S 4.273 Secure use of the SAP Java Stack software deployment
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
The Java stack uses its own software deployment procedure, which differs from the transport system of the ABAP stack. New software is installed in the Java stack with the Software Deployment Manager (SDM). The SDM is designed as a client/server application, so changes can also be installed remotely; the SDM server component is therefore a network-reachable service and must be treated as one. In addition to the general requirements (see S 2.221 Change management), the following must be taken into consideration from a security perspective in the context of software deployment:
- A concept for the deployment of SAP software must have been planned and drawn up. The software deployment concept must take the special requirements of Java into consideration, since the Java stack uses different procedures and tools than the ABAP stack.
- The responsibilities for the testing, validation, and approval process must be defined.
- Developers or other persons must not be allowed to deploy software directly from the development environment to the productive systems. It must be taken into account that the SAP development environment can deploy software directly into the Java stack via the SDM. This must be prevented by corresponding technical safeguards (e.g. a firewall that allows connections to the productive SDM server port only from the designated administration hosts).
- The Software Deployment Manager (SDM) service used for software deployment must be operated securely. Older versions of the SDM offer only minimal security, since they support only a single user and do not allow other users to be granted authorisation to deploy software; the password of that one user must therefore be protected accordingly.
- The SDM server component should not run permanently. It should be started only for the duration of a deployment and stopped afterwards.
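The two technical checks above (no path from the development network to the productive SDM, and no permanently running SDM server) can be verified with a simple port probe. The following script is an added illustration and not part of the safeguard text or of SAP's tooling. It assumes the SDM server listens on the conventional NetWeaver port 5<NN>18 (NN = instance number); confirm the port against the instance profile before relying on it.

```python
"""Probe whether SAP SDM server ports are reachable from this host.

Added illustration for S 4.273; not SAP code. Assumes the SDM server listens on
TCP port 5<NN>18 (NN = two-digit instance number), the conventional NetWeaver
port, and that the host running the check stands in for the development
network (firewall check) or the administration host (SDM-not-running check).
"""
import socket
import socketserver
import threading


def sdm_port(instance_no: int) -> int:
    """Conventional SDM server port 5<NN>18 for Java instance NN (assumption;
    confirm against the instance profile)."""
    if not 0 <= instance_no <= 99:
        raise ValueError("instance number must be between 00 and 99")
    return 50018 + 100 * instance_no


def sdm_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(targets):
    """targets: iterable of (label, host, port, expect_reachable).

    Returns one finding string per target whose observed state differs from
    the expectation. Run from a development host with expect_reachable=False
    for every productive SDM port to check the firewall safeguard; run from
    the administration host outside a deployment window to check that the
    SDM server is not running permanently."""
    findings = []
    for label, host, port, expected in targets:
        seen = sdm_reachable(host, port)
        if seen != expected:
            state = "reachable" if seen else "not reachable"
            wanted = "reachable" if expected else "blocked or stopped"
            findings.append(f"{label}: SDM port {port} on {host} is {state}, expected {wanted}")
    return findings


class _Quiet(socketserver.BaseRequestHandler):
    """Accepts a connection and closes it; stands in for a listening SDM server."""
    def handle(self):
        pass


def start_local_listener():
    """Start a throw-away TCP listener on 127.0.0.1 (constructed stand-in for a
    running SDM server). Returns (server, port); call server.shutdown() when done."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _Quiet)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def closed_local_port() -> int:
    """Return a 127.0.0.1 port that was just free (stand-in for a stopped SDM server)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, port = start_local_listener()
    try:
        # Constructed scenario: the "productive" SDM server is up and reachable
        # from here, which a development host must not be able to observe.
        for line in audit([("DEV -> PRD SDM", "127.0.0.1", port, False),
                           ("PRD SDM outside deployment window", "127.0.0.1",
                            closed_local_port(), False)]):
            print(line)
    finally:
        server.shutdown()
        server.server_close()
```

A finding for the first target means the firewall safeguard is missing; a finding for the second means the SDM server is running although no deployment is in progress. Replace the local listener with the real productive hosts and `sdm_port(<instance>)` when running the check in an actual landscape.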
Sources of SAP documentation can be found in S 2.341 Planning the use of SAP.
Review questions:
- Is there a concept for SAP software deployment aligned with the special requirements of Java?
- Have responsibilities and processes been defined that ensure SAP software is deployed securely?
- Are technical safeguards in place that prevent software from being deployed directly from the development environment into the productive SAP system?