The Purpose of this page is to provide a guide (step-by-step) of setting up a Trusted/Trusting Relationship between two SAP ABAP systems.
This page explains from the scratch all the steps required to setting up a Trusted/Trusting Relationship between two SAP ABAP systems. It reinforces the authorization necessary to a user be able to access both systems. Also, it explains how both Remote Function Call (RFC) destinations (server and client) that are necessary to establish the trusted connection must be created.
Creating your RFC USER
First of all, you will need to create a user that will be used in your Trusted Relationship. This can be done in transaction /SU01. Then, you need to assign the authorization object S_RFCACL to this user (notice that as of release 4.0B, for security reasons, SAP_RFCACL is NOT included in SAP_ALL or SAP_NEW).
When assigning S_RFCACL authorization to this user, you can use the value “*” to RFC_CLIENT field. By doing this, those user who fulfil the criteria regarding RFC_CLIENT and RFC_USER can properly call the target system. Notice that, if the same user is always used in both systems for Trusted/Trusting Relationship, the RFC_USER value can be set as ' ' (blank).
Creating your Servers Destinations
After the RFC USER is created, you will need to create your servers destinations.
In transaction /SM59, create your RFC destination to the second system (< SECONDSYSTEM _SID>_BACK, for example) and only fulfil the “Technical Settings” of this destination. Notice that in the “Logon & Security” tab you must NOT change the “Trusted System” option to “Yes”. Do a “Connection Test” to see if the destination could reach successfully the second system. Then, go to transaction /SMT1 and create an entry to this RFC destination with the RFC USER created previously and save it.
At last, you will need to perform the same steps described previously (“Creating your RFC_USER” and “Creating your Servers Destinations”) in the second system.
Creating your Clients Destinations
The final step to set up your Trusted/Trusting Relationship is to create the clients destinations. To do that, go to transaction /SM59 in the first system and create a RFC Destination to the second system (<SECONDSYSTEM_SID>CLNT<CLIENT_NUMBER>, for example).
After filling the “Technical Settings”, as you did in the “Creating your Servers Destinations” step, you will need to fill the “Logon & Security” tab (notice that this step should not be done to the servers destinations).
In the “Logon & Security” tab, change the “Trusted System” option from “No” to “Yes”. In the logon area, mark the checkbox “Current User” and fill the “Client” field. Then, save the destination. Do a “Connection Test” and an “Authorization Test” (Utilities -> Test -> Authorization Test) to see if you have built the first system accordingly. If there is no error, you should be able to do a “Remote Logon” to the second system.
Finally, perform the same steps above to create the client destination in the second system to finish the setup of your Trusted/Trusting Relationship.
If you face any issue during the process of setting up your Trusted/Trusting Relationship, such as:
- Connection Test fails;
- Authorization Test fails;
- Remote Logon fails.
- Under certain conditions an RFC or HTTP connection to an SAP system might be established even though incomplete authentication information is passed.
Then, please check the link and notes of the Related Content section.
SAP Note 128447: Trusted/Trusting systems
SAP Note 1627901: Authorization group for Trust Relationship
SAP Note 1491645: Unauthenticated system access via RFC or HTTP
SAP Note 63347: List: CPIC error codes