relationship worked and no dump got generated.
I have also checked the thread
but unable to resolve the issue.
Any suggestion where the things are going wrong in this / what else I need to check or this is not possible at all?
Thanks in advance for your help.
Sudip
This link has the real way to setup trust relationships. I followed SAP's help but it was not accurate enough, so I post it hoping to help all those lost in the intricacies of trust relationships.
Best regards,
I have created same user (userid) in both the system to get rid of this issue.
Thanks
Tip : don't use DDIC or SAP* for testing. These won't work whatever you do.
http://help.sap.com/saphelp_nw04/helpdata/EN/22/042671488911d189490000e829fbbd/content.htm
Hi,
Check the latest security guide
SM_SECURITY_SPS22 Page 65
Rg,
Karthik
Edited by: HemaKarthik on Mar 1, 2010 3:50 PM
Hi Sudip,
The dump shows that you have no trust issues. The error occurs during the logon step.
I've read your description again and I think you missed some steps in the online help:
===================================================
If you want to create a suitable authorization for different
clients and users, note that you have to enter the caller data (caller client and caller user) of the caller system (in our example from system C00) into the S_RFCACL fields RFC_CLIENT and RFC_USER. For example, if user U_1 under client M_1 in caller system C00 wants to work as user U_2 with client M_2 in the called system S00 under a trusted relationship, then the user (U_2, M_2) in the system S00 must have authorization ZRFCACL_XXX, which has the following settings:
RFC_SYSID : C00
RFC_CLIENT: M_1
RFC_USER : U_1
RFC_EQUSER: N (for NO)
RFC_TCODE : *
RFC_INFO : *
ACTVT : 16
The following steps describe how you can enter the above settings for server system S00:
SU03 + double-click the entry "AAAB" "Cross-Application Authorization Objects" and then choose "Authorization check for RFC user (ex. trusted system)" as the object class, then double-click the authorization object S_RFCACL and create Z_RFCACL_XXX.
After this, make sure you activate your settings.
===================================================
Please create the new authorization as recommended in the help (the excerpt above is not complete...). This will help you go through this issue.
Regards,
Valdecir
Hi Valdecir,
Thanks for the reply.
Actually, I thought that instead of creating the auth. profile, let us create a role with S_RFCACL with the same values. That's why I tried with roles zrfcacl and zrfcacl2.
Now I have done the following:
Created two auth. profile using SU03 and using S_RFCACL object : ZRFCACL_SOL & ZRFCACL_SOL2 as follows:
ZRFCACL_SOL:
RFC_SYSID : SOL
RFC_CLIENT: 001
RFC_USER : ''
RFC_EQUSER: Y
RFC_TCODE : *
RFC_INFO : *
ACTVT : 16
ZRFCACL_SOL2:
RFC_SYSID : SOL
RFC_CLIENT: 001
RFC_USER : X (X is the user in solman and Y in ECC)
RFC_EQUSER: N
RFC_TCODE : *
RFC_INFO : *
ACTVT : 16
Then created two profile using SU02 and using object S_RFCACL and above created authorizations. I named the profiles as ZRFCACLSOL and ZRFCACLSOL2 respectively.
Then I added these two profiles to user M (ZRFCACLSOL - equal user) and X (ZRFCACLSOL2 - non equal user) in Txn SU01. Also, I removed the roles (that I created with S_RFCACL) from the users.
Then I tried again. With M it is a success and with X it is a failure. The same dump occurred in ECC.
Please tell me what next to check?
Thanks & Regards
Sudip
Hello Sudip,
First of all, There is no need to provide any User for a Trusted RFC Connection. If you want to create a Trusted RFC Connection, there is another mechanism using SMT1 TCode. Please go through the following.
Well, there is a concept called trusting system and trusted system. The source system will be the Trusted system and the destination will be the Trusting system.
For example, if you are creating a Trusted RFC connection from PRD to DEV, which doesn't require a user name and password, PRD will become the Trusted system and DEV will become the Trusting system.
Performing the following steps to recreate the Trusted RFC connection between the system.
On the Trusting System
1.Create the Trusted RFC connection in sm59
a. RFC destination = <trustedSID>TRUSTED
b. Connection Type = 3
c. Description = SID Trusted System
d. Click save
e. Target host= <hostname of trusted system>
f. Enter System #
g. Click save
2. Create the Trusted System
a. smt1
b. Click create
c. Enter the name of the rfc connection created in step 1
d. Enter the client, userid, and password information
On the Trusted system
1. Create an RFC connection (sm59 create)
2. RFC Destination = <trustingSID>CLNT<trustingclient#> ex. CKDCLNT500
3. Connection type = 3
4. Description = <trustingSID> Client <trustingclient#>
5. Save
6. Enter Target Host and System Number information
7. Click Logon Security Tab
8. Trusted system= yes
9. Enter language and client information
10. Check the current user option
11. Save
I hope this is helpful.
Regards,
Satish
Dear Satish,
Thanks for the reply.
Please check my post - I have already created the trust relationship using the help.sap.com link, that's why I have not mentioned it separately. I am able to use the trusted RFC if I use the same user for both systems.
The process you have described is a repetition of the process described in the SAP help link.
My issue is the RFC is not working if there are different users in both system though I have configured as per the documentation.
Any suggestion in this regard will be really helpful.
Thanks
Sudip
Hi Valdecir,
Thanks for the reply. I am providing the detail of the generated dump below:
Please check in case any clue is there.
Runtime Errors CALL_FUNCTION_SINGLE_LOGIN_REJ
Date and Time 12.08.2008 18:59:32
-
-
Short text |
No authorization to logon as trusted system (Trusted RC=0). |
-
-
What happened? |
Error in the ABAP Application Program |
The current ABAP program "SAPMSSY1" had to be terminated because it has |
come across a statement that unfortunately cannot be executed. |
-
-
What can you do? |
Note down which actions and inputs caused the error. |
To process the problem further, contact you SAP system |
administrator. |
Using Transaction ST22 for ABAP Dump Analysis, you can look |
at and manage termination messages, and you can also |
keep them for a long time. |
-
-
Error analysis |
An RFC call (Remote Function Call) was sent with the invalid user ID "98819 " |
. Or the calling system is not registered as trusted system in the |
target system. |
-
-
How to correct the error |
The error code of the trusted system was 0. |
Meaning: |
0 Correct logon as trusted system mode |
1 No trusted system entry for the calling system "SOL " or the |
security key entry for the system "SOL " is invalid |
2 User "98819 " does not have RFC authorization (authorization object |
(S_RFCACL) for user "98819 " witl client 001. |
3 The timestamp of the logon data is invalid |
The error code of the SAP logon procedure was 1. |
Meaning: |
0 Login was correct |
1 Wrong password or invalid user ID |
2 Locked user |
3 Too many attempted logons |
5 Error in the authorization buffer (internal error) |
6 No external user check |
7 Invalid user type |
-
-
System environment |
SAP-Release 700 |
Application server... "gcbeccd" |
Network address...... "10.10.4.158" |
Operating system..... "HP-UX" |
Release.............. "B.11.23" |
Hardware type........ "ia64" |
Character length.... 16 Bits |
Pointer length....... 64 Bits |
Work process number.. 1 |
Shortdump setting.... "full" |
Database server... "gcbeccd" |
Database type..... "ORACLE" |
Database name..... "RD3" |
Database user ID.. "SAPSR3" |
Char.set.... "C" |
SAP kernel....... 700 |
created (date)... "Apr 5 2008 00:55:24" |
create on........ "HP-UX B.11.23 U ia64" |
Database version. "OCI_102 (10.2.0.1.0) " |
Patch level. 146 |
Patch text.. " " |
Database............. "ORACLE 9.2.0.., ORACLE 10.1.0.., ORACLE 10.2.0.." |
SAP database version. 700 |
Operating system..... "HP-UX B.11" |
Memory consumption |
Roll.... 16192 |
EM...... 4189840 |
Heap.... 0 |
Page.... 0 |
MM Used. 1194640 |
MM Free. 2992576 |
-
-
User and Transaction |
Client.............. 000 |
User................ "SAPSYS" |
Language Key........ "E" |
Transaction......... " " |
Transactions ID..... "489F2BD6C36D0F12E10000000A0A049E" |
Program............. "SAPMSSY1" |
Screen.............. "SAPMSSY1 3004" |
Screen Line......... 2 |
Information on caller of Remote Function Call (RFC): |
System.............. "SOL" |
Database Release.... 700 |
Kernel Release...... 700 |
Connection Type..... 3 (2=R/2, 3=ABAP System, E=Ext., R=Reg. Ext.) |
Call Type........... "synchron and non-transactional (emode 0, imode 0)" |
Inbound TID.........." " |
Inbound Queue Name..." " |
Outbound TID........." " |
Outbound Queue Name.." " |
Client.............. 001 |
User................ 98819 |
Transaction......... "SMSY" |
Call Program........."SAPLSRTT" |
Function Module..... "SCCR_GET_RELEASE_NR" |
Call Destination.... "SM_RD3CLNT200_TRUSTED" |
Source Server....... "gcbsolm_SOL_00" |
Source IP Address... "10.10.4.206" |
Additional information on RFC logon: |
Trusted Relationship "X" |
Logon Return Code... 1 |
Trusted Return Code. 0 |
Note: For releases < 4.0, information on the RFC caller are often |
only partially available. |
-
-
Information on where terminated |
Termination occurred in the ABAP program "SAPMSSY1" - in |
"REMOTE_FUNCTION_CALL". |
The main program was "SAPMSSY1 ". |
In the source code you have the termination point in line 67 |
of the (Include) program "SAPMSSY1". |
-
-
Source Code Extract |
-
Line | SourceCde |
-
37 | endmodule. |
38 | |
39 | module %_rfcdia_call output. |
40 | "Do not display screen ! |
41 | call 'DY_INVISIBLE_SCREEN'. |
42 | perform remote_function_diacall. |
43 | endmodule. |
44 | |
45 | module %_cpic_start. |
46 | if sy-xprog(4) = '%RFC'. |
47 | perform remote_function_call using rfctype_external_cpic. |
48 | else. |
49 | call 'APPC_HD' id 'HEADER' field header id 'CONVID' field convid. |
50 | perform cpic_call using convid. |
51 | endif. |
52 | endmodule. |
53 | |
54 | |
55 | form cpic_call using convid type c. |
56 | communication send id convid buffer header. |
57 | if sy-subrc eq 0. |
58 | perform (sy-xform) in program (sy-xprog). |
59 | else. |
60 | message a800. |
61 | endif. |
62 | endform. |
63 | |
64 | form remote_function_call using value(type). |
65 | data rc type i value 0. |
66 | do. |
>>>>> | call 'RfcImport' id 'Type' field type. |
68 | if sy-xprog = 'JAVA'. |
69 | system-call plugin |
70 | id 'JAVA' value 'FORW_JAVA' |
71 | id 'RC' value rc. |
72 |
|
73 |
|
74 |
|
75 | |
76 |
|
77 |
|
78 | |
79 |
|
80 |
|
81 | system-call plugin |
82 | id 'JAVA' value 'ROLL_OUT' |
83 | id 'RC' value rc. |
84 | else. |
85 | perform (sy-xform) in program (sy-xprog). |
86 | rsyn >scont sysc 00011111 0. |
-
-
Contents of system fields |
-
Name | Val. |
-
SY-SUBRC | 0 |
SY-INDEX | 1 |
SY-TABIX | 0 |
SY-DBCNT | 1 |
SY-FDPOS | 0 |
SY-LSIND | 0 |
SY-PAGNO | 0 |
SY-LINNO | 1 |
SY-COLNO | 1 |
SY-PFKEY | |
SY-UCOMM | |
SY-TITLE | CPIC and RFC Control |
SY-MSGTY | |
SY-MSGID | |
SY-MSGNO | 000 |
SY-MSGV1 | |
SY-MSGV2 | |
SY-MSGV3 | |
SY-MSGV4 | |
SY-MODNO | 0 |
SY-DATUM | 20080812 |
SY-UZEIT | 185932 |
SY-XPROG | SAPRFCSL |
SY-XFORM | READ_SINGLE_LOGIN_DATA |
-
-
Active Calls/Events |
-
No. Ty. Program Include Line |
Name |
-
2 FORM SAPMSSY1 SAPMSSY1 67 |
REMOTE_FUNCTION_CALL |
1 MODULE (PBO) SAPMSSY1 SAPMSSY1 30 |
%_RFC_START |
-
-
Internal notes |
The termination was triggered in function "ab_xsignon" |
of the SAP kernel, in line 2491 of the module |
"//bas/700_REL/src/krn/rfc/absignon.c#9". |
The internal operation just processed is "CALY". |
Internal mode was started at 20080812185932. |
Calling system.....: "SOL " |
Caller.............: "98819 " |
Calling client.....: 001 |
RFC user ID........: "98819 " |
RFC client.........: 200 |
Trusted return code: 0 |
Logon return code..: 1 |
Transaction code...: "SMSY " |
Active state.......: "-782823270" |
Note: At releases < 4.0, the information for the caller is not |
available. |
-
-
Active Calls in SAP Kernel |
-
Lines of C Stack in Kernel (Structure Differs on Each Platform) |
-
(0) 0x4000000003b2b450 CTrcStack + 0x1b0 at dptstack.c:227 [dw.sapRD3_DVEBMGS00] |
(1) 0x4000000004d2c470 Z16rabaxCStackSavev + 0x1d0 [dw.sapRD3_DVEBMGS00] |
(2) 0x4000000004d32160 ab_rabax + 0x3570 [dw.sapRD3_DVEBMGS00] |
(3) 0x4000000002b43cb0 SignOnDumpInfo + 0x280 at absignon.c:2491 [dw.sapRD3_DVEBMGS00] |
(4) 0x4000000002b3f2f0 ab_xsignon + 0xb30 at absignon.c:876 [dw.sapRD3_DVEBMGS00] |
(5) 0x4000000002aa4cb0 ab_rfcimport + 0x1ad0 at abrfcfun.c:3599 [dw.sapRD3_DVEBMGS00] |
(6) 0x40000000040f4a80 Z8abjcalyv + 0x500 [dw.sapRD3_DVEBMGS00] |
(7) 0x400000000402f190 Z8abextriv + 0x440 [dw.sapRD3_DVEBMGS00] |
(8) 0x4000000003f538b0 Z9abxeventPKt + 0xb0 at abrunt1.c:281 [dw.sapRD3_DVEBMGS00] |
(9) 0x4000000003f360a0 ab_dstep + 0x280 [dw.sapRD3_DVEBMGS00] |
(10) 0x4000000001cb4600 dynpmcal + 0x900 at dymainstp.c:2399 [dw.sapRD3_DVEBMGS00] |
(11) 0x4000000001cab0e0 dynppbo0 + 0x280 at dymainstp.c:540 [dw.sapRD3_DVEBMGS00] |
(12) 0x4000000001cb1ec0 dynprctl + 0x340 at dymainstp.c:358 [dw.sapRD3_DVEBMGS00] |
(13) 0x4000000001c9dff0 dynpen00 + 0xac0 at dymain.c:1628 [dw.sapRD3_DVEBMGS00] |
(14) 0x4000000001fea460 Thdynpen00 + 0x510 at thxxhead.c:4830 [dw.sapRD3_DVEBMGS00] |
(15) 0x4000000001fb4de0 TskhLoop + 0x4e20 at thxxhead.c:4518 [dw.sapRD3_DVEBMGS00] |
(16) 0x4000000001faae40 ThStart + 0x460 at thxxhead.c:1164 [dw.sapRD3_DVEBMGS00] |
(17) 0x4000000001569ec0 DpMain + 0x5f0 at dpxxdisp.c:1088 [dw.sapRD3_DVEBMGS00] |
(18) 0x4000000002c10630 nlsui_main + 0x30 [dw.sapRD3_DVEBMGS00] |
(19) 0x4000000002c105c0 main + 0x60 [dw.sapRD3_DVEBMGS00] |
(20) 0xc00000000002be30 main_opd_entry + 0x50 [/usr/lib/hpux64/dld.so] |
-
-
List of ABAP programs affected |
-
Index | Typ | Program | Group | Date | Time | Size | Lang. |
-
0 | Prg | SAPMSSY1 | 0 | 11.04.2005 | 09:27:15 | 22528 | E |
1 | Prg | SAPLSCCA | 1 | 05.07.2005 | 13:10:18 | 52224 | E |
2 | Prg | SAPRFCSL | 0 | 13.02.2005 | 17:31:45 | 17408 | E |
3 | Typ | RFCSYSACL | 0 | 13.02.2005 | 17:31:45 | 7168 | |
4 | Typ | SYST | 0 | 09.09.2004 | 14:18:12 | 31744 |
-
-
Directory of Application Tables |
-
Name Date Time Lngth |
Val. |
-
Program SAPMSSY1 |
-
SYST . . : : 00004612 |
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x0001\0\0\0 |
-
Program SAPRFCSL |
-
RFCSYSACL . . : : 00001760 |
SOL RD3 |
-
-
Thanks & Regards
Sudip
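To read a CALL_FUNCTION_SINGLE_LOGIN_REJ dump like the one above quickly, the sketch below (an added example, not part of the original thread and not SAP code) parses the "Internal notes" fields and maps the two return codes to the meanings printed in the dump itself. The function name `triage`, the `failed_stage` labels and the sample string (copied from the dump in this thread) are assumptions of this example.

```python
import re

# Return-code meanings as printed in the dump's "How to correct the error" section.
TRUSTED_RC = {0: "Correct logon as trusted system mode",
              1: "No trusted system entry for the calling system, or invalid security key",
              2: "User does not have RFC authorization (S_RFCACL)",
              3: "The timestamp of the logon data is invalid"}
LOGON_RC = {0: "Login was correct", 1: "Wrong password or invalid user ID",
            2: "Locked user", 3: "Too many attempted logons",
            5: "Error in the authorization buffer (internal error)",
            6: "No external user check", 7: "Invalid user type"}

# Labels of the "Internal notes" lines this example reads.
FIELDS = {"Calling system": "calling_system", "Caller": "caller",
          "Calling client": "calling_client", "RFC user ID": "rfc_user",
          "RFC client": "rfc_client", "Trusted return code": "trusted_rc",
          "Logon return code": "logon_rc"}

# 'Label.....: "value " |'  -> (label, value); quotes, dots and the pipe are optional.
LINE = re.compile(r'^\s*([A-Za-z /]+?)\.*:\s*"?([^"|]*?)"?\s*\|?\s*$')

def triage(dump_text):
    """Return caller/target data and the stage at which the trusted logon failed."""
    info = {}
    for line in dump_text.splitlines():
        m = LINE.match(line)
        if m and m.group(1).strip() in FIELDS:
            info[FIELDS[m.group(1).strip()]] = m.group(2).strip()
    t, l = int(info["trusted_rc"]), int(info["logon_rc"])
    info.update(trusted_rc=t, logon_rc=l,
                trusted_meaning=TRUSTED_RC.get(t, "unknown"),
                logon_meaning=LOGON_RC.get(l, "unknown"))
    if t != 0:
        info["failed_stage"] = "trusted-system check"  # trust entry, S_RFCACL or timestamp
    elif l != 0:
        info["failed_stage"] = "user logon"            # trust accepted, logon itself rejected
    else:
        info["failed_stage"] = "none"
    # True when the target system was asked to log on the caller's own user ID.
    info["same_user_id_requested"] = info["caller"] == info["rfc_user"]
    return info

# Sample: "Internal notes" lines copied from the dump posted in this thread.
SAMPLE = '''Calling system.....: "SOL " |
Caller.............: "98819 " |
Calling client.....: 001 |
RFC user ID........: "98819 " |
RFC client.........: 200 |
Trusted return code: 0 |
Logon return code..: 1 |
Transaction code...: "SMSY " |'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:24} {value}")
```

For the dump in this thread the result is trusted return code 0 and logon return code 1, with the RFC user ID equal to the calling user ID in client 200.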