Skip to Content

CTS+ from Solman to Java: transport fails 403 forbidden

Oct 04, 2017 at 02:35 PM


avatar image

Hi all

We've set up CTS+ as per all the documentation, configured the CTSDEPLOY port, the CTSDEPPLOY RFC and connection settings and users in STMS, and the destination in PO back to SolMan.

A 'Transport Tool' check completes successfully on both DEV and QA PO systems from Solman; i.e. connects to SDM URL/XI URL ok etc.

However when we try and import a transport into QA PO we get a return code 12 and this error:

Start deployment of SLD Deploy Webservice environment DeployProxy (vendor: '', name: 'tc/cts/appl', scV: '', scN: 'LM-CTS', location: 'SAP AG', counter: '7.5008.2017052413 0221.0000', R: '7.50', SP: '8', PL: '0', change number: '7', appl-level:0) called. J2EE server is PTD. Communication data provided connection:https:// . user:NWDI_CTSADM password:filled properties:empty deployType:SLD applicationT ype:null Begin deployment (2017-10-04 12:34:26.0458 +0:00) Import Event (ID:00163E2CCA941EE7AAA00B74A5100C27) properties: key:SESSION USER value:CTSSRVUSER key:TARGETSYSTEMID value:PTQ Transport Request (ID:PTDK900001 description:Products/Software Components of PTD) properties: key:OWNER value:184961 key:DESCRIPTION value:Products/Software Components of PTD key:TARGETSYSTEM value:/PTQAS/ TransportEntity (ID:00163E2CCA941ED7AA82B213E01EEB65 content:/usr/sap/trans/data/PTDK900001/sld_sc_20171003_08334115300813356587220 deployType:SLD applicationType:null) properties:empty TransportEntity (ID:00163E2CCA941ED7AA82B213E01EEB65) status set to 'PROCESSING'. Connection Error:Forbidden TransportEntity (ID:00163E2CCA941ED7AA82B213E01EEB65) status set to 'ERROR'. HTTP Response code:'403' meaning 'Forbidden'

The CTSSRVUSER user in PO (DEV and QA) has the roles:




And we also gave it:


The Log Viewer in both PO systems shows successful login and authentication for CTSSRVUSER and NWDI_CTSADM.

The CTSSRVUSER user in SolMan (used in the destination from PO) has SAP_ALL.

The file referenced exists and can be read by both Solman and the PO systems.

So what gives? Where's the problem?

Thanks in advance!


10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

1 Answer

Ross Armstrong Oct 17, 2017 at 10:25 AM

Finally got to the bottom of this by checking the security audit logs under /usrsap/SID/J00/j2ee/cluster/server3/log/system

Found error:[HTTP Worker [@1632449821],5,Dedicated_Application_Thread]#Plain## Permission check failed| ACCESS.ERROR| USER.PRIVATE_DATASOURCE.un:NWDI_CTSADM| | Application=[*sld], Message=[The user does not have rights to access relative URL '/Admin' with HTTP method 'GET']#

NWDI_CTSADM had all the roles it was supposed to have....

So added it to the Administrators group.

And that fixed it!

Where's that in the documentation?!

10 |10000 characters needed characters left characters exceeded