Search This Blog

Wednesday, April 20, 2011

Trusting Transaction (SMT2)


The trusting transaction SMT2 (or SM59 ® RFC ® Trusting Systems) constructs a list of all trusting systems that have been established for this trusted system. Here, a logon and authorization check for the current user and client is performed, using the destination TRUSTING_SYSTEM@S00 that has been automatically created.       
 
This basically corresponds to transaction SM51, if you use Remote Login to perform a logon on a different application server. 
                                                                    
If problems occur while setting the destination TRUSTING_SYSTEM@S00 (such as host name or service information), you either have to create a new destination for your needs, and then enter the host name or service information using SAP router strings, or adjust the network settings of the server. To correct the problem in transaction SMT2, you have to adjust the network configuration of the server. As this transaction is only to be used for test purposes, in this case you could also choose to ignore the error.                    
                                           
To perform a logon as a different user or client, you have to create a new RFC destination with a trusted option set. 
 

In this scenario, the following error text in SMT2 can be ignored:

No authorization to log on as a trusted system (Trusted RC=0)

 

If the host name contains the character '_' (as in "my_host"), then the generation of the related trusting system destination may lead to incorrect settings. This problem can be corrected by implementing Support Package SAPKB46D09 (see below). For earlier releases, the changes required to correct the problem can be made manually.
 

Using a Trusted/Trusting Relationship


You can now use the configured trusted/trusting relationship to create RFC destinations in the trusted system (client), which are for the trusting system (server), by using transaction SM59 and the 'Trusted System' flag. The result of this is that, when such destinations are used for the RFC logon to the trusting system, no password is sent.

                                                                                

A prerequisite for successfully using a trusted/trusting relationship is that the user being used has the corresponding authorization object S_RFCACL in the trusting server system. If you want to create a suitable authorization for different      

clients and users, note that you have to enter the caller data (caller client and caller user) of the caller system (in our example from system C00) into the S_RFCACL fields RFC_CLIENT and RFC_USER. For example, if user U_1 under client M_1 in caller system C00 wants to work as user U_2 with client M_2 in the called system S00 under a trusted relationship, then the user (U_2, M_2) in the system S00 must have authorization ZRFCACL_XXX, which has the following settings:    

 
  RFC_SYSID : C00  
 
  RFC_CLIENT: M_1                                                            

  RFC_USER  : U_1                                                             

  RFC_EQUSER: N (for NO)                                                     

  RFC_TCODE : *                                                              

  RFC_INFO  : *                                                               

  ACTVT     : 16                                                             

                                                                             

The following steps describe how you can enter the above settings for server system S00:

                                              

SU03 + double-click the entry "AAAB"  "Cross-Application Authorization Objects" and then choose "Authorization check for RFC user (ex. trusted system)" as the object class, then double-click the authorization object S_RFCACL and create Z_RFCACL_XXX.

After this, make sure you activate your settings.                          

                                                                             

If the same user is always used in the client system and server system for a trusted/trusting relationship (meaning that U_1 = U_2), the authorization Z_RFCACL_XXX can also be defined as follows:  

·          RFC_SYSID : C00                                                            

·          RFC_CLIENT: M_1                                                            

·          RFC_USER  : ' '                                                                      

·          RFC_EQUSER: Y (for Yes)                                                              

·          RFC_TCODE : *                                                              

·          RFC_INFO  : *                                                              

·          ACTVT     : 16                                                             

Setting the authorization field RFC_EQUSER to 'Y' is the same as setting the field RFC_USER = SY-UNAME for the logged user in the caller system (here, system C00).                           

Note that when maintaining and assigning S_RFCACL authorizations (in this case, Z_RFCACL_XXX), you must use as few generic values (for example '*') for RFC_SYSID, RFC_CLIENT and RFC_USER as possible. By doing this, those users who fulfill these criteria regarding RFC_CLIENT and RFC_USER, can call RFC modules from within the caller system, using the called user.

                           

You must ensure that high security requirements in the caller system is linked with the usage of user maintenance transactions (such as SU01). If this is not the case, anyone who has this authorization can get a user and log on to the trusting system (S00).      

