IBM Support

Enabling URL expiration on documents viewed on DB2 CommonStore for SAP

Question & Answer


Question

In using IBM® DB2® CommonStore for SAP, I find that the URL does not expire and any user can view a document. How can I resolve this issue?

Answer

Security (access rights, expiration, and so on) is actually handled by the SAP system. A user can enable or disable security in the SAP transaction oac0 (Administration view of content repositories) by selecting or clearing the "No signature" check box. However, this check box is somewhat misleading: if you select it, security is disabled; if you clear it, security is enabled. Note that this check box is visible only if you switch to "Full Administration".

The settings on the SAP side need to match the settings made in the archint.ini file. In archint.ini, you enable security by adding the keyword PROTECTION rcud to the appropriate archive section. This is the default setting. By using just a subset of the available protection flags r (= read), c (= create), u (= update), and d (= delete), you can enable security/protection for specific kinds of operations only. If security on the SAP side is disabled (by selecting "No signature"), you have to disable security/protection on the CommonStore for SAP side as well by adding the keyword PROTECTION OFF to the appropriate archive section. If protection/security is enabled, the user also has to download the sapsecu library from SAP and copy it into the CommonStore for SAP bin directory. (For legal reasons, this library is not included in the product shipment.)

If security is enabled (in this case the URL contains a secKey parameter), one of the discussed security issues is corrected: the URL now contains an expiration time. Thus the URL expires at a specific point in time and cannot be used afterwards.

Example URL containing the expiration and secKey parameters:

http://pswdf009:1080/ContentServer/ContentServer.dll?get&pVersion=0045
&contRep=K1&docId=361A524A3ECB5459E0000800099245EC&accessMode=r
&authId=pawdf054_BCE_26&expiration=19981104091537&secKey=g3AhQg%3D%3D

However, this kind of security does not solve the problem that the URL can be copied and used by unauthorized people before it expires.
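The following Python check is an added example, not IBM or SAP code. It classifies a document URL along the lines described above: no secKey means protection is off, a secKey with a future expiration means the URL still works for anyone who holds a copy, and plain HTTP means it travels unencrypted. It assumes the expiration value is YYYYMMDDhhmmss in UTC; the function name audit_url and its finding labels are made up for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qsl

# The example URL from this page, joined onto one line.
EXAMPLE_URL = (
    "http://pswdf009:1080/ContentServer/ContentServer.dll?get&pVersion=0045"
    "&contRep=K1&docId=361A524A3ECB5459E0000800099245EC&accessMode=r"
    "&authId=pawdf054_BCE_26&expiration=19981104091537&secKey=g3AhQg%3D%3D"
)


def audit_url(url, now):
    """Classify one document URL as of `now` (timezone-aware datetime).

    audit_url and its finding labels are illustrative names, not product terms.
    """
    parts = urlsplit(url)
    # The command ("get") is a bare token, so keep blank values when parsing.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    findings = []
    if parts.scheme != "https":
        findings.append("plain-http")  # URL and document travel unencrypted
    if not params.get("secKey"):
        findings.append("unsigned")  # protection is off: no expiry is enforced
        return findings
    try:
        # Assumption: expiration is YYYYMMDDhhmmss, interpreted as UTC.
        expires = datetime.strptime(
            params.get("expiration", ""), "%Y%m%d%H%M%S"
        ).replace(tzinfo=timezone.utc)
    except ValueError:
        findings.append("bad-expiration")
        return findings
    # Until expiry the URL is a bearer link: whoever holds a copy can use it.
    findings.append("expired" if now >= expires else "valid-bearer-link")
    return findings


if __name__ == "__main__":
    just_before = datetime(1998, 11, 4, 9, 15, 36, tzinfo=timezone.utc)
    print(audit_url(EXAMPLE_URL, just_before))
```

Run over URLs collected from proxy or web server logs, the "unsigned" and "plain-http" findings point at repositories where the SAP and archint.ini protection settings should be reviewed.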

To solve the other security problems, the user has to use HTTPS as the communication protocol. There are two possible usage scenarios:

  • HTTPS with server authentication and encryption (so-called "HTTPS without client authentication")
  • HTTPS with server authentication, encryption and client authentication (so-called "HTTPS with client authentication")

If the first option is used, the transferred data is encrypted (thus it cannot be read or tampered with) and the SAP server is authenticated. However, if someone obtained a URL that has not yet expired, they would be able to download the document because the client is not authenticated.

For maximum security, you could use the second option: this not only encrypts the data and authenticates the server, but also authenticates the client. Thus, someone without a correct HTTPS/SSL certificate cannot access a document, even if that user has a valid URL. However, this option is difficult to customize, as you would have to create SSL certificates for the SAP server and the CommonStore for SAP server, plus at least one certificate for requesting clients.

Note that HTTPS is supported by SAP R/3 4.6c or later, and CommonStore for SAP V8.2 or later.


Document Information

Modified date:
17 June 2018

UID

swg21221290