10/21/21, 1:21 PM SAP ABAP Central: RFC Gateway security, part 1 – basic understanding

More

SAP ABAP Central

Home SAP ABAP Tutorials Interview Q&A Job Certifications Books

FİYAT İNDİRİMİ FİYAT İNDİRİMİ

İş Yerinin Alışveriş Yeri

Avansas.com

Friday, 12 February 2021

RFC Gateway security, part 1 – basic understanding

Basic understanding

In the following i will do the question and answer game to develop a basic
understanding of the RFC Gateway, the RFC Gateway security and its related
terms.

What is the RFC Gateway?

The RFC Gateway can be seen as a communication middleware. The RFC Gateway
act as an RFC Server which enables RFC function modules to be used by RFC
clients. It also enables communication between work or server processes of SAP
NetWeaver AS and external programs.

From a technical perspective the RFC Gateway is a SAP kernel process running on
OS level as user <SAPSID>adm.

Where can we find the RFC Gateway?

There are three places where we can find an RFC Gateway:

◉ In SAP NetWeaver Application Server ABAP: Every Application Server has a

built-in RFC Gateway.

Search This Blog

Search

sapabapcentral.blogspot.com/2021/02/rfc-gateway-security-part-1-basic.html 1/5
10/21/21, 1:21 PM SAP ABAP Central: RFC Gateway security, part 1 – basic understanding

Blog Archive

▼ 2021 (145)
► October (11)
► September (16)
► August (13)
► July (20)
► June (15)
► May (8)
► April (13)
► March (20)
▼ February (14)
Adding Languages to SAP
ABAP Platform 1909,
Develo...
Replication of Cost Centers
to Employee Central wi...
Get latest version of ABAP
trial using BTP

◉ In SAP NetWeaver Application Server Java: The SCS instance has a built-in RFC RFC Gateway security, part
Gateway. 2 – reginfo ACL
Pass by value or pass by
reference?
Simple way to generate a
pdf of adobe form and
sav...
Ten concepts of interface
and integration in SAP-
f...
RFC Gateway security, part
1 – basic understanding
Complete process to create
Change Document in
ABAP...
Printing Slowness
My experience during a
SAP technical upgrade
(Pre-...
PPM Financial Planning –
Update FIN_PLAN Values
us...
Printing to ABAP Console
Simple isn’t easy – ABAP
composition (Chunk it
◉ The Stand-alone RFC Gateway: As a dedicated RFC Gateway serving for up)
various RFC clients or as an additional component which may be used to extend a
SAP NW AS ABAP or AS Java system. ► January (15)

Who can access the RFC Gateway in general ► 2020 (177)

► 2019 (182)
The RFC Gateway is by default reachable via the services ‘sapgw<InstNo>’ and
► 2018 (155)
‘sapgw<InstNo>s’ which can be mapped to the ports ’33<InstNo>’ and
’48<InstNo>’. Access to this ports is typically restricted on network level. ► 2017 (199)
► 2016 (71)
There may also be an ACL in place which controls access. The location of this ACL
can be defined by parameter ‘gw/acl_info’. ► 2015 (5)
► 2014 (2)
Which usage types are there? ► 2013 (4)
► 2012 (3)

sapabapcentral.blogspot.com/2021/02/rfc-gateway-security-part-1-basic.html 2/5
10/21/21, 1:21 PM SAP ABAP Central: RFC Gateway security, part 1 – basic understanding

Popular Posts

External REST api

integration in SAP using
REST handlers
I have been not blogging
for quite sometime and I
was looking for some interesting use-
case related to SAP Gateway which
could be of some h...

FOR expression in ABAP

7.40 – Best case scenarios
As we all know, the In-line
declarations, operators
and expressions available
in 7.4 SP02 onward are taking the
abap world by storm for las...

Excel file (*.xlsx)

Export/Import
In this Blog-post I’d like to
give a few insights on how
This diagram shows all use-cases except `Proxy to other RFC Gateways´. we process XLSX file by
using latest ABAP, which might be
quite different than in ...
‘Registered external RFC Servers’
Building an SAP Query
The RFC Gateway allows to register ‘external RFC Server programs’ (also known with ABAP Code
as ‘Registered Server’ or ‘Registered Server Program’) to itself and allows RFC ABAP code is used with
clients to consume the functions offered by these programs. SAP query tool to enhance
the query output. You can
write down the code under the Extras
An example would be the program ‘Trex_<SID>_<timestamp>’ registered at the tab for the Infoset in th...
RFC Gateway of the SAP NW AS ABAP by the server running SAP TREX.
How to use
BAPI_PRICES_CONDITION
Another example would be the program ‘IGS.<SID>’ registered by the SAP IGS
S to mass upload price
running on the SAP NW AS ABAP which runs on the same server as the RFC conditions
Gateway (since it is part of it). Brief overview of
BAPI_PRICES_CONDITIONS: is the
‘Started external RFC Servers’ unreleased BAPI and deficient in many
aspects as there is missing
The RFC Gateway is also capable to start programs on the OS level. documentation and also...