After you have maintained the authorization Z_RFCACL_XXX, you must create an authorization profile as follows, and link it to the authorization Z_RFCACL_XXX:                                                              

                                                                                      

Call SU02 and in the field "Manually edit authorization profiles", enter Z_<C00> as the authorization profile. Choose "Create work area for profiles" and then create a new profile. Enter S_RFCACL as the object, and Z_RFCACL_XXX as the authorization.

After this, make sure you activate the profile.  

                                                                                     

You now have to assign the authorization profile you have just created to the trusted/trusting user. To do this, enter the profile Z_<C00> on the tab page Profile in transaction SU01.                                                 

You can check the authorizations for the logged on users in the current system in advance, by using the function module AUTHORITY_CHECK_TRUSTED_SYSTEM.

As of Release 40B, for security reasons, the authorization profile SAP_ALL does not contain an authorization for S_RFCACL.  

Authorization errors that occur while using an RFC destination which has the 'Trusted Systems' flag set to 'Yes' are documented with the following messages:

                                                                                   

No authorization to log on as a trusted system (trusted RC = <0 1 2 3>).                                                                                    

Here, the trusted return codes ( = 0, 1, 2 or 3 ) have the following meanings:

                                                                        

 0   Invalid logon data (user ID and client) for the trusting system.                                                                        

     Solution: In the server system (trusting system), create the userin the corresponding client.                                               

 1   Calling system is not a trusted system, or security  ID for the system is invalid.                             

     Solution: Create (again) the trusted system                

 2   User has no authorization for the server system  (trusting system, for object S_RFCACL), or a logon was made using one of the protected users DDIC or SAP*.                                                          

Solution:                                                                      
Provide the user with the corresponding authorization or avoid using the protected users DDIC and SAP*. Authorization errors that occur while using an RFC destination which has the 'Trusted Systems' flag set to 'Yes' are documented with the following messages:
 

No authorization to log on as trusted system (Trusted RC = <0 1 2 3>).                                  

                                                                                   

Here, the trusted return codes ( = 0, 1, 2 or 3 ) have the following meanings:

 0   Invalid logon data (user ID and client) for the trusting system.                                                                       

     Solution: In the server system (trusting system), create the user in the corresponding client.                                               

 1   Calling system is not a trusted system, or security ID for the system is invalid.                              

     Solution: Create (again) the trusted system (see above).                

 2   User has no authorization for the server system (trusting system, for object S_RFCACL), or a logon was made using one of the protected users DDIC or SAP*.                                                          

     Solution: Provide the user with the corresponding authorization or avoid using the protected users DDIC and SAP*.                                              

  3 Time stamp of the logon data is invalid.                            

      Solution:  Check the system time on the client host and server  host, as well as the validity date of the logon data.                 

      (Note that the default date 00:00:00 means unrestricted validity.)                                                    

 

Building a Trusted/Trusting Relationship


A trusted/trusting relationship must always be built starting from the trusting system (server). The following describes the individual steps for defining a trusted/trusting relationship of the trusted system C00 (client) to trusting system S00 (server):                  
 
Log on to the trusting system S00 (server). Here, create a destination for the trusted system C00 (client) using transaction SM59 (for example, C00_SYSTEM). It is important that the option 'Trusted System' is not set to active for this destination (Security Option Trusted System = No). 
 
We recommend that you do not specify any logon data in this destination, as someone could use a remote login to misuse this destination in SM59 by working as the user that is defined here. This destination must only be used for creating and deleting the trusted/trusting relationship and not for any other purpose. It must therefore be named correspondingly.

Call transaction SMT1 (or SM59  and then transaction menu RFC ® Trusted Systems).                                                          

Choose Create. Enter the destination of the client system (in the example, C00_SYSTEM) in the dialog box. After confirming this, an RFC logon to the client system occurs, and the necessary information is exchanged between the systems (S00 <-> C00). 
 
 If no logon data has been entered in the destination (in the example, C00_SYSTEM), an RFC logon screen is displayed for the client system (C00). In this particular case, a manual logon must be performed. In each case, a successful logon to the client system must be performed in this step, so that the trustedrelationship can be built.
 
