
Question regarding TMS for copying cofiles & datafiles

Former Member
0 Kudos

Greetings! Please help me find the answer to a question about the secure way of automating the copying of transport files (cofiles and data files) in SAP ABAP systems if the requirements do not permit /usr/sap/trans to be NFS mounted from prod in one data center to QA and DEV in another data center.

The second URL below from SAP talks about a more secure option of using RFC connections in TMS for allowing its automation to copy transport files from dev to QA to production. However, this requires opening firewall ports and so some colleagues feel that this approach is risky and instead prefer rsync to sync up the transport directory for the client.

I have read rsync's man page at the first URL below and to me this appears to be more risky in terms of the broad scope of things that can be done through it, including the ability to overwrite any file in any directory owned by adm. It still requires ports to be open versus the limited scope of opening RFC ports that SAP recommends.

Please advise and let me know if there is any document or white paper at SAP that delves into the security aspect of this RFC connection solution for more security conscious customers.

Regards,

Shekhar

http://linux.die.net/man/1/rsync

https://help.sap.com/saphelp_nw70/helpdata/en/c4/6045377b52253de10000009b38f889/frameset.htm

Accepted Solutions (0)

Answers (4)


Former Member
0 Kudos

Hi Ankit: Thanks for the feedback. We had set it up using Domain Links as described in SAP's URL mentioned in my original post. It was working fine but had to be dismantled due to security concerns around the open firewall port to allow the data transfer through RFC connections of TMS. It appears to me that SAP's approach here will be more secure than implementing rsync to sync up the transport directory across the non-prod and prod data centers/systems but I need evidence to convince stakeholders.

This is why I have requested some technical details such as a white paper or document that goes into the details of SAP's solution based on RFC connection for more security conscious customers.

Regards,

Shekhar

Former Member
0 Kudos

Automating the move while not having any ports open will be nearly impossible. There is one compromise that you might be able to make with the security folks. That would be the potential of using SNC (Secure Network Communication) across the RFCs.

Even easier than that could be the use of RFC whitelists within the SAP system. These whitelists specify that only traffic from <x> source can be accepted via RFCs. By locking this down, and showing it to your security folks, that might help you with your case.

Once the RFCs can get secured, there are a few different ways to automate the synchronization. One thing that I like to do is to use transport groups for the two different locations. When you do this, and a transport from group A goes into the queue of group B, a green arrow icon will show that will allow you to pull the file into group B's DIR_TRANS.

We've even gone one step further, and found the program that performs the sync. We run this program hourly, and it keeps everything in sync just fine. The name of the report is RSTMSTIQ.

Also, could SFTP be an option? It's encrypted, and you could schedule it as needed.

Those are some thoughts, I hope that helps!

MM
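For the scheduled-copy route (SFTP or rsync) raised in this thread, one way to narrow what the copy job can touch is to let it write only to a staging directory and promote files into the transport directory through an allowlist. This is an added example, not part of the original posts or SAP's tooling; the staging layout, the function names and the naming rule (`K`/`R` plus six digits, a dot and a three-character SID) are assumptions.

```shell
# Added example (assumptions: staging/trans layout, K|R + 6 digits + .SID naming).
# The copy job writes only to STAGING; this gate decides what reaches DIR_TRANS.

is_transport_name() {   # allowlist on the bare file name, no path components
  case "$1" in
    [KR][0-9][0-9][0-9][0-9][0-9][0-9].[A-Z][A-Z0-9][A-Z0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

entry_ok() {            # regular file, not a symlink, allowlisted name
  [ ! -L "$1" ] && [ -f "$1" ] && is_transport_name "${1##*/}"
}

# promote_transports STAGING TRANS
# Prints ACCEPT/HOLD/REJECT per entry; returns 1 if anything was rejected.
promote_transports() {
  pt_rc=0
  for pt_f in "$1"/*; do
    [ -e "$pt_f" ] || [ -L "$pt_f" ] || continue   # already moved or empty dir
    pt_name=${pt_f##*/}
    if ! entry_ok "$pt_f"; then
      echo "REJECT $pt_name"; pt_rc=1; continue
    fi
    case "$pt_name" in R*) continue ;; esac        # data files move with their cofile
    pt_data="R${pt_name#K}"
    if ! entry_ok "$1/$pt_data"; then
      echo "HOLD $pt_name"; continue               # pair incomplete, retry next run
    fi
    if [ -e "$2/cofiles/$pt_name" ] || [ -e "$2/data/$pt_data" ]; then
      echo "REJECT $pt_name"; pt_rc=1; continue    # never overwrite an existing transport
    fi
    # Data file first, so the cofile only appears once its data is in place.
    mv "$1/$pt_data" "$2/data/$pt_data" && mv "$pt_f" "$2/cofiles/$pt_name" \
      && echo "ACCEPT $pt_name" || pt_rc=1
  done
  return $pt_rc
}
```

Run it from the scheduler on the receiving side, for example `promote_transports /srv/transport-staging /usr/sap/trans` (the staging path is a placeholder), and alert on any REJECT line.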

former_member186066
Participant
0 Kudos

Hi Shekhar,

You can try configuring domain links between systems.

We have the same implemented in our landscape and it works fine.

Regards,
Ankit

Former Member
0 Kudos

Hi Brindavan: Thanks for the feedback about using NFS but this is not an option here due to security and stability concerns with a very security conscious client.

Hi Prithviraj: Thanks for the information regarding the blog. We are aware of a similar mechanism but want to avoid the overhead in copying the files over manually.

This is why I am more interested in understanding the security concerns around using the RFC connection option that SAP recommends, as mentioned in my original post, since it automates the copying of the relevant files, as compared to using a solution based on rsync. To me, SAP's recommended approach sounds more secure but am I missing something?

Regards,

Shekhar

Brindavan_M
Contributor
0 Kudos

Hi,

There is no risk for transport-related files. I worked on one project which had one file system, "/usr/sap/trans", which was mounted to all systems (dev, qua and prd) for transport, and it worked very well. We only faced an issue during an upgrade because of EPS/in; that can also be resolved, as we created a new EPS directory for each system.

Thanks,

Former Member
0 Kudos

Hi Shekhar,

Please go through the blog below if this is what you're looking for.

Copy Transport Requests to local file system - Basis Corner - SCN Wiki

Here you can copy the data/cofiles to your local desktop and transfer in the best supported method allowed by your client.

Hope this helps.

Regards,

Prithviraj.