This topic describes the security aspects that you need to consider from a CTS perspective when you use CTS to transport non-ABAP objects: the additional communication destinations that must be secured, and the roles for CTS+.
In general, the Security Guide for SAP NetWeaver AS for ABAP, especially the Security Aspects for the Change and Transport System, also applies to the transport of non-ABAP objects using the Change and Transport System (CTS). In addition, for all actions that take place on the AS Java, the Security Guides for SAP NetWeaver AS for Java also apply. The non-ABAP applications that you want to transport may specify their own security requirements, which also apply.
Title | SAP Note | Comment |
---|---|---|
Secure deploy communication in NWDI and CTS+ | 1655851 | If you are using SAP NetWeaver Development Infrastructure (NWDI) together with the enhanced Change and Transport System (CTS+), the deployment to any AS Java >= 7.10 should be done with a secure P4 connection. Update your AS Java to one of the Support Package levels specified in the SAP Note. See also the information about the DEPLOY_URL parameter in Parameters for Non-ABAP Transports. |
Enhancements in CTS+ Import Script Deployer | 1682508 | If you use script-based deployment, implement this note to get the latest version of the CTS+ Script Deployer. (We recommend that you always use the latest version.) Use this note if you cannot update to a release or SP level that is required to use SAP Note 1943569. |
Enhanced Permission Concept for the Script Deployer | 1943569 | If you use script-based deployment, this note increases the security level by introducing a role that is required to execute the CTS+ Script Deployer. We recommend that you update the CTS+ Script Deployer to a release or SP version that supports this role. |
Technical System Landscape: Export of non-ABAP Objects
Step | Description | Security Measures for the Step |
---|---|---|
1 | The communication between the non-ABAP source system and the CTS system is set up in one of the following ways: For more information, see Connecting Further Applications with the Change and Transport System. For SAP applications, you usually find this information in the How To Guides on SCN: Resources on CTS+. | The user used in the communication between the non-ABAP source system and the CTS system must have a copy of the role SAP_CTS_PLUS, plus the enhancements assigned as described in SAP Note 1003674. For authentication, we recommend that you use a ticket-based setup. For more information, see Authentication Assertion Tickets in the SAP NetWeaver Security Guide. If you use an RFC destination, make sure that it is configured in a secure way. For more information, see Transport Layer Security in the SAP NetWeaver Application Server for Java Security Guide. If you use the CTS Export Web Service, make sure that it is configured in a secure way (when configuring the export web service, you can select Communication Security and Authentication Settings). For more information, see Transport Security for Web Services. Also make sure that the user has sufficient permissions to execute web services, for example by means of the role SAP_BC_WEBSERVICE_CONSUMER. |
The communication destinations required for the import of non-ABAP objects vary depending on whether you use HTTP-based deployment on the target system (which does not require an AS Java) or not.
Technical System Landscape: Import of non-ABAP Objects using HTTP-based Deployment
Step | Description | Security Measures for the Step |
---|---|---|
1 | The communication between the Deploy Client on the AS ABAP and the import service of the non-ABAP target system is configured using an HTTPS destination. On the AS ABAP, the HTTPS destination is configured in transaction SM59. For more information, see Establishing a Connection Using a Destination (SM59). It contains connection and authentication details for the import service of the non-ABAP target system. For more information, see Defining and Configuring Non-ABAP Systems and Parameters for Non-ABAP Transports. | Make sure that the SM59 destination is configured for secure communication to the target system, if possible. This includes setting SSL to Active and specifying the correct (secure) HTTPS port as Service No. For more information, see Establishing a Connection Using a Destination (SM59) and the guides of the individual non-ABAP applications. The user used for deployment on the target system can make software changes to the target system and must therefore be protected. This user should have minimum privileges on the target system; CTS itself does not require any authorizations of its own. The guides of the individual non-ABAP applications should specify the minimum authorizations that users must have. For SAP applications, you usually find this information in the How To Guides on SCN - Resources on CTS+. For authentication, we recommend that you use a ticket-based setup. For more information, see Authentication Assertion Tickets in the SAP NetWeaver Security Guide and the guides of the individual non-ABAP applications. |
Technical System Landscape: Import of non-ABAP Objects using AS Java
Step | Description | Security Measures for the Step |
---|---|---|
2a | The communication between the Deploy Web Service Client on the AS ABAP and the Deploy Web Service on the AS Java is configured using the logical port CTSDEPLOY and its destination. On the AS ABAP, the HTTPS destination CTSDEPLOY is configured in transaction SM59. For more information, see Configuring the CTS Deploy Web Service. It contains connection and authentication details for the AS Java that hosts the Deploy Web Service. If file transfer is configured using the TMS parameter CTS_FILE_PROVIDER_URI, a connection is used from the AS Java that hosts the Deploy Web Service to the AS ABAP where the transport files are located. Details of the JCo connection are defined in the TMS parameter CTS_FILE_PROVIDER_URI. If you use a dynamic JCo connection, you must configure the user and password for it. For more information, see Defining a Method for the File Transfer to the Target System. When using NWDI together with CM Services, the destination CTSCONFIG is configured as well. For more information, see Configuring the CTS Config Web Service. | The SM59 destination CTSDEPLOY must be configured as a secure HTTPS destination. This includes setting SSL to Active and specifying the correct (secure) HTTPS port as Service No. For more information, see Establishing a Connection Using a Destination (SM59). For authentication, we recommend that you use a ticket-based setup. For more information, see Authentication Assertion Tickets in the SAP NetWeaver Security Guide. When configuring CTSDEPLOY, use a user with minimum privileges on the AS Java that hosts the Deploy Web Service. The guides of the individual non-ABAP applications should specify the minimum authorizations that users must have. For SAP applications, you usually find this information in the How To Guides on SCN - Resources on CTS+. CTS itself does not require any authorizations of its own. The system from which the files are retrieved should have the same security level as the system where the Deploy Web Service runs. If you use the TMS parameter DEPLOY_DATA_SHARE, set the access authorizations of the Deploy Data Share so that only the <SID>ADM of the ABAP back-end system has read and write authorization; the <SID>ADM of the AS Java should only have read authorization for the Deploy Data Share. In other words, only the systems involved have access, and each has only the minimum authorizations it needs. If the connection from the AS Java back to the Deploy Web Service Client on the AS ABAP is configured using the TMS parameter CTS_FILE_PROVIDER_URI, use a static JCo destination, if possible, since this does not require the transfer of user and password to the Deploy Web Service on the AS Java. For more information about the authorizations that are required for the user used for the JCo connection, see Defining a Method for the File Transfer to the Target System. Make sure that the JCo connection is configured in a secure way. For more information, see Transport Layer Security in the SAP NetWeaver Application Server for Java Security Guide. If you use NWDI, the destination CTSCONFIG must be configured as a secure HTTPS destination, in the same way as described for CTSDEPLOY. |
2b | Communication between the Deploy Web Service and the import service of the non-ABAP target system uses the URI, user, and password as configured when creating the target system in the AS ABAP of the CTS system. For more information, see Defining and Configuring Non-ABAP Systems and Parameters for Non-ABAP Transports. | The user used for deployment on the target system can make software changes to the target system and must therefore be protected. This user should have minimum privileges on the target system; CTS itself does not require any authorizations of its own. The guides of the individual non-ABAP applications should specify the minimum authorizations that users must have. For SAP applications, you usually find this information in the How To Guides on SCN - Resources on CTS+. If you use NWDI, see SAP Note 1655851. Make sure that secure communication to the target system is used, if possible: for example, use HTTPS for URLs, or P4S for deployments using the Deploy Controller. For more information, see the guides of the individual non-ABAP applications. If you use script deployment for further applications that are connected with CTS, make sure that the deploy script has "execute" permissions only for the user under which the AS Java runs and that the "CtsScripts" directory has restricted permissions for other users not involved in the deployment and setup process. Also make sure that the deploy user is assigned the role SAP_CTS_SCRIPT_DEPLOY. If you use the TMS parameter DEPLOY_OUTBOX or DEPLOY_OUTBOX-<APPLICATION_TYPE>, note that this directory contains the files to be deployed; it must be secured to the degree required by those files. |
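The file-system rules in steps 2a and 2b (Deploy Data Share readable and writable only by the ABAP <SID>ADM and read-only for the AS Java <SID>ADM; deploy script executable only by the user the AS Java runs as; CtsScripts directory closed to uninvolved users) can be audited with a short POSIX shell script. The following is an added example written for this page, not SAP code. It assumes a Unix host with GNU or BSD stat; the account names passed to the two check functions are placeholders for the two <SID>ADM users, which only the landscape administrator knows, and the built-in self-check uses the current user for both because it runs unprivileged on a constructed directory layout.

```shell
#!/bin/sh
# Added example, not part of the SAP guide: audit the file-system hardening that
# steps 2a and 2b ask for on the Deploy Data Share (TMS parameter
# DEPLOY_DATA_SHARE) and on the CtsScripts directory with its deploy script.
# Assumption: Unix host with GNU or BSD stat. The user names passed to the
# checks stand for the ABAP <SID>ADM and the AS Java <SID>ADM (placeholders).

# Print "<ugo octal digits> <owner>" for a path; GNU stat first, BSD stat second.
mode_owner() {
    out=$(stat -c '%a %U' "$1" 2>/dev/null) || out=$(stat -f '%Lp %Su' "$1")
    set -- $out
    m=$1
    while [ ${#m} -gt 3 ]; do m=${m#?}; done   # drop a leading setuid/sticky digit
    echo "$m $2"
}

# True when octal digit $1 has permission bit $2 set (4 = read, 2 = write, 1 = execute).
has_bit() { [ $(( $1 & $2 )) -ne 0 ]; }

# Deploy Data Share: owned by the ABAP <SID>ADM with read and write access, the
# group (AS Java <SID>ADM) at most read/search, and nothing for other users.
# Returns 0 when compliant, 1 otherwise; every finding is printed.
check_deploy_data_share() {
    dir=$1 abap_user=$2 rc=0
    set -- $(mode_owner "$dir")
    mode=$1 owner=$2
    usr=${mode%??}
    grp=${mode%?}; grp=${grp#?}
    oth=${mode#??}
    [ "$owner" = "$abap_user" ] || { echo "FAIL $dir: owner $owner, expected $abap_user"; rc=1; }
    has_bit "$usr" 4 && has_bit "$usr" 2 || { echo "FAIL $dir: owner lacks read/write"; rc=1; }
    ! has_bit "$grp" 2 || { echo "FAIL $dir: AS Java side may write (mode $mode)"; rc=1; }
    [ "$oth" = 0 ] || { echo "FAIL $dir: other users have access (mode $mode)"; rc=1; }
    return $rc
}

# CtsScripts: directory and deploy script owned by the user the AS Java runs as,
# directory closed to group and other, script executable by its owner only and
# writable by nobody else. Returns 0 when compliant, 1 otherwise.
check_cts_scripts() {
    dir=$1 script=$2 java_user=$3 rc=0
    set -- $(mode_owner "$dir")
    dmode=$1 downer=$2
    [ "$downer" = "$java_user" ] || { echo "FAIL $dir: owner $downer, expected $java_user"; rc=1; }
    case $dmode in
        ?00) ;;
        *) echo "FAIL $dir: mode $dmode is accessible to group/other"; rc=1 ;;
    esac
    set -- $(mode_owner "$script")
    smode=$1 sowner=$2
    susr=${smode%??}
    sgrp=${smode%?}; sgrp=${sgrp#?}
    soth=${smode#??}
    [ "$sowner" = "$java_user" ] || { echo "FAIL $script: owner $sowner, expected $java_user"; rc=1; }
    has_bit "$susr" 1 || { echo "FAIL $script: not executable by $java_user"; rc=1; }
    for d in "$sgrp" "$soth"; do
        if has_bit "$d" 1 || has_bit "$d" 2; then
            echo "FAIL $script: mode $smode lets group/other run or modify the deployer"
            rc=1; break
        fi
    done
    return $rc
}

# Constructed layout for a dry run: because this runs unprivileged, the current
# user stands in for both <SID>ADM accounts. Returns 0 when the compliant layout
# passes and the misconfigured one is caught, 1 otherwise.
self_check() {
    me=$(id -un)
    top=$(mktemp -d)
    mkdir "$top/share_ok" "$top/share_bad" "$top/scripts_ok" "$top/scripts_bad"
    chmod 750 "$top/share_ok"              # owner rwx, AS Java group r-x, other none
    chmod 777 "$top/share_bad"             # world-writable share
    chmod 700 "$top/scripts_ok"
    chmod 755 "$top/scripts_bad"           # directory readable by everyone
    printf '#!/bin/sh\nexit 0\n' > "$top/scripts_ok/deploy.sh"
    cp "$top/scripts_ok/deploy.sh" "$top/scripts_bad/deploy.sh"
    chmod 700 "$top/scripts_ok/deploy.sh"
    chmod 775 "$top/scripts_bad/deploy.sh" # group can modify and run the deployer
    result=0
    check_deploy_data_share "$top/share_ok" "$me" || result=1
    check_deploy_data_share "$top/share_bad" "$me" && result=1
    check_cts_scripts "$top/scripts_ok" "$top/scripts_ok/deploy.sh" "$me" || result=1
    check_cts_scripts "$top/scripts_bad" "$top/scripts_bad/deploy.sh" "$me" && result=1
    rm -rf "$top"
    return $result
}
```

Run `check_deploy_data_share` against the directory configured in DEPLOY_DATA_SHARE with the ABAP <SID>ADM name, and `check_cts_scripts` against the CtsScripts directory, the deploy script and the AS Java <SID>ADM name; a non-zero exit status with printed FAIL lines means the layout deviates from the rules in 2a and 2b. The group digit of the share is allowed read and search (4 or 5) because a directory that is read-only for the AS Java side still needs the search bit to be traversed; the CtsScripts directory is held to the strict reading of "restricted permissions" and must grant group and other nothing.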
In addition to the roles available for CTS, the following roles exist for CTS+:
Role | Short Description | More information |
---|---|---|
SAP_CTS_PLUS | Minimum authorization for a user who wants to use the full export functions of CTS+. | This role contains authorizations for the following functions: For information about additional authorizations required for the export functions of CTS+, see SAP Note 1003674. |
SAP_CTS_SCRIPT_DEPLOY | On AS Java: permission to trigger the execution of the CTS+ Script Deployer. This is only required if your application uses script deployment. | SAP Note 1943569 |
For more information about other roles used for CTS, see CTS Roles and Authorizations.