
CTS+ from Solman to Java: transport fails 403 forbidden

Hi all

We've set up CTS+ as per all the documentation, configured the CTSDEPLOY port, the CTSDEPLOY RFC and connection settings and users in STMS, and the destination sap.com/com.sap.tc.di.CTSserver in PO back to SolMan.

A 'Transport Tool' check completes successfully on both DEV and QA PO systems from Solman; i.e. connects to SDM URL/XI URL ok etc.

However, when we try and import a transport into QA PO, we get a return code 12 and this error:

Start deployment of SLD Deploy Webservice environment DeployProxy (vendor: 'sap.com', name: 'tc/cts/appl', scV: 'sap.com', scN: 'LM-CTS', location: 'SAP AG', counter: '7.5008.2017052413 0221.0000', R: '7.50', SP: '8', PL: '0', change number: '7', appl-level:0) called.
J2EE server is PTD.
Communication data provided connection:https:// . co.uk:44332 user:NWDI_CTSADM password:filled properties:empty deployType:SLD applicationType:null
Begin deployment (2017-10-04 12:34:26.0458 +0:00)
Import Event (ID:00163E2CCA941EE7AAA00B74A5100C27) properties:
    key:SESSION USER value:CTSSRVUSER
    key:TARGETSYSTEMID value:PTQ
Transport Request (ID:PTDK900001 description:Products/Software Components of PTD) properties:
    key:OWNER value:184961
    key:DESCRIPTION value:Products/Software Components of PTD
    key:TARGETSYSTEM value:/PTQAS/
TransportEntity (ID:00163E2CCA941ED7AA82B213E01EEB65 content:/usr/sap/trans/data/PTDK900001/sld_sc_20171003_08334115300813356587220 00.zip deployType:SLD applicationType:null) properties:empty
TransportEntity (ID:00163E2CCA941ED7AA82B213E01EEB65) status set to 'PROCESSING'.
Connection Error:Forbidden
TransportEntity (ID:00163E2CCA941ED7AA82B213E01EEB65) status set to 'ERROR'.
HTTP Response code:'403' meaning 'Forbidden'

The CTSSRVUSER user in PO (DEV and QA) has the roles:

SAP_CTS_DEPLOY
SAP_XI_CMS_SERV_USER

NWDI_CTSADM had:

SAP_XI_CONFIGURATOR_J2EE
SAP_XI_CMS_SERV_USER
SAP_XI_DEVELOPER_J2EE

And we also gave it:

SAP_XI_CONFIG_FILE_OS_CMD_J2EE
SAP_SLD_DEVELOPER
SAP_SLD_CONFIGURATOR

The Log Viewer in both PO systems shows successful login and authentication for CTSSRVUSER and NWDI_CTSADM.

The CTSSRVUSER user in SolMan (used in the destination sap.com/com.sap.tc.di.CTSserver from PO) has SAP_ALL.

The file referenced exists and can be read by both Solman and the PO systems.

So what gives? Where's the problem?

Thanks in advance!

Ross


1 Answer

  • Oct 17, 2017 at 10:25 AM

    Finally got to the bottom of this by checking the security audit logs under /usr/sap/SID/J00/j2ee/cluster/server3/log/system.

    Found error:

    #BC-JAS-SEC-UME#com.sap.security.core.sda#C000C0A8021E0881000000010000539C#2091353000000004#sap.com/com.sap.lcr#com.sap.security.core.util.SecurityAudit#NWDI_CTSADM#1418##00163E2CCA941EE7ACE29C9BB2F861B4#E0EB593938390030E0059E5B3942FF57#434796E8B31511E7C63800000061BA8E#1#Thread[HTTP Worker [@1632449821],5,Dedicated_Application_Thread]#Plain## Permission check failed| ACCESS.ERROR| USER.PRIVATE_DATASOURCE.un:NWDI_CTSADM| | Application=[sap.com/com.sap.lcr*sld], Message=[The user does not have rights to access relative URL '/Admin' with HTTP method 'GET']#

    NWDI_CTSADM had all the roles it was supposed to have....

    So added it to the Administrators group.

    And that fixed it!

    Where's that in the documentation?!
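
As an added example (not part of the original post and not SAP tooling), the following Python code pulls "Permission check failed" entries like the one quoted in the answer out of a security audit log and reports which user was denied which URL in which application, so the missing permission can be identified from the log itself. The sample lines are constructed from the entry above with the ID fields shortened, the successful-login line is a constructed stand-in, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the message part of a UME security-audit entry in the shape quoted
# in the answer above; the '#'-separated header fields are deliberately ignored.
DENIED = re.compile(
    r"Permission check failed\|\s*ACCESS\.ERROR\|\s*"
    r"USER\.[A-Z_]+\.un:(?P<user>[^|\s]+)\|.*?"
    r"Application=\[(?P<app>[^\]]+)\],\s*"
    r"Message=\[.*?relative URL '(?P<url>[^']*)'"
    r" with HTTP method '(?P<method>[A-Z]+)'\]"
)

def parse_denials(lines):
    """Return one dict (user, app, url, method) per failed permission check."""
    hits = []
    for line in lines:
        match = DENIED.search(line)
        if match:
            hits.append(match.groupdict())
    return hits

def summarize(hits):
    """Count denials per (user, application, HTTP method, URL)."""
    return Counter((h["user"], h["app"], h["method"], h["url"]) for h in hits)

# Constructed sample: two copies of the denial from the answer (ID fields
# replaced by <id>) and one constructed non-matching line for contrast.
_DENIAL = (
    "#BC-JAS-SEC-UME#com.sap.security.core.sda#<id>#<id>#sap.com/com.sap.lcr"
    "#com.sap.security.core.util.SecurityAudit#NWDI_CTSADM#1418##<id>#<id>#<id>"
    "#1#Thread[HTTP Worker [@1632449821],5,Dedicated_Application_Thread]#Plain## "
    "Permission check failed| ACCESS.ERROR| USER.PRIVATE_DATASOURCE.un:NWDI_CTSADM"
    "| | Application=[sap.com/com.sap.lcr*sld], Message=[The user does not have "
    "rights to access relative URL '/Admin' with HTTP method 'GET']#"
)
SAMPLE = [
    _DENIAL,
    "#BC-JAS-SEC-UME#<constructed successful login entry for CTSSRVUSER>#",
    _DENIAL,
]

if __name__ == "__main__":
    for (user, app, method, url), count in summarize(parse_denials(SAMPLE)).items():
        print(f"{count}x denied: user={user} app={app} {method} {url}")
```
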
