Setting up a trusted RFC connection

As a SAP Administrator I often get questions on trusted RFC connections. I also noticed on
the SDN forums that there are often questions regarding the setup.
All in all it’s not that hard but it’s like that with a lot of configurations and setups, you just
have to know how to do it properly and it will cause less issues.
A trusted connection between SAP systems means you can logon across system boundaries
without a password transfer.
First you have transaction SM59 where you need to define a RFC connection towards the
target system you want to enable as trusted in your source system.
For example:
On your source SAP system AA1 you want to setup a trusted RFC towards target system
BB1. When it is done it would mean that when you are logged onto AA1 and your user has
enough authorization in BB1, you can use the RFC connection and logon to BB1 without
having to re-enter user and password .
In transaction SM59 on AA1 define an R3 type RFC connection(connection type 3) towards
BB1.

Maintain the technical settings tab

Next go to the logon & security tab
Fill in details for logon

Choose the right option in MDMP & Unicode (is your target Unicode yes or no). We assume
BB1 is Unicode in this example as it will be like that for most SAP system with a recent
release level.
Now you can first test this RFC connection to see if it works, if you run into problems you
need to fix them before continuing.

This can be done using Utilities -> Connection Test, Authorization Test and Unicode Test

Now the R3 RFC connection is made, we can continue to the next step. Go to transaction
SMT1 and click the create button.
Fill in the previously created RFC connection name
Click yes

Now click the Maintain Destination button

This will take you back into SM59 destination BB1CLNT100
Change the Trusted System option to yes in the logon & security tab.

Yes
Remove the user from the logon and select “Current User”.

Result in SM59 destination BB1CLNT100

Setting the trusted system to yes and so on can be done directly when creating the RFC
connection in SM59 but maintaining the destination when creating the entry in SMT1 avoids
more issues in my opinion (you already know up front the connection itself works when you
enter SMT1).
Save the RFC connection
Now you have a trusted RFC connection. The current user flag checked means that the RFC
connection will use the user-id of the person who is logged on and wants to use the RFC
connection. This is for security reasons, you should not fill in a user/pass in a trusted RFC
connection as it can be abused by other users that way.
The necessary authorization to actually use this RFC connection has to be set in the target
SAP system BB1 and of course in the client where the RFC is pointing to (client 100 in this
example). Object S_RFCACL is the authorization object which needs to be maintained in
BB1 client 100 for the user-ids that have to be able to use the trusted RFC connection from
AA1 to BB1 client 100.
The specifics for S_RFCACL depend on the SAP release version. For this a SAP note exists
which has details on what should be set:
Note 128447 - Trusted/trusting systems
Once you have created your trusted RFC you should also see BB1 in transaction SMT1 on
SAP system AA1 and AA1 in transaction SMT2 (trusting SAP systems) on SAP system BB1.
You can repeat the steps (switch AA1 and BB1) to configure a trusted RFC connection from
BB1 to AA1 if wanted.