Register Login

Trusted/trusting Relationship between two SAP systems

Problems may occur when setting up a trust relationship

(trusted/trusting system relationship) between two SAP systems and when using this relationship. The following runtime errors occur:

"No authorization to log on as a trusted system (Trusted RC = #)."

or

"No authorization to log on as a trusted system (L-RC=A T-RC=B)"

Note the following:

  • L-RC displays the output value for the logon (L as in logon).
     
  • T-RC displays the output value for the trust relationship (T as in trust).
     
  • You must take output values A and B for the target system (trusting ABAP system) from the text for the ABAP runtime error "CALL_FUNCTION_SINGLE_LOGIN_REJ".

When you set up a trust relationship between a trusted system (client C00) and a trusting system (server S00), the destination TRUSTING_SYSTEM@S00 is automatically created in system C00. This destination is required for administrative tasks and must not be used or deleted in productive scenarios. Always use transaction SM59 to set up a separate destination (for example: S00_TRUSTED) for the productive scenario.

If you do not define any logon data in the destination S00_TRUSTED (which is used productively) on the trusted system C00 for the trusting system S00, the system will attempt to log on to the target system S00 with the user who is logged on to the system C00 (the user name corresponds to SY-UNAME, client, and language) as is the case for every RFC call. Therefore, if the client or the language of the trusting system do not correspond to those of the trusted system, you must define the client and the language in the destination. If the logon is carried out using the same user name, you must set the field "RFC_EQUSER" to Y (for YES) in the authorization object S_RFCACL for the users in the trusting system.

Note the following:

As of SAP_BASIS Release 7.02, when establishing a trust relationship, the installation number of the calling system is used in addition to the system ID if this function is available in the calling system (that is, its SAP_BASIS release is Release 7.02 or higher). For trusted relationships that include the installation number in addition to the system ID in transaction SMT1, the trusted RFC authorizations based on the authorization object S_RFCACL must be adjusted so that the field RFC_INFO contains the installation number of the calling system (that is, the trusted system). The installation number of the calling system is displayed per system in transaction SMT1.

Example for releases before Release 7.02:

RFC_SYSID : C00
RFC_CLIENT: M_1
RFC_USER  : ' '
RFC_EQUSER: Y (for Yes)
RFC_TCODE : *
RFC_INFO  : *
ACTVT     : 16

Example for releases as of Release 7.02:

RFC_SYSID : C00
RFC_CLIENT: M_1
RFC_USER  : ' '
RFC_EQUSER: Y (for Yes)
RFC_TCODE : *
RFC_INFO  : 0120061532 (that is, installation number of the calling system)
ACTVT     : 16

You can also enter a user (U_2) in the destination S00_TRUSTED, which is then used when working in the trusting system S00. In this case, in the trusting system, you must set the field "RFC_EQUSER" to N (for NO) in the authorization object S_RFCACL for this user. For security reasons, you must also maintain the S_RFCACL fields RFC_CLIENT, RFC_USER, and (if required) RFC_TCODE:

  • RFC_CLIENT: List of clients from which the logon can be carried out.
     
  • RFC_USER: List of all users in the trusted system, who are allowed to use the user U_2 to log on.
     
  • RFC_TCODE: List of all transactions from which calls into the trusting system can be made in the trusted system using the destination.

This prevents misuse of this destination.

Example:

If the user U_1 under client M_1 in the trusted system C00 is to work under the user U_2 with client M_2 in the trusting system S00 using a trusted/trusting relationship, the user (U_2, M_2) in the system S00 must have an authorization object S_RFCACL that has the following settings:

RFC_SYSID : C00
RFC_CLIENT: M_1
RFC_USER  : U_1
RFC_EQUSER: N
RFC_TCODE : *
RFC_INFO  : *
ACTVT     : 16

You can maintain the settings listed above using transaction PFCG (Role Maintenance) on the server system S00. Detailed information about role maintenance is available at: [http://help.sap.com/saphelp_nw04/helpdata/en/52/6714a9439b11d1896f0000e8322d00/frameset.htm]

When you maintain and assign the S_RFCACL authorizations, note that you should not use any generic values (such as '*') for RFC_SYSID, RFC_CLIENT, and RFC_USER. This is because all users who meet these criteria regarding RFC_CLIENT and RFC_USER can call RFC modules from the calling system without hindrance using the user who was entered in the destination S00_TRUSTED.

