Unified Connectivity (UCON) Overview

Uploaded by Shashi Kandari
Unified Connectivity (UCON)

Overview
June 2021

PUBLIC
Agenda – UCON RFC Security Basic Scenario

Motivation and Scope

Basic Concepts

Coverage of New RFMs

How to Cope With the Restrictions of Productive Systems

Summary

© 2021 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2


UCON RFC Security Basic Scenario
Motivation and Scope
The Scope of UCON RFC Basic Connectivity

RFC-Based Connectivity: High-performing, for local high load scenarios, across all ABAP releases, close integration into ABAP



UCON – A Simple Approach to Make RFC More Secure

Reduce the Overall Attack Surface of Your Remote-Enabled Function Modules. Enhance RFC security by blocking the access to a large number of RFMs!

▪ Facts:
– Most SAP ERP customers run just a limited number of the
business scenarios for which they need to expose some RFMs
– A lot of RFMs are only used to parallelize within a system.

▪ Solution
– Find out which RFMs need to be exposed for the scenarios of a
customer.
– Block the access to all other RFMs.



The Basic Strategy of UCON to Solve These Problems

Reduce the number of RFMs exposed to the outside world.

Expose only and exactly those RFMs a customer needs to run their business scenarios.

38000 RFMs in SAP ERP (incl. SAP NetWeaver)

A typical SAP customer only needs to expose a few hundred RFMs for their business scenarios



UCON RFC Security Basic Scenario
Basic Concepts
The UCON Way to Security: Expose Only Those Function Modules You Need
to the Outside World


[Figure: RFM 1 to RFM 11; Default Communication Assembly (CA)]



UCON Checks Do Not Interfere with Calls Within the Same Client and System

Blocked for access from outside – Open for use in parallel RFC inside the same client in the same system

[Figure: RFM 1, RFM 3, RFM 5, RFM 7, … in SAP Business Suite]



UCON – An Additional Role/User-Independent Layer of Security Checks

[Flowchart: User trying to access an RFM. "RFM in CA?": no → No Access; yes → "User has authorization for the relevant CA?" / "User has authorization?": no → No Access; yes → Access to RFM]



UCON Setup and Configuration

It is simple to set up and configure Unified Connectivity (UCON):

1. Set the UCON profile parameter UCON/RFC/ACTIVE to 1 to enable UCON runtime checks for RFMs in the
final phase.

2. Run the UCON setup to generate a default communication assembly (CA) and other required entities.

3. Choose a suitable duration of the logging and evaluation phase.

4. Schedule the batch job SAP_UCON_MANAGEMENT that selects and persists the RFC statistic records
required by the UCON phase tool on the database.



UCON RFC Security
Easy Customer Adoption in Three Steps

1. Logging of RFMs called from outside
2. Evaluation/Simulation
3. Runtime checks active



Phase 1
Logging of RFC Connectivity Data

Tool support to use solid information instead of unreliable data
• Use a dedicated tool set to collect the information you need

Identify the RFMs you need to expose to run your business scenarios
• Collect aggregated statistic data on which RFMs are called in your system from outside
• Over a time period you can choose

At the end of phase 1, choose the RFMs you need and assign them to the Default CA:
• Based on the statistical records, you decide which RFMs should be accessed from outside and assign them to the CA



Phase 2
Evaluation of the Data Logged

UCON should not interfere with productive customer scenarios:
• Use the evaluation phase (phase 2) to simulate UCON runtime checks
• Check completeness of RFMs you need to expose
• Put required RFMs into Default CA

Customizable duration of evaluation phase:
• Duration of evaluation phase depends on in-house experience and knowledge

Check whether you have protected the right RFMs and make necessary corrections



Phase 3
The RFMs in the System Are Protected by UCON

UCON runtime checks are now active:
• Only RFMs in the default CA are accessible from outside
• RFMs that are not in the Default CA are now protected against any outside access

Less than 5% of all RFMs need to be exposed in a typical customer system:
• Out of a total of 38,000 RFMs in an SAP ERP system, only a few hundred are required and exposed for productive customer connectivity

Massive reduction of RFC attack surface for the average customer system
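A simplified model of the check order and the three phases described above, as an added example that is not SAP's code and not part of the original slides. The record fields, the per-RFM phase table and the RFM names are assumptions made for illustration, and the S_RFC layer is reduced to a yes/no input.

```python
from dataclasses import dataclass
from enum import Enum

class Phase(Enum):
    LOGGING = 1      # external calls are recorded, never blocked
    EVALUATION = 2   # checks are simulated, never blocked
    ACTIVE = 3       # checks are enforced

@dataclass(frozen=True)
class Call:
    rfm: str
    external: bool   # False: same client and same system (e.g. parallel RFC)
    s_rfc_ok: bool   # result of the separate S_RFC authorization layer

def check(call, phases, default_ca):
    """Return (allowed, reason) for one call in this simplified model."""
    phase = phases.get(call.rfm, Phase.LOGGING)  # new RFMs start in logging
    if not call.external:
        reason = "internal call, no UCON check"
    elif call.rfm in default_ca:
        reason = "in default CA"
    elif phase is Phase.ACTIVE:
        return False, "blocked by UCON"
    elif phase is Phase.EVALUATION:
        reason = "simulation: would be blocked"
    else:
        reason = "logged only"
    if not call.s_rfc_ok:
        return False, "blocked by S_RFC"
    return True, reason

def missing_from_ca(calls, default_ca):
    """RFMs called from outside that the default CA does not yet contain."""
    return sorted({c.rfm for c in calls if c.external} - set(default_ca))

# Constructed sample data; the RFM names are placeholders, not real modules.
DEFAULT_CA = {"Z_DEMO_ORDER_READ"}
PHASES = {"Z_DEMO_ORDER_READ": Phase.ACTIVE, "Z_DEMO_PARALLEL": Phase.ACTIVE,
          "Z_DEMO_REPORT": Phase.EVALUATION}
CALLS = [
    Call("Z_DEMO_ORDER_READ", external=True, s_rfc_ok=True),
    Call("Z_DEMO_ORDER_READ", external=True, s_rfc_ok=False),
    Call("Z_DEMO_PARALLEL", external=False, s_rfc_ok=True),
    Call("Z_DEMO_PARALLEL", external=True, s_rfc_ok=True),
    Call("Z_DEMO_REPORT", external=True, s_rfc_ok=True),
    Call("Z_DEMO_NEW_FROM_TRANSPORT", external=True, s_rfc_ok=True),
]
if __name__ == "__main__":
    print(*[(c.rfm, check(c, PHASES, DEFAULT_CA)) for c in CALLS], sep="\n")
```

The list returned by `missing_from_ca` is the set to review before an RFM moves to the check-active phase: each entry is either a required interface that still has to be assigned to the default CA or a call that will be blocked.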



Prerequisites for the Different Security Layers

[Figure: security layers in front of access to RFMs: UCON runtime checks, S_RFC checks]



Efforts Required for the Different Security Layers

[Figure: security layers in front of access to RFMs: UCON runtime checks, S_RFC checks]



UCON Protection After the Initial UCON Security Classification

[Figure: SAP Business Suite in the check-active phase: blocked RFMs from initial UCON set-up (37,000++); blocked/UCON-protected RFMs from other, new transports or installations; Default CA (100 ++)]



UCON RFC Security Basic Scenario
Coverage of New Remote-Enabled Function Modules
UCON Protection After Initial Security Classification

[Figure: check-active phase: Development; protected/blocked RFMs; Default Communication Assembly (exposed RFMs)]



New RFMs Arrive at a UCON-Protected System

Over time: New RFMs in transports, SPs, EhPs …

[Figure: check-active phase; Development]



New RFMs on Their Way to UCON Protection – Logging Phase

New RFMs are automatically assigned to the logging phase

[Figure: Logging phase, Evaluation phase, Check-active phase; Access allowed / Access blocked (UCON protection)]



New RFMs on Their Way to UCON Protection – Evaluation Phase

[Figure: Logging phase, Evaluation phase, Check-active phase; Access allowed / Access blocked (UCON protection)]



New RFMs Have Achieved UCON Protection – Check-Active Phase

[Figure: Logging phase, Evaluation phase, Check-active phase; Access allowed / Access blocked (UCON protection)]



The Ever-Growing Scope of UCON Protection

[Figure: SAP Business Suite: blocked RFMs from initial UCON set-up; blocked RFMs from other, new transports or installations; Default CA]



UCON RFC Security Basic Scenario
How to Cope with the Restrictions of Productive Systems
UCON and the Restrictions in a Productive System
Challenges

Authorizations and system change options in Productive Systems are not sufficient for UCON Operations

[Figure: PROD: assignment of relevant RFMs to default CA and UCON phases; collection of RFC call statistics and UCON protection; UCON Phase Tool]



UCON and the Restrictions in a Productive System
Solution

Delegate UCON operations to DEV

[Figure: DEV: assignment of relevant RFMs to default CA and UCON phases (UCON Phase Tool). PROD: collection of RFC call statistics and UCON protection (UCON Phase Tool)]

UCON and the Restrictions in a Productive System
How to Delegate UCON Operations to DEV - Step 1

1. Import RFC call statistics from PROD to DEV

[Figure: RFC call statistics (.csv) between the UCON Phase Tool on PROD and the UCON Phase Tool on DEV]



UCON and the Restrictions in a Productive System
How to Delegate UCON Operations to DEV - Step 2

1. Import RFC call statistics from PROD to DEV
2. Assign relevant RFMs to default CA and to next phase

[Figure: RFC call statistics (.csv) between the UCON Phase Tool on PROD and the UCON Phase Tool on DEV]



UCON and the Restrictions in a Productive System
How to Delegate UCON Operations to DEV - Step 3

1. Import RFC call statistics from PROD to DEV
2. Assign relevant RFMs to default CA and to next phase
3. R3Trans: Phase and CA assignment of RFMs

[Figure: RFC call statistics (.csv) and R3Trans between the UCON Phase Tool on DEV and the UCON Phase Tool on PROD]



UCON and the Restrictions in a Productive System
How to Delegate UCON Operations to DEV in a Nutshell

[Figure: DEV: assignment of relevant RFMs to default CA and UCON phases (UCON Phase Tool). PROD: collection of RFC call statistics and UCON protection (UCON Phase Tool). Exchanged between them: RFC call statistics; phase and CA assignment of RFMs]



UCON RFC Security Basic Scenario
Summary
UCON – Summary

It is simple to set up and configure Unified Connectivity (UCON)

• The UCON framework offers a simple, straightforward approach for enhancing the security of
your RFCs. It allows you to minimize the number of RFMs on ABAP-based servers exposed
to other clients and systems, reducing the available attack surface in your RFC
communications.

• The UCON phase tool guides and supports the administrator in the three-step setup and the
three-phased process.

• UCON covers new function modules entering the system via Support Packages,
Enhancement Packages, transports, or new developments.

• UCON is fully enabled for life-cycle management to ensure consistent RFC security
across your system landscape.
Where to Find More Information

Unified Connectivity (UCON)
https://wiki.scn.sap.com/wiki/x/0jS7Gg

SAP NetWeaver Security Community
https://community.sap.com/topics/security
