Show TOC Start of Content Area

Background documentation Scenario C: One Public Content Server (cFolders)  Locate the document in its SAP Library structure

In scenario C, a content server that is accessible from the Internet and/or the intranet is added to the network environment:

This graphic is explained in the accompanying text

Scenario C: One Public Content Server

If you configure the external firewall to allow direct access to both the SAP Web AS and the content server, you end up with two servers that can be accessed by external users. The consequences are as follows:

        One subnet for both servers is sufficient. Both can be reached by external users, which means that they are on exactly the same security level.

        External access to each server must only be possible using HTTPS, not HTTP.

        Access by internal users causes no security problems.

At this point, it is important to understand that the SAP Web AS and the content server use totally different HTTP technologies. The SAP Web AS is a completely new server designed for Internet use, and so far, no known attack by a hacker has succeeded. The content server runs as a Microsoft Internet Server API (ISAPI) extension to a Microsoft Internet Information Server (IIS). Since IIS is a very popular product, it has been the target of many hostile attacks. The installation of all relevant security patches for the IIS is therefore highly recommended.

Another big difference between the SAP Web AS and the content server is that access to the cFolders server (SAP Web AS) requires user authentication by login or X509 certificates. Access to the content server, however, does not require authentication by user login. User authentication for the content server (and cache server) relies on signed URLs, which consists of two elements: normal parameters and authentication. As a result, the URL is quite long: a signed URL can have more than 700 characters.

A signed URL for content server access must be created from the cFolders server. In cFolders, you usually never see these URLs. If a user opens a file, they are created on demand in the cFolders server. The signed part of the URL contains a digital signature that repeats the unsigned parameters and allows the content server to check whether the URL has been properly identified by the cFolders server. The URL also contains a time stamp (default: 2 hours). To access a file from the content server the following steps are required:

Download:

       1.      Logon to the cFolders server (SAP Web AS) with strong user authentication.

       2.      User navigates in cFolders and wants to read a file (download).

       3.      cFolders creates a signed URL that can be used in a HTTP GET request to the content server. The URL is only valid for 2 hours.

The upload procedure is similar:

...

       1.      Logon to the cFolders server (SAP Web AS) with strong user authentication.

       2.      User navigates in cFolders and wants to create a document.

       3.      cFolders creates a signed URL that can be used in a HTTP POST request to the content server. The URL is only valid for 2 hours. Furthermore, it can only be used once, which means that you can only create the document once within a time frame of two hours.

End of Content Area