The authorization for the user U_1 who was entered in the destination S00_TRUSTED can be checked in advance in the trusting system S00 using the function module AUTHORITY_CHECK_TRUSTED_SYSTEM.

Note:

As of SAP_BASIS Release 7.02, the parameter "LICENSE_NR" was added to the function module AUTHORITY_CHECK_TRUSTED_SYSTEM. This parameter expects the installation number of the calling system if the trust relationship with a system also includes the installation number.

Authorization errors that occur when using an RFC destination for which the 'Trusted Systems' indicator is set are documented with the following message:

"No authorization to log on as a trusted system (Trusted RC = #)."

In this case, the trusted return code # (# = 0, 1, 2, 3) has the following relevance:
0   Invalid logon data (user and client) for the trusting
    system.
    Solution: In the server system (trusting system), create the user
    in the relevant client.
1  The calling system is not a trusted system, or the
    security key for the system is invalid.
    Solution: Recreate the trusted system (see
    documentation).
2   In the trusting system, the user has no authorization that contains
    the authorization object S_RFCACL, or a logon was carried out using one of the protected users 'DDIC' or 'SAP*'.

    Solution: Either provide the user with the relevant
    authorization, or use neither of the protected
    users 'DDIC' or 'SAP*'.
3   The time stamp of the logon data is invalid.
    Solution:  Check the system time on the client host and on the
    server host and check the validity date of the logon data. The
    system times of both systems must be synchronized.

IMPORTANT NOTE:
If an RFC destination is marked as a 'trust relationship', each authorization triggers a RABAX (ABAP exception). This RABAX contains a detailed error documentation.

Procedure to analyze the error:

  • Call transaction ST22 (ABAP Runtime Error) and select the required selection period.
     
  • Choose the relevant entry under the user SAPSYS and the program name CALL_FUNCTION_SYSCALL_ONLY. The section 'How to correct the error' provides all the information required to correct the error.

Remarks:

  •  If you want to use SAProuter(s) to set up a trust relationship to a trusting system, you must manually enter the SAProuter string for the target host in the generated RFC destination "TRUSTING_SYSTEM@ ".
     
  • Since the generated RFC destination "TRUSTING_SYSTEM@ " is a cross-client destination, the system terminates the test in transaction SMT2 and displays the following error text and short dump in the target system (trusting ABAP system):

                        "No authorization to log on as a trusted system (L-RC=A T-RC=0)."
                        
           This error text means that the following occurred during the two-step test:

    The check of the trusted logon was successful (Trusted RC=0).
         
    Logging the user on to the target system in a different client failed because the authorization S_RFCACL was missing for the user in the target system or because the user does not exist in the target client.

    Solution: Navigate to transaction SMT2 and choose an ABAP system by double-clicking. You can now maintain the generated RFC destination by choosing "Maintain destination". When you are within the generated RFC destination, choose the "Administration" tab page and deselect the "Destination not modifiable" checkbox. By entering the SAP client in the generated RFC destination, you can correct the problem with the error text and the display of the ABAP runtime error in the trusting system.

                        Alternatively, you can use transaction SMT2 to perform a one-off test between trusted and trusting ABAP systems in a joint SAP client (the Single Sign-On test in transaction SMT2 for all clients is not required).
     
  • In addition, refer to Note 204039.
     
  • The settings of the generated destination TRUSTING_SYSTEM@S00 in the trusted system may be incorrect if the SAP host name contains the character '_' (such as "my_host"). This problem is solved with Support Package SAPKB46D09 (see below). For earlier releases, you can manually implement the required changes for correcting the problem as specified below.
     
  •  If the ABAP runtime error "CALL_FUNCTION_SINGLE_LOGIN_REJ" with the reason:
                        "No authorization to log on as a trusted system (T-RC=1)"
                                      
    occurs and you are using the version levels mentioned below in the RFC Trusting ABAP system, implement the ABAP correction in Note 1579570.

Basis Release Support Package Kernel patch No.

            46C SAPKB46C62 2570 or higher

            620 SAPKB62069 359  or higher

            640 SAPKB64028 359 or higher

            700 SAPKB70024 285 or higher

            701 SAPKB70108 117 or higher

            710 SAPKB71012 231 or higher

            711 SAPKB71107 117 or higher

            702 SAPKB70206 68 or higher

            720 SAPKB72005 68 or higher

            730 SAPKB73001 68 or higher

       


×