Application Development Discussions
ABAP to ABAP RFC with SNC, but without passwords sent for the RFC-user

Former Member
0 Kudos

Hi gurus,

We have SNC in place between the SAPGui client server and the application servers which includes SSO for the SAPGui users. It is optional for them and works.

Environment is AIX OSs, 7.01 systems, and the library is KRB5.

Now we have also activated SNC for the RFC connections between the ABAP application servers. Some of these have SYSTEM user credentials in the connections to receive IDOCs and call some BAPIs in the target systems.

I was expecting that, once the SNC authentication between the 2 application servers for the RFC call worked, I would also be able to deactivate the password of the system user in the target client (in SU01).

Not so!

In the client server we have SNC active and QoP = 8 (which is used). In the target we have SNC0 maintained, and for the SYSTEM user we tried the canonical name it has, i.e. the one the system has; despite the systems having the same SNC identity, it is still not possible to eliminate the password.

According to [SAP Note 650347|https://service.sap.com/sap/support/notes/650347] SNC cannot be used for SSO for application server communication. There must be a "real" PC side client with access to a token or entering a password.

SNC for system to system RFC must use a password for the user despite SNC, and the SNC authentication is only supported at the system level and not connection user level.

The whole idea was actually to avoid Trusted RFC (which does eliminate the password) but it looks like we are forced to use Trusted RFC anyway.

I still have some hope that there is a way to use table USRACLEXT to map the SYSTEM user to the system's own identity, but would like to know whether anyone can spot what is not configured correctly, confirm whether it is not possible or knows about some feature or workaround?

Cheers,

Julius

1 ACCEPTED SOLUTION

mvoros
Active Contributor
0 Kudos

Hi Julius,

check the last section "User Authentication in the SAP System" in [SAP documentation|http://help.sap.com/saphelp_nw04s/helpdata/en/d9/e8a740bbaa4d8f8bee6f7b173bd99f/content.htm]. It describes the authentication mechanism for an RFC call with SNC. I'm not sure, but it seems like the first 2 steps do not require a password. Not sure about "without performing additional authentication". The other steps require a valid password. So try to figure out if you can satisfy the conditions of the first 2 steps. If not, then I don't think that you will be able to achieve your goal without Trusted RFC.

Cheers

5 REPLIES

Former Member
0 Kudos

Hi Martin,

Thanks for confirming that it looks like it is possible and one would expect it to be possible, except it did not work.

So it looks like a SAP Help vs OSS note contest...

SAP Note 650347: "...for communication between two server components, SNC cannot be used for SSO purposes."

vs

SAP Help: "1) If the SNC name from the RFC program corresponds to the SNC name in the specified user's master record in the designated client, then the SAP system accepts the RFC logon request (without performing additional authentication)."

So I will raise the bet for the SAP Help by another 10 marbles and try to map the user ID in table USRACLEXT to the system's own SNC name. According to the documentation that should also work for one uniquely mapped user ID.

Will keep you posted..

Cheers,

Julius

WolfgangJanzen
Product and Topic Expert
0 Kudos

I don't know the exact place where you have quoted from the SAP Help.

Maybe it was referring to an external RFC client; in that case there is a 50% chance that it is right.

Reason: external RFC clients could either be "user agents" (i.e. they are only used by one single user at one point of time and thus "represent" the user) or they could be "middleware / server components" (i.e. they are serving requests for multiple different users).

SNC (same as SSL) can only be used to identify the communication partners.

If the communication partner who is initiating the communication (i.e. the "client") is a middleware or server component, SNC (and SSL) cannot be used for user authentication and thus not for SSO. This is mentioned in note 1028503 (as comment), for example.

Cheers, Wolfgang

Former Member
0 Kudos

Hi Wolfgang,

Thank you for confirming.

See the link in Martin Voros's post to SAP Help.

This gives Jco as an example. Being a Java server, I assumed the same would be true for ABAP server. Actually I never questioned it before and expected there to be a way.

I guess Trusted RFC is in fact the only option then to eliminate the password of the connection user.

Thanks again!

Julius

tim_alsop
Active Contributor
0 Kudos

Our product uses SNC between Java and ABAP stacks and we don't need to pass a password in the RFC connection string. This is because JCO allows you to have more control over the connection string parameters used. The problem with ABAP to ABAP is that the configuration details entered in SM59 do not allow a target user ID to be specified without a password, unless the systems are trusted. If it was possible to change the SM59 behaviour I am sure this would be possible, and then RFC connections configured in SM59 would work without a password, and without a trusted connection. I guess SAP decided not to do this and force you to use a password, even when SNC is used to authenticate the end points (e.g. the two ABAP systems).
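As an added illustration of the decision the posts above describe (the SAP Help step Julius quoted, Wolfgang's distinction between a user agent and a server component, and Tim's observation that the receiving side does accept password-less SNC logons from JCo while an SM59 destination cannot send one), here is a small Python model of the receiving system's RFC logon check. It is not SAP code and not from this thread: the check order, the dictionary stand-ins for the SU01 SNC tab and USRACLEXT, the ANY_USER wildcard, the "p:" SNC name format and all sample identities and passwords are assumptions of the example.

```python
"""Model of how a receiving SAP system decides an SNC-protected RFC logon.

Added illustration for this thread, not SAP code.  Rule 1 is the SAP Help
step quoted above (an SNC name that matches the user master record is
accepted without further authentication); rules 2 and 3 are this example's
reading of the USRACLEXT mapping discussed in the thread.  Table layout,
check order, the "p:" name format and all sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

ANY_USER = "*"  # USRACLEXT-style wildcard: partner may log on as any user, password required

# Constructed identity of the calling ABAP system (KRB5 canonical name, "p:" prefix assumed)
ERP_IDENTITY = "p:CN=SAPServiceERP@EXAMPLE.COM"


@dataclass(frozen=True)
class RfcLogon:
    client: str              # target client, e.g. "100"
    snc_name: str            # SNC name the calling partner proved in the SNC handshake
    user: Optional[str]      # user ID sent with the logon, if any
    password: Optional[str]  # password sent with the logon, if any


@dataclass
class TargetSystem:
    user_master_snc: dict  # SU01 SNC tab stand-in: (client, user) -> SNC name
    usraclext: dict        # USRACLEXT stand-in: (client, snc_name) -> set of user IDs or {ANY_USER}
    passwords: dict        # (client, user) -> password; None means deactivated in SU01

    def _password_ok(self, client, user, password):
        stored = self.passwords.get((client, user))
        return stored is not None and password is not None and stored == password

    def authenticate(self, logon):
        """Return (accepted, effective_user, reason)."""
        # Rule 1: the named user's master record carries exactly this SNC name.
        if logon.user and self.user_master_snc.get((logon.client, logon.user)) == logon.snc_name:
            return True, logon.user, "snc name matches user master record"

        mapped = self.usraclext.get((logon.client, logon.snc_name), set())

        # Rule 2: the extended ACL binds this SNC name to exactly one user.
        if len(mapped) == 1 and ANY_USER not in mapped:
            (only_user,) = mapped
            if logon.user in (None, only_user):
                return True, only_user, "snc name uniquely mapped in extended acl"

        # Rule 3: the partner is allowed in but represents many users (a server
        # or middleware component).  SNC has authenticated the partner system
        # only, so the user must still be authenticated by password.
        if mapped and logon.user:
            if self._password_ok(logon.client, logon.user, logon.password):
                return True, logon.user, "partner accepted, user authenticated by password"
            return False, None, "password required (missing, wrong, or deactivated in SU01)"

        return False, None, "snc name not authorized for this client"


def sample_target():
    """Constructed target system as seen from the ERP caller above."""
    return TargetSystem(
        user_master_snc={("100", "RFC_IDOC"): ERP_IDENTITY},
        usraclext={
            ("100", ERP_IDENTITY): {ANY_USER},    # ERP may act for any user in 100, with password
            ("200", ERP_IDENTITY): {"RFC_BAPI"},  # in 200 the ERP identity *is* one user
        },
        passwords={("100", "RFC_IDOC"): None, ("100", "BATCH1"): "s3cret"},
    )


if __name__ == "__main__":
    bw = sample_target()
    for logon in (
        RfcLogon("100", ERP_IDENTITY, "RFC_IDOC", None),    # SU01 SNC name: no password needed
        RfcLogon("200", ERP_IDENTITY, None, None),          # unique USRACLEXT mapping
        RfcLogon("100", ERP_IDENTITY, "BATCH1", None),      # shared identity, no password: rejected
        RfcLogon("100", ERP_IDENTITY, "BATCH1", "s3cret"),  # shared identity plus password
        RfcLogon("100", "p:CN=Other@EXAMPLE.COM", "BATCH1", "s3cret"),  # unknown partner
    ):
        print(logon.client, logon.user, "->", bw.authenticate(logon))
```

The point the model makes is the one in Wolfgang's reply: a partner identity maps to a user only where the target system can bind that SNC name to exactly one user (the SU01 SNC name, or a single USRACLEXT entry). Where the same identity carries requests for several users, SNC has authenticated the system and not the user, so a password (or a trust relationship) is still needed. Per Tim's post, an ABAP SM59 destination never sends the first kind of logon without a password, which is why the SU01 setting alone did not help in this thread.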