Setup a trusted RFC connection #sapadmin
Setting up a trusted RFC connection
As an SAP administrator I often get questions on trusted RFC connections. I also noticed on the SCN forums that there are often questions regarding the setup.
All in all it’s not that hard. As with a lot of configurations and setups, you just have to know how to do it properly and it will cause fewer issues.
After you have set up a trusted connection from AA1 to BB1, for example, you can access BB1 through AA1 without having to log in again, provided your username exists on both sides and you have sufficient authorizations.
In transaction SM59 in your source system, you need to define an RFC connection towards the target system you want to enable as trusted.
For example:
On your source SAP system AA1 you want to set up a trusted RFC towards target system BB1. Once that is done, when you are logged on to AA1 and your user has enough authorization in BB1, you can use the RFC connection and log on to BB1 without having to re-enter user and password.
In transaction SM59 on AA1 define an R3 type RFC connection (connection type 3) towards BB1.
Maintain the technical settings tab
Next go to the logon & security tab
Fill in details for logon
Choose the right option in MDMP & Unicode (is your target Unicode, yes or no). We assume BB1 is Unicode in this example, as that will be the case for most SAP systems with a recent release level.
Now you can first test this RFC connection to see if it works. If you run into problems, you need to fix them before continuing.
This can be done using Utilities -> Connection Test, Authorization Test and Unicode Test
Now that the R3 RFC connection is made, we can continue to the next step. Go to transaction SMT1 and click the create button.
Fill in the previously created RFC connection name
Click yes
Now click the Maintain Destination button
This will take you back into SM59 destination BB1CLNT100
Change the Trusted System option to yes in the logon & security tab.
Yes
Remove the user from the logon and select “Current User”.
Result in SM59 destination BB1CLNT100
Setting the trusted system to yes and so on can be done directly when creating the RFC connection in SM59 but maintaining the destination when creating the entry in SMT1 avoids more issues in my opinion (you already know up front the connection itself works when you enter SMT1).
Save the RFC connection
Now you have a trusted RFC connection. With the current user flag checked, the RFC connection uses the user-id of the person who is logged on and wants to use the RFC connection. This is for security reasons: you should not fill in a user and password in a trusted RFC connection, as it can be abused by other users that way.
The necessary authorization to actually use this RFC connection has to be set in the target SAP system BB1 and of course in the client where the RFC is pointing to (client 100 in this example). Object S_RFCACL is the authorization object which needs to be maintained in BB1 client 100 for the user-ids that have to be able to use the trusted RFC connection from AA1 to BB1 client 100.
The specifics for S_RFCACL depend on the SAP release version. An SAP note exists which has details on what should be set:
Note 128447 – Trusted/trusting systems
Once you have created your trusted RFC you should also see BB1 in transaction SMT1 on SAP system AA1 and AA1 in transaction SMT2 (trusting SAP systems) on SAP system BB1. You can repeat the steps (switch AA1 and BB1) to configure a trusted RFC connection from BB1 to AA1 if wanted.
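The rules above (no stored user on a trusted destination, Current User selected, and the user existing with S_RFCACL in the target client) can be checked over an inventory of destinations. This is an added example, not part of the original post or of any SAP tooling; the CSV layout, the sample data, the user names and the function names are all constructed for illustration.

```python
import csv
import io

# Constructed inventory of SM59 destinations on AA1. The CSV layout is
# hypothetical, not a native SAP export format.
DESTINATIONS_CSV = """\
destination,target_sid,target_client,trusted,current_user,stored_user
BB1CLNT100,BB1,100,yes,yes,
BB1CLNT200,BB1,200,yes,no,RFCADMIN
CC1CLNT100,CC1,100,no,no,RFCBATCH
"""

# Constructed view of the target side: users that exist in each client and
# users that hold S_RFCACL there.
TARGET_USERS = {("BB1", "100"): {"USER_A", "USER_B"}, ("BB1", "200"): {"USER_A"}}
S_RFCACL_HOLDERS = {("BB1", "100"): {"USER_A"}, ("BB1", "200"): set()}


def load_destinations(csv_text):
    """Parse the inventory into a list of dicts, one per destination."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_trusted(rows):
    """Flag trusted destinations that deviate from the setup in the article."""
    findings = []
    for row in rows:
        if row["trusted"] != "yes":
            continue  # ordinary destination, out of scope for this check
        if row["stored_user"]:
            findings.append((row["destination"], "stored user on trusted destination"))
        if row["current_user"] != "yes":
            findings.append((row["destination"], "Current User not selected"))
    return findings


def logon_precheck(user, row):
    """Report which target-side prerequisite, if any, `user` is missing."""
    key = (row["target_sid"], row["target_client"])
    if user not in TARGET_USERS.get(key, set()):
        return "user missing in target client"
    if user not in S_RFCACL_HOLDERS.get(key, set()):
        return "no S_RFCACL in target client"
    return "ok"
```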
We face the problem that the "Remote Login" test within our trusted RFC connection does not show any result. When we jump from RZ20 of SAP Solution Manager into the satellite system via this Trusted RFC we unfortunately cannot open a new window.
Our Trusted RFC connection contains SAP Router.
Any ideas how to set up Trusted RFC connection containing SAP Router?
Thanks
It might be solved by an SAP note that is available (perhaps multiple SAP notes exist on the subject).
You could try the solution from the following SAP note:
RFC / Leave to Transaction - SAP Note Number: 507808
Kind regards
Tom
Good Attempt ..Easy to read and interpret...
Hi Jacob
Thanks for commenting.
Best regards
Tom
Nice doc Tom.
Simple and well presented.
Will be useful.
Regards,
Himanshu
Hi Himanshu
Thanks for the comment!
Best regards
Tom
Hello Tom,
I have created an RFC in the source system to the destination system. Now, does SMT1 have to be done in the source system or the destination system? I am guessing the source system. When I do this I get the screen below. I clicked on create, where I get different screens, and I don't get your screens above from Display and maintain trusted system.
Thanks,
Aj
Hi Aj
You can work in one way or in both ways.
From X to Y you perform:
on X --> create SM59 RFC destination with user/pass to Y
on X --> create SMT1 entry and use RFC destination previously defined
on X --> change RFC destination into trusted
Then you have created a trusted connection from X to Y.
If you want one from Y to X you have to perform the same actions on Y afterwards so swap X and Y in above steps.
Hope that makes it more clear?
Best regards
Tom
Hello Tom,
Thanks for the reply.
I carried out exactly the same steps but I don't get the same screens for SMT1 as shown in your guide above. Am I missing something?
Thanks,
Aj
Hi Aj
It can look different depending on your NetWeaver version. What version are you working on?
You might have a wizard for example when you push create in SMT1.
Best regards
Tom
Hello Tom,
I am using SAP EHP 1 for SAP NetWeaver 7.1.
Yes, I get the wizard.
Should the user name be the same on the source and target system?
Also, does the user need to have authorization object S_RFCACL to create a trusted RFC?
Thanks,
Aj
Hi Tom,
On the last step, when I change Trust Relationship to yes, it asks me to delete the password. I select "Yes" and tick "Current user", but the result is different from what you have. The PW status is back to "is initial" and the connection failed.
Is the connection failure due to the PW status change, or is it something else?
PFCG S_RFCACL had been setup.
Thank you
Welly
Hello,
"L-RC = 100" means "Client does not exist".
This means that the client "100" does not exist at the target system of your destination.
Regards,
Isaías
Thank you Isaias.
Best regards
Welly
You're welcome!
Nice Document Tom,
I am still confused though. If we can directly make the RFC trusted via the option during creation, why do we have SMT1 and SMT2 there? Are they only present to display all the trusted systems for a particular system?
But then you can add the systems in SMT1 and SMT2 and in certain cases, you need to do it.
Not sure
AC