Unwanted execution of remote-enabled function modules can occur via SOAP over the HTTP channel if a particular ICF service was activated incorrectly, or if an RFC authorization was defined too permissively.
Other terms
SOAP, Simple Object Access Protocol, RFC, Remote Function Call, ICF, Internet Communication Framework, security
Reason and Prerequisites
If the service "/sap/bc/soap/rfc" is activated in transaction "SICF", it is possible to access remote-enabled function modules in the ABAP system if the user has the relevant authorizations (see Note 93254).
This may lead to a security risk for ABAP systems in internet or intranet scenarios (also see the standard passwords in Note 40689).
Also refer to Note 626073.
Solution
Check whether the service in your landscape is used for particular software solutions. If not, the following applies:
- For releases higher than 610: Deactivate the service "/sap/bc/soap/rfc" in transaction SICF.
- For Release 610: In the "SAP Authorization" field on the "Service Data" tab page, maintain an authorization value for the service "/sap/bc/soap/rfc", to which no user in the system is assigned. For more information about this, refer to the input help of the field.
If you do not know whether this service is used, you can find out, for example, by analyzing the ICMan server log. When ICMan logging is activated, you will find the server log entries in transaction "SMICM" -> "Goto" -> "HTTP Log". The documentation of the ICMan server log is on the SAP Help Portal, for example, for Release 620 at:
- In German: "http://help.sap.com/saphelp_webas620/helpdata/de/73/b5f99d019f11d5991400508b6b8b11/content.htm".
- In English: "http://help.sap.com/saphelp_webas620/helpdata/en/73/b5f99d019f11d5991400508b6b8b11/content.htm".
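The log analysis described above, as an added example that is not part of the SAP Note: it reads ICM HTTP log lines, keeps only the requests that reach "/sap/bc/soap/rfc", and summarizes them per client host and user, so that callers not belonging to a known software solution stand out before you decide to deactivate the service or tighten its authorizations. It assumes the log was written in Common Log Format (CLF, one of the formats selectable in the icm/HTTP/logging_<n> profile parameter); the log lines, hosts and user names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of an ICM HTTP log in Common Log Format (assumption: the
# ICM was configured with LOGFORMAT=CLF). Hosts, users and paths are made up.
SAMPLE_ICM_LOG = """\
10.0.0.15 - DEVELOPER [12/Mar/2010:09:14:02 +0100] "POST /sap/bc/soap/rfc?sap-client=100 HTTP/1.1" 200 4312
10.0.0.15 - DEVELOPER [12/Mar/2010:09:14:05 +0100] "POST /sap/bc/soap/rfc HTTP/1.1" 200 1190
10.0.0.77 - INTEGRATION_USR [12/Mar/2010:09:20:44 +0100] "POST /sap/bc/soap/rfc HTTP/1.0" 200 7801
10.0.0.90 - - [12/Mar/2010:09:31:10 +0100] "POST /sap/bc/soap/rfc HTTP/1.1" 401 0
10.0.0.21 - WEBGUI_USER [12/Mar/2010:09:40:00 +0100] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 15000
"""

# CLF: host ident user [time] "method path protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

SOAP_RFC_PATH = "/sap/bc/soap/rfc"


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def soap_rfc_usage(log_text):
    """Map (host, user) -> {"requests": n, "statuses": {code: n}} for calls to /sap/bc/soap/rfc."""
    usage = defaultdict(lambda: {"requests": 0, "statuses": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        # Drop the query string so "/sap/bc/soap/rfc?sap-client=100" is still recognized.
        if rec["path"].split("?", 1)[0] != SOAP_RFC_PATH:
            continue
        entry = usage[(rec["host"], rec["user"])]
        entry["requests"] += 1
        entry["statuses"][rec["status"]] += 1
    return {k: {"requests": v["requests"], "statuses": dict(v["statuses"])} for k, v in usage.items()}


def unexpected_callers(usage, known_solution_users):
    """Callers whose user is not one of the users your software solutions are known to use."""
    return {key for key in usage if key[1] not in known_solution_users}


if __name__ == "__main__":
    summary = soap_rfc_usage(SAMPLE_ICM_LOG)
    for (host, user), info in sorted(summary.items()):
        print(f"{host:<12} {user:<16} requests={info['requests']} statuses={info['statuses']}")
    print("not explained by a known solution:", unexpected_callers(summary, {"INTEGRATION_USR"}))
```

Requests with user "-" and status 401 are unauthenticated attempts that were rejected; authenticated callers outside the known list are the ones to check against the RFC authorizations of Note 93254 before leaving the service active.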
If the service "/sap/bc/soap/rfc" is used in your landscape for software solutions, check whether the authorizations that have been defined for the user that is used in the solution are restrictive enough.
As of Web Application Server 640 (that is, SAP NetWeaver 2004), use the Web Service Framework. For more information about migration, see "http://service.sap.com/connectors" -> "SOAP Processor" -> "Media Library" -> PDF document "SOAP Migration Guide 6.20 to 6.40". Among other things, the migration enables a dedicated activation or deactivation for each Web Service entry in the "SICF" transaction under "/sap/bc/srt".
Affected Releases