Security Guide EN

This document provides an overview of security aspects related to the SAP Engineering Control Center product. It describes the technical system landscape, security considerations for common processes like saving and editing documents, and references other relevant security guides.

Uploaded by

Bilal Kara

CUSTOMER

Security Guide
SAP Engineering Control Center 5.2
DOCUMENT HISTORY

Note
Before you start the implementation, make sure you have the latest version of this document.
This guide is valid as of SAP Engineering Control Center 5.2.6.0
The latest version is available on SAP Service Marketplace at
https://help.sap.com/viewer/p/SAP_ENGINEERING_CONTROL_CENTER

Version  Date        Change
1.0      2019-05-29  Initial creation
2.0      2020-07-02  Change of template
3.0      2021-04-29  New chapter "JAVA IMPLEMENTATIONS IN SAP ECTR" added
4.0      2022-07-14  Change of template

TABLE OF CONTENTS
1 INTRODUCTION
1.1 TARGET GROUP
1.2 WHY IS SECURITY NECESSARY?
2 BEFORE YOU START
3 TECHNICAL SYSTEM LANDSCAPE
3.1 USAGE
4 SECURITY ASPECTS FOR DATA, IN THE FLOW OF DATA AND IN PROCESSES
5 JAVA IMPLEMENTATIONS IN SAP ECTR
6 DATA PROTECTION
6.1 HANDLING OF PERSONAL DATA
6.2 BLOCKING OF PERSONAL DATA
6.3 DELETING OF PERSONAL DATA

1 INTRODUCTION

This guide does not replace the Administrator's or Operations Guides that are available for production
operation.

1.1 Target Group


• Technology consultants
• Security consultants
• System administrators
This document is not part of installation guides, configuration guides, technical manuals or upgrade guides.
These guides are only relevant for a certain phase of the software life cycle. The security guide provides
information for all phases of the life cycle.

1.2 Why is Security Necessary?


Security requirements increase with the increasing use of distributed systems and the internet for managing
business data. In a distributed system, you have to be sure that your data and processes meet the
requirements of your company. Furthermore, unauthorized persons must not be able to access critical
information. User errors, carelessness or attempts to manipulate the system must not result in a loss of data
or processing time. These security requirements also apply to SAP ECTR.

About this Document

The Security Guide provides an overview of security-relevant information for SAP ECTR.

Overview of the Main Sections

The Security Guide consists of the following main sections:


• Before you Start
  This section contains information about the reasons why security is necessary and how the document is
  used as well as references to other security guides that form the basis for this Security Guide. Relevant
  SAP Notes are also listed.
• Technical System Landscape
  This section provides an overview of the technical components and communication paths that SAP
  ECTR uses.
• Security Aspects for Data, in the Flow of Data and in Processes
  This section provides an overview of the security aspects of the most frequently used processes within
  SAP ECTR.

2 BEFORE YOU START

SAP ECTR is based on SAP ERP 6.0 EHP5. Hence the corresponding security guides also apply to SAP
ECTR.

Underlying Security Guides

Security guide of the scenario, application or component    Most important sections or specific restrictions
SAP ERP 6.0 EHP5                                            https://help.sap.com/viewer/product/SAP_ERP/6.05.17/en-US
SAP NetWeaver                                               https://help.sap.com/viewer/p/SAP_NETWEAVER_740

A complete list of available SAP Security Guides is available on SAP Service Marketplace at
http://service.sap.com/securityguide.

Important SAP Notes

The following table shows the most important SAP notes regarding the security of SAP ECTR.

Title                                                                 SAP Note
SAPHTTP and SSL                                                       506314
Access to Content Server via HTTPS                                    712330
Subsequent Introduction of the Security Level for Documents           792366
  (URL Signature)
CAD Services: DUPEC Problem and Additional Message                    1904365
ACC Integration in CAD Desktop: Enhancement for new RFCs (EA-APPL)    1895895
ACC Integration in CAD Desktop: Enhancement for new RFCs (PLMWUI)     1893807
CDESK_SRV_GET_FILE_UPLOAD_URL: Check can be Deactivated               1957344
CAD Services: Hierarchy Explosion                                     1926438
Workflow: Unify Access to Configuration                               1830685
WF Notify: User Decision with Automatic Notification Not Supported    1964571
CAD Services: Improvements to Troubleshooting                         1982509
CDESK: CAD user group not set to default value if user does not       2028915
  belong to a user group for group maintenance in Customizing
Update capability of the KPRO DMS                                     810391
Update capability of the KPRO DMS                                     942227
Modified report DMS_KPRO_CHECK1 for KPRO update                       942228
DIR has Files with Several Active Content Versions                    1302899

A list of additional security relevant SAP HotNews and SAP Notes is also available on SAP Service
Marketplace at https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html.

3 TECHNICAL SYSTEM LANDSCAPE

3.1 Usage
For more information on the technical system landscape refer to the sources listed in the following table.

Topic             Guide/tool        Quick Link to the SAP Help Portal or SDN
System landscape  Operations Guide  https://help.sap.com/viewer/p/SAP_ENGINEERING_CONTROL_CENTER

4 SECURITY ASPECTS FOR DATA, IN THE FLOW OF DATA AND IN PROCESSES

The following figure provides an overview of the following processes for SAP ECTR:
• Save
• Take into editing mode
• Password processing

Save

The following figure provides an overview of saving.

Step  Description                                                   Security Measure
1     The user stores a document in SAP ECTR.                       Not relevant
2     The URL for the document is requested.                        Not relevant
3     SAP returns the saving URL.                                   RFC
4     Data transfer to the content server with URLs.                Transfer protocol HTTPS
5     The content server sends an HTTP response to SAP ECTR.        Transfer protocol HTTPS
6     The data transfer to the content server is confirmed in SAP.  RFC
7, 8  Return to SAP ECTR.                                           RFC

Take into editing mode

The following figure provides an overview of taking into editing mode.

Step  Description                                                   Security Measure
1     The user starts editing a document in SAP ECTR.               Not relevant
2     The URL for the document is requested.                        Not relevant
3     SAP returns the editing URL.                                  RFC
4     Data transfer to the content server with URLs.                Transfer protocol HTTPS
5     The content server sends an HTTP response to SAP ECTR.        Transfer protocol HTTPS
6     The data transfer to the content server is confirmed in SAP.  RFC
7, 8  Return to SAP ECTR.                                           RFC

Password processing

The following figure provides an overview of password processing.

Step  Description                                                   Security Measure
1     The user logs on with the user data.                          The password is not displayed when entered
2     Transfer of logon data to SAP JCo and forward to the SAP      SNC / RFC, passwords are encrypted
      system for checking.
3     Feedback whether the logon was successful and the session     RFC
      object is for the currently valid session.
4     Feedback to user.                                             Not relevant

5 JAVA IMPLEMENTATIONS IN SAP ECTR

Several Java implementations exist. SAP ECTR is based on SAP JVM and SAP JVM is in turn based on
Java SE 8. Java implementations other than those provided by SAP are not tested and therefore not
supported.
SAP pays attention to security in its Java implementations. No browser add-ins are used. Only various .dll
and .exe files are saved on the hard disk. An installation does not take place. The mentioned files are only
called with user rights at runtime.

6 DATA PROTECTION

Data protection is associated with numerous legal requirements and data protection concerns. In addition to
compliance with the general data protection laws, compliance with industry-specific legislation in various
countries must be observed. This Guide describes how you can support compliance with legal regulations
and data protection.
This section and all other sections in this Guide do not indicate whether these features and functions are the
best way to support business, industry, regional, or country-specific requirements. In addition, this Guide
does not provide advice or recommendations on additional features that would be required in an
environment; data protection decisions must be made on a case-by-case basis and in compliance with the
given system landscape and applicable regulatory requirements.

6.1 Handling of personal data


For information on how personal data is handled in SAP, please read the SAP note 2627073 and the chapter
"Deleting Personal Data" in this Guide.

6.2 Blocking of personal data


It is not possible to block the output of personal data, such as the user name in log files.

6.3 Deleting of personal data


In SAP ECTR, personal data is backed up in various places.
To locate and delete the data, search for the following preference variables in the configuration files:

Variable       Configuration File
PLM_DATAROOT   %PLM_INSTDIR%\customize\config\plm_initialize.bat
PLM_TEMPBASE   %PLM_INSTDIR%\customize\config\plm_initialize.bat
PLM_COMMONDIR  %PLM_INSTDIR%\customize\config\plm_setenv.bat
PLM_LOGDIR     %TEMP%\SAP\ECTR\%PLM_INSTID%\logs

Data can also be stored in the following files, depending on the customizing:

Directory                        File Name
%PLM_INSTDIR%\customize\config\  attributes-from-sap.xml
%PLM_INSTDIR%\customize\config\  attributes-to.sap.xml

In addition, personal data may be stored in the temporary Windows folder. To find it, enter %TEMP%
in Windows Explorer.
Deleting this data has no effect on SAP ECTR operation. However, if the log files are deleted, SAP SE can
no longer track errors.
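
One way to carry out the search described in section 6.3, as an added PowerShell example that is not part of the SAP guide: it reads the three variables from the listed .bat files, adds the log directory and the two attribute files, and reports what exists without deleting anything. It assumes the variables are assigned with "set NAME=value" lines and that the PLM_LOGDIR row gives the log directory itself; the function name Get-BatVariable and the parameters -InstDir and -InstId are hypothetical.

```powershell
# Added example, not SAP code: report (never delete) the locations named in section 6.3.
# Assumption: the .bat files assign the variables with lines like  set PLM_DATAROOT=D:\ectr\data
param(
    [string]$InstDir = $env:PLM_INSTDIR,   # ECTR installation directory
    [string]$InstId  = $env:PLM_INSTID     # installation ID used in the log path
)
if (-not $InstDir) { throw 'Pass -InstDir or set PLM_INSTDIR.' }
# Process scope only, so %PLM_INSTDIR% / %PLM_INSTID% inside values can be expanded.
$env:PLM_INSTDIR = $InstDir
$env:PLM_INSTID  = $InstId
$configDir = Join-Path $InstDir 'customize\config'

function Get-BatVariable([string]$File, [string]$Name) {
    # Value of the last non-comment "set NAME=value" line in $File, or $null.
    if (-not (Test-Path -LiteralPath $File)) { return $null }
    $pattern = '^\s*@?set\s+"?' + [regex]::Escape($Name) + '="?(?<v>[^"]*)"?\s*$'
    $value = $null
    foreach ($line in Get-Content -LiteralPath $File) {
        if ($line -match '^\s*(rem\b|::)') { continue }
        if ($line -match $pattern) { $value = $Matches['v'].Trim() }
    }
    return $value
}

$fromBat = [ordered]@{
    PLM_DATAROOT  = 'plm_initialize.bat'
    PLM_TEMPBASE  = 'plm_initialize.bat'
    PLM_COMMONDIR = 'plm_setenv.bat'
}
$targets = @(foreach ($name in $fromBat.Keys) {
    $raw = Get-BatVariable (Join-Path $configDir $fromBat[$name]) $name
    if ($raw) { [pscustomobject]@{ Source = $name; Path = [Environment]::ExpandEnvironmentVariables($raw) } }
    else { Write-Warning "$name not found in $($fromBat[$name])" }
})
$targets += [pscustomobject]@{ Source = 'PLM_LOGDIR'; Path = Join-Path $env:TEMP "SAP\ECTR\$InstId\logs" }
foreach ($file in 'attributes-from-sap.xml', 'attributes-to.sap.xml') {
    $targets += [pscustomobject]@{ Source = $file; Path = Join-Path $configDir $file }
}

$targets | ForEach-Object {
    $files = @(Get-ChildItem -LiteralPath $_.Path -Recurse -File -Force -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Source = $_.Source
        Path   = $_.Path
        Exists = Test-Path -LiteralPath $_.Path
        Files  = $files.Count
        SizeMB = [math]::Round(($files | Measure-Object Length -Sum).Sum / 1MB, 2)
    }
} | Format-Table -AutoSize
```

Review the reported paths before removing anything; as the guide notes, deleting the log directory means errors can no longer be tracked.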

www.sap.com/contactsap

© 2022 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable
for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality
mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are
all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation
to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are
cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. See www.sap.com/copyright for additional trademark information and notices.