Common examples are ‘tp’ for transport management via STMS or ‘gnetx.exe’ for Facebook
the graphical screen painter on the SAP GUI client host.

There may be some cases where starting a program is used to register a

‘Registered Server Program’ at the RFC Gateway. In these cases the program
started by the RFC Gateway may also be the program which tries to register to
Twitter
the same RFC Gateway.

Follow @Go_SAP_ABAP
Please note: One should be aware that starting a program using the RFC Gateway
is an interactive task. This means the call of a program is always waiting for an
answer before it times out. If the called program is not an RFC enabled program
(compiled with the SAP RFC library) the call will time out, but the program is still Total Pageviews
left running on the OS level!
To overcome this issue the RFC enabled program ‘SAPXPG’ can be used as a
wrapper to call any OS command. This is for example used by AS ABAP when
888,495
starting external commands using transaction SM49/SM69.

Typically remote servers start the to-be-registered program on the OS level by

themselves.

‘RFC destinations’

Most common use-case is the SAP-to-SAP communication, in other words

communication via RFC connections between SAP NetWeaver AS systems, but
also communication from RFC clients using the SAP Java Connector (JCo) or the
SAP .NET Connector (NCo) to SAP NetWeaver AS systems.

sapabapcentral.blogspot.com/2021/02/rfc-gateway-security-part-1-basic.html 3/5
10/21/21, 1:21 PM SAP ABAP Central: RFC Gateway security, part 1 – basic understanding
The RFC Gateway hands over the request from the RFC client to the dispatcher
which assigns it to a work process (AS ABAP) or to a server process (AS JAVA).

‘Proxy to other RFC Gateways’

The RFC Gateway can also be used to proxy requests from one RFC Gateway to
another.

For example system AAA is not allowed to communicate directly with system BBB
but both are allowed to communicate with system PXY. System AAA may send the
request to system PXY which will forward it to system BBB to circumvent the
restrictions.

What about the reginfo ACL?

The reginfo file is holding rules controlling which remote servers (based on their
hostname/ip-address) are allowed to either register, access or cancel which
‘Registered Server Programs’ (based on their program alias (also known as ‘TP
name’)).

Its location is defined by parameter ‘gw/reg_info’.

In case of SAP NW AS ABAP for example it may be defined as
‘$(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)data$(DIR_SEP)$(FN_REG_INFO)
’ to make sure all RFC Gateways of the application servers of the same system
rely on the same configuration.

What about the secinfo ACL?

The secinfo file is holding rules controlling which programs (based on their
executable name or fullpath, if not in $PATH) can be started by which user calling
from which host(s) (based on its hostname/ip-address) to which RFC Gateway
server(s) (based on their hostname/ip-address).

Its location is defined by parameter ‘gw/sec_info’.

In case of SAP NW AS ABAP for example it may be defined as
‘$(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)data$(DIR_SEP)$(FN_SEC_INFO)
’ to make sure all RFC Gateways of the application servers of the same system
rely on the same configuration.

How are reginfo and secinfo related?

As we learnt before the reginfo and secinfo are defining rules for very different
use-cases, so they are not related.

What about the prxyinfo ACL?

The prxyinfo file is holding rules controlling which source systems are allowed to
talk to which destination systems over the current RFC Gateway (based on their
hostname/ip-address).

Its location is defined by parameter ‘gw/prxy_info’.

In case of SAP NW AS ABAP for example it may be defined as
‘$(DIR_GLOBAL)$(DIR_SEP)security$(DIR_SEP)data$(DIR_SEP)$(FN_PRXY_INFO
)’ to make sure all RFC Gateways of the application servers of the same system
rely on the same configuration.

Wait! What about the SNC System ACL?

RFCs between two SAP NetWeaver AS ABAP or between RFC clients using
JCo/NCo and the RFC Gateway are typically controlled on network level only. The
RFC Gateway does not perform any additional security checks.

When using SNC to secure RFC destinations on AS ABAP the so called ‘SNC
System ACL’, also known as ‘System Authentication’ – where imho the term
‘Authentication’ is misleading -, is introduced and must be maintained
accordingly.
sapabapcentral.blogspot.com/2021/02/rfc-gateway-security-part-1-basic.html 4/5
10/21/21, 1:21 PM SAP ABAP Central: RFC Gateway security, part 1 – basic understanding

This ACL is applied on the ABAP layer and is maintained in transaction SNC0.

Posted by Sabrina Pinto at 14:39

Labels: ABAP Connectivity, NW ABAP Remote Function Call (RFC)

No comments:

Post a Comment

Enter your comment...

Comment as: fahribatur77@ Sign out

Publish Preview Notify me

Newer Post Home Older Post

Subscribe to: Post Comments (Atom)

WP Template

Get Free Installation

VW Themes Visit Site

© 2016 sapabapcentral.com, All rights reserved. Simple template. Powered by Blogger.

sapabapcentral.blogspot.com/2021/02/rfc-gateway-security-part-1-basic.html 5/5