Further Security-Relevant Information

Active Code

Various types of active code are used in Knowledge Management (KM). This code is executed on the client host in the Web browser.

The types of active code, their use, and the related notes are as follows.

ActiveX

Use: Used for the Local Editing function.

Note: You can restrict the execution of ActiveX to the safe zone in which you also included the portal. If your security policy rules out ActiveX, you cannot use the Local Editing function. For more information, see Online and Local Editing.

JavaScript

Use: Used by the HTMLB software component (for example, for client-side checks of entries and for generating popup menus).

Note: JavaScript is used extensively in the portal.

Java

Use: Java applets are used for Local Editing and for the XML Forms Builder application.

Note: When launching the XML Forms Builder application and the Local Editing function, you must log on if the ume.logon.httponlycookie=true parameter is set in the User Management Engine configuration (see Editing UME Properties). Basic authentication is used to log on. If this parameter is set to false, the current logon ticket is used instead. If the logon ticket is used, there is a risk that it could be read by malicious scripts. SAP therefore recommends setting this parameter to true. If your security policy rules out Java applets, you cannot use the XML Forms Builder. To use the Local Editing function, you also need ActiveX.

Configuration on Secure Sockets Layer (SSL)

SAP recommends that you configure Knowledge Management in a portal that is secured with SSL encryption. Otherwise, communication could be overheard.

Anonymous Users and Creating Documents

Users can use Content Management to create documents in the portal. Examples of document creation are uploading and editing documents, sending feedback, taking part in discussions, and writing reviews. Users normally create these documents using the HTML Editor. In the case of portals that give anonymous users access over the Internet, we strongly recommend limiting the scope of the HTML editor (see the following section), since anonymous users could abuse the options available in the HTML editor (for example, by inserting HTML text).

We also recommend that you give anonymous users read permission only for all documents and folders. You should not give them write permission. On the flexible UI, layout sets for anonymous users cannot contain menu items for creating documents.

It is possible to configure discussions, reviews, and feedback in such a way that users can create them using the secure HTML editor, which has a limited scope. We recommend that you make this setting. You can do this by setting a parameter in the services in question. For more information on setting this parameter, see Collaboration Services in the KM Administration Guide. Use the same procedure for comments and feedback.

You can also configure the XML Forms Builder so that no HTML can appear in the forms created and no JavaScript can be executed. For more information, see Form-Based Publishing and Options.

Secure Configuration of the HTML Editor

In the configuration of the HTML editor, you can deactivate security-relevant editing functions, such as the insertion of HTML text.

If you activate the secure HTML editor, the editor only allows changes to the formatting (bold, italics, underlining). You can allow additional editing functions.

You can also safeguard the HTML editor so that no further editing functions are supported and insertion of HTML-formatted text is not possible.

For more information, see HTML Editor.

Deactivating Repository Services

If you deactivate the time-dependent publishing (tbp) and status management (statemngt) repository services in the configuration of repository managers after documents have been created, all documents in folders of these repositories become visible to all users. While the services are active, some documents are not visible, because they have a status that restricts visibility to certain user groups or time periods.

Encoding and Decoding Executable Scripts in Text Files

Using the malicious script filter, you can prevent the accidental execution of executable scripts contained in text files that are uploaded to or modified in the KM repositories. You can optionally run the Malicious Script Handler report to decode the encoded scripts, or to encode scripts contained in files that are already available in the KM repositories.
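The following added illustration (not SAP's malicious script filter, whose detection rules and encoding format are not documented on this page) shows the principle of encoding rather than deleting: fragments that a browser would execute are HTML-entity encoded so that they render as literal text, and can be decoded again by an administrator. The marker strings, the detection patterns and the sample file are constructed for this example.

```python
import html
import re

# Markers placed around an encoded fragment so that decoding can find it again.
# Constructed for this illustration; KM's own encoding format is not shown on the page.
OPEN_MARK = "[[encoded-script]]"
CLOSE_MARK = "[[/encoded-script]]"

# Fragments a browser would execute if the text file were rendered as HTML.
# Whole elements are matched, so encoding the leading '<' prevents the tag from forming
# (entity-encoding only an attribute value would not help: browsers decode entities there).
# Illustrative patterns; they are deliberately conservative.
EXECUTABLE = re.compile(
    r"<script\b[^>]*>.*?</script\s*>"            # inline script element
    r"|<[a-z][^>]*\bon[a-z]+\s*=[^>]*>"           # any tag carrying an on* event handler
    r"|<[a-z][^>]*\bjavascript:[^>]*>",           # any tag carrying a javascript: URL
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample of a text file uploaded to a repository.
SAMPLE = (
    "<h1>Release notes</h1>\n"
    "<p>Plain text with a <b>bold</b> word.</p>\n"
    "<script>alert(document.cookie)</script>\n"
    '<img src="x" onerror="alert(1)">\n'
    '<a href="javascript:alert(2)">link</a>\n'
)


def find_executable_fragments(text):
    """Return the executable fragments found in the text (empty list means clean)."""
    return [m.group(0) for m in EXECUTABLE.finditer(text)]


def encode_scripts(text):
    """Neutralise executable fragments by entity-encoding them between markers."""
    def neutralise(match):
        return OPEN_MARK + html.escape(match.group(0), quote=True) + CLOSE_MARK
    return EXECUTABLE.sub(neutralise, text)


def decode_scripts(text):
    """Reverse encode_scripts (assumes the markers did not occur in the original text)."""
    marked = re.compile(re.escape(OPEN_MARK) + r"(.*?)" + re.escape(CLOSE_MARK), re.DOTALL)
    return marked.sub(lambda m: html.unescape(m.group(1)), text)


if __name__ == "__main__":
    print("found:", find_executable_fragments(SAMPLE))
    print(encode_scripts(SAMPLE))
```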

For more information, see Malicious Script Filter and Encoding and Decoding Executable Scripts.