rfc/callback_security_method before Release 7.40

As of Basis Release 7.40, SAP offers a standard solution for securing RFC callbacks using positive lists. If you are on a release lower than 7.40, you need to perform manual steps to configure “rfc/callback_security_method” on your SAP system.

As you can see, there is no “Generate RFC Callback Positive Lists” button in transaction SM59 if you are using an SAP release lower than 7.40.

In this case, SAP offers the following steps as a solution:

1. Set the profile parameter rfc/callback_security_method = 1 (default value).

2. Use transaction SM19 to activate the Security Audit Log, and add the audit events DUI (RFC callback executed), DUJ (RFC callback rejected), and DUK (RFC callback executed in simulation mode).

3. After some time, run the program RSAU_SELECT_EVENTS in transaction SE38, choose “Selection by Individual Events”, and enter the values DUI, DUJ, and DUK.
The system issues a list of all RFC destinations that were used to execute callbacks.

4. Manually make entries in the following tables using transaction SE16, according to the RSAU_SELECT_EVENTS output.

In RFCCBWHITELIST_A, one entry:
Field DESTINATION = enter the RFC destination to be secured here.
Field ACTIVE_FLAG = “X”

In RFCCBWHITELIST, one entry for each combination of called and called back function:
Field DESTINATION = enter the RFC destination to be secured here.
Field CALLED_FM = enter the name of the function called in the target system.
Field CALLED_BACK_FM = enter the name of the function that is allowed to be called back from the target system to this system.

I assume that you have already completed steps 1 and 2 as described in the previous article, “rfc/callback_security_method”.

So we can continue with step 3: go to transaction SE38 and execute the report “RSAU_SELECT_EVENTS”.

Choose the audit messages “DUI”, “DUJ” and “DUK”.

Select the time restrictions (from the date you activated the SM19 logs) and execute the report.

Now you can get the list of all RFC destinations that were used to execute callbacks.

According to SAP, we need to edit the tables RFCCBWHITELIST_A and RFCCBWHITELIST with the RFC information that we got from the report RSAU_SELECT_EVENTS.

But you probably cannot do this, because of the message “Table maintenance not allowed for table RFCCBWHITELIST_A”.

In this case, we need to continue with the below steps.

As we said before, we have the RFC list from the report RSAU_SELECT_EVENTS; now we have to configure the related RFC definitions manually in SM59.

Before this, it is better to check the entries of table RFCCBWHITELIST via SE16.

After checking this, go to SM59 and open the related RFC definition in edit mode, select the “whitelist active” option to activate the “Callback Whitelist” area, and add the “Called Function Module” information.

After this, let’s check the entries of table RFCCBWHITELIST via SE16.

As you can see, our entries were inserted into the table. Finally, we can change the parameter “rfc/callback_security_method” to the value 3.

“RFC Callback Check Secure” is now fully activated.
