Академический Документы
Профессиональный Документы
Культура Документы
Security Guide
SAP Knowledge
Management
Security Guide
Document Version 1.00 April 29, 2004
SAP AG
Neurottstrae 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com
notice.
vary.
any kind, and SAP Group shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP
Group products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any.
Any Java Source Code delivered with this product is only to be used
Institute of Technology.
Typographic Conventions
Type Style
Description
Example Text
Example text
EXAMPLE TEXT
Example text
Example text
<Example
text>
EXAMPLE TEXT
Icons
Icon
Meaning
Caution
Example
Note
Recommendation
Syntax
Contents
Knowledge Management Security Guide........................................5
1 Content Management Security Guide ...............................................5
1.1 Technical System Landscape ............................................................... 6
1.2 User Administration and Authentication.............................................. 7
1.3 Authorizations ........................................................................................ 8
1.4 Communication Channel Security ........................................................ 9
1.5 Data Storage Security .......................................................................... 11
1.6 Minimal Configuration ......................................................................... 12
1.7 Further Security-Relevant Information............................................... 13
1.8 Trace and Log Files.............................................................................. 14
1.9 Appendix............................................................................................... 14
The Knowledge Management security guide is therefore actually divided into two separate
security guides:
Guide
Target Groups
Technical consultants
System administrators
This document is not included as part of the installation guides, configuration guides,
technical operation manuals, or upgrade guides. Such guides are only relevant for a certain
phase of the software life cycle, whereas the security guides provide information that is
relevant for all time frames.
Title
Comment
701097
Contains information on
corrections to the
documentation after it has
been delivered.
599425
Guide
Technology components
such as the SAP Web
Application Server
Master guide
instguides
Technical infrastructure
guide
ti
Delivered?
Yes
Type
service
user
Default
Password
-
Detailed Description
Used for various tasks in
CM.
The service user has
write permissions to
create a personal folder
for every user in the
repository /userhome
and to create
configuration settings at
start up.
ice_service
Yes
service
user
Used to access
documents with the
content exchange
service.
index_service
Yes
service
user
notificator_service
Yes
service
user
subscription_service
Yes
service
user
timebasedpublish_
service
Yes
service
user
collaboration_service
Yes
service
user
Used by CM repository
services such as the
feedback and rating
services.
The service users have various system-wide permissions in CM, including resource
permissions such as reading, writing, and deleting, and removing locks on documents.
Service users are automatically created by the services in the user management of the J2EE
Engine. However, no authentication is possible. For more information, see Service Users
[SAP Library] in the KM administration guide.
Also refer to User Administration and Authentication [SAP NetWeaver Security Guide].
1.3 Authorizations
Roles
The following roles are used in Knowledge Management:
Role
Description
Content Manager
System Administrator
Content Administrator
You can delegate the task areas to other roles. For more information, see Delegated
Administration [SAP Library] in the portal administration guide.
ACLs
In addition to the roles concept, another authorization concept is used - access control lists
(ACLs).
By using repository managers that deal with various types of data storage (file system,
WebDAV server, and so on), CM uniformly manages content located in different repositories.
Initially, everybody has full control access to these contents. If a security manager is activated
for a repository, you can protect the contents of the repository with access control lists
(ACLs).
Permissions (ACLs) are inherited by subordinate folders from superordinate folders.
However, if you change permissions on a subordinate folder, the system creates a separate
ACL for this resource. From now on, changes made to the permissions for the superordinate
folder will no longer be transferred to the subordinate folder for which the system has created
a separate ACL.
