
Security for the Enhanced Change and Transport System (CTS+)

This topic describes the security aspects that you need to consider from a CTS perspective when you use CTS to transport non-ABAP objects, such as the additional communication destinations that must be secured and the roles for CTS+.

Before you start

In general, the Security Guide for SAP NetWeaver AS for ABAP, and in particular the Security Aspects for the Change and Transport System, also applies to the transport of non-ABAP objects using the Change and Transport System (CTS). In addition, for all actions that take place on the AS Java, the Security Guides for SAP NetWeaver AS for Java also apply. The non-ABAP applications that you want to transport may specify their own security requirements, which apply as well.

Important SAP Notes

SAP Note 1655851: Secure deploy communication in NWDI and CTS+

If you are using SAP NetWeaver Development Infrastructure (NWDI) together with the enhanced Change and Transport System (CTS+), the deployment to any AS Java >= 7.10 should be done with a secure P4 connection.

Update your AS Java to one of the Support Package levels specified in the SAP Note.

See also the information about the DEPLOY_URL parameter in Parameters for Non-ABAP Transports.

SAP Note 1682508: Enhancements in CTS+ Import Script Deployer

If you use script-based deployment, implement this note to get the latest version of the CTS+ Script Deployer. (We recommend that you always use the latest version.)

Use this note if you cannot update to a release or SP level that is required to use SAP Note 1943569.

SAP Note 1943569: Enhanced Permission Concept for the Script Deployer

If you use script-based deployment, this note increases the security level by introducing a role that is required to execute the CTS+ Script Deployer. We recommend that you update the CTS+ Script Deployer to a release or SP version that supports this role.

Securing Communication Destinations Required for the Export of Non-ABAP Objects

Technical System Landscape: Export of non-ABAP Objects

Figure 1: Communication destinations required for export of non-ABAP objects
Step 1: The communication between the non-ABAP source system and the CTS system is set up in one of the following ways:
  1. Using an RFC destination (a JCo destination of type RFC called sap.com/com.sap.tc.di.CTSserver) that is configured on the AS Java of the non-ABAP source system. This applies to non-ABAP objects of SAP applications that are closely coupled to CTS, such as NWDI, System Landscape Directory (SLD), or Process Integration (PI). For more information, see Configuring Export Destinations.
  2. Using the CTS Export Web Service (EXPORT_CTS_WTS), which is configured on the AS ABAP of the CTS system using transaction SOAMANAGER. This applies to non-ABAP applications that are closely coupled to CTS and which typically do not run on AS Java. This requires the CTS plug-in to be installed in the system.

For more information, see Connecting Further Applications with the Change and Transport System. For SAP applications, you usually find this information in the How To Guides on SCN (Resources on CTS+).

Security measures for step 1:

The user used in the communication between the non-ABAP source system and the CTS system must have a copy of the role SAP_CTS_PLUS, plus the enhancements assigned as described in SAP Note 1003674.

For authentication, we recommend that you use a ticket-based setup. For more information, see Authentication Assertion Tickets in the SAP NetWeaver Security Guide.

If you use an RFC destination, make sure that it is configured in a secure way. For more information, see Transport Layer Security in the SAP NetWeaver Application Server for Java Security Guide.

If you use the CTS Export Web Service, make sure that it is configured in a secure way. (When configuring the export web service, you can select Communication Security and Authentication Settings.) For more information, see Transport Security for Web Services.

Also make sure that the user has sufficient permissions to execute web services, for example using the role SAP_BC_WEBSERVICE_CONSUMER.

Securing Communication Destinations Required for the Import of Non-ABAP Objects

The communication destinations required for the import of non-ABAP objects vary depending on whether you use HTTP-based deployment on the target system (which does not require an AS Java) or not.

Technical System Landscape: Import of non-ABAP Objects using HTTP-based Deployment

Figure 2: Communication destinations required for import of non-ABAP objects using HTTP-based deployment (without AS Java)
Step 1: The communication between the Deploy Client on the AS ABAP and the import service of the non-ABAP target system is configured using an HTTPS destination.

On the AS ABAP, the HTTPS destination is configured in transaction SM59. For more information, see Establishing a Connection Using a Destination (SM59).

It contains connection and authentication details for the import service of the non-ABAP target system.

For more information, see Defining and Configuring Non-ABAP Systems and Parameters for Non-ABAP Transports.

Security measures for step 1:

Make sure that the SM59 destination is configured for secure communication to the target system, if possible. This includes setting SSL to Active and specifying the correct (secure) HTTPS port as Service No. For more information, see Establishing a Connection Using a Destination (SM59) and the guides of the individual non-ABAP applications.

The user used for deployment on the target system can make software changes to the target system and must therefore be protected. This user should have minimum privileges on the target system. CTS itself does not require any authorizations of its own. The guides of the individual non-ABAP applications should specify the minimum authorizations that users must have. For SAP applications, you usually find this information in the How To Guides on SCN (Resources on CTS+).

For authentication, we recommend that you use a ticket-based setup. For more information, see Authentication Assertion Tickets in the SAP NetWeaver Security Guide and the guides of the individual non-ABAP applications.

Technical System Landscape: Import of non-ABAP Objects using AS Java

Figure 3: Communication destinations required for import of non-ABAP objects using AS Java
Step 2a: The communication between the Deploy Web Service Client on the AS ABAP and the Deploy Web Service on the AS Java is configured using the logical port CTSDEPLOY and its destination.

On the AS ABAP, the HTTPS destination CTSDEPLOY is configured in transaction SM59. For more information, see Configuring the CTS Deploy Web Service.

It contains connection and authentication details for the AS Java that hosts the Deploy Web Service.

If file transfer is configured using the TMS parameter CTS_FILE_PROVIDER_URI, a connection is used from the AS Java that hosts the Deploy Web Service to the AS ABAP where the transport files are located. Details of the JCo connection are defined in the TMS parameter CTS_FILE_PROVIDER_URI. If you use a dynamic JCo connection, you must configure the user and password for it. For more information, see Defining a Method for the File Transfer to the Target System.

When using NWDI together with CM Services, the destination CTSCONFIG is configured as well.

For more information, see Configuring the CTS Config Web Service.

Security measures for step 2a:

The SM59 destination CTSDEPLOY must be configured as a secure HTTPS destination. This includes setting SSL to Active and specifying the correct (secure) HTTPS port as Service No. For more information, see Establishing a Connection Using a Destination (SM59).

For authentication, we recommend that you use a ticket-based setup. For more information, see Authentication Assertion Tickets in the SAP NetWeaver Security Guide.

When configuring CTSDEPLOY, use a user with minimum privileges on the AS Java that hosts the Deploy Web Service. The guides of the individual non-ABAP applications should specify the minimum authorizations that users must have. For SAP applications, you usually find this information in the How To Guides on SCN (Resources on CTS+). CTS itself does not require any authorizations of its own.

The system from which the files are retrieved should have the same security level as the system where the Deploy Web Service runs.

If you use the TMS parameter DEPLOY_DATA_SHARE, set the access authorizations for the Deploy Data Share in such a way that only the <SID>ADM of the ABAP back-end system has read and write authorization. The <SID>ADM of the AS Java should only have read authorization for the Deploy Data Share. In other words, only the systems involved have access to the share, and each has only the minimum it needs.

If the connection from the AS Java back to the Deploy Web Service Client on the AS ABAP is configured using the TMS parameter CTS_FILE_PROVIDER_URI, use a static JCo destination, if possible, since this does not require the transfer of user and password to the Deploy Web Service on the AS Java. For more information about the authorizations that are required for the user used for the JCo connection, see Defining a Method for the File Transfer to the Target System. Make sure that the JCo destination is configured in a secure way. For more information, see Transport Layer Security in the SAP NetWeaver Application Server for Java Security Guide.

If you use NWDI, the destination CTSCONFIG must be configured as a secure HTTPS destination, in the same way as described for CTSDEPLOY.

Step 2b: Communication between the Deploy Web Service and the import service of the non-ABAP target system uses the URI, user, and password as configured when creating the target system in the AS ABAP of the CTS system.

For more information, see Defining and Configuring Non-ABAP Systems and Parameters for Non-ABAP Transports.

Security measures for step 2b:

The user used for deployment on the target system can make software changes to the target system and must therefore be protected. This user should have minimum privileges on the target system. CTS itself does not require any authorizations of its own. The guides of the individual non-ABAP applications should specify the minimum authorizations that users must have. For SAP applications, you usually find this information in the How To Guides on SCN (Resources on CTS+).

If you use NWDI, see SAP Note 1655851.

Make sure that secure communication to the target system is used, if possible. For example, use HTTPS for URLs, or P4S for deployments using the Deploy Controller. For more information, see the guides of the individual non-ABAP applications.

If you use script deployment for further applications that are connected with CTS, make sure that the deploy script has "execute" permissions only for the user under which the AS Java runs, and that the "CtsScripts" directory has restricted permissions for other users not involved in the deployment and setup process. Also make sure that the deploy user is assigned the role SAP_CTS_SCRIPT_DEPLOY.

If you use the TMS parameter DEPLOY_OUTBOX or DEPLOY_OUTBOX-<APPLICATION_TYPE>: This directory contains files to be deployed. It must be secured to the degree required by the files that are to be deployed.
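The following POSIX shell script is an added example (not code from the SAP documentation) that checks the file-system permission layout described above for step 2a and step 2b: a deploy script executable by its owner only, a CtsScripts directory closed to other users, and a Deploy Data Share that is read/write for its owner and read-only for its group. It assumes that the AS Java OS user owns the deploy script and that the ABAP <SID>ADM and the Java <SID>ADM are the owner and the group of the Deploy Data Share; all paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the SAP documentation: audit the OS permission bits that the
# CTS+ guide asks for on a deploy script, its CtsScripts directory and the Deploy Data Share.
# Assumptions: the AS Java OS user owns the script; the ABAP <SID>ADM owns the data share
# and the Java <SID>ADM is its group. All paths are placeholders for your landscape.

# Print the octal permission bits of a path ("750", "4700"); GNU stat first, BSD stat as fallback.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Deploy script: executable by its owner only, nothing for group or others (e.g. 700).
check_deploy_script() {
  m=$(mode_of "$1") || return 1
  case "$m" in
    [1357]00|?[1357]00) return 0 ;;
  esac
  echo "WARN: $1 has mode $m; expected owner-only execute such as 700" >&2
  return 1
}

# CtsScripts directory: no permissions at all for users outside owner and group.
check_scripts_dir() {
  m=$(mode_of "$1") || return 1
  case "$m" in
    ??0|???0) return 0 ;;
  esac
  echo "WARN: $1 has mode $m; 'others' must have no permissions" >&2
  return 1
}

# Deploy Data Share: owner (ABAP <SID>ADM) read+write, group (Java <SID>ADM) read-only
# (x is needed to traverse a directory), others nothing: 750 or 650.
check_data_share() {
  m=$(mode_of "$1") || return 1
  case "$m" in
    [67][45]0|?[67][45]0) return 0 ;;
  esac
  echo "WARN: $1 has mode $m; expected owner rw, group read-only, others none" >&2
  return 1
}

# Run all three checks; the exit status is the number of findings, so 0 means compliant.
audit_cts_paths() {
  findings=0
  check_deploy_script "$1" || findings=$((findings + 1))
  check_scripts_dir "$2" || findings=$((findings + 1))
  check_data_share "$3" || findings=$((findings + 1))
  return "$findings"
}
```

Call `audit_cts_paths <deploy script> <CtsScripts directory> <Deploy Data Share>` from a monitoring job; the checks cover mode bits only, so ownership by the intended <SID>ADM users still has to be verified separately.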

Roles

In addition to the roles available for CTS, the following roles exist for CTS+:

Role: SAP_CTS_PLUS
Short description: Minimum authorization for a user who wants to use the full export functions of CTS+. This role contains authorizations for the following functions:
  • Creating transport requests
  • Changing transport requests
  • Uploading files in the transport system
  • Releasing transport requests
More information: For information about additional authorizations required for the export functions of CTS+, see SAP Note 1003674.

Role: SAP_CTS_SCRIPT_DEPLOY
Short description: On AS Java: permission to trigger the execution of the CTS+ Script Deployer. This is only required if your application uses script deployment.
More information: SAP Note 1943569
More Information