Wednesday, April 6, 2011

Building a Trusted/Trusting Relationship

A trusted/trusting relationship must always be built starting from the trusting system (the server). The following describes the individual steps for defining a trusted/trusting relationship of the trusted system C00 (client) to the trusting system S00 (server):
 
Log on to the trusting system S00 (server). Here, create a destination for the trusted system C00 (client) using transaction SM59 (for example, C00_SYSTEM). It is important that the option 'Trusted System' is not set to active for this destination (Security Option Trusted System = No).
 
We recommend that you do not specify any logon data in this destination, as someone could use a remote logon in SM59 to misuse this destination by working as the user defined here. This destination must only be used for creating and deleting the trusted/trusting relationship and not for any other purpose, and it should therefore be named accordingly.

Call transaction SMT1 (or SM59 and then the menu path RFC → Trusted Systems).

Choose Create. Enter the destination of the client system (in the example, C00_SYSTEM) in the dialog box. After confirming this, an RFC logon to the client system occurs, and the necessary information is exchanged between the systems (S00 <-> C00).
 
If no logon data has been entered in the destination (in the example, C00_SYSTEM), an RFC logon screen is displayed for the client system (C00). In this case, a manual logon must be performed. In every case, a successful logon to the client system must take place in this step so that the trusted relationship can be built.
 
 
When a trusted relationship has been successfully built, the trusted entry for the client system (C00) is displayed. If you want to restrict the validity of the logon data for the client system, enter a timeframe in the corresponding field. The default value (00:00:00) means that the validity is unrestricted.
                                                       
In the scenario where the same user and client are used on both sides, you can use the menu option Entry to perform authorization checks: these checks first attempt to reach the client using the logon data specified in the destination definition (in the example, C00_SYSTEM), and then try to log back on to the server system with the same logon data, using a trusted RFC. Choosing the menu option Current Server forces the return path to go through the current application server, and choosing the menu option Trusting System induces load balancing, meaning that the logon takes place on any application server in the server system.
 

If different users or clients are used for the trusted scenario, you must create an RFC destination on the client side with the flag "Trusted System" set to "Yes", and perform an authorization check for the specified logon data.
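As an added example (not from the original post), the following ABAP report checks from the client side that the relationship set up above actually works: it calls the trusting system S00 through a destination flagged Trusted System = Yes and verifies that the remote system is the one expected. The destination name S00_TRUSTED is an assumption; only RFC_PING and RFC_SYSTEM_INFO are standard function modules.

```abap
REPORT z_check_trusted_rfc.

" Assumed name of the client-side destination (on C00) that points at the
" trusting system S00 with Trusted System = Yes. Not from the post.
CONSTANTS gc_dest           TYPE rfcdest VALUE 'S00_TRUSTED'.
CONSTANTS gc_expected_sysid TYPE sysysid VALUE 'S00'.

DATA: lv_msg   TYPE c LENGTH 255,
      ls_rfcsi TYPE rfcsi.

" Step 1: a plain ping. No password is sent over a trusted destination;
" the trusting system accepts the call only if the calling user and
" client are permitted for the trusted logon.
CALL FUNCTION 'RFC_PING'
  DESTINATION gc_dest
  EXCEPTIONS
    system_failure        = 1 MESSAGE lv_msg
    communication_failure = 2 MESSAGE lv_msg
    OTHERS                = 3.
IF sy-subrc <> 0.
  WRITE: / 'Trusted logon via', gc_dest, 'failed:', lv_msg.
  RETURN.
ENDIF.

" Step 2: confirm that the call really landed on the intended trusting
" system and not on a misconfigured destination.
CALL FUNCTION 'RFC_SYSTEM_INFO'
  DESTINATION gc_dest
  IMPORTING
    rfcsi_export = ls_rfcsi
  EXCEPTIONS
    system_failure        = 1 MESSAGE lv_msg
    communication_failure = 2 MESSAGE lv_msg
    OTHERS                = 3.
IF sy-subrc <> 0.
  WRITE: / 'RFC_SYSTEM_INFO failed:', lv_msg.
ELSEIF ls_rfcsi-rfcsysid <> gc_expected_sysid.
  WRITE: / 'Unexpected remote system:', ls_rfcsi-rfcsysid.
ELSE.
  WRITE: / 'Trusted RFC to', ls_rfcsi-rfcsysid, 'OK'.
ENDIF.
```

A failure in step 1 for a user who can log on normally usually means the trusted entry or the user's trusted-logon authorization on S00 is missing or its validity window has expired.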
