
SAP NetWeaver 04

Security Guide

SAP Knowledge
Management
Security Guide
Document Version 1.00 April 29, 2004

SAP AG
Neurottstraße 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com

Copyright 2004 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer
Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.
Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace
You can find this documentation at the following Internet address:
service.sap.com/securityguide

Typographic Conventions

Type Style | Description
Example Text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon | Meaning
(icon) | Caution
(icon) | Example
(icon) | Note
(icon) | Recommendation
(icon) | Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Knowledge Management Security Guide

Contents
Knowledge Management Security Guide........................................5
1 Content Management Security Guide ...............................................5
1.1 Technical System Landscape ............................................................... 6
1.2 User Administration and Authentication.............................................. 7
1.3 Authorizations ........................................................................................ 8
1.4 Communication Channel Security ........................................................ 9
1.5 Data Storage Security .......................................................................... 11
1.6 Minimal Configuration ......................................................................... 12
1.7 Further Security-Relevant Information............................................... 13
1.8 Trace and Log Files.............................................................................. 14
1.9 Appendix............................................................................................... 14

2 Search and Classification (TREX) Security Guide.........................15


2.1 Technical System Landscape ............................................................. 16
2.2 User Management and Authentication ............................................... 18
2.3 Network and Communication Security............................................... 18
2.4 Data Storage Security .......................................................................... 21
2.5 Security for Additional Applications .................................................. 22
2.6 Minimal Installation .............................................................................. 22
2.7 Trace and Log Files.............................................................................. 23
2.8 Appendix............................................................................................... 24

April 29, 2004

Knowledge Management Security Guide
About this Guide
Knowledge Management comprises the following subcomponents:

Content Management (CM)

Search and Classification (TREX)

The Knowledge Management security guide is therefore actually divided into two separate
security guides:

Content Management Security Guide [Page 5]

Search and Classification (TREX) Security Guide [Page 14]

1 Content Management Security Guide


This guide does not replace the daily operations handbook that we
recommend customers create for their specific productive operations.

About this Guide


This guide describes security-relevant topics that affect the technical component Content
Management of the Knowledge Management platform.
As a component of SAP NetWeaverTM, the Knowledge Management Platform relies on the
components SAP Enterprise Portal and the J2EE Engine of the SAP Web Application Server.
The table below contains links to the security guides for these components.
Related Security Guides

Application | Guide | Most Relevant Sections or Specific Restrictions
SAP Web Application Server | SAP Web Application Server Security Guide | SAP Web AS Security Guide for J2EE Technology
SAP Enterprise Portal | Portal Platform Security Guide | -
Why is security necessary?


The Content Management security measures described here prevent unauthorized access to documents and settings and protect them against unauthorized manipulation.


Target Groups

Technical consultants

System administrators

This document is not included as part of the installation guides, configuration guides,
technical operation manuals, or upgrade guides. Such guides are only relevant for a certain
phase of the software life cycle, whereas the security guides provide information that is
relevant for all time frames.

Important SAP Notes

Check regularly to see what SAP Notes are available about the security of the application.

Important SAP Notes

SAP Note Number | Title | Comment
701097 | SAP NetWeaver '04 Documentation | Contains information on corrections to the documentation after it has been delivered.
599425 | EP6: Permissions for Knowledge Management | After the installation you have to restrict permissions for accessing folders and documents.

1.1 Technical System Landscape


The table below tells you where you can find more information about the technical system landscape.

More Information About the Technical System Landscape

Topic | Guide | Quick Link to the SAP Service Marketplace (service.sap.com)
Technology components such as the SAP Web Application Server | Master guide | instguides
Technical configuration, high availability | Technical infrastructure guide | ti


1.2 User Administration and Authentication


User Management
Knowledge Management, like the portal, uses the user management of the J2EE Engine, since it doesn't have its own user management.
The following service users are used internally by Content Management:

User | Delivered? | Type | Default Password | Detailed Description
cmadmin_service | Yes | service user | - | Used for various tasks in CM. The service user has write permissions to create a personal folder for every user in the repository /userhome and to create configuration settings at start up.
ice_service | Yes | service user | - | Used to access documents with the content exchange service.
index_service | Yes | service user | - | Used for crawling and indexing documents with the index management service.
notificator_service | Yes | service user | - | Used by the inbox and notification services.
subscription_service | Yes | service user | - | Used by the subscription service.
timebasedpublish_service | Yes | service user | - | Used by the time-dependent publishing service.
collaboration_service | Yes | service user | - | Used by CM repository services such as the feedback and rating services.

The service users have various system-wide permissions in CM, including resource permissions such as reading, writing, and deleting, and removing locks on documents. Service users are created automatically by the services in the user management of the J2EE Engine. They cannot be used to log on: no authentication is possible with these users. For more information, see Service Users [SAP Library] in the KM administration guide.
Also refer to User Administration and Authentication [SAP NetWeaver Security Guide].


1.3 Authorizations
Roles
The following roles are used in Knowledge Management:

Role | Description
Content Manager | The Content Manager role enables the structuring and managing of content of the KM platform. This role must be assigned to relevant users after the installation. For more information, see Assigning the Content Manager Role [SAP Library] in the KM administration guide.
System Administrator | The SAP Enterprise Portal role now contains KM-specific administration functions. A system administrator carries out the configuration of the KM platform (see System Administration [SAP Library] in the KM administration guide).
Content Administrator | The Content Administrator role of SAP Enterprise Portal now contains KM-specific content administration functions. It allows direct access to all folders and documents that are stored in internal or external repositories of the KM platform (see the Content Management guide [SAP Library] in the KM documentation set).

You can delegate the task areas to other roles. For more information, see Delegated Administration [SAP Library] in the portal administration guide.

ACLs
In addition to the roles concept, another authorization concept is used - access control lists
(ACLs).
By using repository managers that deal with various types of data storage (file system,
WebDAV server, and so on), CM uniformly manages content located in different repositories.
Initially, everybody has full control access to these contents. If a security manager is activated
for a repository, you can protect the contents of the repository with access control lists
(ACLs).
Permissions (ACLs) are inherited by subordinate folders from superordinate folders.
However, if you change permissions on a subordinate folder, the system creates a separate
ACL for this resource. From now on, changes made to the permissions for the superordinate
folder will no longer be transferred to the subordinate folder for which the system has created
a separate ACL.

Restrict the access permissions on the root nodes of security-relevant repositories immediately after the installation, to prevent documents being read by users who guess or enumerate document URLs. Change the ACLs of subordinate folders only where their permissions need to differ from those of the root node.
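The inheritance rule above (a subordinate folder inherits until its permissions are changed, after which it carries a separate ACL that parent changes no longer reach) is easy to get wrong when hardening after installation. The following model, added here as an illustration and not SAP code, walks through the recommended sequence: everybody starts with full control on the root, the root is restricted first, a subordinate folder is tightened and thereby detached, and a later loosening of the root does not leak into the detached folder. Permission names, principal names and the repository layout are assumed.

```python
"""Model of KM-style ACL inheritance (added illustration, not SAP code).
A resource without an ACL of its own inherits the nearest ancestor's ACL; the
first permission change on it creates a separate ACL and detaches it."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

EVERYONE = "everyone"                                   # assumed principal name
FULL_CONTROL = frozenset({"read", "write", "delete", "unlock"})  # assumed vocabulary


@dataclass
class Resource:
    path: str
    parent: Optional["Resource"] = None
    acl: Optional[Dict[str, Set[str]]] = None  # None = no ACL of its own (inherits)


class Repository:
    """A repository with an active security manager. As delivered, everybody has
    full control on the root node."""

    def __init__(self, name: str) -> None:
        self.root = Resource(f"/{name}", acl={EVERYONE: set(FULL_CONTROL)})
        self.resources: Dict[str, Resource] = {self.root.path: self.root}

    def add(self, path: str) -> Resource:
        parent = self.resources[path.rsplit("/", 1)[0]]
        res = Resource(path, parent)  # inherits until its permissions are changed
        self.resources[path] = res
        return res

    def effective_acl(self, path: str) -> Dict[str, Set[str]]:
        res = self.resources[path]
        while res.acl is None:
            res = res.parent
        return res.acl

    def set_permissions(self, path: str, principal: str, perms: Iterable[str]) -> None:
        """Changing permissions on a folder without its own ACL copies the inherited
        ACL onto it; from then on changes to the parent no longer reach it."""
        res = self.resources[path]
        if res.acl is None:
            res.acl = {p: set(s) for p, s in self.effective_acl(path).items()}
        res.acl[principal] = set(perms)

    def allowed(self, principal: str, path: str, perm: str,
                groups: Iterable[str] = ()) -> bool:
        acl = self.effective_acl(path)
        return any(perm in acl.get(p, set()) for p in (principal, EVERYONE, *groups))


def demo() -> Dict[str, bool]:
    """Hardening sequence after installation (constructed scenario)."""
    repo = Repository("documents")
    for p in ("/documents/public", "/documents/hr", "/documents/hr/salaries"):
        repo.add(p)
    # As delivered: anyone who guesses the URL of a document can read it
    before = repo.allowed("guest", "/documents/hr/salaries", "read")
    # Step 1: restrict the root node first
    repo.set_permissions("/documents", EVERYONE, {"read"})
    repo.set_permissions("/documents", "content_managers", FULL_CONTROL)
    # Step 2: tighter ACL on a subordinate folder -> /documents/hr gets a separate ACL
    repo.set_permissions("/documents/hr", EVERYONE, set())
    repo.set_permissions("/documents/hr", "hr_team", {"read", "write"})
    # Later loosening of the root does not propagate to the detached folder
    repo.set_permissions("/documents", EVERYONE, {"read", "write"})
    return {
        "guest_could_read_before": before,
        "guest_reads_salaries_after": repo.allowed("guest", "/documents/hr/salaries", "read"),
        "hr_reads_salaries": repo.allowed("alice", "/documents/hr/salaries", "read",
                                          groups=("hr_team",)),
        "guest_writes_public": repo.allowed("guest", "/documents/public", "write"),
    }
```

Note the last step: because /documents/hr already has its own ACL, widening the root to read/write reaches /documents/public but not /documents/hr, which is exactly why the guide tells you to restrict the root before creating exceptions below it.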

See also:
Permissions [SAP Library]
Security Managers [SAP Library]
ACL Security Manager [SAP Library]
Service ACL Service [SAP Library]

1.4 Communication Channel Security


Various channels of communication and technologies are used between subcomponents and
data sources of the Knowledge Management Platform.

Used Technologies
The following technologies are used for communication:

HTTP/HTTPS

WebDAV

ICE

JDBC on OpenSQL

Operating system-dependent technologies

[Figure: Communication channels of Knowledge Management. Browser, WebDAV client and ICE subscriber connect to the SAP J2EE Engine (portal server) over HTTP(S), HTTP(S)+WebDAV and HTTP(S)+ICE respectively. Within the portal server, CM accesses the directory with configuration data and the file system repository over operating system-dependent protocols (for example NetBIOS, NFS), the DBMS with the CM database over JDBC on OpenSQL, TREX and Web repositories over HTTP(S), WebDAV repositories over HTTP(S)+WebDAV, and Lotus Notes repositories over IIOP.]
Components and Communication Channels

Communication Between | Communication Channel/Protocol | Transmitted Data | Comments
CM and DBMS with CM database | JDBC on OpenSQL | Documents, metadata | You can use database management systems such as ORACLE and MICROSOFT.
CM and TREX | HTTP or HTTPS | Search requests, search results, index data, classification data | -
CM and directory with configuration data on the portal server | Operating system-dependent. Windows example: NetBIOS. UNIX example: NFS. | Configuration data | In the case of cluster installations of CM, the directory with the configuration data is made available on the database server.
CM and repositories | Depends on the implementation (see table below). | Documents, metadata | -
ICE subscriber and ICE provider (CM) | ICE using HTTP or HTTPS | Documents, metadata | Used for exchanging content packages.
WebDAV client and WebDAV server (CM) | HTTP or HTTPS with WebDAV extension | Documents, metadata | -
Browser and portal with installed KM | HTTP or HTTPS | (HTML) documents | -

Technologies for Repositories

External Repositories | Communication Technology | Type of Authentication
Web repository | HTTP, HTTPS | HTTP Basic Authentication, HTTP Digest Authentication
WebDAV repository | HTTP, HTTPS with WebDAV extension | HTTP Basic Authentication, HTTP Digest Authentication
File-system repository and CM repository (DBFS and FSDB modes) | Operating system-dependent. Windows example: NetBIOS, TCP/IP. UNIX example: NFS. | Dependent on operating system and configuration. Windows example: SMB using TCP/IP.
Lotus Notes repository | IIOP | IIOP-specific

In the case of Web and WebDAV repositories, the combination of HTTP and Basic Authentication is unsafe: Basic Authentication only base64-encodes the user name and password, so they are effectively transmitted in plaintext and can be read by anyone on the network path. The authentication type is controlled by the remote server. If a remote server offers only Basic Authentication over plain HTTP, that server is not configured securely; in that case, have the remote server use HTTPS or another type of authentication such as Digest Authentication.
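To make the difference concrete, the following example (added here; not SAP code, and the captured header, credentials and audit rules are constructed for this illustration) decodes the Authorization header a WebDAV client sends with Basic Authentication, computes what the same client would send under Digest Authentication (RFC 2617, qop=auth), and classifies a repository connection the way the note above does.

```python
"""Basic vs. Digest on the wire, plus a check for the unsafe HTTP + Basic combination.
Added illustration, not SAP code; header, credentials and audit rules are constructed."""
import base64
import hashlib
from typing import Tuple


def decode_basic(authorization_header: str) -> Tuple[str, str]:
    """Basic carries base64(user:password): trivially reversible, so over plain HTTP
    the password is readable by anyone who sees the request."""
    scheme, _, value = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(value).decode("utf-8").partition(":")
    return user, password


def digest_response(user: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str = "00000001", cnonce: str = "0a4f113b",
                    qop: str = "auth") -> str:
    """RFC 2617 Digest (qop=auth): the header carries this MD5 response, which changes
    with the server nonce; the password itself never crosses the wire."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def audit_repository(url: str, auth_type: str) -> str:
    """Classify a repository connection as the guide's note does (rules are assumed)."""
    scheme = url.split("://", 1)[0].lower()
    auth = auth_type.lower()
    if scheme == "https":
        return "ok"  # TLS protects credentials and content for either auth type
    if auth == "basic":
        return "insecure: Basic over HTTP transmits the password in clear"
    if auth == "digest":
        return "weak: Digest over HTTP hides the password from passive capture, not the documents"
    return "unknown"


# Constructed capture of the header a WebDAV client would send (not real traffic)
CAPTURED_BASIC = "Basic " + base64.b64encode(b"kmuser:S3cret!").decode()


def demo() -> dict:
    user, password = decode_basic(CAPTURED_BASIC)
    r1 = digest_response(user, "km-repo", password, "PROPFIND", "/dav/docs/", nonce="f1e2d3")
    r2 = digest_response(user, "km-repo", password, "PROPFIND", "/dav/docs/", nonce="a9b8c7")
    return {
        "basic_reveals": (user, password),
        "digest_hides_password": password not in r1,
        "digest_varies_per_nonce": r1 != r2,
        "http_basic": audit_repository("http://files.example.com/dav", "Basic"),
        "https_basic": audit_repository("https://files.example.com/dav", "Basic"),
    }
```

Digest is only a partial fix: the response is an unsalted MD5 construction that can be attacked offline from a capture, and the document bodies still travel in clear. HTTPS for the repository connection is the setting that actually closes the channel.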
See also:
Content Management Configuration [SAP Library]
Repositories and Repository Managers [SAP Library]

1.5 Data Storage Security


Data in CM
Various types of data are used in Content Management. They are stored in different places.

Data in Content Management

Type of Data | Storage Location | Protected by
Configuration data | Folder hierarchies in the file system of the portal server (see Content Management Configuration [SAP Library]) | Permissions at operating system level.
CM portal content (worksets and iView templates) | Portal catalog (database) | Security concepts of the portal (roles), security concepts of DBMS.
CM content (folders and files) | Internal repositories [SAP Library] (such as /documents); file system repository /etc. | Security concepts of the portal (roles), security concepts of DBMS, permissions at operating system level. Access to the portal is controlled by the role concept.
Service data | Database, directory with configuration data in the file system. | Security concepts of the DBMS, permissions at operating system level.
Customer and system-external content (folders and files) | External repositories [SAP Library] | Security concepts of the remote server, ACLs, permissions.
Customer and system-external content (folders and files) | Internal repositories (database, file system) | Permissions at operating system level, ACLs.

Temporary Data on the Client PC


Note that CM-specific temporary Internet files are stored on the client PC when the portal is called.
When you use the function Edit Locally, the content of the document in question is stored in a temporary directory on the client PC. When you upload the document to KM, it is deleted from the client PC once the program used to edit it is closed. If you do not close the program, or if the document is locked, it remains on the client PC.

If the client PC is also being used by another user, delete the content from the
temporary directories and the browser cache when you have finished your
work.

1.6 Minimal Configuration


Functionality Restrictions
Depending on the users of your system, you may want to restrict functionality as well as
access permissions.

Deactivating Repository Services


By default, the CM repository documents is delivered for storing documents and metadata.
For a minimal configuration, you deactivate the repository services that you do not need (for
example, the discussion service for creating discussions) in the configuration of this
repository manager. If you integrate your own repositories, you should also reduce the
number of repository services to a minimum. However, you should not change the
configuration of repository managers that are used system-internally.
For more information, see Repositories and Repository Managers [SAP Library] and
Repository Services [SAP Library] in the administration guide.

Deactivating Interface Commands


The flexible user interface of the KM platform provides you with interface commands for carrying out operations. For a minimal configuration, deactivate interface commands that cause changes, including commands for checking objects in (Upload, Create New Text File, Create New HTML File), commands for editing objects (Edit Locally, Edit Online), and commands for deleting objects.
For more information, see User Interface Commands [SAP Library] in the administration
guide.


1.7 Further Security-Relevant Information


Active Code
Various types of active code are used in the KM platform. This code is executed on the client host in the Web browser.

Active Code | Use | Comments
ActiveX | Used for the Local Editing function. | If your security policy rules out ActiveX, you can use a Java applet instead. For more information, see Online and Local Editing [SAP Library] in the KM administration guide.
JavaScript | Used by the HTMLB software component (for example, for client-side checks of entries and for generating popup menus). | JavaScript is also used extensively by the SAP Enterprise Portal component.
Java | Java applets are used for Local Editing and for the XML Forms Builder application. | If your security policy rules out Java applets, you cannot use the XML Forms Builder. The Local Editing function can also be used with ActiveX.

Anonymous Users and Creation of Documents


Content Management allows users to create documents in the portal. Typical examples of features in which users can create documents are functions for uploading documents, editing documents online, providing feedback, joining in discussions, or writing reviews. By default, users create these documents using an HTML editor. In portals that allow anonymous users to access the portal from the Internet, we strongly recommend that anonymous users not be allowed to create documents in HTML, as they may abuse this privilege, for example by embedding script or other active content that is executed in the browsers of other users.
For this reason, we recommend that you prevent anonymous users from creating documents by granting them read permissions only on all documents and folders. In the flexible user interface, layout sets for anonymous users should not contain any menu entries for actions that involve creating documents.
Additionally, you can configure discussions, reviews, and feedback to use a text editor instead of an HTML editor. We recommend that you make this setting. You do this by setting an indicator in the relevant service.
For more information on how to set this indicator in the discussion service, see Collaboration Services [SAP Library] in the KM administration guide. Use the same procedure for comments and feedback.
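The two recommendations above (read-only permissions for anonymous users, and the text editor instead of the HTML editor for discussions, reviews and feedback) address different risks, which the following example separates. It is added here as an illustration and is not KM code: the User and Service classes, the permission check and the sample submission are constructed, and the `use_html_editor` flag stands in for the service indicator the guide refers to.

```python
"""Why anonymous users get read-only and why feedback should use the text editor.
Added illustration, not KM code; classes, permission check and payload are assumed."""
import html
import re
from dataclasses import dataclass
from typing import FrozenSet

# Markup that would run in another reader's browser if stored as HTML (assumed list)
ACTIVE_MARKUP = re.compile(r"<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript:", re.I)


@dataclass(frozen=True)
class User:
    name: str
    anonymous: bool = False
    permissions: FrozenSet[str] = frozenset({"read"})  # anonymous users: read only


@dataclass
class Service:
    """A discussion/feedback/review service; use_html_editor mirrors the service indicator."""
    name: str
    use_html_editor: bool = False


def create_document(user: User, service: Service, body: str) -> dict:
    """Store a user-created document or refuse it. Returns the stored record."""
    if user.anonymous or "write" not in user.permissions:
        raise PermissionError(f"{user.name} may not create documents in {service.name}")
    if service.use_html_editor:
        # HTML editor: stored verbatim; whatever the author embeds reaches every reader
        return {"author": user.name, "type": "text/html", "body": body}
    # Text editor: characters are escaped, so the body can never become active markup
    return {"author": user.name, "type": "text/plain", "body": html.escape(body, quote=True)}


def is_active(record: dict) -> bool:
    """True if the stored body would execute in a browser rendering it as HTML."""
    return record["type"] == "text/html" and bool(ACTIVE_MARKUP.search(record["body"]))


# Constructed sample submission (not from the original document)
PAYLOAD = '<img src=x onerror="alert(document.cookie)">Nice article!'


def demo() -> dict:
    anon = User("anonymous", anonymous=True)
    alice = User("alice", permissions=frozenset({"read", "write"}))
    text_service = Service("discussion", use_html_editor=False)
    html_service = Service("discussion", use_html_editor=True)
    results = {}
    try:
        create_document(anon, text_service, PAYLOAD)
        results["anonymous_refused"] = False
    except PermissionError:
        results["anonymous_refused"] = True
    as_text = create_document(alice, text_service, PAYLOAD)
    as_html = create_document(alice, html_service, PAYLOAD)
    results["text_editor_active"] = is_active(as_text)
    results["html_editor_active"] = is_active(as_html)
    results["text_body"] = as_text["body"]
    return results
```

The permission check stops anonymous users entirely; the editor setting protects you from named users too, because a stored text/plain body is escaped before it is ever rendered. The regular expression is only a detector for the demonstration, not a sanitizer; do not rely on a blocklist like it to make HTML input safe.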


1.8 Trace and Log Files


The system writes log information of the Knowledge Management Platform to the file knowledgemanagement.*.log (* is a value between 0 and 9).
You activate audit logging for ACLs by including the audit logging class com.sapportals.wcm.repository.security.SecurityAudit$Log in the configuration file logging.properties and setting the required level of detail, for example:

com.sapportals.wcm.repository.security.SecurityAudit$Log.severity = DEBUG
For more information on logging, see KM Log [SAP Library] in the KM administration guide.

1.9 Appendix
Related Security Guides
You can find more information about the security of SAP NetWeaverTM under Security [SAP
Library].

Related Information
For more information about topics related to security, see the links in the table below.
Quick Links to Related Information

Content | Quick Link on the SAP Service Marketplace (service.sap.com)
Master guide, installation guides, and upgrade guides | instguides
Related SAP Notes | notes
Network security | network, securityguide
Technical infrastructure | ti
SAP Solution Manager | solutionmanager

2 Search and Classification (TREX) Security Guide
This guide does not replace the daily operations handbook that we
recommend customers create for their specific productive operations.

About this Guide


This guide describes security-relevant topics that affect the technical component Search and Classification of the Knowledge Management (KM) Platform. KM is a component of SAP NetWeaver. It is used for managing unstructured information.

Related Security Guides

Application | Guide
SAP Web Application Server 6.40 | SAP Web Application Server Security Guide
SAP Enterprise Portal 6.0 | Portal Platform Security Guide
Content Management | Content Management Security Guide [Page 5]

Why is Security Necessary?


Search and Classification (TREX) enables you to configure secure communication between TREX and the applications that use TREX (for example, SAP Enterprise Portal and SAP Customer Relationship Management). The Secure Sockets Layer protocol (SSL) with client authentication is used for secure communication between TREX components (preprocessor and Web server) and other applications that access TREX using the TREX Java client and the TREX ABAP client.
TREX is a search and classification engine that is used to search in structured and unstructured data and documents. When documents are indexed and document content is searched by TREX, content containing personal or confidential information is also transmitted. The TREX security measures prevent unauthorized access to, and manipulation of, documents and settings, and serve to ensure that data protection regulations are met.

Target Groups

Technical consultants

System administrators

This document is not included as part of the installation guides, configuration guides,
technical operation manuals, or upgrade guides. Such guides are only relevant for a certain
phase of the software life cycle, whereas the security guides provide information that is
relevant for all time frames.


Important SAP Notes

Check regularly to see what SAP Notes are available about the security of the application.

Important SAP Notes

SAP Note Number | Title | Comment
583396 | TREX 6.0/6.1: Preprocessing fails with return code 6403 | -
620169 | TREX 6.0/6.1: Cryptographic Software for Apache Web Server | -
656042 | TREX 6.0/6.1: TREX Web Page not accessible after update | -
701097 | SAP NetWeaver '04 Documentation | Contains information on corrections to the documentation after it has been delivered.
701701 | TREX 6.1: Providing Certificates for TREX Java Client | -

2.1 Technical System Landscape


Search and Classification (TREX) includes the following central components:

Java client and ABAP client

Web server with TREX extension

Queue server

Preprocessor

Index server with the TREX engines

Name server

The graphic below shows the individual TREX components and how they communicate.

[Figure: TREX components and communication. The application using TREX contains the Java client and the ABAP client. The Java client talks to the Web server with TREX extension over HTTP/HTTPS; the ABAP client talks to the SAP gateway over RFC/SNC, and the gateway to the RFC server over TCP/IP. The Web server and the RFC server pass requests over TCP/IP to the queue server, the index server with the TREX engines, the name server and the preprocessor; the preprocessor connects to the application over HTTP/HTTPS. TREX data storages: queues and indexes.]
TREX is based on a client/server architecture. The client software is integrated into the
application that uses the TREX functions, and allows access to the TREX servers. The TREX
servers execute the requests of the clients: They index and classify documents and respond
to search queries.
TREX offers an ABAP and a Java client. This allows ABAP and Java applications to use
TREX functions. ABAP and Java applications communicate with the TREX servers using
different protocols and components.

ABAP applications communicate with TREX servers using the RFC protocol. This
communication takes place using an SAP gateway and an RFC server.

Java applications communicate with TREX using the HTTP or HTTPS protocol. This
communication takes place using a Web server that is enhanced with TREX-specific
functions.

RFC and Web servers have similar functions: They receive the requests of the application,
convert them to a TREX-internal format, and send them on to the responsible TREX server.
The table below tells you where you can find more information about the technical system
landscape.

More Information About the Technical System Landscape

Topic | Guide/Tool | Quick Link to the SAP Service Marketplace (service.sap.com)
TREX components and infrastructure | TREX installation guide | instguides

2.2 User Management and Authentication


User Management
User management is administered by the application using TREX (for example, SAP Enterprise Portal or SAP Business Information Warehouse). TREX does not have its own user management. For more information on user management in SAP NetWeaver, see User Authentication and Single Sign-On [SAP Library].

Integration into Single Sign-On Environments
TREX is integrated into the SAP Enterprise Portal single sign-on environment: TREX identifies itself to the portal using an SAP Logon ticket. For more information on client authentication, see Configuration of the TREX Security Settings [SAP Library].

Authorizations
The clients that access the TREX servers authenticate themselves to the TREX server in question with client certificates (TREX Java client to TREX Web server; portal Web server to TREX preprocessor). The TREX preprocessor identifies itself to the portal Web server using the SAP Logon ticket. Because a TREX server only grants access to an authenticated client, secure access of the individual clients to the TREX servers can be configured at a granular level.

2.3 Network and Communication Security


Communication Channel Security
Used Technologies
The following technologies are used for communication between the individual TREX components and between TREX and the applications that use TREX:

HTTP/HTTPS

TCP/IP (TREXNet)

RFC/SNC

SSL

[Figure: TREX components and communication channels; identical to the graphic in section 2.1.]

Communication between the TREX Java client and the TREX Web server, and between the
Portal Web server and the TREX preprocessor, takes place using HTTP/HTTPS. All other
communication between the TREX components (name, index, queue, and Web server) takes
place using a TREX-specific protocol (TREXNet) that is based on TCP/IP.
Communication Channels of TREX Components

TREX Component | Communication Technology | Type of Authentication
Java client | HTTP/HTTPS | Client certificate
ABAP client | RFC/SNC | -
Web server with TREX extension | HTTP/HTTPS with the Java client; TCP/IP (TREXNet) with other TREX components. | Client certificate
Preprocessor | HTTP/HTTPS with the portal Web server; TCP/IP (TREXNet) with other TREX components. | Client certificate
Name server | TCP/IP (TREXNet) | -
Queue server | TCP/IP (TREXNet) | -
Index server | TCP/IP (TREXNet) | -

Data Storage
The data that the TREX queue server (queues) and the TREX index server and its search
engines (search index, text-mining index, and attribute-engine index) access are not stored in
a database. They are stored on the file system in special directories.


Data Transfer
The communication between the TREX preprocessor and the portal Web server is used to fetch and transmit document content from the repositories of the application using TREX (for instance, SAP Enterprise Portal). The TREX Java client transmits search requests and commands (for instance, create a link) from the application to the TREX index server, and returns search results, responses to commands, and document content. Communication of an R/3 application with TREX using the TREX ABAP client and RFC works in a similar way. The data (search requests, search results, document content, and commands) is protected by securing the communication channels and by certificate-based authentication of the communication partners.

Network Security
The TREX servers, components, and indexes can be distributed among various network
segments using a scaling and load-balancing concept.

Note that no validated scaling concept is available for TREX 6.1 SP1.
When the TREX installation takes place, using SAPinst, the ports for the TREX servers are
calculated as follows on the basis of the selected number for the TREX instance being
installed:
30000 + 100 * <instance_number> + <current_number>
The method of calculation ensures that the ports do not clash with another TREX instance on
the same host. The ports can be configured individually.

If you chose the instance number 48, the ports will be as follows:

- Name server: 34801
- Preprocessor: 34802
- Index server: 34803
- Queue server: 34804
- HTTP server: 34805


The configuration of firewall settings depends on whether TREX is within the technical system
landscape. If this is the case, you must use the configuration to ensure that the firewall is
permeable to the ports of the TREX servers in both directions for TCP/IP (not for UDP).
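The port formula above, worked through in code as an added example (not SAP's own tooling): it computes the default ports of one instance, detects clashes when instance numbers are reused on a host, and reviews a firewall allow-list against the expected ports. The server offsets are taken from the instance-48 list in the guide; the assumptions that instance numbers lie in 0..99 and that fewer than 100 ports are used per instance are what keep two instances from overlapping. Individually configured ports are not covered, since the guide notes they can deviate from the formula.

```python
"""Expected TREX ports per instance and a firewall allow-list review.

Added example for the guide's port formula
30000 + 100 * <instance_number> + <current_number>; it is not SAP's own tooling.
Server offsets follow the guide's instance-48 example (name server 1,
preprocessor 2, index server 3, queue server 4, HTTP server 5). Assumptions:
instance numbers are 0..99 and fewer than 100 ports are used per instance.
"""
BASE_PORT = 30000

# <current_number> per server, as listed in the guide for instance 48.
SERVER_OFFSETS = {
    "name server": 1,
    "preprocessor": 2,
    "index server": 3,
    "queue server": 4,
    "http server": 5,
}


def trex_ports(instance_number):
    """Map server name -> default port for one TREX instance, per the guide's formula."""
    if not 0 <= instance_number <= 99:
        raise ValueError("instance number must be in 0..99 (assumption of this example)")
    return {name: BASE_PORT + 100 * instance_number + offset
            for name, offset in SERVER_OFFSETS.items()}


def port_clashes(instance_numbers):
    """Ports claimed by more than one instance on the same host (e.g. a reused instance number).

    Returns a list of (port, first_owner, second_owner) with owners as (instance, server).
    """
    owner = {}
    clashes = []
    for inst in instance_numbers:
        for name, port in trex_ports(inst).items():
            if port in owner:
                clashes.append((port, owner[port], (inst, name)))
            else:
                owner[port] = (inst, name)
    return clashes


def firewall_review(instance_number, allowed_tcp_ports, allowed_udp_ports=()):
    """Compare a firewall allow-list against the instance's expected ports.

    Returns (missing_tcp, needless_udp): TREX ports absent from the TCP allow-list
    (the guide requires TCP in both directions) and TREX ports that were opened
    for UDP, which the guide says is not needed.
    """
    expected = set(trex_ports(instance_number).values())
    missing_tcp = sorted(expected - set(allowed_tcp_ports))
    needless_udp = sorted(expected & set(allowed_udp_ports))
    return missing_tcp, needless_udp


if __name__ == "__main__":
    print(trex_ports(48))
    print(port_clashes([48, 48]))
    # Constructed allow-list: HTTP server port missing for TCP and wrongly opened for UDP.
    print(firewall_review(48, allowed_tcp_ports=[34801, 34802, 34803, 34804],
                          allowed_udp_ports=[34805]))
```

Run the review against the port lists actually configured on the firewall; a non-empty first element means a TREX server will be unreachable across the segment boundary, a non-empty second element means UDP exposure the guide does not call for.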

Communication Destinations
When the TREX installation takes place, you create one or more RFC destinations of the
connection type T so that the application can communicate with TREX. You choose the
activation type Start or Activation when you create the RFC destination. The activation type
determines how the SAP Gateway communicates with the RFC server.
In addition to the RFC connection, TREX uses HTTP/HTTPS for the communication between
TREX components and the application using TREX. The ports used for this are described
under Network Security.


2.4 Data Storage Security


Data Storage Location
The data that the TREX queue server (queues) and the TREX index server and its search
engines (search index, text-mining index, and attribute-engine index) access are stored on
the file system in special directories. SAPinst creates the following directory for the TREX
instance being installed:

- On UNIX: /usr/sap/trex_<instance_number>
- On Windows: <disk_drive>:\usr\sap\trex_<instance_number>

The queues and indexes are then stored in the subdirectories /index and /queue. The
paths to the directories are determined by SAP_RETRIEVAL_PATH when TREX is installed. In
the case of a distributed scenario, the system itself is responsible for the distributed storage
of the data for the queues and indexes (not the case for TREX 6.1 SP1). The data is not
stored temporarily anywhere else.

Type of Data Access


Only read access to data takes place for search requests. If new documents are added to the
data set, the indexes and queues must be changed and enhanced. This takes place using
write, delete, or change access.

Level of Protection
The TREX installation is created by a root user that specifies a TREX user during the
installation. This TREX user has read and write access for the directories that are created.
You need a separate UNIX or Windows user for every TREX instance that you install. You
specify this user later on during the TREX installation. SAPinst makes sure that the user is
the owner of all files and directories that belong to the TREX instance. On UNIX, the user
cannot have root permissions, and on Windows, it must have administration permissions. This
means that customers can decide at file-system level who accesses the data used by
TREX and how.
The TREX setup program creates the Web site SAP_TREX_<instance_number> on the Web
server. This causes an anonymous user for access to the Web site to be defined. This
anonymous user is called IUSR_<host_name> by default. The anonymous user needs to
have Full Control permission for the TREX directory.
You can ensure this in the following ways:

- Variant 1: You determine the anonymous user entered in the properties for the Web
  site SAP_TREX_<instance_number>. You give this user Full Control access to the
  TREX directory and to all contained files and sub-directories.
- Variant 2: You change the anonymous user in the properties for the Web site
  SAP_TREX_<instance_number>. Instead of using the default setting
  IUSR_<host_name>, you enter a local user that has Full Control access for the TREX
  directory.
For more information on the user permissions given during the TREX installation, see the
TREX installation guide at service.sap.com/instguides → SAP NetWeaver →
Release 04 → Installation → Search and Classification (TREX) 6.1 Installation Guide.
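The file-system protection described under "Data Storage Location" and "Level of Protection" can be verified after installation. The following audit is an added example, not SAP's or SAPinst's code; it assumes a UNIX host and checks what the guide states: the TREX user owns everything under /usr/sap/trex_<instance_number>, that user is not root, and the /index and /queue subdirectories exist. Flagging any access for "other" users is an added hardening check, justified by the fact that queues and indexes hold document content. The sample directory layout is constructed in a temporary directory for the demonstration.

```python
"""Audit the file-system protection of a TREX instance directory (added example, UNIX only)."""
import os
import stat
import tempfile


def audit_trex_instance_dir(root, trex_uid):
    """Return a list of findings for the instance directory; an empty list means it passes.

    Checks: the TREX user is not root (guide: no root permissions on UNIX); the
    /index and /queue data directories exist; every directory and file under root
    is owned by the TREX user (guide: SAPinst makes the user the owner); nothing
    is accessible to "other" users (added hardening check, assumption of this example).
    """
    findings = []
    if trex_uid == 0:
        findings.append("TREX user must not be root (uid 0)")
    if not os.path.isdir(root):
        return findings + [f"missing instance directory: {root}"]
    for sub in ("index", "queue"):
        if not os.path.isdir(os.path.join(root, sub)):
            findings.append(f"missing data directory: {os.path.join(root, sub)}")
    for dirpath, _, filenames in os.walk(root):
        # Each directory is checked when it is visited as dirpath, files alongside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.stat(path)
            if st.st_uid != trex_uid:
                findings.append(f"not owned by TREX user (uid {st.st_uid}): {path}")
            if st.st_mode & stat.S_IRWXO:
                mode = oct(stat.S_IMODE(st.st_mode))
                findings.append(f"accessible to other users (mode {mode}): {path}")
    return findings


def build_sample_instance(base_dir, instance_number=48):
    """Create a constructed, minimal trex_<instance_number> layout with owner/group-only modes."""
    root = os.path.join(base_dir, f"trex_{instance_number}")
    os.makedirs(root)
    os.chmod(root, 0o750)
    for sub in ("index", "queue"):
        path = os.path.join(root, sub)
        os.makedirs(path)
        os.chmod(path, 0o750)
    sample = os.path.join(root, "index", "sample.idx")
    with open(sample, "w") as fh:
        fh.write("constructed placeholder index data\n")
    os.chmod(sample, 0o640)
    return root


def demo():
    """Run the audit on the constructed layout; returns (clean, loosened, as_root) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_instance(tmp)
        uid = os.getuid()
        clean = audit_trex_instance_dir(root, uid)
        os.chmod(os.path.join(root, "index"), 0o777)   # simulate a careless chmod
        loosened = audit_trex_instance_dir(root, uid)
        as_root = audit_trex_instance_dir(root, 0)     # TREX user configured as root
    return clean, loosened, as_root


if __name__ == "__main__":
    for label, result in zip(("clean", "loosened /index", "root as TREX user"), demo()):
        print(f"{label}: {result}")
```

Point the audit at the real instance directory with the uid of the TREX user (for example from pwd.getpwnam) and treat any "accessible to other users" or "not owned" finding as a deviation from the installation state SAPinst produced.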


2.5 Security for Additional Applications


The following applications are delivered with the TREX installation.

Additional Applications

Application                                 | Comments
Microsoft Internet Information Server (IIS) | External
Apache Web Server                           | External
SAPinst                                     | SAP internal
SAP Gateway                                 | SAP internal


The Microsoft Internet Information Server (IIS) and the Apache Web Server, which
communicate on Windows and UNIX respectively with the CM Java client as TREX Web servers,
both have their own validated security concepts that are referred to in the configuration of
TREX security.
During the SAPinst TREX installation, the required permissions are given for the Microsoft
Internet Information Server (IIS) (see Data Storage Security [Page 20] Level of
Protection). You can use the cryptography tool SAPGENPSE to configure secure
communication between the TREX preprocessor and the portal Web server, and between the
TREX Web server and the TREX name server. You obtain the cryptography tool
SAPGENPSE as part of the SAP Cryptographic Library from the SAP Service Marketplace.
The cryptography tool OpenSSL is used for the secure configuration of the Apache Web
Server. You use a build process to generate the tool OpenSSL and the library mod_SSL.so,
both of which you need for the secure communication of the Apache Web server.

For more information on the user permissions given during the TREX installation, see
the TREX installation guide at service.sap.com/instguides → SAP NetWeaver →
Release 04 → Installation → Search and Classification (TREX) 6.1 Installation
Guide.
For more information on the configuration of TREX security, see the SAP Library at
help.sap.com\NW04 SAP NetWeaver Information Integration
Knowledge Management Security Configuration Configuration of the TREX
Security Settings [SAP Library].

2.6 Minimal Installation


Minimal Installation and Required Components
A minimal TREX system consists of one TREX instance (one installation of the server
software). You can use a minimal TREX system as a demo, test, and productive system.
The TREX servers (queue server, index server, preprocessor, and name server) can be used
by one or more applications. When you are installing TREX, you need to know the type of
application and communication protocol. There are the following possibilities:

- The TREX servers are only used by Java applications. In this case, only execute the
  installation steps necessary for an HTTP connection.
- The TREX servers are only used by ABAP applications. In this case, only execute the
  installation steps necessary for an RFC connection.
- The TREX servers are used by Java and ABAP applications. In this case, execute the
  installation steps necessary for an HTTP and RFC connection.
- The documents to be indexed are sent by an ABAP application to TREX. The
  search takes place using a Web application (Java application). In this
  scenario, both an RFC and an HTTP connection are needed.
For more information on a minimal TREX installation, see the TREX installation guide at
service.sap.com/instguides → SAP NetWeaver → Release 04 → Installation →
Search and Classification (TREX) 6.1 Installation Guide.

TREX Test Package


New TREX releases are always tested internally using a predefined test package with a
standard test landscape and with verifiable test data. In particular, the handling of mass data
(mass tests), load restrictions (stress tests), and the performance of TREX are checked. The
test package calls test atoms in the form of Python scripts that test the basic functionality of
TREX and are stored in the directory <TREX_Directory>\python_support.
When you have installed TREX you execute the Python script runInstallationTest.py
that is used to test the basic functions of TREX. This script calls a subset of TREX test atoms
to check the functional correctness of TREX. If the Python script is executed successfully, you
know that TREX has been installed properly, the configuration files contain the necessary
entries, and the TREX servers are running.

TREX Administration Tools


TREX provides various administration tools for administrating the TREX servers. Some of
them can be found in the TREX installation directory
(/usr/sap/trex_<instance_number>: TrexGui.exe, TrexQueueClient.exe)
and others are located in the Python support directory
(\usr\sap\trex_11\python_support: topoView.py, TrexAdminTool.py, etc.).
You can delete these test and administration tools without restricting the TREX functions, but
for supportability reasons we do not recommend that you do so.

SAPinst Tool
The SAPinst tool can also be deleted after the installation. However, this deletes important
information on the installation that could be needed if a terminated TREX installation needs to
be continued.

2.7 Trace and Log Files


With a standard configuration, TREX writes all error messages that arise during routine
operation to trace and alert files. The TREX daemon, the individual TREX servers, and other
TREX components all write their own trace files.
These trace files contain error messages that the index server, name server, preprocessor,
queue server, and Web server return during routine operation. With the standard
configuration, the trace files only contain error messages.

If you set a higher trace level, the entire content of the documents being processed can be
written to the trace files. The SAP Logon ticket might also appear in a trace file
when tracing the TREX preprocessor.
However, these trace files are protected for the following reasons:

- Only administrators have permission to access the TREX trace directories.
- The trace level must be set in the corresponding TREX configuration file.
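Because a raised trace level can leave document content and a logon ticket in the trace files, it helps to scan them before they are retained or handed to support. The scanner below is an added example, not part of TREX; it assumes the ticket appears in a traced HTTP header as the value of the MYSAPSSO2 cookie (the cookie name SAP uses for logon tickets) and that lines without an ERROR marker indicate a trace level above the default, which per the guide writes error messages only. The trace line format and all sample lines are constructed for this example.

```python
"""Scan TREX trace files for logon-ticket residue and loose permissions (added example)."""
import os
import re
import stat
import tempfile

# Logon ticket as it would appear in a traced request header: cookie name plus a
# base64-like value. Assumption: the preprocessor traces request headers verbatim.
TICKET_RE = re.compile(r"(MYSAPSSO2=)([A-Za-z0-9+/=%!_-]+)")

# Constructed trace excerpt; the line format is assumed, not taken from TREX.
SAMPLE_TRACE = """\
[2004-04-29 10:15:01] preprocessor: ERROR cannot reach portal web server
[2004-04-29 10:15:02] preprocessor: DEBUG GET /irj/docs/contract.pdf HTTP/1.1
[2004-04-29 10:15:02] preprocessor: DEBUG Cookie: MYSAPSSO2=AjExQ0JOU0FNUExFLUNPTlNUUlVDVEVE; JSESSIONID=abc123
[2004-04-29 10:15:03] preprocessor: DEBUG document text: Confidential merger terms ...
"""


def find_ticket_lines(text):
    """Return (line_number, line) for every line that carries a logon ticket."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if TICKET_RE.search(line)]


def redact_tickets(text):
    """Replace every ticket value so the trace can be shared without leaking credentials."""
    return TICKET_RE.sub(r"\1<REDACTED>", text)


def non_error_lines(text):
    """Lines that are not error messages: evidence that the trace level is above the default."""
    return [line for line in text.splitlines() if " ERROR " not in line]


def others_can_read(path):
    """True if users outside owner and group can read the trace file (guide: admins only)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo():
    """Run all checks on the constructed sample; returns a summary dict."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "preprocessor.trc")
        with open(path, "w") as fh:
            fh.write(SAMPLE_TRACE)
        os.chmod(path, 0o640)
        restricted = others_can_read(path)
        os.chmod(path, 0o644)          # simulate a permissive default
        permissive = others_can_read(path)
    return {
        "ticket_lines": [n for n, _ in find_ticket_lines(SAMPLE_TRACE)],
        "non_error_line_count": len(non_error_lines(SAMPLE_TRACE)),
        "redacted_has_ticket": "MYSAPSSO2=AjExQ0JO" in redact_tickets(SAMPLE_TRACE),
        "readable_by_others_at_640": restricted,
        "readable_by_others_at_644": permissive,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(redact_tickets(SAMPLE_TRACE))
```

Run find_ticket_lines and non_error_lines over the real trace directory after any tracing session; a hit means the trace level should be lowered again and the affected files redacted or deleted before they leave the administrators' directory.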

2.8 Appendix
Related Security Guides
You can find more information about the security of SAP applications on the SAP Service
Marketplace, using the quick link security. Security guides are available using the quick link
securityguide.

Related Information
For more information about topics related to security, see the links in the table below.
Quick Links to Related Information

Content                                                                          | Quick Link on the SAP Service Marketplace (service.sap.com)
Master guide, installation guides, upgrade guides, and solution management guides | instguides
Related SAP Notes                                                                | notes
Released platforms                                                               | platforms
Network security                                                                 | network, ibc, securityguide
Technical infrastructure                                                         | ti
SAP Solution Manager                                                             | solutionmanager

Checklists
The TREX installation guide contains checklists for the following scenarios:

- TREX installation with HTTP connection
- TREX installation with RFC connection
- TREX installation with HTTP and RFC connections

The TREX installation guide is located at service.sap.com/instguides → SAP
NetWeaver → Release 04 → Installation → Search and Classification (TREX) 6.1 Installation
Guide.