 
When a trusted relationship has been successfully built, the trusted entry for the client system (C00) is displayed. If you want to restrict the validity of the logon data for the client system, enter a timeframe in the corresponding field. The default value (00:00:00) means that the validity is unrestricted.     
                                                       
In the scenario where the same user and client are used, you can use the menu option Entry to perform authorization checks: These checks first attempt to reach the client using the logon data specified in the definition destination (in the example, C00_SYSTEM), and then try to log back on to the server system with the same logon data, using a trusted RFC. Choosing the menu option Current Server forces the return path to occur on the current application server, and choosing menu option Trusting System induces load balancing, meaning that the logon takes place on any application server in the server system.
 

If different users or clients are used for the trusted scenario, you must create an RFC destination on the client side, and perform an authorization check for the specified logon data, setting the flag for "Trusted System" to "Yes".       


Testing & Troubleshooting in Trusted/Trusting Systems



To test a trusted system, you can perform the authorization checks for the current server and the trusting system. To do this, choose the menu entry. If no valid logon data are supplied, the logon screen of the trusted systems appears. You should log on to the system. If your test is not successful, read the section Troubleshooting in Trusted/Trusting Systems below.

Troubleshooting in Trusted/Trusting Systems

After creating a trusted system, you have to test the destination. To do this, log on to the trusted system using remote login.

Alternatively, you can also perform an authorization check for the trusted server. To do this, select the respective function from the test menu.

If your login attempt fails, you will receive the following message: No authorization to log in as trusted system (error code = <0|1|2|3>). Note that the special users DDIC and SAP* must not be used.
 

The error code explanation is as follows:

·        Invalid login data (user ID and client) for the trusting system

Solution: Create the user ID for the client in the trusting system.

·        No trusted system entry exists for the calling system, or the security key for the system is invalid.

Solution: Create the trusted system entry again.

·        The user does not have a trusted system authorization (object S_RFCACL). 

Solution: Provide the user with the necessary authorization.

·        The time stamp of the login data is invalid.

Solution: Check the clock settings on both the client and server host and the expiration date of the login data. (Note that the default expiration period 00:00:00 means no limit.)

 

You can check whether correct login information has been provided for the trusted system in the trusting system by means of the function module AUTHORITY_CHECK_TRUSTED_SYSTEM.
 

If all your tests are successful and you still don't get access to the trusting system, refresh the relevant database by choosing Environment ® Mass changes ® Reset all buffers from the user maintenance screen.

To find out the cause of an error, activate the trace flag on the destination details screen, reproduce the error and read the information provided with the error ID CALL_FUNCTION_SINGLE_LOGIN_REJ in the short dump created in the called system (the trusting system).

 


Logon Authorization Checks in the Trusting System



The logon data used for logging on to a trusting system undergo an authorization check.
 
The data provided by the trusted system is checked for system name, client, user name, and other optional data. These data must match the field values of authorization object S_RFCACL.
 

The system administrator can check a user's logon data using the function module AUTHORITY_CHECK_TRUSTED_SYSTEM.

 
 

Displaying Trusting Systems



In a trusted system, you can obtain a list of all trusting systems. Choose RFC ® Trusting systems to display the list of trusting systems.
 
Click on the name of a trusting system to display the application servers of that system. The application server names contain the suffix _TRUSTED.
 
Double-clicking the name of an application server displays a dialog box, in which you can enter the transaction that you want to execute in the trusting system. You can also specify whether the transaction is to be executed in the same session, or in a new one.
 

Changing Trusted Destinations


You can change existing destinations for each system from the trusted system maintenance screen (RFC ® Trusted systems, transaction code SMT1) by clicking on the Maintain destination pushbutton.
 
In trusted systems, destinations for trusting systems are automatically created. These destinations are used when you display trusting systems via RFC ® Trusting systems (transaction code SMT2).
 
To prevent others from making changes to your trusted destination, mark the checkbox Destination not changeable in the Attributes section. To make the destination changeable again, double-click the checkbox.
 

Note that destinations must be kept consistent. For this reason, you are not allowed to change the ID of the target system, the system number, or the destination name.


Displaying, Maintaining and Testing Trusted Systems


To display or maintain a trusted system in the trusting system, proceed as follows:
 

1.If you want to define an SAP system as a trusted system, you must first create a logical destination that allows a trusted system relationship.

2.From the RFC destination overview  screen (transaction SM59), choose RFC ® Trusted systems or enter transaction code SMT1.

3.   If trusted systems have already been defined, they are displayed in a hierarchy tree. To display existing trusted systems, expand the nodes in the hierarchy tree.

