Harmonizing RFC communication infrastructure for CHARM
How do you switch from using RFC/TMS communication for CHARM to RFC communication only? A number of SAP notes explain how to do this. It comes down to implementing the relevant SAP notes on the Solution Manager system (if not already present) and on the managed SAP systems and configuring the RFC connections to the clients used by CHARM for the managed SAP system.
Relevant SAP notes
Note 1756014 – Harmonizing RFC communication infrastructure for ChaRM Check
Note 1384598 – Harmonizing RFC communication infrastructure in ChaRM/QGM
Why do you want to use RFC only?
If you use RFC communication only, you know where to troubleshoot, whereas with the “old” RFC/TMS communication mixture you would first have to find out in which of those communication parts the problem resides. You no longer need RFC connections to client 000 of your managed SAP systems when you use RFC communication only.
There is no need to create TMS domain links in between different TMS domains that are to be used in CHARM.
The SAP Basis teams are often not so fond of making a lot of changes to their TMS domains. It depends on how the TMS domain(s) have been set up. One of the things that can get in the way is the TMSADM user-id: 1568362 – TMSADM password change
When you place a lot of systems in a single TMS domain or you link a lot of TMS domains, each managed system in those connected domains gets an update pushed towards it. If any of the systems is unavailable due to ongoing operations (or an issue of some sort), you can end up with an inconsistent landscape configuration.
All in all, these are good reasons to move away from the combined TMS/RFC communication method and go for RFC communication only.
What do I need to do further?
You need to configure the RFC connections towards the clients used by CHARM for your managed SAP system (through SOLMAN_SETUP). The trusted RFC connection is used so don’t forget to also set up trusted RFC.
Customers often already have these connections in place after the integration of a managed SAP system in SAP Solution Manager.
RFC user authorizations
The RFC users use the standard authorizations according to SAP Note 1572183 – Authorizations for SAP Solution Manager RFC users
This SAP note is updated frequently which also means your SAP Basis or SAP Authorization team (depending on who handles this, often SAP Basis does) should also update the roles in the SAP Solution Manager system in order to have the latest additional authorization objects added to the roles.
I’m not so fond of this mechanism to be honest, the way of delivery and the continuous effort needed at customer side. I hope SAP comes up with a better solution in the future.
How do I check if it works?
Make sure you have the corrections in place along with the RFC destination(s) & correct authorizations.
Navigate to SOLAR_PROJECT_ADMIN (or go through the Solution Manager workcenter). Edit the CHARM enabled project of your choice (or create a new project & enable it for CHARM). I assume the prerequisites are in place, the correct logical component (related to the managed SAP system) is in the project and the project is CHARM enabled.
Go into tab System Landscape – Change Management as displayed in the screenshot above.
Under Change Request Management, hit the “Check” button.
Expand the system overview for project <your Solution Manager project>, in this example “CHARM_MAIN”.
You can see in the actual result(s) that the new TMS remote functionality is active which means you are using RFC communication to handle CHARM related actions. Underneath you can see the information on the needed RFC connections and settings.
Note that I blanked out the SID in the above screenshot.
Attention point
An attention point, and a valid one in general, is that the RFC destinations must keep working properly. The best way to ensure this is to monitor them. Solution Manager has an RFC connectivity monitoring scenario which can be used. Another possibility is doing daily checks on the SOLMAN_SETUP – managed system setup configuration list, where you also get the current RFC configuration status with traffic lights (make sure that the list is up to date; if needed, refresh it). This is mostly an attention point for SAP Basis: you should inform them of the importance of these RFC destinations being configured correctly and continuing to work properly. Otherwise, you will end up having issues in CHARM.
Hi Wences
Yes, you are correct, thanks for adding value to the blog post. This is mentioned in the SAP note that you have to ensure import authorization is available on the user who performs the TMS activities.
Best regards
Tom
Hi Tom,
I have a question which is generic regarding Solution Manager rather than CHARM specific. What are the trusted connections for accessing Solution Manager from those systems managed by Solution Manager designed for? The RFC clients do not need to supply any passwords and the connections will time out in 2 minutes etc. These trusted connections present some security risks (hence the limited timeout) and they are optional. The fact that they can be set up makes me inclined to think that there must be a purpose to having them in the first place. Can you throw some light on this please?
Rgds,
Raymond
Hi Raymond
Good question.
A trusted RFC connection is more secure if security is managed well because the password is not sent over, so the password cannot be sniffed. However, a trusted RFC forms a security risk if security is too loose, meaning if you don't have very strict (self-defined) authorizations for your users, you risk exposing your managed SAP system to a greater degree.
The fact that Solution Manager warns you to think about setting up a trusted RFC is related to the security risk it can impose.
A really nice document that describes the above:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b2cce390-0201-0010-5a9f-cca08c75b6ea?quicklink=index&overridelayout=true
Best regards
Tom
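An added example (not part of the original post or its comments, and not SAP code) of one concrete check behind "very strict authorizations" for trusted RFC: S_RFCACL is the authorization object evaluated when a user logs on through a trusted connection, and wildcards in its caller fields let any system, client or user act as the called user. The script assumes role authorization values exported as CSV with AGR_1251-style columns; the role names, the SID and the authorization instances are constructed sample data.

```python
import csv
import io

# Constructed sample: role authorization values in the column layout of an
# AGR_1251-style export (role, object, authorization instance, field, value).
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW
Z_SOLMAN_TRUSTED_WIDE,S_RFCACL,T-X100,RFC_SYSID,*
Z_SOLMAN_TRUSTED_WIDE,S_RFCACL,T-X100,RFC_CLIENT,*
Z_SOLMAN_TRUSTED_WIDE,S_RFCACL,T-X100,RFC_USER,*
Z_SOLMAN_TRUSTED_WIDE,S_RFCACL,T-X100,RFC_EQUSER,N
Z_SOLMAN_TRUSTED_STRICT,S_RFCACL,T-X200,RFC_SYSID,SMP
Z_SOLMAN_TRUSTED_STRICT,S_RFCACL,T-X200,RFC_CLIENT,001
Z_SOLMAN_TRUSTED_STRICT,S_RFCACL,T-X200,RFC_USER,
Z_SOLMAN_TRUSTED_STRICT,S_RFCACL,T-X200,RFC_EQUSER,Y
Z_BASIS_DISPLAY,S_TCODE,T-X300,TCD,SM59
"""

# Fields that decide which calling system, client and user are trusted.
CALLER_FIELDS = ("RFC_SYSID", "RFC_CLIENT", "RFC_USER")


def audit_trusted_rfc(export_text):
    """Return findings for S_RFCACL authorizations that are too loose."""
    auths = {}  # (role, authorization instance) -> {field: set of values}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != "S_RFCACL":
            continue
        key = (row["AGR_NAME"], row["AUTH"])
        auths.setdefault(key, {}).setdefault(row["FIELD"], set()).add(row["LOW"].strip())

    findings = []
    for (role, auth), fields in sorted(auths.items()):
        wild = [f for f in CALLER_FIELDS if "*" in fields.get(f, set())]
        if wild:
            findings.append((role, auth, "wildcard in " + ", ".join(wild)))
        # RFC_EQUSER=Y limits the logon to the same user ID in both systems;
        # without it, RFC_USER must name the permitted calling users.
        same_user_only = fields.get("RFC_EQUSER", set()) == {"Y"}
        named_users = fields.get("RFC_USER", set()) - {"", "*"}
        if not same_user_only and not named_users and "RFC_USER" not in wild:
            findings.append((role, auth, "no same-user restriction and no named caller"))
    return findings


if __name__ == "__main__":
    for role, auth, reason in audit_trusted_rfc(SAMPLE_EXPORT):
        print(f"{role} [{auth}]: {reason}")
```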
Hi Tom,
Thank you for the reply and reference to the doc. I read the doc under Trusted RFC System but my question isn't answered, namely:
What is the purpose of using the trusted connections for accessing Solution Manager from those systems managed by Solution Manager? What are the benefits for using them in the first place at the cost of some security risks? I understand trusted connections are optional rather than mandatory.
Rgds,
Raymond
Hi Raymond
It's more secure than non-trusted RFC's. You can always call the argument "yes but" but we should not do that. Look at any other safety measure, the assumption is made the situation is handled properly. So assuming security is handled correctly, it's safer.
It's the recommended configuration for using RFC communication for CHARM but indeed, it is optional because if it is not available, the system reverts to using the TMW RFC.
I don't have an example right now (I'll try to find it back) but I encountered a situation where I really needed to have the trusted RFC in place in the scenario where CHARM is configured against a managed SAP system that is not linked through TMS (so not in the TMS Domain nor TMS Domain Links available).
If not for a specific scenario, the advantage is it's safer but it's not a requirement in general to connect managed SAP systems to SAP Solution Manager or vice versa. I hope I've answered your question now.
Best regards
Tom
Hi Tom,
We are currently running into issues when using the preliminary import of a normal change. We have all RFCs maintained correctly, but it seems that an error is still pointing to the TMS RFC to client 000.
I was thinking that this might be because we have created inter domain links between domain of our solman and domain of our managed system. Do you think we should remove this domain link?
Also, upon doing a consistency check on the project we are using, it says "Classical TMS is used". Is this normal when we would want to use the Harmonized RFC infrastructure? We have already applied the Harmonized RFC SAP notes into SolMan and our managed system.
Thanks!
Hi Luigi
I don't know if those domain links are causing the issue. I would guess not.
Check following SAP notes:
I don't have the line "Classical TMS is used" when I perform a check of my project so I would think it's not normal but perhaps it's related to the version you are running on. I'm on SolMan 7.1 SP10 at my customer where this is implemented.
Best regards
Tom
Hello Luigi,
Have you found any solution for the same? I am facing the same issue. Please let me know how you resolved this issue.
Thanks