SAP Content Server Security Guide

Document Version 1.00 – April 29, 2004

SAP NetWeaver ’04 Security Guide


SAP AG, Neurottstraße 16, 69190 Walldorf, Germany. T +49/18 05/34 34 24, F +49/18 05/34 34 20, www.sap.com

© Copyright 2004 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

Documentation in the SAP Service Marketplace

You can find this documentation at the following Internet address: service.sap.com/securityguide


Typographic Conventions

Type Style: Description

Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.

Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon: Meaning

The icons used in this guide mark the following information types: Caution, Example, Note, Recommendation, Syntax.

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.


Contents

SAP Content Server Security Guide
1 Introduction
2 User Administration and Authentication
2.1 User Management
2.2 User Data Synchronization Unix
2.3 User Data Synchronization Windows
3 Communication Channel Security
4 Network Security
5 Data Storage Security
6 Other Security-Relevant Information
7 Trace and Log Files


SAP Content Server Security Guide

1 Introduction

This guide does not replace the standard operations handbook that we recommend customers to use for creating specific productive operations.

About this Guide

The SAP Content Server and the SAP Cache Server were designed for managing large quantities of documents efficiently in diverse locations. These documents usually contain confidential information of considerable value to the company. This guide explains the various security measures needed to protect the documents sufficiently.

For simplicity the security settings are explained using the SAP Content Server. The settings are valid for the cache server just the same and should also be made for the cache server.

Normally, the security procedure and settings for the SAP Content Server are independent of the operating system. Security measures that have different settings for Windows and Unix are described separately.

Why Is Security Necessary?

The data stored in the content server and cache server requires special protection against unauthorized access, modification or deletion. Comprehensive protection can never be guaranteed by one single security feature alone. This data can only be fully protected when several security measures work together at the same time on one specific aspect.

Target Groups

• Technical consultants

• System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. These guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all time frames.


Important SAP Notes

Check regularly which SAP Notes about the security of the application are available.

SAP Note Number: Title

212394: DBM, DBA and Domain User Initial Password

361123: SAP Content Server and Security

433727: Cache Server and Security

586895: SAP Content Server for UNIX (Composite SAP note)

612463: SAP Content Server for Windows (Composite SAP note)


2 User Administration and Authentication

2.1 User Management

User Management Tools

Tool: Detailed Description (Prerequisites)

DBMCLI, SAPDBM-GUI: Command line and interactive administration tools for the SAP database (an SAP DB instance must be installed and used with the SAP Content Server)

Commands of the operating system: Add/Delete/Modify user entries

To operate, the SAP Content Server for UNIX requires the following users and groups:

• Operating system user without administrator privileges. SAP recommends that you create a separate user and home directory for each SAP Content Server, so that separate server instances can be operated. SAP recommends the naming convention <sid>cs or <sid>csc, but you could still use any other name. (See also the Installation Guide.)

If documents are created in file system repositories, the created repository objects, without exception, belong to the user with the user ID under which the content server processes are running.

• The <sid>cs/csc user must be a member of the user group sapsys.

• Additional content server administrators can be created. All administrators must belong to the same group, which must be declared as the administration security group in the content server for UNIX. (See below.)

The SAPDB database for UNIX requires the following system users and groups:

• A database user, so that the content server can log on to an SAP DB instance to access the repositories created there. The default database user is SAPR3 and the default password is SAP. You can define an alternative user and an encrypted password in the relevant configuration parameters on the content server.

• To operate the SAP database other operating system users are required. One is the sapdb user, under which the SAP DB software is installed. Each SAP DB instance also needs its own user to whom all instance-dependent files (devspaces, logspaces, etc.) will later belong. The following name format is used for this: sqd<sid>. All SAP DB users must be members of the sapsys group.

• If they do not already exist, all users and the sapsys group required to operate the SAP Database are generated automatically by the installation program for the SAP DB.


The SAP Content Server for Windows requires the following users for its operation:

• When the operating system is started up, the Microsoft Internet Information Server (MS IIS) is started as the “World Wide Web“ system service. For Windows 2000 the WWW service is started with the user “SYSTEM“. For Windows 2003 the user is “NETWORK SERVICE“. These users are set up in the operating system and cannot be changed.

• Like the Microsoft Internet Information Server, the SAPDB instance for Windows is started as a system service. So a separate user is not required for the SAPDB instance.

SAPDB Database user Windows and UNIX:

• So that the content server can log on to an SAP DB instance to access the repositories created there, the default database user SAPR3 with default password SAP is created during the installation. The default password can be changed in report RSCMSPWS and transferred encrypted to the content server. Report RSCMSPWS does NOT change the password in the database – this step has to be done separately.

Refer to notes 212394 and 661852.

The SAP Content Server is administered at runtime exclusively via URLs. To avoid unauthorized administration, the SAP Content Server has an AdminSecurity function. As soon as AdminSecurity is activated, the content server demands a user/password authentication (basic authentication) for all administration commands.

AdminSecurity features for UNIX:

• Depending on the configuration, the user/password combination sent by the client is checked either against an NIS user database or against the local file /etc/password.

• To prevent users with operating system access from inadvertently executing administration commands, the administrator user must belong to an AdminSecurityGroup.

The AdminSecurityGroup can be freely assigned by the system administrator – it does not have to be the same group as the user group under which the SAP Content Server was installed. Depending on the user/password combination, the group is checked either against the NIS group database or the local file /etc/group.

The profile parameter AuthService determines which user/group data is used for the authentication.

• The configuration parameters AdminSecurityGroup and AuthService are available for UNIX only.

AdminSecurity features for Windows:

• The system uses the user/password combination sent by the client to check whether the file ContentServer.INI can be opened. When the content server is installed, this file, which needs special protection, is assigned to all the users in the “administrators“ group. Local and domain administrators are given the same authorizations. In particular, fully-qualified domain users can be passed to the SAP Content Server for Windows for the authentication check.


Overview of the required users

System | User | Group | Delivered? | Type | Default Password | Detailed Description

UNIX Local/NIS | <sid>cs, <sid>csc | sapsys (recommended) | Must be created by Administrator before Installation | Technical User | No default | Runtime user for the SAP Content Server, SAP Content Server Cache

UNIX Local/NIS | sapdb | sapsys (mandatory) | Yes | Technical User | Asked during installation | Technical user that owns all SAP DB software

UNIX Local/NIS | sqd<sid> | sapsys (mandatory) | Yes | Technical User | Asked during installation | Runtime user for SAPDB instance

UNIX Local/NIS | Administrator (no naming convention) | Member of AdminSecurityGroup (any valid user group) | No | Administrator | No default | See above

Windows Local/Domain | Any | Member of administrators | No | Administrator | No default | See above

SAPDB Instance | SAPR3 | N/A | Yes | DB-User | SAP | See above

SAPDB Instance | control | N/A | Yes | DB-User | control | Database Manager User (DBM user) for monitoring and managing the database system

SAPDB Instance | superdba | N/A | Yes | DB-User | admin | Database Administration User (DBA User); creates new users and is the owner of the system tables

SAPDB Instance | domain | N/A | Yes | DB-User | domain | Domain user; responsible for the maintenance of the system tables


2.2 User Data Synchronization Unix

All the operating system users and groups listed above are normally assigned to one host. It could however arise, depending on demand, that several content server instances on different hosts access the repositories. These repositories do not have to be located on the same host; they may be distributed across several hosts. As well as this, some repositories may be located in the file system and others in one or more database instances.

In cases where operating system users, passwords, and groups have to be synchronized across several hosts, the Network Information Service (NIS) should be used. You must follow the security notes supplied by the respective software providers to set up a secure NIS environment.

To authenticate administration commands, the SAP Content Server can check the received password against an NIS database. The default domain is always used for this. The password is verified against the passwd.byname map and the group.byname map.

2.3 User Data Synchronization Windows

User names and groups are distributed using the Microsoft domain concept. The principles of the domain concept comply with the Network Information Service.

3 Communication Channel Security

Definition

This section is valid both for the Windows and UNIX versions of the SAP Content Server....

• The SAP Content Server is an enhancement of the employed Web server. The entire data transfer between the client and the Web server is processed through HTTP. It is the task of the Web server to provide the secure HTTP (HTTPS) protocol. Refer to the configuration instructions for the Web server. Usually HTTPS requires an appropriate port to be activated on the Web (443). If you want to use HTTPS, this must be set up in the Customizing transaction, OAC0, for the relevant repositories.

• Provided the documents are stored in a database instance, the SAP Content Server uses the ODBC protocol to communicate with the database server.


4 Network Security

This section is valid both for the Windows and UNIX versions of the SAP Content Server.

• You can operate the content server in a different network segment to that of the database. It is important that the Content Storage Host can be reached via an appropriate route. The content server and the database server communicate entirely through the ODBC protocol. The ports 7200/sql30 and 7210/sql6 must be opened on the database server.

• Especially in configurations where you want to access documents from the extranet, special security measures are necessary:

- The content server should be set up in the demilitarized zone (DMZ).

- The content server has exclusive access to local repositories that manage documents held temporarily for accessing from the extranet. These documents should ideally be stored in an SAP DB instance. You should definitely change the password for the database user.

- A further content server located in the Intranet has access to the database repositories in the demilitarized zone through ODBC. This requires that repositories are manually entered in the configuration file of the content server. In particular you must ensure that the content server knows that the password of the database user has been changed.

With this internal content server the documents requested in the extranet can now temporarily be placed in the database instance of the DMZ, simply by copying them into a DMZ repository.

Then the URL required for accessing them can be given to the extranet client. The other way round, the extranet client can check documents into the DMZ repository. Using an appropriate workflow the application can then copy these documents from the DMZ into an internal repository, and even carry out security checks (virus check, etc.) beforehand.

- Only by using the procedure outlined above can you exclude access through the DMZ from the extranet into the intranet. Extranet clients are allowed HTTP access to the content server in the DMZ, but the whole document transfer between the intranet and DMZ is controlled from the intranet. These control mechanisms and the entire workflow effort associated with them are the responsibility of the application and are not contained in the SAP Basis layer KPro.


5 Data Storage Security

• All documents must be stored in repositories. These repositories may be located either in a database instance or in directory hierarchies in the file system.

• When documents are checked in, they are stored in repositories. If an error occurs during a transaction, the database transaction mechanism, rollback, is used. This mechanism is not available if the documents are stored in the file system.

• Document data or fragments are not stored temporarily on the hard disk at any time.

• If documents are stored in the file system, you must follow the conventions of the respective operating systems when assigning access rights: Under UNIX all files are created with the access rights rw, rw, rw (i.e. 666), directories are created with the rights rwx, rwx, rwx (i.e. 777). All other restrictions must be made using the relevant “umask“ reductions. Furthermore, the user with the effective UID, under which the server processes run, becomes the owner of all objects in the repository.

Under Windows all the file system objects inherit the predefined access rights of the repository root directory. This directory must be created manually (in both Windows and UNIX). The current user becomes the owner of the root directory and of all the repositories contained in this directory.

• In addition to the documents and repositories, all the configuration data of the SAP Content Server is stored in a configuration file. The name and path of this file are different for Windows and for Unix.

Under UNIX the file is called cs.conf (or csc.conf for the cache server). After the content server has been installed, the file is located in directory $HOME/conf. You can redefine the name and path of the configuration file in the environment variable CSConfigPath (CSCConfigPath for the cache server), or by setting this variable in the config section of the Web server (provided this is permitted). Variable definitions in the web server configuration take precedence over the environment variables. In every case the access rights for the file cs.conf/csc.conf should be restricted so that only the owner has read and write access and group members have only read access. Other users should not be able to read the configuration files. These access rights (640) are set by the installation program.
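As an added example (not code from the SAP guide), the following POSIX shell functions compute the effective mode that a umask reduction leaves on the server's 666/777 repository objects and audit a configuration file for the 640 mode described above; the demo directory and file it creates are constructed for the demonstration, and the real file is the $HOME/conf/cs.conf (csc.conf) named above.

```shell
#!/bin/sh
# Added example, not part of the SAP guide: shows how the umask the guide
# refers to reduces the server's 666/777 creation modes, and audits a
# configuration file for the 640 mode the guide says the installer sets.
# Paths below are constructed for the demo; on a real host the file is
# $HOME/conf/cs.conf (csc.conf for the cache server).

# Effective creation mode: the umask bits are cleared from the default mode.
# $1 = default mode the server requests (666 for files, 777 for directories)
# $2 = umask in effect for the server processes (e.g. 027)
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Succeed only if the permission bits of $1 are exactly the octal mode $2.
# "find -perm" with a plain octal mode is an exact match and is POSIX, so
# this does not depend on GNU or BSD stat options.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# Audit a cs.conf/csc.conf: owner read/write, group read, nothing for others.
audit_config() {
    mode_is "$1" 640
}

# Constructed demo: mimic the server creating a directory and a document
# under a restrictive umask and confirm the resulting modes (750 and 640).
demo_repository() {
    repo=$(mktemp -d)
    (
        umask 027
        mkdir "$repo/docs"               # requested 777, effective 750
        : > "$repo/docs/document.bin"    # requested 666, effective 640
    )
    mode_is "$repo/docs" 750 && mode_is "$repo/docs/document.bin" 640
}

printf 'file 666 under umask 027 -> %s\n' "$(effective_mode 666 027)"
printf 'dir  777 under umask 027 -> %s\n' "$(effective_mode 777 027)"
```

Run audit_config against the real cs.conf/csc.conf path after installation or after changing CSConfigPath; a non-zero exit means the mode drifted from 640.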

6 Other Security-Relevant Information

• This section is relevant for all operating systems.

• For URL signatures the default setting in the SAP System is “activated“. So that the content server can check the signatures, each SAP System wanting to use repositories must send the public key in the form of a certificate to the content server. Each certificate must be activated separately and the signature check for the relevant repositories must be activated explicitly. These settings can be made in transaction CSADMIN. Here you can also deactivate and delete activated certificates.

• URL signatures are activated and deactivated in the same way for the Windows and UNIX content servers.


7 Trace and Log Files

The SAP Content Server has extensive trace facilities. They are different for Windows and UNIX:

Under UNIX you can extend or restrict the scope of trace reports in the parameter TraceLevel in the configuration file cs.conf (csc.conf). You can find out which trace classes are currently available from the notes in cs.conf (csc.conf). Keep in mind that if you set very low trace levels, the size of the log files will be very large, which could impair the performance of the whole server. The Web server also has a master trace level which must be set in the Web server configuration. The master trace makes the final decision about which messages are recorded in the trace file.

Under Windows there are no restrictions for the scope of the trace. Here all the trace messages are always recorded in the file CS_Trace.txt, provided the profile parameter FullTrace=1 is set.
