Security

Plain RFC connections are mainly used for prototyping, while in production secure connections are required. For more information on RFC security see:

SAP NW RFC Library supports plain and secure connections with the following authentication methods:

NW ABAP servers additionally support:

  • SAP logon tickets

  • Security Assertion Markup Language (SAML)

Assuming you are familiar with the concepts mentioned above and have an ABAP backend system configured for SNC communication, below you will find connection string examples for testing plain and secure RFC connections with various authentication methods.

Authentication

Plain with user / password

The simplest and least secure form of user authentication: the password travels over an unprotected RFC connection.

# SAPROUTER (the SAProuter route string) and get_connection() are assumed to be
# defined earlier in these examples.
ABAP_SYSTEM = {
     'user': 'demo',
     'passwd': 'welcome',

     'name': 'I64',
     'client': '800',
     'ashost': '10.0.0.1',
     'sysnr': '00',
     'saprouter': SAPROUTER,
     'trace': '3'
}

c = get_connection(ABAP_SYSTEM) # plain, unencrypted connection

SNC with User PSE

The user PSE is used for opening the SNC connection, and the same user is used for authentication (logon) in the NW ABAP backend. This is generally not recommended; see SAP Note 1028503 - SNC-secured RFC connection: Logon ticket is ignored.

Prerequisites

  • An SNC name must be configured for the ABAP user in the NW ABAP system, using transaction SU01

[Image: SU01-SNC.png]
  • SAP Single Sign-On must be configured on the client and the user must be logged in on the client.

# SAPROUTER and get_connection() are assumed to be defined earlier in these examples.
ABAP_SYSTEM = {
     'snc_partnername': 'p:CN=I64, O=SAP-AG, C=DE',   # SNC name of the backend system
     'snc_lib': 'C:\\Program Files (x86)\\SECUDE\\OfficeSecurity\\secude.dll',   # security library

     'name': 'I64',
     'client': '800',
     'ashost': '10.0.0.1',
     'sysnr': '00',
     'saprouter': SAPROUTER,
     'trace': '3'
}

c = get_connection(ABAP_SYSTEM) # SNC, logon with the user PSE

In this example the SNC_LIB key contains the path to the security library (the SAP cryptographic library or a third-party product). Alternatively, SNC_LIB can be set as an environment variable, in which case it does not have to be provided as a parameter when opening the SNC connection.

SNC with X509

The client system PSE is used for opening the SNC connection and forwarding the user's X.509 certificate to the NW ABAP backend system for authentication and logon.

Prerequisites

  • The user does not have to be logged in to the client system, nor does Single Sign-On have to be configured on the client

  • A trust relationship must be established between the NW ABAP backend and the client system.

  • The client system must be registered in the NW ABAP backend Access Control List (ACL), using transaction SNC0

  • Keystores are generated on the client system using the SAP cryptography tool SAPGENPSE, and the environment variable SECUDIR points to the folder with the generated keystores

[Image: SNC0-1.png] [Image: SNC0-2.png]
  • The user's X.509 certificate must be mapped to the NW ABAP backend user, using transaction EXTID_DN

[Image: EXTID_DN-1.png] [Image: EXTID_DN-2.png]

The same connection parameters as in the previous example, with the X.509 certificate added.

# SAPROUTER and get_connection() are assumed to be defined earlier in these examples.
ABAP_SYSTEM = {
     'snc_partnername': 'p:CN=I64, O=SAP-AG, C=DE',
     'snc_lib': 'C:\\Program Files (x86)\\SECUDE\\OfficeSecurity\\secude.dll',

     # base64-encoded user certificate (shortened here)
     'x509cert': 'MIIDJjCCAtCgAwIBAgIBNzA ... NgalgcTJf3iUjZ1e5Iv5PLKO',

     'name': 'I64',
     'client': '800',
     'ashost': '10.0.0.1',
     'sysnr': '00',
     'saprouter': SAPROUTER,
     'trace': '3'
}

c = get_connection(ABAP_SYSTEM) # SNC, logon with the forwarded X.509 certificate

See SAP Help for more information.
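The following helper, added here as an example rather than code from the page or from the library, assembles the parameter dictionaries for the two SNC variants above and implements the SNC_LIB environment-variable fallback mentioned earlier; it assumes that the x509cert key takes the certificate's base64 DER body without the PEM BEGIN/END lines, and it refuses to proceed without a security library rather than silently falling back to a plain connection. The library path and the certificate are constructed sample values.

```python
import base64
import os
import re

# Base parameters taken from the examples on this page ('saprouter' omitted so the
# dict is self-contained; add it when a SAProuter is in the path).
BASE = {'name': 'I64', 'client': '800', 'ashost': '10.0.0.1', 'sysnr': '00', 'trace': '3'}

# Constructed placeholder, not a real certificate: an arbitrary byte string wrapped as PEM.
SAMPLE_B64 = base64.b64encode(b'constructed DER placeholder, not a real certificate').decode()
SAMPLE_PEM = ('-----BEGIN CERTIFICATE-----\n' + SAMPLE_B64[:40] + '\n'
              + SAMPLE_B64[40:] + '\n-----END CERTIFICATE-----\n')

_PEM = re.compile(r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', re.S)


def pem_to_x509cert(pem):
    """Reduce a PEM certificate to the one-line base64 DER body for the x509cert key.
    Assumption: the RFC library expects exactly the PEM body without header/footer lines."""
    m = _PEM.search(pem)
    if not m:
        raise ValueError('not a PEM certificate')
    body = ''.join(m.group(1).split())
    base64.b64decode(body, validate=True)  # fail early on a corrupt or truncated certificate
    return body


def snc_params(base, snc_partnername, snc_lib=None, x509cert_pem=None):
    """Build connection parameters for 'SNC with User PSE' (no certificate) or
    'SNC with X509' (certificate given). snc_lib falls back to the SNC_LIB environment
    variable; with neither set the call fails instead of degrading to a plain connection."""
    lib = snc_lib or os.environ.get('SNC_LIB')
    if not lib:
        raise RuntimeError('no SNC library: pass snc_lib or set the SNC_LIB environment variable')
    params = dict(base, snc_partnername=snc_partnername, snc_lib=lib)  # base is not mutated
    if x509cert_pem is not None:
        params['x509cert'] = pem_to_x509cert(x509cert_pem)
    return params


if __name__ == '__main__':
    # The resulting dict is what the page's get_connection(ABAP_SYSTEM) would receive.
    print(snc_params(BASE, 'p:CN=I64, O=SAP-AG, C=DE',
                     snc_lib='/usr/sap/lib/libsapcrypto.so', x509cert_pem=SAMPLE_PEM))
```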