NW RFC SDK: Non-SAP to ABAP with username (trust relationship)

Hello,
I have a quite challenging non-SAP-to-ABAP RFC scenario with a trust relationship.
Here's the scenario:
An Oracle database server acts as an RFC client and calls RFC function modules in an ABAP server. (I assume the Oracle programmers are going to use NW RFC SDK 7.1 or JCo 3.0 on the Oracle server and call that from their PL/SQL based database application.)
The challenge is that I don't want to use a single "technical user" on the ABAP side because that would mean that all the users on the Oracle side would be mapped to one single ABAP user. Also, I don't want to have to store individual ABAP passwords on the Oracle side.
Instead, I want the ABAP server to trust the RFC client the same way it might
a) trust a NetWeaver AS Java server after installing the Java server's certificate in transaction STRUSTSSO2 or
b) the way it might trust another ABAP server after configuring a trust relationship (transaction SMT1?)
The ABAP server should accept incoming RFC connections from the Oracle RFC client with just the user name and no password given and run the resulting processes in the ABAP system under the user id given in the RFC call.
I imagine the ideal solution somehow along the following lines (simplified scenario for a PC-based prototype):
- I download and run a program that creates a certificate file (public key?) which I import into the ABAP system.
- The same program creates a matching file (private key?) for the RFC client.
- For reasons of simplicity, let us imagine the RFC client as a stand-alone Java SE application running on a PC.
- The Java SE application uses the JCo library to connect to the ABAP system.
- When opening the connection, it passes a username, but no password. Instead, it passes a Base64-encoded string that was generated by our key/certificate generator program.
- On the ABAP side, the function modules are run under the username used by the Java SE application when establishing the RFC connection.
Is that possible at all? How would you solve this?
Thank you very much in advance and best regards,
Thorsten

Hello,
Thanks a lot for your extremely high-quality replies. I've been trying to work with them.
Frankly, just when (after Gregor's and Tim's posts) I was hoping that working my way deeply enough into SNC, I would be able to solve my problem, Wolfgang comes along and tells me what I'm aiming at won't work. Now I'm confused.
The way I understand Wolfgang, the special trust an AS ABAP can put into another AS ABAP or an AS Java ("remote RFC client, give me one certificate and I will accept every username if they come from you") can not be put into a custom-made remote server software (such as the Oracle server application) acting as the RFC client, because when acting as RFC clients, the remote AS Java or AS ABAP use proprietary elements of the RFC protocol which are not available to me when I program my RFC client in the Oracle application.
@Wolfgang, is that correct?
Solution 1: Individual X.509 Certificates
Instead, I can establish X.509-based trust relationships at the level of individual usernames: create a certificate for each Oracle user, import them into the AS ABAP, map them to an ABAP user, and store the certificate on the Oracle side (I'm still not sure about the different certificates and keys used publicly and privately here).
Solution 2: AS ABAP as User Management Engine for the Oracle Application
I can also see an alternative that would spare me the trouble of generating, importing, mapping and storing the certificates: delegate the user management to the AS ABAP and delete the (custom-built) logon and password-checking mechanism in the PL/SQL application:
Users are created centrally in CUA and distributed along with their passwords into (among others) the AS ABAP.
When a user logs on to the PL/SQL application, the username and password are sent for validation to an ABAP BAPI.
If authentication is successful, the AS ABAP returns a SAPLogon ticket which can be stored in the session context of the PL/SQL application and used in subsequent RFC calls. The password (a hash?) would only be transferred once during logon.
What do you think? Would both solutions work or am I still getting something wrong? Can you see a better alternative that would reduce
- for solution 1 the administrative overhead for synchronization
- for solution 2 the run-time dependency Oracle-ABAP and the change impact on the Oracle application's user management concept?
Thanks a lot,
Thorsten

Similar Messages

  • Integrate 'External non-SAP Purchasing Application' with SAP SD for third party purchasing/ drop shipping?

    What is the best way to integrate 'External non-SAP Purchasing Application' with SAP SD for third party purchasing/ drop shipping?
    Details about expected process Flow.
    Receive PO from customer into SAP > SAP SD creates Sales Order > ?? SAP Integrate with External non-SAP Purchasing Application to trigger purchasing > External non-SAP Purchasing Application creates PO, Ships Material to Customer Ship to address (drop ship), Sends Shipping confirmation (FCR) & Invoices to SAP> ??Receive FCR and Invoice in SAP > ?? Initiate SAP Accounts Payable (Vendor Payments) and Accounts Receivable (Customer Invoice) > ?? Update SAP SD Sales Order with shipping status>
    Questions we need to answer;
      - How to achieve '??' steps from above process.
      - What type of Master Data we will need to configure (Say Materials Item Category, Type etc.)
      - Any standards options to configure SAP SD (Type of Sales Order)
      - We certainly don’t want to trigger SAP MM Purchasing (i.e. PR, PO etc.). How can we bypass it.
      - How to make statistical receipts against sales order line items so that SO status will be updated.
      - How to receive Invoice and FCR from External non-SAP app to trigger AP and AR transactions.
      - Are there any SAP standard configurations/ BAPIs/ BADIs available to achieve this integration.
    Any inputs on above questions are appreciable.
    Anand.

    This question is resolved. We ended up activating purchasing module and used purchasing documents PR/ PO to integrate with third party purchasing system.
    Anand.

  • Calling RFC from Non SAP System

    Hi,
    I would like to know how I can call an RFC enabled Function Module from a non SAP system. I know of Webservices, SAP API, SAP jco etc., but to download all these connectors (SAP jco, SAP .net etc.) you require an SAP service ID logon, which I do not have. With reference to Web services, I cannot use them since the client is not interested ...
    1) In short, I do not have an SAP service user id ... what are the other options for calling SAP RFC using an application, say Java? Even if I can use any middleware to connect the Java application and SAP RFC, it is fine.
    2) The SAP services is 4.7 and they do not use EP, Netweaver Development Studio etc ... simple plain SAP System ... also what setting has to be done at the server side ...
    regards
    Santosh

    Check this link . Might solve your problem.
    http://www.sapnet.ru/viewtopic.php?t=832

  • How to manage non-SAP objects types with SAP Netweaver ?

    I would like to know how it is possible to integrate into the SAP software configuration managment tools (NWDI CTS, CTS+...) non-SAP objects like shell scripts or SQL requests ?
    These shell scripts are, for example:
    - external host scheduler jobs
    - general scripts for start/stop application
    - parameters needed by application at the os level
    My goal should to store into a DEV SAP system these objects, in order to take benefit of SE80 version management. So, it should be possible to create transport order in SE10 and to transport these non-SAP objects in test and production system.
    Thank in advance for your answers.
    Daniel Ouin

    the standard functionality for this up until 4.72 is to call RFCs/BAPIs through a RFC binding library for the third party software, e.g. the language of your choice is PHP then you use the PHP RFC library found here (http://saprfc.sourceforge.net/), if you have to connect from a .NET environment you might try to get the SAP .NET connector.
    anton
    PS: RTFM and/or using the search facilities here on SCN would help you a lot with your task.

  • Install RFC SDK on RedHat to Monitoring with Nagios.

    Hello Everyone,
    i'm trying to install the RFC SDK to connect this via Nagios with the Checch_sap.pl . this check needs to use sapinfo.
    Where i can find the RFC SDK with sapinfo?
    thank you very much in advance!

  • RFC ; setting in SM59 to get data from NON SAP

    Dear ,
            i have  developed REMOTE ENABLED RFC which take input one serial no. from NON SAP  (i,e IPMS system ) and store in SAP database. so now i have to know how give setting in SM59 to get access my RFC by non sap.
    Edited by: manoj kv on Jul 30, 2008 12:38 PM

    Hi,
    Place the cursor on -> HTTP Connections to R/3 System
    Create Give description, connection type H,
    In technical settings give target host and path...

  • RFC SDK / RfcOpenEx / X509CERT Parameter

    Hello,
    I am trying to connect through the RFC API to an SAP system, which I normally use with my own certificate.
    Unfortunately the connection is unsuccessful and I get the following error message back:
         RFC Error Info : Group : 103 Key : RFC_ERROR_LOGON_FAILURE Message : No suitable SAP user found for X.509-client certificate
    My implementation is in PHP, but I created an equivalent code snippet in C,
    which would have the same meaning:
         1. client_cert contains the certificate of the SAP user.
         2. The connection parameters are as follows:
              ASHOST     = "...sap...system..."
              SYSNR          = "24"
              CLIENT          = "100"
              X509CERT     = client_cert
              GWHOST     = "...sap...system..."
              R3NAME     = "CSS"
              LANG          = "EN"
         handle = RfcOpenEx(connectionParameters);
         if (!handle) {
              printf("Connection failed. Error info: %s", RfcError());
         }
         RfcClose(handle);
    As we see from the result, the connection really fails and the error
    description says that the system cannot find a user with such a certificate.
    (I should remind you that I cut off the BEGIN CERTIFICATE and END
    CERTIFICATE tags, as well as the white spaces in the certificate. If I don't
    do this, I get the message that the maximum length of the parameter is
    exceeded, which now means for me that the certificate could not be parsed).
    I would be very thankful if someone could help me to find the right
    solution. Since I don't have any idea what happens after the RFC SDK
    library's entry point and in the documentation is not specified in which
    format the certificate must be supplied, it is very hard for me to guess
    where and what is wrong. The error messages are also not very helpful in my
    situation, for I cannot figure out how to proceed.
    Thanks in advance for Your help!
    Best Regards,
    Vasil Bachvarov
    SAP

    Hi Aleksandra,
    if still open, this blog might help Setup data encryption between RFC Client and Web AS ABAP with SNC
    The error message sounds like the mapping of X.509 certificate to an ABAP user, using transaction SM30 with VUSREXTID, is probably incorrect, did you check that ? Rule based certificate mapping is also possible, should be even better option, using the transaction CERTRULE_MIG
    Hope this helps.
    Srdjan
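
The preparation step described in the question above (BEGIN/END CERTIFICATE tags and white space removed before the value is passed as X509CERT), as an added example that is not part of the original posts or of the RFC SDK. It also checks that the remaining Base64 decodes to one complete DER SEQUENCE, so a truncated or doubled certificate is caught before logon. The function names are hypothetical and the sample "certificate" is a constructed DER blob, not a real certificate.

```python
import base64
import binascii
import re

# One armored certificate block; DOTALL so the body may span many lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def der_total_length(der: bytes) -> int:
    """Return header + content length of the outer DER element (must be a SEQUENCE)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte is not 0x30)")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def x509cert_value(pem_text: str) -> str:
    """Strip PEM armor and all white space; return single-line Base64.

    Raises ValueError if the input holds more than one certificate, is not
    valid Base64, or does not decode to exactly one complete DER SEQUENCE.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) > 1:
        raise ValueError("more than one certificate in input; pass exactly one")
    body = blocks[0] if blocks else pem_text   # accept already-stripped input
    b64 = "".join(body.split())                # removes spaces, CR, LF, tabs
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid Base64: {exc}") from exc
    if der_total_length(der) != len(der):
        raise ValueError("DER length does not match decoded size "
                         "(truncated certificate or trailing data)")
    return b64


def make_sample_pem() -> str:
    """Constructed sample: a 260-byte DER SEQUENCE in PEM armor with CRLF line ends.

    It has the outer shape of a certificate only; it is not a real certificate.
    """
    der = b"\x30\x82\x01\x00" + bytes(range(256))
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")


if __name__ == "__main__":
    value = x509cert_value(make_sample_pem())
    print(len(value), "characters, single line:", value[:32] + "...")
```

A value that passes this check rules out truncation or stray armor in the parameter; it says nothing about whether the certificate is mapped to an ABAP user, which is what the reply above suggests checking.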

  • SSO to non SAP applications

    Hi,
    I am trying to implement SSO to SAP and JAVA applications. In the process I need to verify the "PSE" file downloaded from the keystore administration and to decrypt the "SSO2 Cookie". In order to do this I have downloaded the SAPSSOEXT.DLL file and placed it in "C:\Windows:\System32", and registered the DLL file using "REGSVR32 C:\Windows:\System32sapsso.dll"
    But when I am executing the program I am getting the following error
    java.lang.UnsatisfiedLinkError: no sapssoext in java.library.path
            at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1682)
            at java.lang.Runtime.loadLibrary0(Runtime.java:822)
            at java.lang.System.loadLibrary(System.java:993)
            at SSO2Ticket.<clinit>(SSO2Ticket.java:38)
    at the line
    System.loadLibrary("sapssoext");
    Can somebody please help me out with how to add the downloaded dll file into the java path.
    Thanks in Advance

    Hi, check this link
    Hope it will be useful.
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d0c78148-12de-2a10-27bf-960acc753aab
    Also use this link
    Single Sign-On to Non-SAP Java Applications with SAPSSOEXT
    thanks
    Rewards are welcome
    Edited by: Mayank  Saxena on Sep 6, 2008 1:24 PM

  • How to integrate non-sap application with sap netweaver trial abap

    Hi, I currently have with me SAP Netweaver ABAP trial and Mini SAP BASIS 4.6 D. What i want to do is to see how can i integrate my non-SAP application with SAP.
    I am confused as to if using SAP Netweaver ABAP trial, will i be able to establish that. Can anyone guide me in this regard.I want to connect using JCO basically, want to write a java client that will be talking with the SAP application. Provide me a starting point.
    Will i require a Deployed SAP application as well to do this, or will Netweaver ABAP Trial do the job, will i also have to expose the business objects using BAPI.
    Please help.
    Please point out the right forum to post the question if this is not the right one.
    Thanks

    Hey
    Please post this question in ABAP forum
    ABAP Development
    Thanx
    Aamir

  • Use non-SAP components with ABAP

    Hello, i need to use a non-SAP component (DLL) in my ABAP program. This
    program have to make calls to functions of this DLL.
    is this possible in ABAP??
    Thanks

    Welcome to SDN.
    Yes this is possible. the dll has to be registered in all the local machines where the ABAP program will run.
    check out this weblog where Thomas shows how to use the windows media player control in ABAP.
    /people/thomas.jung3/blog/2005/05/11/using-classic-activex-controls-in-the-abap-control-framework
    /people/thomas.jung3/blog/2004/09/01/using-net-windows-controls-in-the-abap-control-framework
    Regards
    Raja

  • SAP 4.7 Interface through RFC with non-sap system

    We have SAP 4.7 instance and no XI and currently we are looking at following solutions using SAP connector, need following information:
    1. Which standard connector can be used ?
    2. How Master Data to be replicated from SAP system to non-sap system( Outbound) ?
    3. How Transactional data from non-sap system to SAP system ( Inbound)?
    We need the above input considering that we don't have XI
    regards

    hi ,
      Can you tell me which other non-sap system you are using
    either it is  dot net or some other
    Regards
    Deepak .

  • How to integrate the portal system with non-sap system

    Hi Gurus,
    How to integrate Portal system with non-SAP system?
    I know few ways .......Using Usermapping UIDPW method.
    Using Appintegrator .....and using Business repository objects in JCA?
    Is there any other way to integrate? If so, please give me the names and steps for integrating it.
    Thanks in Advance,
    Dharani

    Hi Dharani,
    You can get information from the following links:
    http://help.sap.com/saphelp_nw04s/helpdata/en/43/d08b00d73001b4e10000000a11466f/frameset.htm
    https://www.sdn.sap.com/irj/sdn/thread?threadID=744043
    SAP CONNECTORS:- Basically Connectors are like middlewares , that we use to connect to the backend system including Non SAP systems also. Will try to explain it to u with some examples of SAP Connectors:-
    a) SAP Business Connectors:-
    A middleware application based on the B2B integration server from webMethods.
    The SAP Business Connector enables both bi-directional synchronous communication and asynchronous communication between SAP applications and SAP and non-SAP applications.
    The SAP Business Connector makes all SAP functions that are available via BAPIs or IDocs accessible to business partners over the Internet as an XML-based service.
    The SAP Business Connector uses the Internet as a communication platform and XML or HTML as the data format. It integrates non-SAP products by using an open, non-proprietary technology.
    b) SAP Java Connector:-
    SAP Java Connector (SAP JCo) is a middleware component that enables the development of SAP-compatible components and applications in Java. SAP JCo supports communication with the SAP Server in both directions: inbound calls (Java calls ABAP) and outbound calls (ABAP calls Java).
    SAP JCo can be implemented with Desktop applications and with Web server applications.
    SAP JCo is used as an integrated component in the following applications:
    1) SAP Business Connector, for communication with external Java applications
    2) SAP Web Application Server, for connecting the integrated J2EE server with the ABAP environment.
    SAP JCo can also be implemented as a standalone component, for example to establish communication with the SAP system for individual online (web) applications.
    To Know more go through,
    SAP Java Connectors
    II) ALE Concept:-
    ALE is not restricted to communication between SAP systems, it can also be used for connecting SAP Systems to non-SAP systems.
    By using IDocs as universal information containers, ALE can reduce the number of different application interfaces to one single interface that can either send IDocs from an SAP system or receive IDocs in an SAP system.
    SAP certified Translator Programs can convert IDoc structures into customer-defined structures.
    Alternatively, the RFC interface for sending and receiving IDocs can be used in non-SAP systems.
    In both cases you need the RFC Library of the RFC Software Development Kit (RFC-SDK).
    This link gives a great insight into landscape for Connectivity to Non-SAP systems:-
    SAP to Non-SAP systems
    III) Communication Between SAP Systems and External (Non-SAP) Systems using RFC:-
    When you use RFC for communication with an external (non-SAP) system, you can also implement the SAP Java Connector or the SAP .Net Connector for the conversion of data. However, there are no specific security requirements for these components, since they only perform internal system conversion functions.
    The additional security recommendations for communication with external systems in this section make particular reference to cases where an external system is used as a server (SAP calls the external system). If you use an external system as a client (the external system calls SAP), the appropriate SAP-specific security mechanisms are implemented on the SAP side.
    This link explains in detail all the security considerations you need to take for connecting to an External Non SAP system like, User administration, Network Security etc.
    Communication Between SAP Systems and External (Non-SAP) Systems using RFC
    Hope this helps,
    Regards,
    Rudradev Devulapalli
    Reward the points if helpful

  • Call RFC on non ABAP-Host

    Hi experts,
    we try to integrate a machine into SAP.
    Therefore we want to use RFC-Communication.
    This means, the machine will call RFC-FMs on SAP.
    I know that this works and I only need to create a "normal" RFC-FM.
    But how can I call a RFC-FM on the machine out of SAP?
    Do I need to make a an RFC-FM like in ABAP but the destination is the machine (which is defined in SM59)?
    Kind regards

    Hi ,
    Please learn this link Connections to Non-SAP Systems (SAP Library - ALE Programming Guide)
    http://help.sap.com/saphelp_nw04/helpdata/en/52/16aafa543311d1891c0000e8322f96/content.htm
    You can take a look into idocs. For idocs processing you require RFC Library of the RFC Software Development Kit (RFC-SDK) on the non sap system side for processing RFC's.
    Regards,
    Sivaganesh

  • ABAP to FTP connect to non SAP UNIX system

    Greetings~
    I'm looking for a way (via function modules and/or BAPI) to transfer data in flat files from an SAP UNIX system to a non-SAP UNIX system using an ABAP program. I see FM's FTP_CONNECT and FTP_COMMAND however these seem to only work with UNIX systems running SAP as they require RFC_DESTINATION information. Anybody know which (if any) FM's can be used without the necessity of the target system running SAP/RFC?
    Thanks!

    Hi Joseph,
    Please refer the below program.
    REPORT  ZHR_T777A_FEED.
    tables: t777a.                        "Building Addresses
    * Internal Table for Building table.
    data: begin of it_t777a occurs 0,
            build like t777a-build,       "Building
            stext like t777a-stext,       "Object Name
            cname like t777a-cname,       "Address Supplement (c/o)
            ort01 like t777a-ort01,       "City
            pstlz like t777a-pstlz,       "Postal Code
            regio like t777a-regio,       "Region (State, Province, County)
          end of it_t777a.
    * Internal Table for taking all fields of the above table in one line
    * separated by ‘|’(pipe).
    data: begin of it_text occurs 0,
          text(131),
          end of it_text.
    Constants: c_key  type i value 26101957,
               c_dest   type rfcdes-rfcdest value 'SAPFTPA'.
    data: g_dhdl type i,      "Handle
          g_dlen type i,      "Password length
          g_dpwd(30).         "For storing password
    * Selection Screen Starts
    SELECTION-SCREEN BEGIN OF BLOCK blk1 WITH FRAME TITLE TEXT-001.
    parameters: p_user(30) default 'XXXXXXX'          obligatory,
                p_pwd(30)  default 'XXXXXXX'          obligatory,
                p_host(64) default 'XXX.XXX.XX.XXX'   obligatory.
    SELECTION-SCREEN END OF BLOCK blk1.
    SELECTION-SCREEN BEGIN OF BLOCK blk2 WITH FRAME TITLE TEXT-002.
    parameters: p_file like rlgrap-filename default 't777a_feed.txt'.
    SELECTION-SCREEN END OF BLOCK blk2.
    * Password not visible.
    at Selection-screen output.
      loop at screen.
        if screen-name = 'P_PWD'.
          screen-invisible = '1'.
          modify screen.
        endif.
      endloop.
    g_dpwd  = p_pwd.
    * Start of selection
    start-of-selection.
    * To fetch the data records from the table T777A.
      select build stext cname ort01 pstlz regio
             from t777a
             into table it_t777a.
    * Sort the internal table by build.
      if not it_t777a[] is initial.
        sort it_t777a by build.
      endif.
    * Concatenate all the fields of above internal table records in one line
    * separated by ‘|’(pipe).
      loop at it_t777a.
        concatenate it_t777a-build it_t777a-stext it_t777a-cname
                    it_t777a-ort01 it_t777a-pstlz it_t777a-regio
                    into it_text-text separated by '|'.
        append it_text.
        clear it_text.
      endloop.
    * To get the length of the password.
      g_dlen = strlen( g_dpwd ).
    * Below Function module is used to Encrypt the Password.
      CALL FUNCTION 'HTTP_SCRAMBLE'
        EXPORTING
          SOURCE      = g_dpwd          "Actual password
          SOURCELEN   = g_dlen
          KEY         = c_key
        IMPORTING
          DESTINATION = g_dpwd.         "Encrypted Password
    * Connects to the FTP Server as specified by user.
      Call function 'SAPGUI_PROGRESS_INDICATOR'
        EXPORTING
          text = 'Connecting to FTP Server'.
    * Below function module is used to connect the FTP Server.
    * It Accepts only Encrypted Passwords.
    * This Function module will provide a handle to perform different
    * operations on the FTP Server via FTP Commands.
      call function 'FTP_CONNECT'
        EXPORTING
          user            = p_user
          password        = g_dpwd
          host            = p_host
          rfc_destination = c_dest
        IMPORTING
          handle          = g_dhdl
        EXCEPTIONS
          NOT_CONNECTED   = 1.
      if sy-subrc ne 0.
        format color col_negative.
        write:/ 'Error in Connection'.
      else.
        write:/ 'FTP Connection is opened '.
      endif.
    * Transferring the data from internal table to FTP Server.
      CALL FUNCTION 'FTP_R3_TO_SERVER'
        EXPORTING
          HANDLE         = g_dhdl
          FNAME          = p_file
          CHARACTER_MODE = 'X'
        TABLES
          TEXT           = it_text
        EXCEPTIONS
          TCPIP_ERROR    = 1
          COMMAND_ERROR  = 2
          DATA_ERROR     = 3
          OTHERS         = 4.
      IF SY-SUBRC <> 0.
        MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
                WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
      ELSE.
        write:/ 'File has created on FTP Server'.
      ENDIF.
      Call function 'SAPGUI_PROGRESS_INDICATOR'
        EXPORTING
          text = 'File has created on FTP Server'.
    * To Disconnect the FTP Server.
      CALL FUNCTION 'FTP_DISCONNECT'
        EXPORTING
          HANDLE = g_dhdl.
    * To Disconnect the Destination.
      CALL FUNCTION 'RFC_CONNECTION_CLOSE'
        EXPORTING
          destination = c_dest
        EXCEPTIONS
          others      = 1.
    Regards,
    Kumar Bandanadham.

  • Consuming ABAP Web Service in Non SAP system

    Hi
    I have created an ABAP web service form the RFC and configured it in the SOAMANAGER. I have tested it in Web Service Navigator using the URL and it is working fine.
    Now I am trying to access it from the Non SAP system using Java Code. I am able to access the WSDL using the URL from the step 1 but not able to receive any output when providing inputs.
    So I am not sure if I am missing any configuration on the Provider System (SAP) or on the Consumer system (Non SAP) to access the web service. As far I have not configured anything on the consumer system. Please let me know how to consume the web service in the Non SAP system.
    Thank you,
    Rohit

    not necessarily an answer to your question, but i find that when creating SAP web services, before we create the code for consuming them, I always test them with the SOAPUI package. with this test suite you can import the WSDL, and run individual tests, seeing the input, output, exceptions, etc. This is a good way to check the connection, the flow and the service logic, before writing any code. This will also let you know whether it is a WS issue, or an issue with your code.
    just a thought, from someone who has been there...
    http://www.soapui.org is where you can find the SOAPUI. It helped me out a lot.
    Dave
