
Network Security

This section is valid for both the Windows and UNIX versions of the SAP Content Server.

·        You can operate the content server in a different network segment from that of the database. It is important that the Content Storage Host can be reached via an appropriate route. The content server and the database server communicate entirely through the ODBC protocol. The ports 7200/sql30 and 7210/sql6 must be opened on the database server.

·        Special security measures are necessary, especially in configurations where you want to access documents from the extranet:

o        The content server should be set up in the demilitarized zone (DMZ).

o        The content server has exclusive access to local repositories that manage documents held temporarily for access from the extranet. These documents should ideally be stored in an SAP DB instance. You should definitely change the password for the database user.

o        A further content server located in the intranet has access to the database repositories in the demilitarized zone through ODBC. This requires that the repositories are manually entered in the configuration file of the content server. In particular, you must ensure that the content server knows that the password of the database user has been changed.

With this internal content server the documents requested in the extranet can now temporarily be placed in the database instance of the DMZ, simply by copying them into a DMZ repository.

The URL required for accessing them can then be given to the extranet client. Conversely, the extranet client can check documents into the DMZ repository. Using an appropriate workflow, the application can then copy these documents from the DMZ into an internal repository, and even carry out security checks (virus check, etc.) beforehand.

o        Only by using the procedure outlined above can you exclude access through the DMZ from the extranet into the intranet. Extranet clients are allowed HTTP access to the content server in the DMZ, but the whole document transfer between the intranet and the DMZ is controlled from the intranet. These control mechanisms and the entire workflow effort associated with them are the responsibility of the application and are not contained in KPro.
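
The flow restrictions described above can be checked against a firewall rule set. The following is an added example, not part of the SAP documentation: the zone and role labels, the Rule structure and the HTTP port 1090 are assumptions, while ports 7200 and 7210 are those named in this section. It treats the flows listed in this section as the only ones allowed across zone boundaries.

```python
from typing import NamedTuple

HTTP_PORT = 1090         # assumption: content server HTTP port (not given on the page)
DB_PORTS = {7200, 7210}  # from the page: 7200/sql30 and 7210/sql6

class Rule(NamedTuple):
    """One 'allow' rule: who may open a connection to whom."""
    src_zone: str  # "extranet", "dmz" or "intranet"
    dst_zone: str
    dst_role: str  # hypothetical role labels: "cs" = content server, "db" = database
    port: int

def violation(rule: Rule):
    """Return None if the design needs this flow, else a short reason."""
    if rule.src_zone == rule.dst_zone:
        return None  # traffic inside one zone does not cross the firewall
    if rule.dst_zone == "intranet":
        return "connection initiated into the intranet"
    if rule.dst_zone == "extranet":
        return "outbound connection to the extranet is not part of the design"
    # Remaining case: destination is the DMZ.
    if rule.src_zone == "extranet":
        if rule.dst_role == "db":
            return "database exposed to the extranet"
        if rule.dst_role == "cs" and rule.port == HTTP_PORT:
            return None  # extranet clients get HTTP to the DMZ content server
        return "extranet may only use HTTP to the DMZ content server"
    # Source is the intranet: only the ODBC ports of the DMZ database.
    if rule.dst_role == "db" and rule.port in DB_PORTS:
        return None
    return "intranet may only reach the DMZ database ports"

def audit(rules):
    """List (rule, reason) for every rule the design does not call for."""
    return [(r, why) for r in rules if (why := violation(r)) is not None]

# Constructed sample rule set, not taken from any real firewall.
SAMPLE = [
    Rule("extranet", "dmz", "cs", HTTP_PORT),
    Rule("intranet", "dmz", "db", 7200),
    Rule("intranet", "dmz", "db", 7210),
    Rule("extranet", "dmz", "db", 7210),       # exposes the database
    Rule("dmz", "intranet", "cs", HTTP_PORT),  # DMZ host calling inwards
]

if __name__ == "__main__":
    for rule, why in audit(SAMPLE):
        print(f"REJECT {rule}: {why}")
```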

 