4.To create a trusted system, click the Create icon.

5.In the dialog window, enter the destination for the remote system. To change a destination, see Changing Trusted Destinations below.

6.All the necessary information such as application server name and security key is supplied automatically.

7.If you want to restrict the validity period of the logon data, enter an end date in the Validity period field.

8.If you want take over the transaction code of the calling program into the called system, mark the appropriate checkbox.

9.Only then will an authorization check be performed in the called system for the transaction code (field RFC_TCODE of the S_RFCACL authorization object, see Logon Authorization Checks in the Trusting System below).

 

 As you delete a trusted system relationship, the logon screen of the relevant system is displayed, if no valid logon data are provided. You must log on to that system to complete the deletion.


Trust Relationships Between SAP Systems


SAP systems may establish trusted relationships between each other.

If a calling SAP system is known to the called system as a trusted system, no password must be supplied.

The calling SAP system must be registered with the called SAP system as a trusted system. The called system is called the trusting system.

Trust relationships between SAP systems have the following advantages:

·        Single Sign-On is possible beyond system boundaries.

·        No passwords are transmitted in the network.

·        Timeout mechanism protects against replay attacks.

·        User-specific logon data are checked in the trusting system.

Using this feature, you can create a virtual SAP system consisting of various SAP systems that are called remotely. Remote logon data are checked in the trusting system.
 
The trust relationship is not mutual, which means, it applies to one direction only. To establish a mutual trust relationship between two partner systems, you must define each of the two as trusted systems in its respective partner system.
 

For additional security, you can make use of SAP's SNC interface (Secure Network Communications) for third-party security systems such as Kerberos and SECUDE.



SAP Netweaver - Overview of Monitoring Architecture

You can display monitoring data for the following components in the central monitoring system (CEN):

  • Systems based on SAP Web AS ABAP and Java

  • SAP systems with earlier releases (as of SAP R/3 3.0)

  • Non-SAP components

The data is transferred to CEN using CCMS agents or ABAP RFC connections. You can display it there directly in the Alert Monitor, or forward the data to external tools or SAP Business Intelligence for additional evaluation.

The elements of the monitoring architecture function largely independently of each other and can, particularly, be further developed and adjusted independently of each other.

The alert monitor also provides the administration methods that you need to monitor the system. These enable you to set threshold values for alerts and add or adapt auto-reaction and analysis methods. Auto-reaction methods react automatically when an alert is triggered; analysis methods enable you to examine the cause of an alert without leaving the alert monitor. The monitoring architecture also contains tools for administering and archiving the alerts.

Program/Application

Description

CCMS agents

CCMS agents are independent processes that connect a monitored component (such as a host, an ABAP instance, or a Java instance) with CEN using RFC.

Operating System Collector SAPOSCOL

SAPOSCOL is a stand-alone program that runs in the operating system background. It runs independently of SAP instances exactly once per monitored host and collects data about operating system resources.

Availability Monitoring with CCMSPING

With this type of monitoring at system or instance level, the CCMSPING agent queries the relevant message server about which instances are reported as active. You can also have the instance availability of ABAP systems monitored using a direct RFC call to the instance itself.

Monitoring with the Generic Request and Message Generator

With this type of monitoring at application level, CEN periodically calls a GRMG application using a URL. The GRMG application performs component-specific checks and returns the result of the checks to CEN.

Wednesday, April 6, 2011

Trust Relationships Between SAP Systems

SAP systems may establish trusted relationships between each other.

If a calling SAP system is known to the called system as a trusted system, no password must be supplied.

The calling SAP system must be registered with the called SAP system as a trusted system. The called system is called the trusting system.

Trust relationships between SAP systems have the following advantages:

·        Single Sign-On is possible beyond system boundaries.

·        No passwords are transmitted in the network.

·        Timeout mechanism protects against replay attacks.

·        User-specific logon data are checked in the trusting system.

Using this feature, you can create a virtual SAP system consisting of various SAP systems that are called remotely. Remote logon data are checked in the trusting system.
 
The trust relationship is not mutual, which means, it applies to one direction only. To establish a mutual trust relationship between two partner systems, you must define each of the two as trusted systems in its respective partner system.
 

For additional security, you can make use of SAP's SNC interface (Secure Network Communications) for third-party security systems such as Kerberos and SECUDE.