Used Technologies
The following technologies are used for communication:
HTTP/HTTPS
WebDAV
ICE
JDBC on OpenSQL
Browser
WebDAV Client
ICE Subscriber
HTTP(S)+
WebDAV
HTTP(S)
HTTP(S)+
ICE
Knowledge Management
Directory with
Configuration
Data
HTTP(S)
CM
JDBC auf
OpenSQL
TRE
X )
HTTP(S
HTTP(S)
Web Repository
HTTP(S)+WebDAV
WebDAV Repository
DBMS with
CM Database
* Operation system-dependent
For example, NetBIOS, NFS
IIOP
Communication
Channel/Log
Transmitted
Data
Comments
CM and DBMS
with CM database
JDBC on OpenSQL
Documents,
metadata
CM and TREX
HTTP or HTTPS
Search
requests,
search results,
index data,
classification
data
CM and directory
with configuration
data on the portal
server
Operation systemdependent.
Configuration
data
CM and
repositories
Depends on the
implementation (see
table below).
Documents,
metadata
ICE subscriber
und ICE provider
(CM)
Documents,
metadata
WebDAV client
and WebDAV
server (CM)
Documents,
metadata
Browser and
portal with
installed KM
HTTP or HTTPS
(HTML)
documents
Communication Technology
Type of Authentication
Web repository
HTTP, HTTPS
WebDAV repository
File-system repository
and CM repository
(DBFS and FSDB
modes)
Operating system-dependent.
Dependent on operating
system and configuration.
WINDOWS - Example:
NetBIOS, TCP/IP
UNIX - Example: NFS
10
IIOP
WINDOWS - Example:
SMB using TCP/IP
IIOP-specific
In the case of Web and WebDAV repositories, the combination of HTTP and
Basic Authentication is seen as unsafe because passwords are to all intents
and purposes transmitted in plaintext. However, the authentication type used
is controlled by the remote server: If a remote server uses Basic
Authentication, the server is not configured to be secure. If this is the case,
use another type of authentication such as Digest Authentication.
See also:
Content Management Configuration [SAP Library]
Repositories and Repository Managers [SAP Library]
Storage Location
Protected by
Permissions at operating
system level.
CM portal content
(worksets and iView
templates)
CM content (folders
and files)
Service data
Permissions at operating
system level, ACLs.
11
If the client PC is also being used by another user, delete the content from the
temporary directories and the browser cache when you have finished your
work.
12
Use
Used for the Local Editing
function.
Comments
If your security policy rules out ActiveX,
you can use a Java applet instead.
For more information, see Online and
Local Editing [SAP Library] in the KM
administration guide.
JavaScript
Java
13
com.sapportals.wcm.repository.security.SecurityAudit$Log.
severity = DEBUG
For more information on logging, see KM Log [SAP Library] in the KM administration guide.
1.9 Appendix
Related Security Guides
You can find more information about the security of SAP NetWeaverTM under Security [SAP
Library].
Related Information
For more information about topics related to security, see the links in the table below.
Quick Links to Related Information
Content
instguides
notes
Network security
network
securityguide
Technical infrastructure
ti
solutionmanager
14
Guide
Content Management
Target Groups
Technical consultants
System administrators
This document is not included as part of the installation guides, configuration guides,
technical operation manuals, or upgrade guides. Such guides are only relevant for a certain
phase of the software life cycle, whereas the security guides provide information that is
relevant for all time frames.
15
Title
583396
620169
656042
701097
701701
Comment
Contains information on
corrections to the
documentation after it
has been delivered.
16
Queue server
Preprocessor
Name server
HTTP/HTTP S
Java Client
ABAP Client
HTTP/HTTP S
RFC/SNC
SAP-Gateway
TCP/IP
Web Server
TREX extension
RFC-Server
TCP/IP
Queue Server
TCP/IP
Index Server
Name
Server
TREX engines
TCP/IP
TCP/IP
Queues
Indexes
TRE X
components
TRE X
data storages
Preprocessor
Other
components
TREX is based on a client/server architecture. The client software is integrated into the
application that uses the TREX functions, and allows access to the TREX servers. The TREX
servers execute the requests of the clients: They index and classify documents and respond
to search queries.
TREX offers an ABAP and a Java client. This allows ABAP and Java applications to use
TREX functions. ABAP and Java applications communicate with the TREX servers using
different protocols and components.
