sapnetweaver04 secguide km

Upload: elkesunshine

Post on 02-Jun-2018


  • 8/10/2019 SAPNetWeaver04 SecGuide KM

    1/24

    SAP Knowledge Management Security Guide

    Document Version 1.00, April 29, 2004

    SAP NetWeaver 04 Security Guide


    SAP AG
    Neurottstraße 16, 69190 Walldorf, Germany
    T +49/18 05/34 34 24, F +49/18 05/34 34 20
    www.sap.com

    Copyright 2004 SAP AG. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

    SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

    Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

    Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

    These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

    IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

    Oracle is a registered trademark of Oracle Corporation.

    UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

    Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

    HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

    Java is a registered trademark of Sun Microsystems, Inc.

    JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

    MaxDB is a trademark of MySQL AB, Sweden.

    Disclaimer

    Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.

    Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

    Documentation in the SAP Service Marketplace

    You can find this documentation at the following Internet address: service.sap.com/securityguide


    Typographic Conventions

    Type Style | Description
    Example Text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.
    Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
    EXAMPLE TEXT | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
    Example text | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
    Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
    (angle brackets) | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
    EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.

    Icons

    Icon | Meaning
    (icon) | Caution
    (icon) | Example
    (icon) | Note
    (icon) | Recommendation
    (icon) | Syntax

    Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help, General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.


    Knowledge Management Security Guide

    April 29, 2004

    Contents

    Knowledge Management Security Guide ..... 5
    1 Content Management Security Guide ..... 5
    1.1 Technical System Landscape ..... 6
    1.2 User Administration and Authentication ..... 7
    1.3 Authorizations ..... 8
    1.4 Communication Channel Security ..... 9
    1.5 Data Storage Security ..... 11
    1.6 Minimal Configuration ..... 12
    1.7 Further Security-Relevant Information ..... 13
    1.8 Trace and Log Files ..... 14
    1.9 Appendix ..... 14
    2 Search and Classification (TREX) Security Guide ..... 15
    2.1 Technical System Landscape ..... 16
    2.2 User Management and Authentication ..... 18
    2.3 Network and Communication Security ..... 18
    2.4 Data Storage Security ..... 21
    2.5 Security for Additional Applications ..... 22
    2.6 Minimal Installation ..... 22
    2.7 Trace and Log Files ..... 23
    2.8 Appendix ..... 24


    Knowledge Management Security Guide

    About this Guide

    Knowledge Management comprises the following subcomponents:

    - Content Management (CM)
    - Search and Classification (TREX)

    The Knowledge Management security guide is therefore divided into two separate security guides:

    - Content Management Security Guide [Page 5]
    - Search and Classification (TREX) Security Guide [Page 14]

    1 Content Management Security Guide

    This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.

    About this Guide

    This guide describes security-relevant topics that affect the technical component Content Management of the Knowledge Management platform.

    As a component of SAP NetWeaver(TM), the Knowledge Management Platform relies on the components SAP Enterprise Portal and the J2EE Engine of the SAP Web Application Server. The table below contains links to the security guides for these components.

    Related Security Guides

    Application | Guide | Most Relevant Sections or Specific Restrictions
    SAP Web Application Server | SAP Web Application Server Security Guide | SAP Web AS Security Guide for J2EE Technology
    SAP Enterprise Portal | Portal Platform Security Guide |

    Why is security necessary?

    The Content Management security measures described here prevent unauthorized access to documents and settings and prevent them from being manipulated without authorization.


    Target Groups

    - Technical consultants
    - System administrators

    This document is not included as part of the installation guides, configuration guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all time frames.

    Important SAP Notes

    Check regularly to see what SAP Notes are available about the security of the application.

    Important SAP Notes

    SAP Note Number | Title | Comment
    701097 | SAP NetWeaver '04 Documentation | Contains information on corrections to the documentation after it has been delivered.
    599425 | EP6: Permissions for Knowledge Management | After the installation you have to restrict permissions for accessing folders and documents.

    1.1 Technical System Landscape

    The table below tells you where you can find more information about the technical system landscape.

    More Information About the Technical System Landscape

    Topic | Guide | Quick Link to the SAP Service Marketplace (service.sap.com)
    Technology components such as the SAP Web Application Server | Master guide | instguides
    Technical configuration, high availability | Technical infrastructure guide | ti


    1.2 User Administration and Authentication

    User Management

    Knowledge Management, like the portal, uses the user management of the J2EE Engine, since it doesn't have its own user management.

    The following service users are used internally by Content Management:

    User | Delivered? | Type | Default Password | Detailed Description
    cmadmin_service | Yes | service user | - | Used for various tasks in CM. The service user has write permissions to create a personal folder for every user in the repository /userhome and to create configuration settings at start up.
    ice_service | Yes | service user | - | Used to access documents with the content exchange service.
    index_service | Yes | service user | - | Used for crawling and indexing documents with the index management service.
    notificator_service | Yes | service user | - | Used by the inbox and notification services.
    subscription_service | Yes | service user | - | Used by the subscription service.
    timebasedpublish_service | Yes | service user | - | Used by the time-dependent publishing service.
    collaboration_service | Yes | service user | - | Used by CM repository services such as the feedback and rating services.

    The service users have various system-wide permissions in CM, including resource permissions such as reading, writing, and deleting, and removing locks on documents. Service users are automatically created by the services in the user management of the J2EE Engine. However, it is not possible to authenticate (log on) as one of these users. For more information, see Service Users [SAP Library] in the KM administration guide.

    Also refer to User Administration and Authentication [SAP NetWeaver Security Guide].


    1.3 Authorizations

    Roles

    The following roles are used in Knowledge Management:

    Role | Description
    Content Manager | The Content Manager role enables the structuring and managing of content of the KM platform. This role must be assigned to the relevant users after the installation. For more information, see Assigning the Content Manager Role [SAP Library] in the KM administration guide.
    System Administrator | The SAP Enterprise Portal role now contains KM-specific administration functions. A system administrator carries out the configuration of the KM platform (see System Administration [SAP Library] in the KM administration guide).
    Content Administrator | The Content Administrator role of SAP Enterprise Portal now contains KM-specific content administration functions. It allows direct access to all folders and documents that are stored in internal or external repositories of the KM platform (see the Content Management guide [SAP Library] in the KM documentation set).

    You can delegate the task areas to other roles. For more information, see Delegated Administration [SAP Library] in the portal administration guide.

    ACLs

    In addition to the roles concept, another authorization concept is used: access control lists (ACLs).

    By using repository managers that deal with various types of data storage (file system, WebDAV server, and so on), CM uniformly manages content located in different repositories. Initially, everybody has full control access to these contents. If a security manager is activated for a repository, you can protect the contents of the repository with access control lists (ACLs).

    Permissions (ACLs) are inherited by subordinate folders from superordinate folders. However, if you change permissions on a subordinate folder, the system creates a separate ACL for this resource. From then on, changes made to the permissions for the superordinate folder are no longer transferred to the subordinate folder for which the system has created a separate ACL.

    You should restrict access permissions on the root nodes of security-relevant repositories immediately after the installation, in order to prevent documents being read illegally by users hacking or guessing document URLs. Change the ACLs for subordinate folders if the permissions for these folders are different.
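    The inheritance rule above has a consequence that is easy to miss in a large folder tree: once a subordinate folder has been given its own ACL, tightening the root no longer reaches it. The following Python model, added here as an illustration and not SAP code, replays the guide's scenario on a constructed tree: a delivered repository where everybody has full control, the root restricted to read-only right after installation, one subfolder detached by its own ACL, and a later change on the root that reaches the inheriting folder but not the detached one. The folder names, the principal name "everyone", the permission vocabulary and the open_roots() post-installation check are assumptions made for the example.

```python
"""Model of the ACL inheritance rules of KM security managers (added example; not SAP code).

A folder without an explicit ACL inherits the effective ACL of its parent.
Changing permissions on a folder gives it a separate ACL, after which
changes on the parent no longer reach it. Names and the permission set
are assumptions for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed permission vocabulary: the guide names reading, writing and deleting.
FULL_CONTROL = frozenset({"read", "write", "delete"})
EVERYONE = "everyone"  # assumed principal name for "everybody"


@dataclass
class Folder:
    path: str
    parent: Optional["Folder"] = None
    acl: Optional[Dict[str, Set[str]]] = None  # None = inherit from the parent
    children: Dict[str, "Folder"] = field(default_factory=dict)

    def child(self, name: str) -> "Folder":
        node = Folder(f"{self.path.rstrip('/')}/{name}", parent=self)
        self.children[name] = node
        return node

    def effective_acl(self) -> Dict[str, Set[str]]:
        """Walk upwards until a folder with its own ACL is found."""
        node = self
        while node.acl is None and node.parent is not None:
            node = node.parent
        if node.acl is None:
            # Delivered state of a repository root: everybody has full control.
            return {EVERYONE: set(FULL_CONTROL)}
        return node.acl

    def set_permissions(self, principal: str, perms: Set[str]) -> None:
        """Changing permissions detaches this folder: it gets a separate ACL
        seeded from what it inherited, and later parent changes stop here."""
        if self.acl is None:
            self.acl = {p: set(v) for p, v in self.effective_acl().items()}
        self.acl[principal] = set(perms)

    def allowed(self, principal: str, perm: str) -> bool:
        acl = self.effective_acl()
        return perm in acl.get(principal, set()) or perm in acl.get(EVERYONE, set())


def open_roots(roots: List[Folder]) -> List[str]:
    """Post-installation check: repository roots where everybody can still write or delete."""
    return [r.path for r in roots
            if r.allowed(EVERYONE, "write") or r.allowed(EVERYONE, "delete")]


def walkthrough() -> dict:
    """Replays the guide's scenario on a constructed folder tree."""
    root = Folder("/documents")
    public = root.child("public")
    hr = root.child("hr")

    before = open_roots([root])                  # ['/documents']: delivered state
    root.set_permissions(EVERYONE, {"read"})     # restrict the root right after installation
    after = open_roots([root])                   # []

    hr_inherited = hr.allowed(EVERYONE, "read") and not hr.allowed(EVERYONE, "write")
    hr.set_permissions("hr_group", {"read", "write", "delete"})  # hr now has its own ACL

    root.set_permissions(EVERYONE, set())        # a later change on the root
    return {
        "open_roots_before": before,
        "open_roots_after": after,
        "hr_inherited_read_only": hr_inherited,
        "public_follows_root": not public.allowed(EVERYONE, "read"),
        "hr_keeps_separate_acl": hr.allowed(EVERYONE, "read") and hr.allowed("hr_group", "write"),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

    The practical reading of the last two results: after the root was locked down a second time, /documents/public followed the change, while /documents/hr kept the read permission for everybody that it had copied when it was detached. Any repository whose subfolders were edited before the root was restricted needs the same review on those subfolders.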


    See also:

    - Permissions [SAP Library]
    - Security Managers [SAP Library]
    - ACL Security Manager [SAP Library]
    - Service ACL Service [SAP Library]

    1.4 Communication Channel Security

    Various channels of communication and technologies are used between subcomponents and data sources of the Knowledge Management Platform.

    Used Technologies

    The following technologies are used for communication:

    - HTTP/HTTPS
    - WebDAV
    - ICE
    - JDBC on OpenSQL
    - Operating system-dependent technologies

    [Figure: Communication channels of Knowledge Management. Knowledge Management runs on the SAP J2EE Engine (Portal Server) and communicates with: the DBMS with the CM Database (JDBC on OpenSQL); a Web Repository (HTTP(S)); a Lotus Notes Repository (IIOP); a File System Repository (operating system-dependent, for example NetBIOS, NFS); a WebDAV Repository (HTTP(S)+WebDAV); a WebDAV Client (HTTP(S)+WebDAV); the Browser (HTTP(S)); an ICE Subscriber (HTTP(S)+ICE); TREX (HTTP(S)); and the Directory with Configuration Data (operating system-dependent).]


    Components and Communication Channels

    Communication Between | Communication Channel/Protocol | Transmitted Data | Comments
    CM and DBMS with CM database | JDBC on OpenSQL | Documents, metadata | You can use database management systems such as ORACLE and MICROSOFT.
    CM and TREX | HTTP or HTTPS | Search requests, search results, index data, classification data |
    CM and directory with configuration data on the portal server | Operating system-dependent. WINDOWS, for example: NetBIOS. UNIX, for example: NFS. | Configuration data | In the case of cluster installations of CM, the directory with the configuration data is made available on the database server.
    CM and repositories | Depends on the implementation (see table below). | Documents, metadata |
    ICE subscriber and ICE provider (CM) | ICE using HTTP or HTTPS. | Documents, metadata | Used for exchanging content packages.
    WebDAV client and WebDAV server (CM) | HTTP or HTTPS with WebDAV extension. | Documents, metadata |
    Browser and portal with installed KM | HTTP or HTTPS | (HTML) documents |

    Technologies for Repositories

    External Repositories | Communication Technology | Type of Authentication
    Web repository | HTTP, HTTPS | HTTP Basic Authentication, HTTP Digest Authentication
    WebDAV repository | HTTP, HTTPS with WebDAV extension | HTTP Basic Authentication, HTTP Digest Authentication
    File-system repository and CM repository (DBFS and FSDB modes) | Operating system-dependent. WINDOWS, for example: NetBIOS, TCP/IP. UNIX, for example: NFS. | Dependent on operating system and configuration. WINDOWS, for example: SMB using TCP/IP.
    Lotus Notes repository | IIOP | IIOP-specific


    In the case of Web and WebDAV repositories, the combination of HTTP and Basic Authentication is considered unsafe, because the password is, to all intents and purposes, transmitted in plaintext (Basic Authentication only Base64-encodes the credentials). However, the authentication type used is controlled by the remote server: if a remote server uses Basic Authentication, that server is not configured securely. If this is the case, use another type of authentication such as Digest Authentication.
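    Because the remote server decides which scheme is offered, the check an administrator can actually run is against the server's WWW-Authenticate challenge. The Python below, added here as an example and not SAP code, parses the challenge (a header may offer several schemes at once), combines it with the transport from the repository URL and applies the rule of the note above: Digest is fine, Basic over HTTPS is acceptable, Basic over plain HTTP is flagged. The host names and header values are constructed for the example.

```python
"""Check whether a Web/WebDAV repository's authentication is acceptable (added example; not SAP code).

Follows the rule in the guide: Basic Authentication over plain HTTP is unsafe,
because the credentials are only Base64-encoded; Digest is the preferred
alternative. Host names and header values below are constructed.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# A WWW-Authenticate header may carry several challenges, e.g.
#   Digest realm="km", qop="auth", nonce="...", Basic realm="km"
# Scheme names appear at the start or after a comma and are followed by a
# parameter (name=...), by another comma, or by the end of the header;
# Digest parameters (qop=, nonce=, ...) are not matched because '=' follows directly.
_SCHEME_RE = re.compile(r'(?:^|,)\s*([A-Za-z][\w.~+/-]*)(?=\s+[\w-]+=|\s*,|\s*$)')


def parse_challenges(www_authenticate: str) -> List[str]:
    """Return the authentication schemes offered by the remote server, in order."""
    return _SCHEME_RE.findall(www_authenticate)


def assess_repository(url: str, www_authenticate: str) -> Tuple[str, str]:
    """Classify the (transport, authentication) combination of a remote repository."""
    transport = urlsplit(url).scheme.lower()
    offered = [s.lower() for s in parse_challenges(www_authenticate)]
    if "digest" in offered:
        return "ok", "configure the repository manager to use Digest Authentication"
    if "basic" in offered and transport == "https":
        return "acceptable", "Basic credentials are protected by TLS; prefer Digest if the server offers it"
    if "basic" in offered:
        return "insecure", "Basic over HTTP sends the password in cleartext; the remote server must be reconfigured"
    return "unknown", f"unrecognised challenge(s): {offered or 'none'}"


def audit(repositories) -> List[Tuple[str, str, str]]:
    """Run the check over (name, url, header) triples and return (name, verdict, advice)."""
    return [(name, *assess_repository(url, header)) for name, url, header in repositories]


if __name__ == "__main__":
    # Constructed sample of three external repositories as a KM administrator might record them.
    SAMPLE = [
        ("intranet-web", "http://docs.example.invalid/", 'Basic realm="km"'),
        ("partner-webdav", "https://dav.example.invalid/", 'Basic realm="km"'),
        ("archive-web", "http://archive.example.invalid/",
         'Digest realm="km", qop="auth", nonce="abc123", Basic realm="km"'),
    ]
    for name, verdict, advice in audit(SAMPLE):
        print(f"{name:15} {verdict:10} {advice}")
```

    Note that the "ok" verdict is the guide's rule for the authentication step only; Digest protects the password, not the documents, so HTTPS for the whole channel remains the stronger configuration listed in the repository table above.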

    See also:

    - Content Management Configuration [SAP Library]
    - Repositories and Repository Managers [SAP Library]

    1.5 Data Storage Security

    Data in CM

    Various types of data are used in Content Management. They are stored in different places.

    Data in Content Management

    Type of Data | Storage Location | Protected by
    Configuration data | Folder hierarchies in the file system of the portal server (see Content Management Configuration [SAP Library]) | Permissions at operating system level. Access to the portal is controlled by the role concept.
    CM portal content (worksets and iView templates) | Portal catalog (database) | Security concepts of the portal (roles), security concepts of the DBMS.
    CM content (folders and files) | Internal repositories [SAP Library] (such as /documents); file system repository /etc. | Security concepts of the portal (roles), security concepts of the DBMS, permissions at operating system level.
    Service data | Database, directory with configuration data in the file system. | Security concepts of the DBMS, permissions at operating system level.
    Customer and system-external content (folders and files) | External repositories [SAP Library] | Security concepts of the remote server, ACLs, permissions.
    Customer and system-external content (folders and files) | Internal repositories (database, file system) | Permissions at operating system level, ACLs.


    Temporary Data on the Client PC

    Note that CM-specific Internet files are stored on the client PC when the portal is called.

    When you use the function Edit Locally, the content of the document in question is stored in a temporary directory on the client PC. When you upload the document to KM, it is deleted from the client PC when the program used to edit it is terminated. If you do not terminate the program, or if the document is locked, it is not deleted from the client PC.

    If the client PC is also being used by another user, delete the content from the temporary directories and the browser cache when you have finished your work.

    1.6 Minimal Configuration

    Functionality Restrictions

    Depending on the users of your system, you may want to restrict functionality as well as access permissions.

    Deactivating Repository Services

    By default, the CM repository documents is delivered for storing documents and metadata. For a minimal configuration, you deactivate the repository services that you do not need (for example, the discussion service for creating discussions) in the configuration of this repository manager. If you integrate your own repositories, you should also reduce the number of repository services to a minimum. However, you should not change the configuration of repository managers that are used system-internally.

    For more information, see Repositories and Repository Managers [SAP Library] and Repository Services [SAP Library] in the administration guide.

    Deactivating Interface Commands

    The flexible user interface of the KM platform provides you with interface commands for carrying out operations. For a minimal configuration, you should deactivate interface commands that cause changes, including commands for checking objects in (Upload, Create New Text File, Create New HTML File), commands for editing objects (Edit Locally, Edit Online) and commands for deleting objects.

    For more information, see User Interface Commands [SAP Library] in the administration guide.


    1.7 Further Security-Relevant Information

    Active Code

    Various types of active code are used in the KM platform. This code is executed on the client host in the Web browser.

    Active Code | Use | Comments
    ActiveX | Used for the Local Editing function. | If your security policy rules out ActiveX, you can use a Java applet instead. For more information, see Online and Local Editing [SAP Library] in the KM administration guide.
    JavaScript | Used by the HTMLB software component (for example, for client-side checks of entries and for generating popup menus). | JavaScript is also used extensively by the component SAP Enterprise Portal.
    Java | Java applets are used for Local Editing and for the XML Forms Builder application. | If your security policy rules out Java applets, you cannot use the XML Forms Builder. The Local Editing function can also be used with ActiveX.

    Anonymous Users and Creation of Documents

    Content Management allows users to create documents in the portal. Typical examples of features in which users can create documents are functions for uploading documents, editing documents online, providing feedback, joining in discussions, or writing reviews. By default, users create these documents using an HTML editor. In portals that allow anonymous users to access the portal from the Internet, we strongly recommend that anonymous users not be allowed to create documents in HTML, as they may abuse this privilege.

    For this reason, we recommend that you prevent anonymous users from creating documents by granting them read permissions only on all documents and folders. In the flexible user interface, layout sets for anonymous users should not contain any menu entries for actions that involve creating documents. Additionally, it is possible to configure discussions, reviews, and feedback to use a text editor instead of an HTML editor. We recommend that you make this setting. You can do this by setting an indicator in the relevant service.

    For more information on how to set this indicator in the discussion service, see Collaboration Services [SAP Library] in the KM administration guide. Use the same procedure for comments and feedback.
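    The recommendations for anonymous users in this section and the interface-command restrictions of section 1.6 (Deactivating Interface Commands) amount to three checks on the delivered configuration: the anonymous ACL is read-only, the anonymous layout set offers no change-causing commands, and the discussion, review and feedback services use the text editor. The Python below, added here as an example and not SAP code, audits a constructed configuration against these three points and produces the hardened form. The command names come from the guide; "Delete", "Details" and "Send To" as command labels, the service settings dictionary and its text_editor_only flag are assumptions made for the example.

```python
"""Audit of the guide's recommendations for anonymous users and for a minimal
configuration (added example; not SAP code). The change-causing command names
come from the guide; the services dictionary, the 'text_editor_only' flag and
the labels "Delete", "Details" and "Send To" are assumptions for this illustration.
"""
from typing import Dict, List, Set, Tuple

# Interface commands that cause changes (section 1.6): check-in, editing, deleting.
# "Delete" is an assumed label for the deletion commands, which the guide does not name.
CHANGE_COMMANDS = {
    "Upload", "Create New Text File", "Create New HTML File",   # check objects in
    "Edit Locally", "Edit Online",                              # edit objects
    "Delete",                                                   # delete objects
}

# Collaboration services that the guide says can be switched to a plain text editor.
EDITOR_SERVICES = ("discussion", "review", "feedback")


def minimal_layout_set(commands: List[str]) -> List[str]:
    """Strip every change-causing command, keeping the original order."""
    return [c for c in commands if c not in CHANGE_COMMANDS]


def audit_anonymous(layout_set: List[str], anonymous_permissions: Set[str],
                    services: Dict[str, Dict[str, bool]]) -> List[str]:
    """Return the deviations from the guide's recommendations for anonymous users."""
    findings = []
    exposed = [c for c in layout_set if c in CHANGE_COMMANDS]
    if exposed:
        findings.append("layout set offers change commands: " + ", ".join(exposed))
    extra = sorted(anonymous_permissions - {"read"})
    if extra:
        findings.append("anonymous users hold more than read permission: " + ", ".join(extra))
    for name in EDITOR_SERVICES:
        # A service missing from the configuration is treated as still using the HTML editor.
        if not services.get(name, {}).get("text_editor_only", False):
            findings.append(f"{name} service still uses the HTML editor; set the text-editor indicator")
    return findings


def harden(layout_set: List[str], anonymous_permissions: Set[str],
           services: Dict[str, Dict[str, bool]]) -> Tuple[List[str], Set[str], Dict[str, Dict[str, bool]]]:
    """Produce the corrected configuration: read-only ACL, no change commands, text editors."""
    fixed_services = {name: dict(cfg, text_editor_only=True) for name, cfg in services.items()}
    for name in EDITOR_SERVICES:
        fixed_services.setdefault(name, {"text_editor_only": True})
    return minimal_layout_set(layout_set), anonymous_permissions & {"read"}, fixed_services


if __name__ == "__main__":
    # Constructed delivered-style configuration for an Internet-facing portal.
    layout = ["Details", "Upload", "Create New HTML File", "Edit Online", "Send To", "Delete"]
    perms = {"read", "write", "delete"}
    svc = {"discussion": {"text_editor_only": False}, "feedback": {"text_editor_only": False}}
    for finding in audit_anonymous(layout, perms, svc):
        print("finding:", finding)
    print("after hardening:", audit_anonymous(*harden(layout, perms, svc)) or "no findings")
```

    Removing the menu entries alone is not sufficient, which is why the ACL check comes first: a layout set only hides commands in the user interface, while the read-only permission is what actually stops an anonymous request from creating a document.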


    1.8 Trace and Log Files

    The system writes log information of the Knowledge Management Platform to the file knowledgemanagement.*.log (* is a value between 0 and 9).

    You activate audit logging for ACLs by including the audit logging class com.sapportals.wcm.repository.security.SecurityAudit$Log in the configuration file logging.properties and setting the required level of detail:

    com.sapportals.wcm.repository.security.SecurityAudit$Log.severity = DEBUG

    For more information on logging, see KM Log [SAP Library] in the KM administration guide.
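    Whether ACL audit logging is actually on is a question of one property line, which makes it a good candidate for a scripted check. The Python below, added here as an example and not SAP code, reads a logging.properties text in Java properties syntax, reports the severity configured for the SecurityAudit$Log class, rewrites the text so that the class is present at the required level, and recognises the rotated knowledgemanagement.N.log file names. Only the class name and the file pattern come from the guide; the sample property text is constructed, and the reader is deliberately minimal (no line continuations or escape sequences).

```python
"""Check and enable the ACL audit logging setting of section 1.8 (added example; not SAP code).

Parses a logging.properties text in Java properties syntax (key = value),
reports the severity configured for the SecurityAudit$Log class, and
rewrites the file text so that the class is present at the required level.
The property text below is constructed; only the class name and the
knowledgemanagement.*.log file pattern come from the guide.
"""
import re
from typing import Dict, Optional

AUDIT_CLASS = "com.sapportals.wcm.repository.security.SecurityAudit$Log"
AUDIT_KEY = AUDIT_CLASS + ".severity"
# knowledgemanagement.<0-9>.log: the rotated KM log files named in the guide
KM_LOG_FILE = re.compile(r"^knowledgemanagement\.[0-9]\.log$")
_PROPERTY = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-properties reader: skips blank lines and # / ! comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROPERTY.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_severity(props: Dict[str, str]) -> Optional[str]:
    """Severity set for the ACL audit class, or None when audit logging is not configured."""
    value = props.get(AUDIT_KEY)
    return value.upper() if value else None


def enable_audit_logging(text: str, level: str = "DEBUG") -> str:
    """Return the properties text with the audit class set to `level` (replaced or appended)."""
    key_re = re.compile(r"^\s*" + re.escape(AUDIT_KEY) + r"\s*[=:]")
    lines = text.splitlines()
    new_line = f"{AUDIT_KEY} = {level}"
    for i, line in enumerate(lines):
        if key_re.match(line):
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def is_km_log_file(name: str) -> bool:
    """True for the rotated log files knowledgemanagement.0.log ... knowledgemanagement.9.log."""
    return KM_LOG_FILE.match(name) is not None


if __name__ == "__main__":
    # Constructed logging.properties that does not mention the audit class.
    WEAK = "# constructed sample\ncom.sapportals.wcm.severity = ERROR\n"
    print("audit severity before:", audit_severity(parse_properties(WEAK)))
    FIXED = enable_audit_logging(WEAK)
    print(FIXED)
    print("audit severity after:", audit_severity(parse_properties(FIXED)))
```

    Running the check from a scheduled job turns a one-time configuration step into something that is re-verified after every patch or restore of the portal server's configuration directory.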

    1.9 Appendix

    Related Security Guides

    You can find more information about the security of SAP NetWeaver(TM) under Security [SAP Library].

    Related Information

    For more information about topics related to security, see the links in the table below.

    Quick Links to Related Information

    Content | Quick Link on the SAP Service Marketplace (service.sap.com)
    Master guide, installation guides, and upgrade guides | instguides
    Related SAP Notes | notes
    Network security | network, securityguide
    Technical infrastructure | ti
    SAP Solution Manager | solutionmanager


    2 Search and Classification (TREX) Security Guide

    This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.

    About this Guide

    This guide describes security-relevant topics that affect the technical component Search and Classification of the Knowledge Management (KM) Platform. KM is a component of SAP NetWeaver. It is used for managing unstructured information.

    Related Security Guides

    Application | Guide
    SAP Web Application Server 6.40 | SAP Web Application Server Security Guide
    SAP Enterprise Portal 6.0 | Portal Platform Security Guide
    Content Management | Content Management Security Guide [Page 5]

    Why is Security Necessary?

    Search and Classification (TREX) enables you to configure secure communication between TREX and the applications that use TREX (for example, SAP Enterprise Portal and SAP Customer Relationship Management). The Secure Sockets Layer protocol (SSL protocol) with client authentication is used for secure communication between TREX components (preprocessor and Web server) and other applications that access TREX using the TREX Java client and the TREX ABAP client.

    TREX is a search and classification engine that is used to search in structured and unstructured data and documents. When documents are indexed and document content is searched by TREX, content containing personal or confidential information is also transmitted. The TREX security aspects prevent illegal access to, and manipulation of, documents and settings, and serve to ensure that data protection regulations are met.

    Target Groups

    - Technical consultants
    - System administrators

    This document is not included as part of the installation guides, configuration guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all time frames.


    Important SAP Notes

    Check regularly to see what SAP Notes are available about the security of the application.

    Important SAP Notes

    SAP Note Number | Title | Comment
    583396 | TREX 6.0/6.1: Preprocessing fails with return code 6403 |
    620169 | TREX 6.0/6.1: Cryptographic Software for Apache Web Server |
    656042 | TREX 6.0/6.1: TREX Web Page not accessible after update |
    701097 | SAP NetWeaver '04 Documentation | Contains information on corrections to the documentation after it has been delivered.
    701701 | TREX 6.1: Providing Certificates for TREX Java Client |

    2.1 Technical System Landscape

    Search and Classification (TREX) includes the following central components:

    - Java client and ABAP client
    - Web server with TREX extension
    - Queue server
    - Preprocessor
    - Index server with the TREX engines
    - Name server


    The graphic below shows the individual TREX components and how they communicate.

    [Figure: TREX components and their communication. An application using TREX reaches the Web server with TREX extension through the Java client (HTTP/HTTPS) and the RFC server through the ABAP client via the SAP Gateway (RFC/SNC). The TREX components (Web server, RFC server, Queue server, Preprocessor, Index server with the TREX engines, Name server) communicate with each other over TCP/IP. TREX data storages: Queues, Indexes.]

    TREX is based on a client/server architecture. The client software is integrated into the application that uses the TREX functions, and allows access to the TREX servers. The TREX servers execute the requests of the clients: they index and classify documents and respond to search queries.

    TREX offers an ABAP and a Java client. This allows ABAP and Java applications to use TREX functions. ABAP and Java applications communicate with the TREX servers using different protocols and components.

    ABAP applications communicate with TREX servers using the RFC protocol. This communication takes place using an SAP gateway and an RFC server.

    Java applications communicate with TREX using the HTTP or HTTPS protocol. This communication takes place using a Web server that is enhanced with TREX-specific functions.

    RFC and Web servers have similar functions: they receive the requests of the application, convert them to a TREX-internal format, and send them on to the responsible TREX server.

    The table below tells you where you can find more information about the technical system landscape.


    More Information About the Technical System Landscape

    Topic Guide/Tool Quick Link to the SAPService Marketplace

    (service.sap.com)

    TREX components andinfrastructure

    TREX installation guide Instguides

2.2 User Management and Authentication

User Management

User management is administrated by the application using TREX (for example, SAP Enterprise Portal or SAP Business Information Warehouse). TREX does not have its own user management. For more information on user management in SAP NetWeaver, see User Authentication and Single Sign-On [SAP Library].

Integration into Single Sign-On Environments

TREX is integrated into the SAP Enterprise Portal single sign-on environment. This means that TREX identifies itself to the portal using an SAP Logon ticket. For more information on client authentication, see Configuration of the TREX Security Settings [SAP Library].

Authorizations

The clients that access the TREX servers identify and authorize themselves to the TREX server in question using client certification, that is, client certificates presented on the HTTPS connection (TREX Java client to TREX Web server; TREX preprocessor to portal Web server). The TREX preprocessor identifies itself to the portal Web server using the SAP Logon ticket. Because a TREX server only allows access to an authenticated client, the access of each individual client to the TREX servers can be configured granularly. Note that this authenticates the calling component, not the end user: which users may see which documents remains the responsibility of the application that uses TREX, since TREX has no user management of its own.

2.3 Network and Communication Security

Communication Channel Security

Used Technologies

The following technologies are used for communication between the individual TREX components and between TREX and the applications that use TREX:

HTTP/HTTPS

TCP/IP (TREXNet)

RFC/SNC

SSL


The graphic below shows the individual TREX components and how they communicate.

[Figure: TREX components and their communication paths. Application using TREX: Java client, ABAP client. TREX components: Web server with TREX extension, RFC server and SAP Gateway, name server, preprocessor, queue server, index server (TREX engines). TREX data storages: queues, indexes. Java client to Web server: HTTP/HTTPS. ABAP client to SAP Gateway and RFC server: RFC/SNC. Preprocessor to the application's Web server: HTTP/HTTPS. All links between TREX components: TCP/IP (TREXNet).]

Communication between the TREX Java client and the TREX Web server, and between the portal Web server and the TREX preprocessor, takes place using HTTP/HTTPS. All other communication between the TREX components (name, index, queue, and Web server) takes place using a TREX-specific protocol (TREXNet) that is based on TCP/IP. The table below lists no authentication for the TREXNet links, so the hosts that run the TREX servers belong in a network segment whose other members you trust.

Communication Channels of TREX Components

TREX Component                   Communication Technology                                          Type of Authentication
Java client                      HTTP/HTTPS                                                        Client certification
ABAP client                      RFC/SNC                                                           (none listed)
Web server with TREX extension   HTTP/HTTPS; with other TREX components, TCP/IP (TREXNet)          Client certification
Preprocessor                     With portal Web server, HTTP/HTTPS; with other TREX components,   Client certification
                                 TCP/IP (TREXNet)
Name server                      TCP/IP (TREXNet)                                                  (none listed)
Queue server                     TCP/IP (TREXNet)                                                  (none listed)
Index server                     TCP/IP (TREXNet)                                                  (none listed)

Data Storage

The data that the TREX queue server (queues) and the TREX index server and its search engines (search index, text-mining index, and attribute-engine index) access are not stored in a database. They are stored on the file system in special directories.


Data Transfer

The communication between the TREX preprocessor and the portal Web server is used to retrieve and transmit document content from the repositories of the application using TREX (for instance, SAP Enterprise Portal). The TREX Java client is used to transmit search requests and commands (for instance, create a link) from the application to the TREX index server. The Java client also transmits the search results, responses to commands, and document content. This takes place in a similar way to the communication of an R/3 application with TREX using the TREX ABAP client and RFC. The data (search requests, search results, document content, and commands) is protected by securing the communication channels and by the certification of the communication partners. Since document content and search results travel over these channels, use HTTPS and SNC rather than plain HTTP and RFC wherever a channel leaves a trusted network segment.

Network Security

The TREX servers, components, and indexes can be distributed among various network segments using a scaling and load-balancing concept.

Note that no validated scaling concept is available for TREX 6.1 SP1.

When TREX is installed using SAPinst, the ports of the TREX servers are calculated from the instance number chosen for the TREX instance being installed:

30000 + 100 * <instance number> + <server number>

where the server number is 1 for the name server, 2 for the preprocessor, 3 for the index server, 4 for the queue server, and 5 for the HTTP server, as the example below shows. This method of calculation ensures that the ports do not clash with those of another TREX instance on the same host. The ports can also be configured individually.

If you chose instance number 48, the ports are as follows:

Name server 34801
Preprocessor 34802
Index server 34803
Queue server 34804
HTTP server 34805

Whether firewall settings need to be configured depends on whether a firewall separates TREX from the other systems in the technical system landscape. If it does, configure the firewall so that it passes traffic on the ports of the TREX servers in both directions for TCP/IP (not for UDP). Open these ports only for the hosts that run the application using TREX and the other TREX components, not for the whole network.
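The port scheme and the firewall requirement above, worked through as an added example (this is not code from the guide or from SAP): it derives the five ports of an instance, shows that two instances on one host cannot collide, expresses the TCP-only rule as iptables lines, and checks a netstat listing for servers that are not listening. The iptables syntax, the netstat format and the sample listing are assumptions; the guide names no firewall product and no host tool.

```python
"""Derive the TREX server ports of an instance, check that several instances on one
host cannot clash, and turn the port list into firewall rules and a listener audit.
Added example, not code from the SAP guide."""
import re

# Server numbers in the order the guide's example for instance 48 shows them
# (34801 = name server ... 34805 = HTTP server).
TREX_SERVERS = ("name server", "preprocessor", "index server",
                "queue server", "HTTP server")


def trex_ports(instance: int) -> dict:
    """Ports SAPinst assigns: 30000 + 100 * instance number + server number (1..5)."""
    if not 0 <= instance <= 99:
        raise ValueError("TREX instance numbers are two-digit")
    base = 30000 + 100 * instance
    return {name: base + n for n, name in enumerate(TREX_SERVERS, start=1)}


def clashing_ports(instances) -> set:
    """Ports that two or more of the given instances on one host would share."""
    seen, clashes = set(), set()
    for inst in instances:
        for port in trex_ports(inst).values():
            if port in seen:
                clashes.add(port)
            seen.add(port)
    return clashes


def firewall_rules(instance: int, app_hosts) -> list:
    """iptables rules (assumption: iptables syntax) that admit only the application
    hosts to the TREX ports over TCP and drop UDP; the reverse direction of each
    connection is covered by the stateful ESTABLISHED rule."""
    rules = ["-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for name, port in trex_ports(instance).items():
        for host in app_hosts:
            rules.append(f"-A INPUT -p tcp -s {host} --dport {port} "
                         f'-m comment --comment "TREX {name}" -j ACCEPT')
        rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
        rules.append(f"-A INPUT -p udp --dport {port} -j DROP")
    return rules


# Assumption: the listener list comes from `netstat -tln` style output; only the
# local address:port and the LISTEN state are parsed.
LISTEN_RE = re.compile(r"^\s*tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", re.M)


def audit_listeners(instance: int, netstat_output: str):
    """Return (listening, missing): which TREX servers of the instance are listening
    and on which local address, and which expected ports have no listener."""
    bound = {int(port): addr for addr, port in LISTEN_RE.findall(netstat_output)}
    listening, missing = {}, []
    for name, port in trex_ports(instance).items():
        if port in bound:
            listening[name] = bound[port]
        else:
            missing.append(name)
    return listening, missing


# Constructed sample output (not captured from a real TREX host): instance 48 with
# the HTTP server stopped and the index server bound to loopback only.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:34801           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:34802           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:34803         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:34804           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    print(trex_ports(48))
    print(audit_listeners(48, SAMPLE_NETSTAT))
    print("\n".join(firewall_rules(48, ["10.0.0.5"])))
```

The listener audit deliberately reports the bound address: a TREX server bound to 127.0.0.1, as the index server is in the sample, cannot be reached by an application on another host even if the firewall passes its port, while one bound to 0.0.0.0 depends entirely on the firewall rules for protection.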

Communication Destinations

When TREX is installed, you create one or more RFC destinations of connection type T so that the application can communicate with TREX. You choose the activation type Start or Activation when you create the RFC destination. The activation type determines how the SAP Gateway communicates with the RFC server.

In addition to the RFC connection, TREX uses HTTP/HTTPS for the communication between the TREX components and the application using TREX. The ports used for this are described under Network Security.


2.4 Data Storage Security

Data Storage Location

The data that the TREX queue server (queues) and the TREX index server and its search engines (search index, text-mining index, and attribute-engine index) access are stored on the file system in special directories. SAPinst creates the following directory for the TREX instance being installed:

On UNIX: /usr/sap/trex_

On Windows: :\usr\sap\trex_

The queues and indexes are then stored in the subdirectories /index and /queue. The paths to the directories are determined by SAP_RETRIEVAL_PATH when TREX is installed. In a distributed scenario, the system itself is responsible for the distributed storage of the data for the queues and indexes (not the case for TREX 6.1 SP1). The data is not stored temporarily anywhere else.

Type of Data Access

Only read access to the data takes place for search requests. If new documents are added to the data set, the indexes and queues must be changed and extended. This takes place using write, delete, or change access.

Level of Protection

The TREX installation is created by a root user who specifies a TREX user during the installation. This TREX user has read and write access to the directories that are created.

You need a separate UNIX or Windows user for every TREX instance that you install. You specify this user during the TREX installation. SAPinst makes sure that this user is the owner of all files and directories that belong to the TREX instance. On UNIX, the user must not have root permissions; on Windows, it must have administration permissions. This means that customers decide at file-system level who may access the data used by TREX and how. Since the indexes and queues hold the content of the indexed documents in processed form, the file-system permissions on these directories are all that stands between a local user and that content: grant nobody but the TREX user and the administrators access to them.

On Windows, the TREX setup program creates the Web site SAP_TREX_ on the Web server. As a result, an anonymous user is defined for access to the Web site. By default this anonymous user is called IUSR_. The anonymous user needs Full Control permission for the TREX directory.

You can ensure this in one of the following ways:

Variant 1: You determine the anonymous user entered in the properties of the Web site SAP_TREX_. You give this user Full Control access to the TREX directory and to all files and subdirectories it contains.

Variant 2: You change the anonymous user in the properties of the Web site SAP_TREX_. Instead of the default setting IUSR_, you enter a local user that has Full Control access to the TREX directory.

Full Control for the account under which anonymous Web requests run is a wide grant: whoever can reach the Web site acts on the TREX directory with that account's rights. Keep the Web site reachable only from the hosts of the TREX Java clients, and rely on the client certification described under User Management and Authentication so that only authenticated clients are served.

For more information on the user permissions given during the TREX installation, see the TREX installation guide at service.sap.com/instguides → SAP NetWeaver → Release 04 → Installation → Search and Classification (TREX) 6.1 Installation Guide.


2.5 Security for Additional Applications

The following applications are delivered with the TREX installation.

Additional Applications

Application                                    Comments
Microsoft Internet Information Server (IIS)    External
Apache Web Server                              External
SAPinst                                        SAP internal
SAP Gateway                                    SAP internal

The Microsoft Internet Information Server (IIS) and the Apache Web Server, which on Windows and UNIX respectively communicate with the CM Java client as TREX Web servers, both have their own validated security concepts that are referred to in the configuration of TREX security.

During the SAPinst TREX installation, the required permissions are given for the Microsoft Internet Information Server (IIS) (see Data Storage Security [Page 20], Level of Protection). You can use the cryptography tool SAPGENPSE to configure secure communication between the TREX preprocessor and the portal Web server, and between the TREX Web server and the TREX name server. You obtain SAPGENPSE as part of the SAP Cryptographic Library from the SAP Service Marketplace.

The cryptography tool OpenSSL is used for the secure configuration of the Apache Web Server. You use a build process to generate the tool OpenSSL and the library mod_ssl.so, both of which you need for the secure communication of the Apache Web server.

For more information on the user permissions given during the TREX installation, see the TREX installation guide at service.sap.com/instguides → SAP NetWeaver → Release 04 → Installation → Search and Classification (TREX) 6.1 Installation Guide.

For more information on the configuration of TREX security, see the SAP Library at help.sap.com/NW04 → SAP NetWeaver → Information Integration → Knowledge Management → Security Configuration → Configuration of the TREX Security Settings [SAP Library].

2.6 Minimal Installation

Minimal Installation and Required Components

A minimal TREX system consists of one TREX instance (one installation of the server software). You can use a minimal TREX system as a demo, test, or productive system.

The TREX servers (queue server, index server, preprocessor, and name server) can be used by one or more applications. When you are installing TREX, you need to know the type of application and the communication protocol. There are the following possibilities:

The TREX servers are only used by Java applications. In this case, only execute the installation steps necessary for an HTTP connection.

The TREX servers are only used by ABAP applications. In this case, only execute the installation steps necessary for an RFC connection.


The TREX servers are used by Java and ABAP applications. In this case, execute the installation steps necessary for both an HTTP and an RFC connection.

For example, the documents to be indexed are sent by an ABAP application to TREX, and the search takes place using a Web application (Java application). In this scenario, both an RFC and an HTTP connection are needed.

For more information on a minimal TREX installation, see the TREX installation guide at service.sap.com/instguides → SAP NetWeaver → Release 04 → Installation → Search and Classification (TREX) 6.1 Installation Guide.

TREX Test Package

New TREX releases are always tested internally using a predefined test package with a standard test landscape and verifiable test data. In particular, the handling of mass data (mass tests), load limits (stress tests), and the performance of TREX are checked. The test package calls test atoms in the form of Python scripts that test the basic functionality of TREX and are stored in the directory \python_support.

When you have installed TREX, you execute the Python script runInstallationTest.py, which tests the basic functions of TREX. This script calls a subset of the TREX test atoms to check the functional correctness of TREX. If the Python script runs successfully, you know that TREX has been installed properly, the configuration files contain the necessary entries, and the TREX servers are running.

TREX Administration Tools

TREX provides various administration tools for administrating the TREX servers. Some of them are located in the TREX installation directory (/usr/sap/trex_: TrexGui.exe, TrexQueueClient.exe) and others in the Python support directory (\usr\sap\trex_11\python_support: topoView.py, TrexAdminTool.py, etc.). You can delete these test and administration tools without restricting the TREX functions, but for supportability reasons we do not recommend that you do so. If you keep them, make sure they are executable only by the TREX user and the administrators, since they act directly on the TREX servers.

SAPinst Tool

The SAPinst tool can also be deleted after the installation. However, this deletes important information on the installation that could be needed if a terminated TREX installation needs to be continued.

2.7 Trace and Log Files

With a standard configuration, TREX writes all error messages that arise during routine operation to trace and alert files. The TREX daemon, the individual TREX servers, and other TREX components all write their own trace files.

These trace files contain error messages that the index server, name server, preprocessor, queue server, and Web server return during routine operation. With the standard configuration, the trace files only contain error messages.


If you set a higher trace level, the entire content of the documents being processed can be written to the trace files. The SAP Logon ticket (the ticket parameter) might also appear in a trace file when tracing the TREX preprocessor.

These trace files are protected for the following reasons:

Only administrators have permission to access the TREX trace directories.

The trace level must be set explicitly in the corresponding TREX configuration file.

Treat a raised trace level as a temporary measure: a logon ticket written to a trace file can be replayed until it expires, so reset the trace level after troubleshooting, delete or move the trace files written at the higher level, and verify that the trace directories are still readable only by administrators.
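The protection model of section 2.4 (the TREX user owns everything and nobody else needs access) and the trace-file warning above, combined into one added check (this is example code, not from the guide or from SAP): it audits ownership and permissions of a UNIX instance directory and scans trace files for logon tickets, reporting only a redacted fragment. Assumptions not stated by the page: tickets appear as the MYSAPSSO2 cookie value or a ticket= parameter, trace files end in .trc, and the demo builds its own throwaway directory with constructed trace lines.

```python
"""UNIX file-system audit for a TREX instance directory, plus a scan of trace files
for SAP Logon tickets that a raised trace level may have written. Added example,
not code from the SAP guide."""
import os
import re
import stat
import tempfile

# Assumption: tickets travel as the MYSAPSSO2 cookie value or a ticket= parameter,
# a long base64-like string ('!' occurs in the cookie encoding). The guide only
# says the ticket may appear in preprocessor traces.
TICKET_RE = re.compile(r"\b(MYSAPSSO2|ticket)=([A-Za-z0-9+/=!]{40,})")


def audit_instance_dir(root: str, trex_uid: int) -> list:
    """Report deviations from the guide's model: the TREX user must not be root,
    must own every file and directory, and 'other' should have no access at all."""
    findings = []
    if trex_uid == 0:
        findings.append("TREX user is root; the guide requires a non-root user on UNIX")
    for sub in ("index", "queue"):
        if not os.path.isdir(os.path.join(root, sub)):
            findings.append(f"missing data directory {sub}/")
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            rel = os.path.relpath(path, root)
            if st.st_uid != trex_uid:
                findings.append(f"{rel}: owned by uid {st.st_uid}, expected {trex_uid}")
            if st.st_mode & stat.S_IRWXO:
                findings.append(f"{rel}: accessible by others (mode {stat.S_IMODE(st.st_mode):04o})")
    return findings


def find_ticket_leaks(lines) -> list:
    """(line number, kind, redacted value) for each trace line carrying a ticket.
    The ticket itself is never returned: it is a bearer credential until it expires."""
    hits = []
    for no, line in enumerate(lines, start=1):
        m = TICKET_RE.search(line)
        if m:
            tok = m.group(2)
            hits.append((no, m.group(1), f"{tok[:4]}...{tok[-4:]} ({len(tok)} chars)"))
    return hits


def scan_trace_dir(trace_dir: str) -> list:
    """Run find_ticket_leaks over every .trc file below trace_dir (assumed suffix)."""
    results = []
    for dirpath, _dirs, files in os.walk(trace_dir):
        for f in sorted(files):
            if f.endswith(".trc"):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for no, kind, red in find_ticket_leaks(fh):
                        results.append((os.path.relpath(path, trace_dir), no, kind, red))
    return results


# Constructed sample trace lines (not real TREX output); the cookie value is the
# base64 of a test string, not a real ticket.
SAMPLE_TRACE = [
    "[2004-04-29 10:15:02] preprocessor: GET /irj/go/km/docs/report.doc",
    "[2004-04-29 10:15:02] preprocessor: Cookie: MYSAPSSO2=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5",
    "[2004-04-29 10:15:03] preprocessor: 200 OK, 38211 bytes",
]


def demo_audit():
    """Build a throwaway instance directory owned by the current user, audit it
    clean, then with one world-readable index file and a trace file holding
    SAMPLE_TRACE. Returns (clean findings, bad findings, ticket leaks)."""
    root = tempfile.mkdtemp(prefix="trex_demo_")
    uid = os.getuid()
    os.chmod(root, 0o750)
    for sub in ("index", "queue", "trace"):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o750)
    idx = os.path.join(root, "index", "main.idx")
    with open(idx, "w") as fh:
        fh.write("index data")
    os.chmod(idx, 0o640)
    clean = audit_instance_dir(root, uid)
    os.chmod(idx, 0o644)  # the mistake: index content readable by every local user
    trc = os.path.join(root, "trace", "TrexPreprocessor.trc")  # assumed file name
    with open(trc, "w") as fh:
        fh.write("\n".join(SAMPLE_TRACE) + "\n")
    os.chmod(trc, 0o640)
    bad = audit_instance_dir(root, uid)
    leaks = scan_trace_dir(os.path.join(root, "trace"))
    return clean, bad, leaks


if __name__ == "__main__":
    for part in demo_audit():
        print(part)
```

Run the audit as the TREX user against the real instance directory and the trace directories after every troubleshooting session; a leak finding means the trace files must be removed and the affected ticket treated as exposed until it expires.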

2.8 Appendix

Related Security Guides

You can find more information about the security of SAP applications on the SAP Service Marketplace, using the quick link security. Security guides are available using the quick link securityguide.

Related Information

For more information about topics related to security, see the links in the table below.

Quick Links to Related Information

Content                                                   Quick Link on the SAP Service Marketplace (service.sap.com)
Master guide, installation guides, upgrade guides,        instguides
and solution management guides                            ibc
Related SAP Notes                                         notes
Released platforms                                        platforms
Network security                                          network
                                                          securityguide
Technical infrastructure                                  ti
SAP Solution Manager                                      solutionmanager

Checklists

The TREX installation guide contains checklists for the following scenarios:

TREX installation with HTTP connection

TREX installation with RFC connection

TREX installation with HTTP and RFC connections

The TREX installation guide is located at service.sap.com/instguides → SAP NetWeaver → Release 04 → Installation → Search and Classification (TREX) 6.1 Installation Guide.