
As of SAP Basis 740 (downported to ABAP 731 with Kernel 7.21 SP 321), we have introduced the callback whitelist for each RFC destination.

When you call a synchronous RFC with the ABAP statement “CALL FUNCTION <func> DESTINATION <DEST>”, the remote function module (<func>) can, while it executes, use a synchronous RFC with the predefined destination “BACK” to execute a remote-enabled module (<funcBack>), that is, via the ABAP statement “CALL FUNCTION <funcBack> DESTINATION 'BACK'”. This is also known as an RFC callback. The following prerequisite applies: If the RFC authorization check is activated (see SAP Note 93254) on the calling side, the caller must have the necessary RFC authorization. Otherwise, execution of the function module (<funcBack>) terminates with a corresponding error message.

Comment: The RFC runtime supports an RFC callback during a synchronous RFC only. During other types of RFC, such as an asynchronous RFC, a transactional RFC or a background RFC, an RFC callback is not supported.

You can find more detailed information in SAP Note 1686632.

For example:

CALL FUNCTION 'F2' DESTINATION 'BACK'.

1. Each RFC Destination has an activation switch for its callback whitelist.

2. Profile parameter rfc/callback_security_method determines the system behavior:

Value 0: Emergency fallback mode. All whitelists are ignored.

Value 1: Compatibility mode (default value). Only callbacks prohibited by active whitelists are rejected.

Value 2: Simulation mode. Only callbacks prohibited by active whitelists are rejected. Callbacks prohibited by non-active whitelists are allowed, but logged in SAL.

Value 3: Most secure mode. Callbacks prohibited by active or non-active whitelists are rejected.

If you set the parameter to 0 or 1, you will see a red alert message “RFC callback chk not secure”.

You can define the whitelist in SM59 -> Logon & Security -> Callback whitelist.
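
The four parameter values and the per-destination activation switch, modelled as an added Python example (not SAP code and not part of the original post) that shows what happens to a callback in each mode. It assumes a whitelist entry is a pair of called function module and callback function module; the destination and function module names are constructed.

```python
from dataclasses import dataclass, field

VALID_MODES = (0, 1, 2, 3)  # values of rfc/callback_security_method

@dataclass
class Destination:
    name: str
    whitelist_active: bool  # the per-destination activation switch
    # Assumption: one entry = (called function module, callback function module)
    whitelist: set = field(default_factory=set)

def decide(mode, dest, called_fm, callback_fm):
    """Return 'allow', 'allow+log' or 'reject' for one RFC callback."""
    if mode not in VALID_MODES:
        raise ValueError(f"unknown rfc/callback_security_method value: {mode}")
    if mode == 0 or (called_fm, callback_fm) in dest.whitelist:
        return "allow"              # mode 0 ignores every whitelist
    if dest.whitelist_active or mode == 3:
        return "reject"             # active list always enforced; mode 3 enforces all
    return "allow+log" if mode == 2 else "allow"   # non-active list, mode 1 or 2

def newly_rejected_in_mode_3(dests, observed, current_mode):
    """Callbacks that work under current_mode but would be rejected in mode 3."""
    out = []
    for dest_name, called_fm, callback_fm in observed:
        dest = dests[dest_name]
        now = decide(current_mode, dest, called_fm, callback_fm)
        if now != "reject" and decide(3, dest, called_fm, callback_fm) == "reject":
            out.append((dest_name, called_fm, callback_fm))
    return out

# Constructed sample data: destinations, function modules and callbacks are made up.
DESTS = {
    "DEST_A": Destination("DEST_A", True, {("Z_CALLED", "Z_CALLBACK_OK")}),
    "DEST_B": Destination("DEST_B", False),
}
OBSERVED = [
    ("DEST_A", "Z_CALLED", "Z_CALLBACK_OK"),     # listed on an active whitelist
    ("DEST_A", "Z_CALLED", "Z_CALLBACK_OTHER"),  # not listed, whitelist active
    ("DEST_B", "Z_CALLED", "Z_CALLBACK_OK"),     # not listed, whitelist not active
]

if __name__ == "__main__":
    for mode in VALID_MODES:
        print(mode, [decide(mode, DESTS[d], f, cb) for d, f, cb in OBSERVED])
    print("breaks at 3:", newly_rejected_in_mode_3(DESTS, OBSERVED, 2))
```

In this model, the callbacks that value 2 allows but logs are the same ones that value 3 starts rejecting, so the simulation-mode log is the worklist for filling and activating whitelists before switching.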