ABAP applications communicate with TREX servers using the RFC protocol. This
communication takes place using an SAP gateway and an RFC server.
Java applications communicate with TREX using the HTTP or HTTPS protocol. This
communication takes place using a Web server that is enhanced with TREX-specific
functions.
RFC and Web servers have similar functions: They receive the requests of the application,
convert them to a TREX-internal format, and send them on to the responsible TREX server.
The table below tells you where you can find more information about the technical system
landscape.
17
Guide/Tool
Authorizations
The clients that access the TREX servers identify and authorize themselves with the TREX
server in question using client certification (TREX Java Client TREX Web Server / Portal
Web Server TREX Preprocessor). The TREX preprocessor identifies itself to the portal Web
server using the SAP Logon ticket. As a TREX server only allows access to an authenticated
client, granular configuration of the secure access of the individual clients to the TREX
servers is possible.
18
HTTP/HTTPS
TCP/IP (TREXNet)
RFC/SNC
SSL
HTTP/HTTP S
Java Client
ABAP Client
HTTP/HTTP S
RFC/SNC
SAP Gateway
TCP/IP
Web Server
TREX extension
RFC-Server
TCP/IP
Queue Server
TCP/IP
Index Server
Name
Server
TREX engines
TCP/IP
TCP/IP
Queues
Indexes
TRE X
components
TRE X
data storages
Preprocessor
Other
components
Communication between the TREX Java client and the TREX Web server, and between the
Portal Web server and the TREX preprocessor, takes place using HTTP/HTTPS. All other
communication between the TREX components (name, index, queue, and Web server) takes
place using a TREX-specific protocol (TREXNet) that is based on TCP/IP.
Communication Channels of TREX Components
TREX Component
Communication Technology
Type of Authentication
Java client
HTTP/HTTPS
Client certification
ABAP client
RFC/SNC
HTTP/HTTPS
Preprocessor
Client certification
Client certification
TCP/IP (TREXNet)
Queue server
TCP/IP (TREXNet)
Index server
TCP/IP (TREXNet)
Data Storage
The data that the TREX queue server (queues) and the TREX index server and its search
engines (search index, text-mining index, and attribute-engine index) access are not stored in
a database. They are stored on the file system in special directories.
19
Data Transfer
The communication between the TREX preprocessor and the portal Web server is used to
call up and transmit document content from the repositories of the application using TREX
(for instance, SAP Enterprise Portal). The TREX Java client is used to transmit search
requests and commands (for instance, create a link) from the application to the TREX index
server. The Java client also transmits the search results, responses to commands, and
document content. This takes place in a similar way to the communication of an R/3
application with TREX using the TREX ABAP client and RFC. The data (search requests,
search results, document content, and commands) is protected by securing the
communication channels and the certification of communication partners.
Network Security
The TREX servers, components, and indexes can be distributed among various network
segments using a scaling and load-balancing concept.
Note that no validated scaling concept is available for TREX 6.1 SP1.
When the TREX installation takes place, using SAPinst, the ports for the TREX servers are
calculated as follows on the basis of the selected number for the TREX instance being
installed:
30000 + 100 * <instance_number> + <current_number>
The method of calculation ensures that the ports do not clash with another TREX instance on
the same host. The ports can be configured individually.
If you chose the instance number 48, the ports will be as follows:
Preprocessor 34802
Communication Destinations
When the TREX installation takes place, you create one or more RFC destinations of the
connection type T so that the application can communicate with TREX. You choose the
activation type Start or Activation when you create the RFC destination. The activation type
determines how the SAP Gateway communicates with the RFC server.
In addition to the RFC connection, TREX uses HTTP/HTTPS for the communication between
TREX components and the application using TREX. The ports used for this are described
under Networks Security.
