SAP Program RS_RFC_TT_UI -


Trust relationships can be used to link SAP systems and minimize theamount of authentication required for remote logons:
If a source SAP system is known to the remote system as acalling
system, no password is required for the logon.
The calling SAP system must be registered as a calling system in thetarget system. The target system is known as thecalled system.
Trust relationships between SAP systems have the following benefits:
  • A single logon for multiple systems.

  • No passwords are transmitted in the network.

  • Timeout mechanisms for the logon data protect against illegal logon
  • attempts.
    • User-specific logon data is checked in the trusting system.
    • Integration
      The trust relationship is not mutual, meaning that it applies to onedirection only. To establish a mutual trust relationship between twopartner systems, you must define each of the two as a calling system inits respective partner system.
      For additional security, you can use the SAP SNC interface (SecureNetwork Communications) for other security systems such as
      Kerberos and SECUDE.

      Prerequisites
      To define an SAP system as a calling system, it must have been createdas an RFC destination in transaction SM59 (for maintaining remotedestinations).
      Creating a Trust Relationship Between Systems
      You can use a Wizard to create trust relationships between SAP systems.The Wizard guides you step-by-step through the required activities:
      On the overview screen of transaction SM59, choose Extras ->Trusted Systems (or transaction SMT1).
      If calling systems have already been defined, they are displayed in ahierarchy tree. To display existing calling systems, expand the nodes inthe hierarchy tree.
      To create a trust relationship, choose Create.
      The wizard appears with an initial window and general information. Ifyou press Continue, the actual maintenance steps appear:
      Enter Destination: In this dialog box, enter the destination thatyou want to use to set up the trust relationship.
      Display Information: All the necessary information, such as theapplication server name and the security key is supplied automatically.
      Configuration: If you want to restrict the validity period of thelogon data, enter a time (using the format hh.mm.ss) in the Validityperiod field. If you want to copy the transaction code of the callingprogram to the called system, select the relevant checkbox.
      Note:
      Only then will an authorization check be performed in the called systemfor the transaction code (field RFC_TCODE of authorization objectS_RFCACL.
      Note:
      If a trust relationship is deleted, and no valid logon data exists, thelogon screen for the system in question appears. You then need to log onto this system in order to complete the deletion.
      Finish: When you press this pushbutton in the last dialog box,the trust relationship is set up and can be used.
      Displaying and Changing Destinations for Calling Systems
      You can find a list of all calling systems on the tab page "Systemswhose calls are trusted". By double-clicking a system name, you can calla detail screen displaying the settings for the system in question.
      To change existing destinations for a system, choose "DestinationMaintenance" in the detail screen.
      Hinweis:
      To prevent other users from making changes to your destinations, selectthe "Destination not changeable" checkbox in the "Administration" tabpage. To release destinations for changes again, deselect this checkbox.
      Note that destinations must be kept consistent. You are therefore notallowed to change the ID of the target system, the system number, or thedestination name.
      Displaying Called Systems
      In transaction SMT1, you can also display a list of all called systems(tab page Systems that trust current system). To display thesettings for the called system, double-click the name of the system inquestion.
      If you click on Transaction Calla dialog box opens where you canenter the transaction code for a transaction that you want to run in thecalled system. You can also specify whether the transaction is to beexecuted in the same session, or in a new one.
      Logon Authorization Check in the Called System
      An authorization check is performed on the logon data used to log on toa called system.
      The check searches for the system name, client, user name, and otheroptional data in the data provided by the calling system, and checksthese against the field values in authorization object S_RFCACL{
      Note:
      The system administrator can check a user#s logon data using functionmodule AUTHORITY_CHECK_TRUSTED_SYSTEM.
      Testing Calling Systems
      To test a calling system, you can perform the authorization checks forthe current server and the called rusting system. To do this, chooseEntry -> Authorization Check in the destination screen menu, orpress the corresponding pushbutton. If no valid logon data is found, thelogon screen for the calling system appears. Log on there.
      Troubleshooting
      If your login attempt fails, you will receive an appropriate messagewith an error code. Note that you are not authorized to use users DDICand SAP*.
      The error code explanation is as follows:

      • 0: Invalid login data (user ID and client) for the called system

      • Solution: Create the user ID for the client in the called system.
        • 1: No trusted system entry exists for the calling system, or the license
        • key for the system is invalid.
          Solution: Create the calling system entry again.
          Note:
          In some situations, the license key (installation number) may change forone or more SAP systems. This can cause errors in calls between partnersin a trusted relationship.
          If the license key changes in one or more calling (trusted) systems, allcorresponding system entries must be deleted and created again intransaction SMT1 on the server side (called system). The newinstallation numbers are implemented automatically.
          If the installation number changes in only one called (trusting) system,no problems occur. However, we still recommend that you delete thecorresponding system entry in transaction SMT1 and create it again, forreasons of consistency.
          • 2: The user does not have authorization for the calling system (object
          • S_RFCACL).
            Solution: Provide the user with the necessary authorizations.
            • 3: The time stamp of the logon data is invalid.

            • Solution: Check the time settings on both the client and serverhost, and the expiry date of the login data. (Note that the defaultsetting 00:00:00 means "no time limit#".)
              Further Information
              You can find further information about errors in trust relationships inSAP Note128447.