Before You Start

Use

This section contains the basic information you need to secure eCATT, together with links and references to further documentation. It also describes how to allow eCATT in SAP systems; this configuration step is a prerequisite for working with eCATT at all.

Fundamental Security Guides

As is explained in the Technical System Landscape section, eCATT is built on SAP NetWeaver Application Server for ABAP.

Therefore, the SAP NetWeaver Application Server for ABAP Security Guide also applies to eCATT. Among other things, this guide contains the RFC/ICF Security Guide, which you need for network and communication security.

For a complete list of the available SAP Security Guides, see the SAP Service Marketplace at service.sap.com/securityguide.

Important SAP Notes

The most important SAP Notes that apply to the security of eCATT are listed in the table below.

SAP Note   Title                                               Comment
496286     Security concept extended for CATT and eCATT        Valid only for releases older than 6.20 SP 40 / 6.40 SP 03
728979     Missing security checks in eCATT function modules   Valid only for releases older than 6.20 SP 01

Allowing eCATT in SAP Systems

To be able to work with eCATT, the very first activity is to allow the use of eCATT in the SAP systems concerned. In each SAP system that is involved (that is, every client in which you want to run CATT procedures or eCATT test scripts, as well as every test server), you must specify in the client settings that this is allowed.

  1. Start transaction SCC4.

    You will see a list of all of the clients that have been set up in the system.

  2. Choose Maintain, and acknowledge the warning that the table is cross-client.

  3. Double-click the client in which you want to allow CATT or eCATT.

    Depending on the release in which you are working, you will see one of two screens.

    • In older releases, in the Restrictions group box, select the check box Allows CATT processes to be started.

    • In newer releases, in the group box Restrictions when Starting CATT and eCATT, select one of the following entries:

      • eCATT and CATT Not Allowed

      • eCATT and CATT Allowed

      • eCATT and CATT Allowed for 'Trusted RFC' Only

      • eCATT Allowed; FUN/ABAP and CATT Not Allowed

      • eCATT Allowed; FUN/ABAP and CATT for 'Trusted RFC' Only

      Since one of the main principles of eCATT is to run all test cases from a central test system, RFC communication is required to connect to the target systems. You can restrict this RFC communication to trusted RFC, which avoids storing passwords in RFC destinations and transmitting them over the network. Note that a trusted RFC relationship is itself an authorization decision: the calling user must hold the S_RFCACL authorization in the trusting (target) system, so restrict that authorization to the users who actually run eCATT.

      The FUN and ABAP commands, and some of the ABAP Objects commands in eCATT, pose a security problem because the eCATT environment lets them bypass the normal security mechanisms:

      • With FUN, you can execute function modules remotely, even if they are not designated as remotely-enabled in their attributes.

      • The ABAP command (ABAP… ENDABAP) allows you to write and execute ABAP coding with just the authorization to create eCATT scripts (and not the full authorization for creating ABAP programs).

      • Some commands belonging to the ABAP Objects command group (CREATEOBJ, CALLMETHOD and CALLSTATIC) can also be executed remotely with eCATT.

        Consequently, you should disable these features where they are not needed, or at least restrict them so that they run only within a trusted RFC relationship.
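      The setting chosen in SCC4 is worth auditing across all clients rather than checking one client at a time, so that a production client or a test target that allows FUN/ABAP over arbitrary RFC destinations does not go unnoticed. The following audit script is an added example by the editor, not SAP code and not part of this guide. It assumes that the SCC4 entry is stored in field CCNOCASCAD of client table T000, that the client role is stored in T000-CCCATEGORY, and that the five SCC4 entries are stored as the one-character codes in RESTRICTION_TEXT; all three are assumptions to verify in your own release (for example with SE16 on T000). The T000 rows are constructed for illustration.

```python
"""Audit eCATT/CATT client restrictions from rows of SAP client table T000.

Editor's example, not SAP code. Assumptions (verify in your release):
  - the SCC4 entry "Restrictions when Starting CATT and eCATT" is T000-CCNOCASCAD
  - the client role is T000-CCCATEGORY ("P" = production)
  - the value codes in RESTRICTION_TEXT map to the five SCC4 entries
"""
from dataclasses import dataclass

# Assumed value codes of T000-CCNOCASCAD for the five SCC4 entries.
RESTRICTION_TEXT = {
    " ": "eCATT and CATT Not Allowed",
    "X": "eCATT and CATT Allowed",
    "T": "eCATT and CATT Allowed for 'Trusted RFC' Only",
    "E": "eCATT Allowed; FUN/ABAP and CATT Not Allowed",
    "F": "eCATT Allowed; FUN/ABAP and CATT for 'Trusted RFC' Only",
}

# Assumed client roles (T000-CCCATEGORY) that must never allow eCATT at all.
PRODUCTION_ROLES = {"P"}


@dataclass(frozen=True)
class Finding:
    client: str
    severity: str  # "HIGH", "MEDIUM" or "LOW"
    message: str


def describe(setting):
    """Return the SCC4 text for a CCNOCASCAD value, or None if unknown."""
    return RESTRICTION_TEXT.get(setting)


def audit_clients(rows):
    """Evaluate (client, role, ccnocascad) rows and return the list of findings.

    Policy (the editor's, not SAP's): production clients allow nothing; any
    client that lets FUN/ABAP run over non-trusted RFC is HIGH; FUN/ABAP over
    trusted RFC only is MEDIUM (prefer 'E' if FUN/ABAP is not needed); eCATT
    without FUN/ABAP/CATT ('E') is the least-privilege choice for a test target.
    """
    findings = []
    for client, role, setting in rows:
        text = describe(setting)
        if text is None:
            findings.append(Finding(client, "MEDIUM",
                                    f"unknown restriction value {setting!r}; verify in SCC4"))
            continue
        if setting == " ":
            continue  # nothing may be started: nothing to report
        if role in PRODUCTION_ROLES:
            findings.append(Finding(client, "HIGH", f"production client allows eCATT: {text}"))
            continue
        if setting == "X":
            findings.append(Finding(client, "HIGH",
                                    "FUN/ABAP and CATT allowed over any RFC destination, "
                                    "including destinations with stored passwords"))
        elif setting == "T":
            findings.append(Finding(client, "MEDIUM",
                                    "FUN/ABAP and CATT allowed (trusted RFC only); "
                                    "use 'eCATT Allowed; FUN/ABAP and CATT Not Allowed' if FUN/ABAP is not needed"))
        elif setting == "F":
            findings.append(Finding(client, "LOW",
                                    "FUN/ABAP restricted to trusted RFC; acceptable for a test target"))
        # "E": eCATT only, FUN/ABAP and CATT not allowed: nothing to report
    return findings


# Constructed sample rows (client, CCCATEGORY, CCNOCASCAD), not real system data.
SAMPLE_T000 = [
    ("000", "S", " "),  # SAP reference client, nothing allowed
    ("100", "P", " "),  # production, nothing allowed
    ("200", "P", "X"),  # production with eCATT/CATT fully allowed
    ("300", "T", "X"),  # test target with FUN/ABAP over any RFC
    ("400", "T", "E"),  # test target, eCATT only
    ("500", "C", "F"),  # customizing client, FUN/ABAP over trusted RFC only
    ("600", "T", "Q"),  # value not in the known code set
    ("700", "T", "T"),  # FUN/ABAP and CATT over trusted RFC only
]

if __name__ == "__main__":
    for f in audit_clients(SAMPLE_T000):
        print(f"client {f.client} [{f.severity}] {f.message}")
```

      Run the script against rows exported from T000 for every system in the eCATT landscape (central test system and all targets). The severity policy is deliberately simple; tighten it to your own rules, but keep the two rules that follow directly from this section: production clients should allow nothing, and FUN/ABAP should never be reachable over RFC destinations that carry stored passwords.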

Additional Information

For more information about specific topics, see the addresses on the SAP Service Marketplace listed in the table below.

Content               SAP Service Marketplace Address
Security              service.sap.com/security
Security Guides       service.sap.com/securityguide
Related SAP Notes     service.sap.com/notes
Released platforms    service.sap.com/platforms
Network security      service.sap.com/securityguide
SAP Solution Manager  service.sap.com/solutionmanager