8/10/2019 SAPNetWeaver04 SecGuide KM
1/24
SAP Knowledge Management Security Guide
Document Version 1.00, April 29, 2004
SAP NetWeaver 04 Security Guide
SAP AG
Neurottstraße 16, 69190 Walldorf, Germany
T +49/18 05/34 34 24, F +49/18 05/34 34 20, www.sap.com
Copyright 2004 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and
other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG
in Germany and in several other countries all over the world. All other
product and service names mentioned are the trademarks of their
respective companies. Data contained in this document serves
informational purposes only. National product specifications may
vary.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered
trademarks of Microsoft Corporation.
These materials are subject to change without notice. These materials
are provided by SAP AG and its affiliated companies ("SAP Group")
for informational purposes only, without representation or warranty of
any kind, and SAP Group shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP
Group products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any.
Nothing herein should be construed as constituting an additional
warranty.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex,
MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries,
xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity,
Tivoli, and Informix are trademarks or registered trademarks of IBM
Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
Open Group.
Disclaimer
Some components of this product are based on Java. Any code
change in these components may cause unpredictable and severe
malfunctions and is therefore expressively prohibited, as is any
decompilation of these components.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered
trademarks of W3C, World Wide Web Consortium, Massachusetts
Institute of Technology.
Any Java Source Code delivered with this product is only to be used
by SAP's Support Services and may not be modified or altered in any way.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used
under license for technology invented and implemented by Netscape.
Documentation in the SAP Service Marketplace
You can find this documentation at the following Internet address: service.sap.com/securityguide
MaxDB is a trademark of MySQL AB, Sweden.
Typographic Conventions

Type Style | Description
Example Text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon | Meaning
(icon) | Caution
(icon) | Example
(icon) | Note
(icon) | Recommendation
(icon) | Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help -> General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Knowledge Management Security Guide
4 Apr il 29, 2004
Contents

Knowledge Management Security Guide ... 5
1 Content Management Security Guide ... 5
1.1 Technical System Landscape ... 6
1.2 User Administration and Authentication ... 7
1.3 Authorizations ... 8
1.4 Communication Channel Security ... 9
1.5 Data Storage Security ... 11
1.6 Minimal Configuration ... 12
1.7 Further Security-Relevant Information ... 13
1.8 Trace and Log Files ... 14
1.9 Appendix ... 14
2 Search and Classification (TREX) Security Guide ... 15
2.1 Technical System Landscape ... 16
2.2 User Management and Authentication ... 18
2.3 Network and Communication Security ... 18
2.4 Data Storage Security ... 21
2.5 Security for Additional Applications ... 22
2.6 Minimal Installation ... 22
2.7 Trace and Log Files ... 23
2.8 Appendix ... 24
Knowledge Management Security Guide

About this Guide
Knowledge Management comprises the following subcomponents:
- Content Management (CM)
- Search and Classification (TREX)
The Knowledge Management security guide is therefore divided into two separate security guides:
- Content Management Security Guide [Page 5]
- Search and Classification (TREX) Security Guide [Page 14]
1 Content Management Security Guide
This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.
About this Guide
This guide describes security-relevant topics that affect the technical component Content Management of the Knowledge Management platform.
As a component of SAP NetWeaver™, the Knowledge Management Platform relies on the components SAP Enterprise Portal and the J2EE Engine of the SAP Web Application Server. The table below contains links to the security guides for these components.

Related Security Guides
Application | Guide | Most Relevant Sections or Specific Restrictions
SAP Web Application Server | SAP Web Application Server Security Guide | SAP Web AS Security Guide for J2EE Technology
SAP Enterprise Portal | Portal Platform Security Guide |

Why is security necessary?
The Content Management security measures described here prevent illegal access to documents and settings and prevent them from being manipulated illegally.
Target Groups
- Technical consultants
- System administrators
This document is not included as part of the installation guides, configuration guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all time frames.

Important SAP Notes
Check regularly to see what SAP Notes are available about the security of the application.

SAP Note Number | Title | Comment
701097 | SAP NetWeaver '04 Documentation | Contains information on corrections to the documentation after it has been delivered.
599425 | EP6: Permissions for Knowledge Management | After the installation you have to restrict permissions for accessing folders and documents.
1.1 Technical System Landscape
The table below tells you where you can find more information about the technical system landscape.

More Information About the Technical System Landscape
Topic | Guide | Quick Link to the SAP Service Marketplace (service.sap.com)
Technology components such as the SAP Web Application Server | Master guide | instguides
Technical configuration, high availability | Technical infrastructure guide | ti
1.2 User Administration and Authentication
User Management
Knowledge Management, like the portal, uses the user management of the J2EE Engine, since it doesn't have its own user management.
The following service users are used internally by Content Management:

User | Delivered? | Type | Default Password | Detailed Description
cmadmin_service | Yes | service user | - | Used for various tasks in CM. The service user has write permissions to create a personal folder for every user in the repository /userhome and to create configuration settings at start-up.
ice_service | Yes | service user | - | Used to access documents with the content exchange service.
index_service | Yes | service user | - | Used for crawling and indexing documents with the index management service.
notificator_service | Yes | service user | - | Used by the inbox and notification services.
subscription_service | Yes | service user | - | Used by the subscription service.
timebasedpublish_service | Yes | service user | - | Used by the time-dependent publishing service.
collaboration_service | Yes | service user | - | Used by CM repository services such as the feedback and rating services.

The service users have various system-wide permissions in CM, including resource permissions such as reading, writing, and deleting, and removing locks on documents. Service users are automatically created by the services in the user management of the J2EE Engine. However, no authentication is possible. For more information, see Service Users [SAP Library] in the KM administration guide.
Also refer to User Administration and Authentication [SAP NetWeaver Security Guide].
1.3 Authorizations
Roles
The following roles are used in Knowledge Management:

Role | Description
Content Manager | The Content Manager role enables the structuring and managing of content of the KM platform. This role must be assigned to relevant users after the installation. For more information, see Assigning the Content Manager Role [SAP Library] in the KM administration guide.
System Administrator | The SAP Enterprise Portal role now contains KM-specific administration functions. A system administrator carries out the configuration of the KM platform (see System Administration [SAP Library] in the KM administration guide).
Content Administrator | The Content Administrator role of SAP Enterprise Portal now contains KM-specific content administration functions. It allows direct access to all folders and documents that are stored in internal or external repositories of the KM platform (see the Content Management guide [SAP Library] in the KM documentation set).

You can delegate the task areas to other roles. For more information, see Delegated Administration [SAP Library] in the portal administration guide.

ACLs
In addition to the roles concept, another authorization concept is used: access control lists (ACLs).
By using repository managers that deal with various types of data storage (file system, WebDAV server, and so on), CM uniformly manages content located in different repositories. Initially, everybody has full control access to these contents. If a security manager is activated for a repository, you can protect the contents of the repository with access control lists (ACLs).
Permissions (ACLs) are inherited by subordinate folders from superordinate folders. However, if you change permissions on a subordinate folder, the system creates a separate ACL for this resource. From then on, changes made to the permissions for the superordinate folder are no longer transferred to the subordinate folder for which the system has created a separate ACL.
You should restrict access permissions on the root nodes of security-relevant repositories immediately after the installation in order to prevent documents being read illegally by users hacking or guessing document URLs. Change the ACLs for subordinate folders if the permissions for these folders are different.
See also:
Permissions [SAP Library]
Security Managers [SAP Library]
ACL Security Manager [SAP Library]
Service ACL Service [SAP Library]
1.4 Communication Channel Security
Various channels of communication and technologies are used between subcomponents and data sources of the Knowledge Management Platform.

Used Technologies
The following technologies are used for communication:
- HTTP/HTTPS
- WebDAV
- ICE
- JDBC on OpenSQL
- Operating system-dependent technologies

[Figure: Communication channels of Knowledge Management. Clients: browser (HTTP(S)), WebDAV client (HTTP(S)+WebDAV), ICE subscriber (HTTP(S)+ICE). Knowledge Management/CM runs on the SAP J2EE Engine (Portal Server) and communicates with TREX (HTTP(S)), the DBMS with CM database (JDBC on OpenSQL), the Web repository (HTTP(S)), the WebDAV repository (HTTP(S)+WebDAV), the Lotus Notes repository (IIOP), and the file system repository and directory with configuration data (operating system-dependent, for example NetBIOS, NFS).]
Components and Communication Channels

Communication Between | Communication Channel/Protocol | Transmitted Data | Comments
CM and DBMS with CM database | JDBC on OpenSQL | Documents, metadata | You can use database management systems such as ORACLE and MICROSOFT.
CM and TREX | HTTP or HTTPS | Search requests, search results, index data, classification data |
CM and directory with configuration data on the portal server | Operating system-dependent. WINDOWS, example: NetBIOS. UNIX, example: NFS. | Configuration data | In the case of cluster installations of CM, the directory with the configuration data is made available on the database server.
CM and repositories | Depends on the implementation (see table below). | Documents, metadata |
ICE subscriber and ICE provider (CM) | ICE using HTTP or HTTPS. | Documents, metadata | Used for exchanging content packages.
WebDAV client and WebDAV server (CM) | HTTP or HTTPS with WebDAV extension. | Documents, metadata |
Browser and portal with installed KM | HTTP or HTTPS | (HTML) documents |
Technologies for Repositories

External Repositories | Communication Technology | Type of Authentication
Web repository | HTTP, HTTPS | HTTP Basic Authentication, HTTP Digest Authentication
WebDAV repository | HTTP, HTTPS with WebDAV extension | HTTP Basic Authentication, HTTP Digest Authentication
File-system repository and CM repository (DBFS and FSDB modes) | Operating system-dependent. WINDOWS, example: NetBIOS, TCP/IP. UNIX, example: NFS. | Dependent on operating system and configuration. WINDOWS, example: SMB using TCP/IP.
Lotus Notes repository | IIOP | IIOP-specific
In the case of Web and WebDAV repositories, the combination of HTTP and Basic Authentication is seen as unsafe because passwords are to all intents and purposes transmitted in plaintext. However, the authentication type used is controlled by the remote server: if a remote server uses Basic Authentication, the server is not configured to be secure. If this is the case, use another type of authentication such as Digest Authentication.
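Because the remote server, not KM, decides the authentication type, the practical check is to look at the WWW-Authenticate challenge the repository server returns and flag Basic offered over plain HTTP. The following is an added example, not KM or SAP code: it parses the scheme names out of a challenge header (handling commas inside quoted values such as qop="auth,auth-int") and applies the guide's rule. The URLs and challenge strings are constructed sample data standing in for the header of a real 401 response.

```python
"""Classify the HTTP authentication a Web/WebDAV repository server offers.

Added example, not KM code. SAMPLE_CHALLENGES is constructed data: each entry
pairs a repository URL with the WWW-Authenticate header its server would send.
"""
import re
from typing import Dict, List


def challenge_schemes(www_authenticate: str) -> List[str]:
    """Return the authentication scheme names in a WWW-Authenticate header.

    Quoted values are blanked first so commas inside them (qop="auth,auth-int")
    do not split a challenge. After splitting on commas, a piece whose first
    word is not a key=value pair starts a new challenge and names its scheme.
    """
    blanked = re.sub(r'"[^"]*"', '""', www_authenticate)
    schemes: List[str] = []
    for piece in blanked.split(","):
        words = piece.split()
        if words and "=" not in words[0]:
            schemes.append(words[0])
    return schemes


def assess_repository(url: str, www_authenticate: str) -> str:
    """Apply the guide's rule: Basic over plain HTTP exposes the password."""
    schemes = {s.lower() for s in challenge_schemes(www_authenticate)}
    over_tls = url.lower().startswith("https://")
    if not schemes:
        return "no-challenge"
    if over_tls:
        return "ok"  # credentials travel inside the TLS channel
    if "basic" in schemes:
        # Digest offered beside Basic only helps if the client actually selects it.
        return "prefer-digest" if "digest" in schemes else "unsafe"
    if "digest" in schemes:
        return "ok"
    return "review"  # some other scheme over plain HTTP: judge it on its own terms


# Constructed sample data (hostnames use the reserved .invalid TLD).
SAMPLE_CHALLENGES: Dict[str, str] = {
    "http://webdav.example.invalid/docs/": 'Basic realm="KM repository"',
    "http://web.example.invalid/": 'Digest realm="KM repository", qop="auth,auth-int", nonce="n1"',
    "https://webdav.example.invalid/docs/": 'Basic realm="KM repository"',
    "http://mixed.example.invalid/": 'Basic realm="x", Digest realm="x", qop="auth"',
    "http://other.example.invalid/": "Negotiate",
}


def assess_all() -> Dict[str, str]:
    """Verdict per sample repository; 'unsafe' entries need Digest or HTTPS."""
    return {url: assess_repository(url, hdr) for url, hdr in SAMPLE_CHALLENGES.items()}


if __name__ == "__main__":
    for url, verdict in assess_all().items():
        print(f"{verdict:14} {url}")
```

In a real check the header comes from the repository server's 401 response; the verdict "prefer-digest" means the server is acceptable only if the KM repository manager is configured to authenticate with Digest rather than Basic.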
See also:
Content Management Configuration [SAP Library]
Repositories and Repository Managers [SAP Library]
1.5 Data Storage Security
Data in CM
Various types of data are used in Content Management. They are stored in different places.

Data in Content Management
Type of Data | Storage Location | Protected by
Configuration data | Folder hierarchies in the file system of the portal server (see Content Management Configuration [SAP Library]) | Permissions at operating system level. Access to the portal is controlled by the role concept.
CM portal content (worksets and iView templates) | Portal catalog (database) | Security concepts of the portal (roles), security concepts of DBMS.
CM content (folders and files) | Internal repositories [SAP Library] (such as /documents), file system repository /etc | Security concepts of the portal (roles), security concepts of DBMS, permissions at operating system level.
Service data | Database, directory with configuration data in the file system. | Security concepts of the DBMS, permissions at operating system level.
Customer and system-external content (folders and files) | External repositories [SAP Library] | Security concepts of the remote server, ACLs, permissions.
Customer and system-external content (folders and files) | Internal repositories (database, file system) | Permissions at operating system level, ACLs.
Temporary Data on the Client PC
Note that CM-specific Internet files are stored on the client PC when the portal is called.
When you use the function Edit Locally, the content of the document in question is stored in a temporary directory on the client PC. When you upload the document to KM, it is deleted from the client PC when the program used to edit it is terminated. If you do not terminate the program, or if the document is locked, it is not deleted from the client PC.
If the client PC is also being used by another user, delete the content from the temporary directories and the browser cache when you have finished your work.

1.6 Minimal Configuration
Functionality Restrictions
Depending on the users of your system, you may want to restrict functionality as well as access permissions.

Deactivating Repository Services
By default, the CM repository documents is delivered for storing documents and metadata. For a minimal configuration, you deactivate the repository services that you do not need (for example, the discussion service for creating discussions) in the configuration of this repository manager. If you integrate your own repositories, you should also reduce the number of repository services to a minimum. However, you should not change the configuration of repository managers that are used system-internally.
For more information, see Repositories and Repository Managers [SAP Library] and Repository Services [SAP Library] in the administration guide.

Deactivating Interface Commands
The flexible user interface of the KM platform provides you with interface commands for carrying out operations. For a minimal configuration, you should deactivate interface commands that cause changes, including commands for checking objects in (Upload, Create New Text File, Create New HTML File), commands for editing objects (Edit Locally, Edit Online) and commands for deleting objects.
For more information, see User Interface Commands [SAP Library] in the administration guide.
1.7 Further Security-Relevant Information
Active Code
Various types of active code are used in the KM platform. This is executed on the client host in the Web browser.

Active Code | Use | Comments
ActiveX | Used for the Local Editing function. | If your security policy rules out ActiveX, you can use a Java applet instead. For more information, see Online and Local Editing [SAP Library] in the KM administration guide.
JavaScript | Used by the HTMLB software component (for example, for client-side check of entries and for generating popup menus). | JavaScript is also used extensively for the component SAP Enterprise Portal.
Java | Java applets are used for Local Editing and for the XML Forms Builder application. | If your security policy rules out Java applets, you cannot use the XML Forms Builder. The Local Editing function can also be used with ActiveX.

Anonymous Users and Creation of Documents
Content Management allows users to create documents in the portal. Typical examples of features in which users can create documents are functions for uploading documents, editing documents online, providing feedback, joining in discussions, or writing reviews. By default, users create these documents using an HTML editor. In portals that allow anonymous users to access the portal from the Internet, we strongly recommend that anonymous users not be allowed to create documents in HTML, as they may abuse this privilege.
For this reason, we recommend that you prevent anonymous users from creating documents by granting them read permissions only on all documents and folders. In the flexible user interface, layout sets for anonymous users should not contain any menu entries for actions that involve creating documents. Additionally, it is possible to configure discussions, reviews, and feedback to use a text editor instead of an HTML editor. We recommend that you make this setting. You can do this by setting an indicator in the relevant service.
For more information on how to set this indicator in the discussion service, see Collaboration Services [SAP Library] in the KM administration guide. Use the same procedure for comments and feedback.
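Two recommendations in this guide turn on the same ACL behaviour: section 1.3 says that permissions are inherited from superordinate folders until a subordinate folder's permissions are changed, at which point that folder gets a separate ACL that no longer follows the parent, and this section says anonymous users should hold read permission only on all folders and documents. The following is an added example, not KM code: a small model of that inheritance rule plus an audit that walks the folders and reports any folder where a given principal holds more than an allowed set of permissions. Folder paths, principal names and the permission vocabulary are constructed for the example; the KM permission names and its security-manager API are not reproduced here.

```python
"""Model of KM-style ACL inheritance, with an audit over the effective ACLs.

Added example, not KM code. Folder names, principals ("Everyone", "Anonymous",
"HR-Staff") and the permission names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

Perms = Set[str]
Acl = Dict[str, Perms]

# Stands in for "full control": the state every root node starts in.
FULL_CONTROL: Perms = {"read", "write", "delete", "unlock"}


@dataclass
class Folder:
    path: str
    parent: Optional["Folder"] = None
    own_acl: Optional[Acl] = None  # None means: inherits from the superordinate folder

    def effective_acl(self) -> Acl:
        """Walk upwards until a folder that carries its own ACL is found."""
        node = self
        while node.own_acl is None:
            assert node.parent is not None, "the root folder must carry an ACL"
            node = node.parent
        return node.own_acl

    def set_permissions(self, principal: str, perms: Perms) -> None:
        """Change one entry; an empty set removes the principal from the ACL.

        The first change on an inheriting folder copies the inherited ACL into a
        separate one, so later changes on superordinate folders no longer reach it.
        """
        if self.own_acl is None:
            self.own_acl = {p: set(v) for p, v in self.effective_acl().items()}
        if perms:
            self.own_acl[principal] = set(perms)
        else:
            self.own_acl.pop(principal, None)


def new_repository(root_path: str) -> Folder:
    """Root node as delivered: everybody has full control until it is restricted."""
    return Folder(root_path, own_acl={"Everyone": set(FULL_CONTROL)})


def add_folder(parent: Folder, name: str) -> Folder:
    return Folder(f"{parent.path.rstrip('/')}/{name}", parent=parent)


def audit_principal(folders: List[Folder], principal: str, allowed: Perms) -> List[str]:
    """Paths where `principal` effectively holds permissions beyond `allowed`."""
    return [f.path for f in folders
            if f.effective_acl().get(principal, set()) - allowed]


def demo() -> dict:
    root = new_repository("/documents")
    public = add_folder(root, "public")
    hr = add_folder(root, "hr")
    folders = [root, public, hr]

    # As installed: full control is inherited everywhere.
    before = audit_principal(folders, "Everyone", {"read"})

    # Restrict the root node right after installation (section 1.3).
    root.set_permissions("Everyone", {"read"})
    root.set_permissions("Anonymous", {"read"})

    # hr needs different permissions; this creates a separate ACL for hr.
    hr.set_permissions("Everyone", set())
    hr.set_permissions("Anonymous", set())
    hr.set_permissions("HR-Staff", {"read", "write"})

    # A later change at the root is no longer transferred to hr, but public still inherits it.
    root.set_permissions("Everyone", {"read", "write"})

    return {
        "before": before,
        "hr_everyone": sorted(hr.effective_acl().get("Everyone", set())),
        "public_everyone": sorted(public.effective_acl().get("Everyone", set())),
        "anonymous_beyond_read": audit_principal(folders, "Anonymous", {"read"}),
        "everyone_beyond_read": audit_principal(folders, "Everyone", {"read"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last audit line is the one worth running regularly: the root was loosened after hr got its own ACL, so hr stays closed while /documents and /documents/public silently pick up write access for Everyone.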
1.8 Trace and Log Files
The system writes log information of the Knowledge Management Platform to the file knowledgemanagement.*.log (* is a value between 0 and 9).
You activate audit logging for ACLs by including the audit logging class com.sapportals.wcm.repository.security.SecurityAudit$Log in the configuration file logging.properties and setting the required level of detail.
com.sapportals.wcm.repository.security.SecurityAudit$Log.severity = DEBUG
For more information on logging, see KM Log [SAP Library] in the KM administration guide.
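A configuration line that is present but set to a coarser severity, or that has been commented out, silently switches the ACL audit trail off, so it is worth verifying the file rather than assuming it. The following is an added example, not SAP code: a minimal Java .properties reader (comments, "=" or ":" separators, backslash line continuations) and a check that the audit class key from this section is configured at DEBUG or more detailed. The properties texts are constructed; only the key and the DEBUG value come from the guide, and the ordering of severities is an assumption about the SAP logging API, which the guide does not spell out.

```python
"""Verify that KM ACL audit logging is switched on in a logging.properties file.

Added example, not SAP code. The sample property files are constructed; the
audit key and the DEBUG value are the ones the guide gives.
"""
import re
from typing import Dict, Tuple

AUDIT_KEY = "com.sapportals.wcm.repository.security.SecurityAudit$Log.severity"

# Assumed ordering of SAP logging severities, most detailed first.
SEVERITY_ORDER = ["DEBUG", "PATH", "INFO", "WARNING", "ERROR", "FATAL"]

_KEY_VALUE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    and backslash line continuations. '$' in keys needs no special handling."""
    props: Dict[str, str] = {}
    pending = ""  # accumulated logical line while continuations are open
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        line = pending + line
        pending = ""
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        match = _KEY_VALUE.match(line)
        if not match:
            raise ValueError(f"cannot parse property line: {line!r}")
        props[match.group(1)] = match.group(2).strip()
    return props


def audit_logging_status(props: Dict[str, str], required: str = "DEBUG") -> Tuple[bool, str]:
    """True if the audit class is configured at `required` detail or finer."""
    value = props.get(AUDIT_KEY)
    if value is None:
        return False, "audit logging class is not configured"
    level = value.upper()
    if level not in SEVERITY_ORDER:
        return False, f"unknown severity {value!r}"
    if SEVERITY_ORDER.index(level) > SEVERITY_ORDER.index(required.upper()):
        return False, f"severity {level} is coarser than the required {required.upper()}"
    return True, f"audit logging active at {level}"


# Constructed excerpts of a logging.properties file.
SAMPLES: Dict[str, str] = {
    "enabled": "# constructed excerpt\nsome.other.component.severity = ERROR\n"
               f"{AUDIT_KEY} = DEBUG\n",
    "too_coarse": f"{AUDIT_KEY} = ERROR\n",
    "missing": "some.other.component.severity = ERROR\n",
    "commented_out": f"# {AUDIT_KEY} = DEBUG\n",
    "continued": f"{AUDIT_KEY} = \\\n    DEBUG\n",
}


def check_samples() -> Dict[str, bool]:
    """Name -> whether ACL audit logging is active in that sample file."""
    return {name: audit_logging_status(parse_properties(text))[0]
            for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_logging_status(parse_properties(text)))
```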
1.9 Appendix
Related Security Guides
You can find more information about the security of SAP NetWeaver™ under Security [SAP Library].

Related Information
For more information about topics related to security, see the links in the table below.

Quick Links to Related Information
Content | Quick Link on the SAP Service Marketplace (service.sap.com)
Master guide, installation guides, and upgrade guides | instguides
Related SAP Notes | notes
Network security | network, securityguide
Technical infrastructure | ti
SAP Solution Manager | solutionmanager
2 Search and Classification (TREX) Security Guide
This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.

About this Guide
This guide describes security-relevant topics that affect the technical component Search and Classification of the Knowledge Management (KM) Platform. KM is a component of SAP NetWeaver. It is used for managing unstructured information.

Related Security Guides
Application | Guide
SAP Web Application Server 6.40 | SAP Web Application Server Security Guide
SAP Enterprise Portal 6.0 | Portal Platform Security Guide
Content Management | Content Management Security Guide [Page 5]

Why is Security Necessary?
Search and Classification (TREX) enables you to configure secure communication between TREX and the applications that use TREX (for example, SAP Enterprise Portal and SAP Customer Relationship Management). The Secure Sockets Layer protocol (SSL protocol) with client authentication is used for secure communication between TREX components (preprocessor and Web server) and other applications that access TREX using the TREX Java client and the TREX ABAP client.
TREX is a search and classification engine that is used to search in structured and unstructured data and documents. When documents are indexed and document content is searched by TREX, content containing personal or confidential information is also transmitted. The TREX security aspects prevent illegal access to, and manipulation of, documents and settings, and serve to ensure that data protection regulations are met.

Target Groups
- Technical consultants
- System administrators
This document is not included as part of the installation guides, configuration guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all time frames.
Important SAP Notes
Check regularly to see what SAP Notes are available about the security of the application.

SAP Note Number | Title | Comment
583396 | TREX 6.0/6.1: Preprocessing fails with return code 6403 |
620169 | TREX 6.0/6.1: Cryptographic Software for Apache Web Server |
656042 | TREX 6.0/6.1: TREX Web Page not accessible after update |
701097 | SAP NetWeaver '04 Documentation | Contains information on corrections to the documentation after it has been delivered.
701701 | TREX 6.1: Providing Certificates for TREX Java Client |

2.1 Technical System Landscape
Search and Classification (TREX) includes the following central components:
- Java client and ABAP client
- Web server with TREX extension
- Queue server
- Preprocessor
- Index server with the TREX engines
- Name server
The graphic below shows the individual TREX components and how they communicate.

[Figure: TREX components and their communication. Other components: the application using TREX, with its Java client (HTTP/HTTPS to the Web server with TREX extension) and its ABAP client (RFC/SNC via the SAP Gateway to the RFC server). TREX components: Web server with TREX extension, RFC server, name server, queue server, preprocessor, and index server with the TREX engines, connected over TCP/IP; the preprocessor additionally uses HTTP/HTTPS. TREX data storages: queues and indexes.]

TREX is based on a client/server architecture. The client software is integrated into the application that uses the TREX functions, and allows access to the TREX servers. The TREX servers execute the requests of the clients: they index and classify documents and respond to search queries.
TREX offers an ABAP and a Java client. This allows ABAP and Java applications to use TREX functions. ABAP and Java applications communicate with the TREX servers using different protocols and components.
ABAP applications communicate with TREX servers using the RFC protocol. This communication takes place using an SAP gateway and an RFC server.
Java applications communicate with TREX using the HTTP or HTTPS protocol. This communication takes place using a Web server that is enhanced with TREX-specific functions.
RFC and Web servers have similar functions: they receive the requests of the application, convert them to a TREX-internal format, and send them on to the responsible TREX server.
The table below tells you where you can find more information about the technical system landscape.
More Information About the Technical System Landscape
Topic | Guide/Tool | Quick Link to the SAP Service Marketplace (service.sap.com)
TREX components and infrastructure | TREX installation guide | instguides

2.2 User Management and Authentication
User Management
User management is administrated by the application using TREX (for example, SAP Enterprise Portal or SAP Business Information Warehouse). TREX does not have its own user management. For more information on user management in SAP NetWeaver, see User Authentication and Single Sign-On [SAP Library].

Integration into Single Sign-On Environments
TREX is integrated into the SAP Enterprise Portal single sign-on environment. This means that TREX identifies itself to the portal using an SAP Logon ticket. For more information on client authentication, see Configuration of the TREX Security Settings [SAP Library].

Authorizations
The clients that access the TREX servers identify and authorize themselves with the TREX server in question using client certification (TREX Java client and TREX Web server; portal Web server and TREX preprocessor). The TREX preprocessor identifies itself to the portal Web server using the SAP Logon ticket. As a TREX server only allows access to an authenticated client, granular configuration of the secure access of the individual clients to the TREX servers is possible.

2.3 Network and Communication Security
Communication Channel Security
Used Technologies
The following technologies are used for communication between the individual TREX components and between TREX and the applications that use TREX:
- HTTP/HTTPS
- TCP/IP (TREXNet)
- RFC/SNC
- SSL
The graphic in section 2.1 shows the individual TREX components and how they communicate.
Communication between the TREX Java client and the TREX Web server, and between the portal Web server and the TREX preprocessor, takes place using HTTP/HTTPS. All other communication between the TREX components (name, index, queue, and Web server) takes place using a TREX-specific protocol (TREXNet) that is based on TCP/IP.

Communication Channels of TREX Components
TREX Component | Communication Technology | Type of Authentication
Java client | HTTP/HTTPS | Client certification
ABAP client | RFC/SNC |
Web server with TREX extension | HTTP/HTTPS. With other TREX components, using TCP/IP (TREXNet). | Client certification
Preprocessor | With portal Web server, using HTTP/HTTPS. With other TREX components, using TCP/IP (TREXNet). | Client certification
Name server | TCP/IP (TREXNet) |
Queue server | TCP/IP (TREXNet) |
Index server | TCP/IP (TREXNet) |

Data Storage
The data that the TREX queue server (queues) and the TREX index server and its search engines (search index, text-mining index, and attribute-engine index) access are not stored in a database. They are stored on the file system in special directories.
Data Transfer
The communication between the TREX preprocessor and the portal Web server is used to retrieve and transmit document content from the repositories of the application using TREX (for instance, SAP Enterprise Portal). The TREX Java client is used to transmit search requests and commands (for instance, create a link) from the application to the TREX index server. The Java client also transmits the search results, responses to commands, and document content. This takes place in the same way as the communication of an R/3 application with TREX using the TREX ABAP client and RFC. The data (search requests, search results, document content, and commands) is protected by securing the communication channels and by certificate-based authentication of the communication partners.
Network Security
The TREX servers, components, and indexes can be distributed across various network segments using a scaling and load-balancing concept.
Note that no validated scaling concept is available for TREX 6.1 SP1.
When TREX is installed using SAPinst, the ports of the TREX servers are calculated from the number chosen for the TREX instance being installed:

30000 + 100 * <instance number> + <server offset>

The server offset is 1 for the name server, 2 for the preprocessor, 3 for the index server, 4 for the queue server, and 5 for the HTTP server. This method of calculation ensures that the ports do not clash with those of another TREX instance on the same host. The ports can also be configured individually.

If you chose the instance number 48, the ports are as follows:

Name server 34801
Preprocessor 34802
Index server 34803
Queue server 34804
HTTP server 34805

Whether firewall settings need to be configured depends on whether a firewall separates TREX from the applications in the technical system landscape. If this is the case, you must configure the firewall so that it lets TCP/IP traffic (not UDP) to the ports of the TREX servers through in both directions.
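The port scheme above, worked through as an added example that is not part of the SAP guide: the formula is the guide's own (checked against its instance 48 values), while the offset names, the iptables rule shape, the reading of "both directions" as new connections to TREX plus their established return traffic, and the probe function are assumptions of this example.

```python
"""TREX port calculation, clash check, and firewall rules (added example).

The formula 30000 + 100 * instance + offset is taken from the SAP guide; the
offset names, iptables rule text and probe are this example's assumptions.
"""
import socket

BASE_PORT = 30000

# Server offsets in the order the guide lists them for instance 48 (34801..34805).
TREX_PORT_OFFSETS = {
    "name_server": 1,
    "preprocessor": 2,
    "index_server": 3,
    "queue_server": 4,
    "http_server": 5,
}


def trex_ports(instance_number):
    """Return {server: port} for one TREX instance (instance numbers are two digits)."""
    if not 0 <= instance_number <= 99:
        raise ValueError("TREX instance number must be between 00 and 99")
    base = BASE_PORT + 100 * instance_number
    return {name: base + offset for name, offset in TREX_PORT_OFFSETS.items()}


def port_clashes(instance_numbers):
    """Ports that more than one of the given instances on the same host would use."""
    seen, clashes = set(), set()
    for number in instance_numbers:
        for port in trex_ports(number).values():
            if port in seen:
                clashes.add(port)
            seen.add(port)
    return clashes


def iptables_rules(instance_number, trex_host, client_net):
    """Stateful allow rules: TCP only (the guide excludes UDP) from the application
    network to every TREX port, plus the established return traffic from TREX.
    Reading "both directions" this way is an assumption of the example."""
    rules = []
    for name, port in trex_ports(instance_number).items():
        rules.append(
            f"iptables -A FORWARD -p tcp -s {client_net} -d {trex_host} --dport {port} "
            f"-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT  # {name}"
        )
    rules.append(
        f"iptables -A FORWARD -p tcp -s {trex_host} -d {client_net} "
        "-m conntrack --ctstate ESTABLISHED -j ACCEPT  # replies from TREX"
    )
    return rules


def probe(host, instance_number, timeout=1.0):
    """TCP connect to each server port; False means the server is down or a firewall
    in between drops the port, so the guide's firewall requirement is not met."""
    reachable = {}
    for name, port in trex_ports(instance_number).items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable[name] = True
        except OSError:
            reachable[name] = False
    return reachable


if __name__ == "__main__":
    print(trex_ports(48))
    print("clashes:", port_clashes([48, 49]))
    for rule in iptables_rules(48, "10.1.2.3", "10.1.0.0/16"):
        print(rule)
```

Run `probe("trexhost", 48)` from the application host once the firewall is in place; any False entry points at either a stopped server or a rule that is missing for that port.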
Communication Destinations
When TREX is installed, you create one or more RFC destinations of connection type T (TCP/IP) so that the application can communicate with TREX. When you create the RFC destination, you choose the activation type Start or Registration. The activation type determines how the SAP Gateway communicates with the RFC server.

In addition to the RFC connection, TREX uses HTTP/HTTPS for the communication between TREX components and the application using TREX. The ports used for this are described under Network Security.
2.4 Data Storage Security
Data Storage Location
The data that the TREX queue server (queues) and the TREX index server and its search engines (search index, text-mining index, and attribute-engine index) access is stored on the file system in dedicated directories. SAPinst creates the following directory for the TREX instance being installed:

On UNIX: /usr/sap/trex_<instance number>
On Windows: <drive>:\usr\sap\trex_<instance number>

The queues and indexes are then stored in the subdirectories /index and /queue. The paths to the directories are determined by SAP_RETRIEVAL_PATH when TREX is installed. In a distributed scenario, the system itself is responsible for the distributed storage of the queue and index data (not the case for TREX 6.1 SP1). The data is not stored temporarily anywhere else.
Type of Data Access
Search requests only read the data. If new documents are added to the data set, the indexes and queues must be changed and extended, which takes place using write, delete, or change access.
Level of Protection
The TREX installation is performed by a root user, who specifies a TREX user during the installation. This TREX user has read and write access to the directories that are created.
You need a separate UNIX or Windows user for every TREX instance that you install. You specify this user during the TREX installation. SAPinst makes sure that the user is the owner of all files and directories that belong to the TREX instance. On UNIX, the user must not have root permissions; on Windows, it must have administration permissions. Customers can therefore decide at file-system level who accesses the data used by TREX, and how.
The TREX setup program creates the Web site SAP_TREX_<instance number> on the Web server. This defines an anonymous user for access to the Web site; by default this anonymous user is called IUSR_<host name>. The anonymous user needs to have Full Control permission for the TREX directory.

You can ensure this in one of the following ways:

Variant 1: You determine the anonymous user entered in the properties for the Web site SAP_TREX_<instance number>. You give this user Full Control access to the TREX directory and to all files and subdirectories it contains.

Variant 2: You change the anonymous user in the properties for the Web site SAP_TREX_<instance number>. Instead of the default IUSR_<host name>, you enter a local user that has Full Control access to the TREX directory.

Because the anonymous user's rights apply to every unauthenticated request that the Web site processes, grant them for the TREX directory only and do not extend them to other parts of the file system.
For more information on the user permissions given during the TREX installation, see the TREX installation guide at service.sap.com/instguides → SAP NetWeaver → Release 04 → Installation → Search and Classification (TREX) 6.1 Installation Guide.
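A check for the UNIX level of protection described in this section, written as an added example that is not part of the SAP guide. It builds a constructed stand-in for the /usr/sap/trex_<instance number> tree in a temporary directory and reports entries that are not owned by the expected TREX user, are owned by root (which the guide rules out for the TREX user), or are group- or world-writable; the demo tree's layout and mode values are assumptions of this example.

```python
"""File-system check for a TREX instance directory on UNIX (added example)."""
import os
import stat
import tempfile


def find_permission_issues(trex_dir, trex_uid):
    """Walk the instance directory and return (path, reason) pairs for entries that
    are owned by root, owned by a user other than the TREX user, or writable by
    group or others.  Symlinks are checked as links, not followed."""
    issues = []
    for root, _dirs, files in os.walk(trex_dir):
        for entry in [root] + [os.path.join(root, name) for name in files]:
            st = os.lstat(entry)
            if st.st_uid == 0:
                issues.append((entry, "owned by root"))
            elif st.st_uid != trex_uid:
                issues.append((entry, "owned by uid %d, expected %d" % (st.st_uid, trex_uid)))
            if st.st_mode & stat.S_IWOTH:
                issues.append((entry, "world-writable"))
            if st.st_mode & stat.S_IWGRP:
                issues.append((entry, "group-writable"))
    return issues


def build_demo_tree():
    """Constructed stand-in for /usr/sap/trex_<instance number>: the index directory
    is restricted to its owner, the queue directory has been left world-writable."""
    base = tempfile.mkdtemp(prefix="trex_demo_")
    index_dir = os.path.join(base, "index")
    queue_dir = os.path.join(base, "queue")
    os.mkdir(index_dir)
    os.mkdir(queue_dir)
    queue_file = os.path.join(queue_dir, "queue.dat")
    with open(queue_file, "w") as handle:
        handle.write("constructed queue data\n")
    os.chmod(index_dir, 0o700)
    os.chmod(queue_dir, 0o777)   # the misconfiguration the check should catch
    os.chmod(queue_file, 0o600)
    os.chmod(base, 0o700)
    return base


def audit_demo():
    """Run the check against the demo tree, treating the current user as the TREX
    user; return the set of (path relative to the instance directory, reason)."""
    base = build_demo_tree()
    findings = find_permission_issues(base, os.getuid())
    return {(os.path.relpath(path, base), reason) for path, reason in findings}


if __name__ == "__main__":
    for path, reason in sorted(audit_demo()):
        print("%-20s %s" % (path, reason))
```

For a real instance, call `find_permission_issues("/usr/sap/trex_48", pwd.getpwnam("trexadm").pw_uid)` with the directory and user name of that installation; an empty list means the ownership SAPinst established has not drifted.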
2.5 Security for Additional Applications
The following applications are delivered with the TREX installation.

Additional Applications

Application                                   Comments
Microsoft Internet Information Server (IIS)   External
Apache Web Server                             External
SAPinst                                       SAP internal
SAP Gateway                                   SAP internal
The Microsoft Internet Information Server (IIS) and the Apache Web Server, which act as TREX Web servers on Windows and UNIX respectively and communicate with the CM Java client, both have their own validated security concepts, which the configuration of TREX security refers to.

During the SAPinst TREX installation, the required permissions are granted for the Microsoft Internet Information Server (IIS) (see Data Storage Security, Level of Protection). You can use the cryptography tool SAPGENPSE to configure secure communication between the TREX preprocessor and the portal Web server, and between the TREX Web server and the TREX name server. You obtain SAPGENPSE as part of the SAP Cryptographic Library from the SAP Service Marketplace.

The cryptography tool OpenSSL is used for the secure configuration of the Apache Web Server. You use a build process to generate the tool OpenSSL and the library mod_ssl.so, both of which you need for the secure communication of the Apache Web server.
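The HTTPS side of that Apache configuration, as an added example that is neither configuration shipped with TREX nor taken from the SAP guide: it makes the Apache Web server demand the client certificate that the guide says the TREX Java client presents, and shows the weak setting it replaces. The host name, listening port, file paths, CA file and the client's subject CN are assumptions of this example.

```apache
# Added example (not from the SAP guide): mod_ssl settings for an Apache server
# acting as TREX Web server.  Paths, host name, port and the client CN are assumed.
LoadModule ssl_module modules/mod_ssl.so

Listen 34805
<VirtualHost *:34805>
    ServerName trexhost.example.com

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /usr/sap/trex_48/ssl/trex-server.crt
    SSLCertificateKeyFile /usr/sap/trex_48/ssl/trex-server.key

    # CA that issued the TREX Java client's certificate.  Only certificates
    # chaining to this CA are accepted; the chain is checked up to this depth.
    SSLCACertificateFile  /usr/sap/trex_48/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Weak setting that the line above replaces: "SSLVerifyClient none" (the
    # default) lets any peer that can reach the port talk to the TREX extension
    # without presenting a certificate, so the TREX server would no longer be
    # limited to authenticated clients.

    <Location />
        # Pin the client identity as well: a certificate from the right CA is
        # not enough, the subject must be the TREX Java client (assumed CN).
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "trex-java-client"
    </Location>
</VirtualHost>
```

The same pair of settings matters on the other HTTPS hop the guide names, from the portal Web server to the TREX preprocessor, where the preprocessor is the client that must present its certificate.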
For more information on the user permissions given during the TREX installation, see the TREX installation guide at service.sap.com/instguides → SAP NetWeaver → Release 04 → Installation → Search and Classification (TREX) 6.1 Installation Guide.

For more information on the configuration of TREX security, see the SAP Library at help.sap.com/NW04 → SAP NetWeaver → Information Integration → Knowledge Management → Security Configuration → Configuration of the TREX Security Settings.
2.6 Minimal Installation
Minimal Installation and Required Components
A minimal TREX system consists of one TREX instance (one installation of the server software). You can use a minimal TREX system as a demo, test, or productive system.
The TREX servers (queue server, index server, preprocessor, and name server) can be used by one or more applications. When you install TREX, you need to know the type of application and the communication protocol. There are the following possibilities:
The TREX servers are only used by Java applications. In this case, only execute the installation steps necessary for an HTTP connection.
The TREX servers are only used by ABAP applications. In this case, only execute the installation steps necessary for an RFC connection.
The TREX servers are used by Java and ABAP applications. In this case, execute the installation steps necessary for both an HTTP and an RFC connection.

Example: the documents to be indexed are sent to TREX by an ABAP application, and the search takes place using a Web application (Java application). In this scenario, both an RFC and an HTTP connection are needed.

For more information on a minimal TREX installation, see the TREX installation guide at service.sap.com/instguides → SAP NetWeaver → Release 04 → Installation → Search and Classification (TREX) 6.1 Installation Guide.
TREX Test Package
New TREX releases are always tested internally using a predefined test package with a standard test landscape and with verifiable test data. In particular, the handling of mass data (mass tests), load limits (stress tests), and the performance of TREX are checked. The test package calls test atoms in the form of Python scripts that test the basic functionality of TREX and are stored in the python_support subdirectory of the TREX instance directory.
When you have installed TREX, you execute the Python script runInstallationTest.py, which tests the basic functions of TREX. This script calls a subset of the TREX test atoms to check the functional correctness of TREX. If the Python script runs successfully, you know that TREX has been installed properly, that the configuration files contain the necessary entries, and that the TREX servers are running.
TREX Administration Tools
TREX provides various administration tools for administering the TREX servers. Some of them are located in the TREX installation directory (/usr/sap/trex_<instance number>: TrexGui.exe, TrexQueueClient.exe) and others in the Python support directory (\usr\sap\trex_11\python_support: topoView.py, TrexAdminTool.py, and so on). You can delete these test and administration tools without restricting the TREX functions, but for supportability reasons we do not recommend that you do so.
SAPinst Tool
The SAPinst tool can also be deleted after the installation. However, this deletes important information about the installation that may be needed if an aborted TREX installation has to be continued.
2.7 Trace and Log Files
With the standard configuration, TREX writes all error messages that arise during routine operation to trace and alert files. The TREX daemon, the individual TREX servers, and the other TREX components each write their own trace files.
These trace files contain the error messages that the index server, name server, preprocessor, queue server, and Web server return during routine operation. With the standard configuration, the trace files contain error messages only.
If you set a higher trace level, the entire content of the documents being processed can be written to the trace files. The SAP Logon ticket (the ticket parameter) may also appear in a trace file when the TREX preprocessor is traced.
These trace files are nevertheless protected, for the following reasons:
Only administrators have permission to access the TREX trace directories.
The trace level must be set explicitly in the corresponding TREX configuration file.
2.8 Appendix
Related Security Guides
You can find more information about the security of SAP applications on the SAP Service Marketplace, using the quick link security. Security guides are available using the quick link securityguide.
Related Information
For more information about topics related to security, see the links in the table below.
Quick Links to Related Information

Content                                               Quick Link on the SAP Service Marketplace (service.sap.com)
Master guide, installation guides, upgrade guides,    instguides
and solution management guides                        ibc
Related SAP Notes                                     notes
Released platforms                                    platforms
Network security                                      network
                                                      securityguide
Technical infrastructure                              ti
SAP Solution Manager                                  solutionmanager
Checklists
The TREX installation guide contains checklists for the following scenarios:
TREX installation with HTTP connection
TREX installation with RFC connection
TREX installation with HTTP and RFC connections
The TREX installation guide is located at service.sap.com/instguides → SAP NetWeaver → Release 04 → Installation → Search and Classification (TREX) 6.1 Installation Guide.