20
On UNIX: /usr/sap/trex_<instance_number>
On Windows: <disk_drive>:\usr\sap\trex_<instance_number>
The queues and indexes are then stored in the subdirectories /index and /queue. The
paths to the directories are determined by SAP_RETRIEVAL_PATH when TREX is installed. In
the case of a distributed scenario, the system itself is responsible for the distributed storage
of the data for the queues and indexes (not the case for TREX 6.1 SP1). The data is not
stored temporarily anywhere else.
Level of Protection
The TREX installation is created by a root user that specifies a TREX user during the
installation. This TREX user has read and write access for the directories that are created.
You need a separate UNIX or Windows user for every TREX instance that you install. You
specify this user later on during the TREX installation. SAPinst makes sure that the user is
owner of all files and directories that belong to the TREX instance. On UNIX, the user cannot
have root permissions, and on Windows, it must have administration permissions. This
means that customers can decide at file-system level on who and how the data used by
TREX is accessed.
The TREX setup program creates the Web site SAP_TREX_<instance_number> on the Web
server. This causes an anonymous user for access to the Web site to be defined. This
anonymous user is called IUSR_<host_name> by default. The anonymous user needs to
have Full Control permission for the TREX directory.
You can ensure this in the following ways:
Variant 1: You determine the anonymous user entered in the properties for the Web
site SAP_TREX_<instance_number>. You give this user Full Control access to the
TREX directory and to all contained files and sub-directories.
Variant 2: You change the anonymous user in the properties for the Web site
SAP_TREX_<instance_number>. Instead of using the default setting
IUSR_<host_name>, you enter a local user that has Full Control access for the TREX
directory.
For more information on the user permissions given during the TREX installation, see the
TREX installation guide at service.sap.com/instguides SAP NetWeaver
Release 04 Installation Search and Classification (TREX) 6.1 Installation Guide.
21
Comments
External
External
SAPinst
SAP internal
SAP Gateway
SAP internal
The Microsoft Internet Information Server (IIS) and the Apache Web-Server, which
communicate on Windows and UNIX with the CM Java client as TREX Web servers, both
have their own validated security concepts that are referred to in the configuration of TREX
security.
During the SAPinst TREX installation, the required permissions are given for the Microsoft
Internet Information Server (IIS) (see Data Storage Security [Page 20] Level of
Protection). You can use the cryptography tool SAPGENPSE to configure secure
communication between the TREX preprocessor and the portal Web server, and between the
TREX Web server and the TREX name server. You obtain the cryptography tool
SAPGENPSE as part of the SAP Cryptographic Library from the SAP Service Marketplace.
The cryptography tool OpenSSL is used for the secure configuration of the Apache Web
Server. You use a build process to generate the tool OpenSSL and the library mod_SSL.so,
both of which you need for the secure communication of the Apache Web server.
For more information on the user permissions given during the TREX installation, see
the TREX installation guide at service.sap.com/instguides SAP NetWeaver
Release 04 Installation Search and Classification (TREX) 6.1 Installation
Guide.
For more information on the configuration of TREX security, see the SAP Library at
22
The TREX servers are only used by Java applications. In this case, only execute the
installation steps necessary for an HTTP connection.
The TREX servers are only used by ABAP applications. In this case, only execute the
installation steps necessary for an RFC connection.
The TREX servers are used by Java and ABAP applications. In this case, execute the
installation steps necessary for an HTTP and RFC connection.
SAPinst Tool
The SAPinst tool can also be deleted after the installation. However, this deletes important
information on the installation that could be needed if a terminated TREX installation needs to
be continued.
23
The trace level must be set in the corresponding TREX configuration file.
2.8 Appendix
Related Security Guides
You can find more information about the security of SAP applications on the SAP Service
Marketplace, using the quick link security. Security guides are available using the quick link
securityguide.
Related Information
For more information about topics related to security, see the links in the table below.
Quick Links to Related Information
Content
instguides
notes
Released platforms
platforms
Network security
network
ibc
securityguide
Technical infrastructure
ti
solutionmanager
Checklists
The TREX installation guide contains checklists for the following scenarios:
24