Trusted RFC not working for different user, working for same user

Sudip1
Participant
0 Kudos

Dear All,

I have two SAP systems - one Solman (7.0) and another ECC 6.0 (SR3) on HPUX box with Oracle DB (Unicode).

I want to establish a Trust relationship between these systems.

I have configured the same, as per the following link:

http://help.sap.com/saphelp_nw04/helpdata/en/8b/0010519daef443ab06d38d7ade26f4/content.htm

and note 128447.

My requirement is: one user X in Solman client 001 will execute some test plan (Tcode stwb_2) which will take the control to ECC 6.0 client 200, execute the tcode as user Y and come back in Solman again.

The user X (SAP_ALL) exists in Solman - client 001 and user Y (SAP_ALL) exists in ECC 6.0 - client 200.

In ECC 6.0 client 200, I have created a role ZRFCACL with the following and assigned to the user Y (as per the above help / note):

Role : ZRFCACL

Auth. Obj: S_RFCACL

Value assigned to fields are:

RFC_SYSID : SOL

RFC_CLIENT: 001

RFC_USER : X

RFC_EQUSER: N

RFC_TCODE : *

RFC_INFO : *

ACTVT : 16

Whenever the user X is trying to execute the test from Solman, he is getting the error: "No authorization to log on as trusted system (RC = 0)"

Each time the user is trying the above, in ECC 6.0, the following dump is occurring:

CALL_FUNCTION_SINGLE_LOGIN_REJ under username SAPSYS

I have assigned the role ZRFCACL to user X in Solman also.

Next, I have performed the following check:

Created one user M in both systems

Created the role ZRFCACL2 in ECC 6.0 client 200 as follows and assigned the role to user M:

Role : ZRFCACL2

Auth. Obj: S_RFCACL

Value assigned to fields are:

RFC_SYSID : SOL

RFC_CLIENT: 001

RFC_USER : ''

RFC_EQUSER: Y

RFC_TCODE : *

RFC_INFO : *

ACTVT : 16

Assigned SAP_ALL to user M in both systems (so the user M in Solman does not have ZRFCACL2).

This time, the trust relationship worked and no dump got generated.

I have also checked the thread

but unable to resolve the issue.

Any suggestion where the things are going wrong in this / what else I need to check or this is not possible at all?

Thanks in advance for your help.

Sudip

Accepted Solutions (0)

Answers (4)

0 Kudos

This link has the real way to setup trust relationships. I followed SAP's help but it was not accurate enough, so I post it hoping to help all those lost in the intricacies of trust relationships.

Best regards,

http://wiki.sdn.sap.com/wiki/display/ABAPConn/Setting+Up+a+Trusted+Relationship+between+two+SAP+ABAP... 

Sudip1
Participant
0 Kudos

I have created the same user (userid) in both systems to get rid of this issue.

Thanks

Former Member
0 Kudos

Sudip,

It looks like you need 2 objects in your ZRFCACL roles

1. S_RFCACL (Which you have)

2. S_RFC

SAP_ALL does not include these two.

Regards,

Saire

Former Member
0 Kudos

Tip: don't use DDIC or SAP* for testing. These won't work whatever you do.

http://help.sap.com/saphelp_nw04/helpdata/EN/22/042671488911d189490000e829fbbd/content.htm

Former Member
0 Kudos

Hi,

Check the latest security guide

https://websmp102.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000718044&_SCENARIO=011000358700000002...

SM_SECURITY_SPS22 Page 65

Rg,

Karthik

Edited by: HemaKarthik on Mar 1, 2010 3:50 PM

Valdecir
Product and Topic Expert
0 Kudos

Hi Sudip,

The dump shows that you have no trust issues. The error occurs during the logon step.

I've read your description again and I think you missed some steps in the online help:

===================================================

If you want to create a suitable authorization for different clients and users, note that you have to enter the caller data (caller client and caller user) of the caller system (in our example from system C00) into the S_RFCACL fields RFC_CLIENT and RFC_USER. For example, if user U_1 under client M_1 in caller system C00 wants to work as user U_2 with client M_2 in the called system S00 under a trusted relationship, then the user (U_2, M_2) in the system S00 must have authorization ZRFCACL_XXX, which has the following settings:

RFC_SYSID : C00

RFC_CLIENT: M_1

RFC_USER : U_1

RFC_EQUSER: N (for NO)

RFC_TCODE : *

RFC_INFO : *

ACTVT : 16

The following steps describe how you can enter the above settings for server system S00:

SU03 + double-click the entry "AAAB" "Cross-Application Authorization Objects" and then choose "Authorization check for RFC user (ex. trusted system)" as the object class, then double-click the authorization object S_RFCACL and create Z_RFCACL_XXX.

After this, make sure you activate your settings.

===================================================

Please create the new authorization as recommended in the help (the excerpt above is not complete...). This will help you go through this issue.

Regards,

Valdecir

Sudip1
Participant
0 Kudos

Hi Valdecir,

Thanks for the reply.

Actually, I thought that instead of creating the auth. profile, let us create a role with S_RFCACL with the same values. That's why I tried with role zrfcacl and zrfcacl2.

Now I have done the following:

Created two auth. profiles using SU03 and using S_RFCACL object: ZRFCACL_SOL & ZRFCACL_SOL2 as follows:

ZRFCACL_SOL:

RFC_SYSID : SOL

RFC_CLIENT: 001

RFC_USER : ''

RFC_EQUSER: Y

RFC_TCODE : *

RFC_INFO : *

ACTVT : 16

ZRFCACL_SOL2:

RFC_SYSID : SOL

RFC_CLIENT: 001

RFC_USER : X (X is the user in solman and Y in ECC)

RFC_EQUSER: N

RFC_TCODE : *

RFC_INFO : *

ACTVT : 16

Then created two profiles using SU02 and using object S_RFCACL and the above created authorizations. I named the profiles ZRFCACLSOL and ZRFCACLSOL2 respectively.

Then I added these two profiles to user M (ZRFCACLSOL - equal user) and X (ZRFCACLSOL2 - non equal user) in Txn SU01. Also, I removed the roles (that I created with S_RFCACL) from the users.

Then I tried again. With M it is a success and with X it's a failure. The same dump occurred in ECC.

Please tell me what next to check?

Thanks & Regards

Sudip

Sudip1
Participant
0 Kudos

Dear All,

Any suggestion please.

Thanks & Regards

Sudip

Former Member
0 Kudos

Hi gurus,

I have the same problem. Trusted RFC not working for different user, when applying the SAP Note 128447.

Please, can you give me any suggestion for this problem?

Thanks

Sergio.

Former Member
0 Kudos

Hello Sudip,

First of all, there is no need to provide any user for a Trusted RFC Connection. If you want to create a Trusted RFC Connection, there is another mechanism using SMT1 TCode. Please go through the following.

Well, there is a concept called trusting system and trusted system. The source system will be the Trusted system and the destination will be the Trusting system.

For example, if you are creating a Trusted RFC connection from PRD to DEV, which doesn't require a user name and password, PRD will become the Trusted system and DEV will become the Trusting system.

Perform the following steps to recreate the Trusted RFC connection between the systems.

On the Trusting System

1. Create the Trusted RFC connection in sm59

a. RFC destination = <trustedSID>TRUSTED

b. Connection Type = 3

c. Description = SID Trusted System

d. Click save

e. Target host = <hostname of trusted system>

f. Enter System #

g. Click save

2. Create the Trusted System

a. smt1

b. Click create

c. Enter the name of the rfc connection created in step 1

d. Enter the client, userid, and password information

On the Trusted system

1. Create an RFC connection (sm59 create)

2. RFC Destination = <trustingSID>CLNT<trustingclient#> ex. CKDCLNT500

3. Connection type = 3

4. Description = <trustingSID> Client <trustingclient#>

5. Save

6. Enter Target Host and System Number information

7. Click Logon Security Tab

8. Trusted system= yes

9. Enter language and client information

10. Check the current user option

11. Save

I hope this is helpful.

Regards,

Satish

Sudip1
Participant
0 Kudos

Dear Satish,

Thanks for the reply.

Please check my post - I have already created the trust relationship using the help.sap.com link, that's why I have not mentioned it separately. I am able to use the trusted RFC if I use the same user for both systems.

The process you have described is a repetition of the process described in the SAP help link.

My issue is that the RFC is not working if there are different users in both systems, though I have configured it as per the documentation.

Any suggestion in this regard will be really helpful.

Thanks

Sudip

Valdecir
Product and Topic Expert
0 Kudos

Hi Sudip,

Please tell me what is described in the dump generated in the target system when this error occurs.

Generally, you have in the ST22 dump more detailed information on the cause.

Regards.

Valdecir

Sudip1
Participant
0 Kudos

Hi Valdecir,

Thanks for the reply. I am providing the detail of the generated dump below:

Please check in case any clue is there.

Runtime Errors CALL_FUNCTION_SINGLE_LOGIN_REJ

Date and Time 12.08.2008 18:59:32

Short text

No authorization to logon as trusted system (Trusted RC=0).

What happened?

Error in the ABAP Application Program

The current ABAP program "SAPMSSY1" had to be terminated because it has come across a statement that unfortunately cannot be executed.

What can you do?

Note down which actions and inputs caused the error.

To process the problem further, contact you SAP system administrator.

Using Transaction ST22 for ABAP Dump Analysis, you can look at and manage termination messages, and you can also keep them for a long time.

Error analysis

An RFC call (Remote Function Call) was sent with the invalid user ID "98819 ". Or the calling system is not registered as trusted system in the target system.

How to correct the error

The error code of the trusted system was 0.

Meaning:

0 Correct logon as trusted system mode

1 No trusted system entry for the calling system "SOL " or the security key entry for the system "SOL " is invalid

2 User "98819 " does not have RFC authorization (authorization object (S_RFCACL) for user "98819 " witl client 001.

3 The timestamp of the logon data is invalid

The error code of the SAP logon procedure was 1.

Meaning:

0 Login was correct

1 Wrong password or invalid user ID

2 Locked user

3 Too many attempted logons

5 Error in the authorization buffer (internal error)

6 No external user check

7 Invalid user type


System environment

SAP-Release 700

Application server... "gcbeccd"

Network address...... "10.10.4.158"

Operating system..... "HP-UX"

Release.............. "B.11.23"

Hardware type........ "ia64"

Character length.... 16 Bits

Pointer length....... 64 Bits

Work process number.. 1

Shortdump setting.... "full"

Database server... "gcbeccd"

Database type..... "ORACLE"

Database name..... "RD3"

Database user ID.. "SAPSR3"

Char.set.... "C"

SAP kernel....... 700

created (date)... "Apr 5 2008 00:55:24"

create on........ "HP-UX B.11.23 U ia64"

Database version. "OCI_102 (10.2.0.1.0) "

Patch level. 146

Patch text.. " "

Database............. "ORACLE 9.2.0.., ORACLE 10.1.0.., ORACLE 10.2.0.."

SAP database version. 700

Operating system..... "HP-UX B.11"

Memory consumption

Roll.... 16192

EM...... 4189840

Heap.... 0

Page.... 0

MM Used. 1194640

MM Free. 2992576

User and Transaction

Client.............. 000

User................ "SAPSYS"

Language Key........ "E"

Transaction......... " "

Transactions ID..... "489F2BD6C36D0F12E10000000A0A049E"

Program............. "SAPMSSY1"

Screen.............. "SAPMSSY1 3004"

Screen Line......... 2

Information on caller of Remote Function Call (RFC):

System.............. "SOL"

Database Release.... 700

Kernel Release...... 700

Connection Type..... 3 (2=R/2, 3=ABAP System, E=Ext., R=Reg. Ext.)

Call Type........... "synchron and non-transactional (emode 0, imode 0)"

Inbound TID.........." "

Inbound Queue Name..." "

Outbound TID........." "

Outbound Queue Name.." "

Client.............. 001

User................ 98819

Transaction......... "SMSY"

Call Program........."SAPLSRTT"

Function Module..... "SCCR_GET_RELEASE_NR"

Call Destination.... "SM_RD3CLNT200_TRUSTED"

Source Server....... "gcbsolm_SOL_00"

Source IP Address... "10.10.4.206"

Additional information on RFC logon:

Trusted Relationship "X"

Logon Return Code... 1

Trusted Return Code. 0

Note: For releases < 4.0, information on the RFC caller are often only partially available.

Information on where terminated

Termination occurred in the ABAP program "SAPMSSY1" - in "REMOTE_FUNCTION_CALL".

The main program was "SAPMSSY1 ".

In the source code you have the termination point in line 67 of the (Include) program "SAPMSSY1".


Source Code Extract

Line  SourceCde

37    endmodule.
38
39    module %_rfcdia_call output.
40      "Do not display screen !
41      call 'DY_INVISIBLE_SCREEN'.
42      perform remote_function_diacall.
43    endmodule.
44
45    module %_cpic_start.
46      if sy-xprog(4) = '%RFC'.
47        perform remote_function_call using rfctype_external_cpic.
48      else.
49        call 'APPC_HD' id 'HEADER' field header id 'CONVID' field convid.
50        perform cpic_call using convid.
51      endif.
52    endmodule.
53
54
55    form cpic_call using convid type c.
56      communication send id convid buffer header.
57      if sy-subrc eq 0.
58        perform (sy-xform) in program (sy-xprog).
59      else.
60        message a800.
61      endif.
62    endform.
63
64    form remote_function_call using value(type).
65      data rc type i value 0.
66      do.
>>>>>     call 'RfcImport' id 'Type' field type.
68        if sy-xprog = 'JAVA'.
69          system-call plugin
70            id 'JAVA' value 'FORW_JAVA'
71            id 'RC' value rc.
72    * if there is no rollout on the JAVA side which
73    * rolls both, JAVA and ABAP, we return to the
74    * C-Stack and reach this point
75
76    * in case there was an rollout, the ABAP-C stack is lost
77    * and we jump direkt to this point
78
79    * here we trigger the rollout on this Abap side with
80    * the following statement
81          system-call plugin
82            id 'JAVA' value 'ROLL_OUT'
83            id 'RC' value rc.
84        else.
85          perform (sy-xform) in program (sy-xprog).
86          rsyn >scont sysc 00011111 0.


Internal notes

The termination was triggered in function "ab_xsignon" of the SAP kernel, in line 2491 of the module "//bas/700_REL/src/krn/rfc/absignon.c#9".

The internal operation just processed is "CALY".

Internal mode was started at 20080812185932.

Calling system.....: "SOL "

Caller.............: "98819 "

Calling client.....: 001

RFC user ID........: "98819 "

RFC client.........: 200

Trusted return code: 0

Logon return code..: 1

Transaction code...: "SMSY "

Active state.......: "-782823270"

Note: At releases < 4.0, the information for the caller is not available.


Thanks & Regards

Sudip
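
The two return codes and the caller fields in the dump above can be read mechanically. The following Python sketch is an added example, not part of any post and not SAP code: it parses the "Internal notes" lines quoted in the dump and interprets them with the return-code tables the dump itself prints. The function names are hypothetical, and the sample text is copied from the values posted in this thread.

```python
import re

# Return-code tables as printed in the dump's "How to correct the error" section.
TRUSTED_RC = {0: "Correct logon as trusted system mode",
              1: "No trusted system entry for the calling system, or invalid security key",
              2: "User does not have RFC authorization (S_RFCACL)",
              3: "The timestamp of the logon data is invalid"}
LOGON_RC = {0: "Login was correct", 1: "Wrong password or invalid user ID",
            2: "Locked user", 3: "Too many attempted logons",
            5: "Error in the authorization buffer (internal error)",
            6: "No external user check", 7: "Invalid user type"}

# Labels of the "Internal notes" lines in the dump, mapped to result keys.
LABELS = {"Calling system": "calling_system", "Caller": "caller",
          "Calling client": "calling_client", "RFC user ID": "rfc_user",
          "RFC client": "rfc_client", "Trusted return code": "trusted_rc",
          "Logon return code": "logon_rc"}

# Excerpt of the dump posted in this thread (values copied from the page).
SAMPLE = '''\
Calling system.....: "SOL "
Caller.............: "98819 "
Calling client.....: 001
RFC user ID........: "98819 "
RFC client.........: 200
Trusted return code: 0
Logon return code..: 1
'''

def parse_internal_notes(text):
    """Extract the labelled fields; quotes and padding blanks are stripped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z ]+?)\.*:\s*(.*)$', line)
        if m and m.group(1) in LABELS:
            fields[LABELS[m.group(1)]] = m.group(2).strip().strip('"').strip()
    return fields

def triage(text):
    """Say which stage rejected the call: trust check, logon, or neither."""
    f = parse_internal_notes(text)
    missing = set(LABELS.values()) - set(f)
    if missing:
        raise ValueError(f"dump excerpt lacks fields: {sorted(missing)}")
    trc, lrc = int(f["trusted_rc"]), int(f["logon_rc"])
    stage = "trust" if trc != 0 else "logon" if lrc != 0 else "none"
    notes = [f"trusted rc {trc}: {TRUSTED_RC.get(trc, 'not listed in the dump')}",
             f"logon rc {lrc}: {LOGON_RC.get(lrc, 'not listed in the dump')}"]
    same_id = f["caller"] == f["rfc_user"]  # target logon requested under caller's ID
    if stage == "logon" and lrc == 1:
        notes.append(f"logon was attempted as user {f['rfc_user']} in client "
                     f"{f['rfc_client']} of the called system; check that ID there")
    return {"stage": stage, "same_user_id": same_id, "fields": f, "notes": notes}

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("rejected at:", result["stage"], "| caller ID reused:", result["same_user_id"])
    for note in result["notes"]:
        print(" -", note)
```
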