
Secure URLs (background documentation)

Protection Against Unauthorized Access to Stored Content

To prevent unauthorized access to content stored on the SAP Content Server, the SAP system carries out an authorization check before it hands a URL to the client. The content server itself, however, is reached over the open SAP Content Server interface (see also SAP Content Server HTTP 4.5 Interface), so anyone who can construct a URL can send one. URLs must therefore be secured so that only authorized requests reach stored content and forged or modified requests are rejected. To secure a URL, it is given a characteristic (like the watermark on a banknote) that lets the receiver detect whether the URL has been tampered with (just as a missing watermark reveals a forged banknote).

In the case of a Content Server URL, this characteristic is the signature. The signature is computed from the URL itself (a hash of the URL, signed with the SAP system's private key, as described below) and is transferred to the content server as part of the URL. A signed URL carries two additional parameters: expiration (see also Parameters and Keywords) and secKey (the digital signature). A signed URL is valid only if the expiration time has not passed and the signature is valid.

The content server verifies the signature against the URL it received, using the SAP system's public key, and executes the request only if the URL and the signature match. If an intruder changes any part of the plaintext in the URL (for example the document ID or the expiration time), the signature no longer matches the URL and the content server rejects the request. Note that the signature protects the integrity of the URL, not its confidentiality: anyone who obtains a signed URL can use it until it expires, so the validity period should be kept short.

The signature is based on the RSA procedure and MD5 hashing. (MD5 is no longer considered collision resistant; the protection therefore rests on the private key staying secret and on the expiration window being short.)

RSA is a public-key (asymmetric) procedure: it uses a key pair consisting of a private key and a public key. The private key is needed to create the signature; the public key is needed to check the validity of the signature. For the technical details of this procedure, see the documentation Secure Store & Forward / Digital Signatures (BC-SEC-SSF).

In the three-way relationship client – SAP system – content server, the SAP system is the only party that issues request URLs to the client; the client then forwards the URL it was given to the content server. The SAP system therefore creates the URL signature with its private key, which must never leave the SAP system.
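The following Python program is an added example, not SAP's own code, showing the two-sided protocol described above: the SAP system appends expiration and signs the URL with its private key, and the content server checks the expiration time and then verifies secKey against the URL with the public key. Textbook RSA over an MD5 digest stands in for the SSF signature; the padding, the encoding of secKey, the exact bytes that are signed, the YYYYMMDDHHMMSS expiration format, and all URL parameter names other than expiration and secKey are assumptions made for illustration. The demo-sized key pair is generated in the script (in a real system the key lives in the SAP system's PSE and is never generated like this).

```python
"""Signed Content Server-style URL: build it, verify it, reject tampering.

Added example, not SAP code. Textbook RSA over an MD5 digest of the URL stands
in for the SSF signature the page describes; padding, encoding, the exact bytes
signed and the expiration format are not given on the page and are assumed.
"""
import base64
import binascii
import hashlib
import random
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

EXPIRATION_FMT = "%Y%m%d%H%M%S"  # assumed: UTC timestamp, seconds resolution


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin test (demo helper; real keys come from the SAP system's PSE)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits=512, seed=None):
    """Return ((n, e), (n, d)). Demo-sized; seed is for reproducibility only."""
    rng = random.Random(seed)
    e, half = 65537, bits // 2
    while True:
        p = rng.getrandbits(half) | (1 << (half - 1)) | 1
        q = rng.getrandbits(half) | (1 << (half - 1)) | 1
        if p == q or not (_is_probable_prime(p, rng) and _is_probable_prime(q, rng)):
            continue
        phi = (p - 1) * (q - 1)
        if phi % e == 0:  # e is prime, so this is the gcd(e, phi) == 1 check
            continue
        return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(url_without_seckey):
    # Assumed: everything before "&secKey=" is what the signature covers.
    return int.from_bytes(hashlib.md5(url_without_seckey.encode("utf-8")).digest(), "big")


def sign_url(base_url, private_key, valid_for=timedelta(minutes=10), now=None):
    """SAP-system side: append expiration, then secKey = RSA signature over the URL."""
    now = now or datetime.now(timezone.utc)
    url = f"{base_url}&expiration={(now + valid_for).strftime(EXPIRATION_FMT)}"
    n, d = private_key
    sig = pow(_digest(url), d, n)  # textbook RSA, no padding: demo only
    sec_key = base64.urlsafe_b64encode(sig.to_bytes((n.bit_length() + 7) // 8, "big")).decode()
    return f"{url}&secKey={sec_key}"


def verify_url(signed_url, public_key, now=None):
    """Content-server side: return (accepted, reason). Both checks must pass."""
    now = now or datetime.now(timezone.utc)
    head, sep, sec_key = signed_url.rpartition("&secKey=")  # assumed: secKey is last
    if not sep:
        return False, "unsigned: secKey missing"
    params = dict(parse_qsl(urlsplit(head).query, keep_blank_values=True))
    try:
        expires = datetime.strptime(params["expiration"], EXPIRATION_FMT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "expiration missing or malformed"
    if now > expires:
        return False, "expired"
    n, e = public_key
    try:
        sig = int.from_bytes(base64.urlsafe_b64decode(sec_key), "big")
    except (binascii.Error, ValueError):
        return False, "secKey malformed"
    # Any change to the plaintext (docId, contRep, expiration, ...) changes the digest.
    if sig >= n or pow(sig, e, n) != _digest(head):
        return False, "signature does not match URL"
    return True, "ok"


DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
# Constructed sample URL; parameter names other than expiration/secKey are assumed.
DEMO_BASE = ("http://cs.example.invalid:1090/ContentServer/ContentServer.dll"
             "?get&pVersion=0046&contRep=K1&docId=4F1A2B3C&accessMode=r")


def run_demo():
    """Exercise the outcomes the page describes; returns {case: (accepted, reason)}."""
    public_key, private_key = generate_keypair(bits=512, seed=2024)
    good = sign_url(DEMO_BASE, private_key, now=DEMO_NOW)  # expires 20240101121000
    return {
        "valid": verify_url(good, public_key, now=DEMO_NOW),
        "tampered_docid": verify_url(good.replace("docId=4F1A2B3C", "docId=DEADBEEF"), public_key, now=DEMO_NOW),
        "tampered_expiration": verify_url(good.replace("expiration=20240101121000", "expiration=20991231235959"), public_key, now=DEMO_NOW),
        "expired": verify_url(good, public_key, now=DEMO_NOW + timedelta(hours=1)),
        "unsigned": verify_url(DEMO_BASE, public_key, now=DEMO_NOW),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in run_demo().items():
        print(f"{case:20s} accepted={accepted} ({reason})")
```

The order of the checks in verify_url matters: the expiration test is cheap and is done first, but extending the expiration in the URL does not help an attacker, because the expiration value is part of the signed plaintext and the signature check then fails. The signature covers everything before secKey, so the server must sign and verify exactly the same byte string; any re-encoding of the URL between the SAP system and the content server would break verification.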

The public key (certificate) of the SAP system must be stored on the content server, and the relevant repository must have access to it (see also Content Repositories). Transactions OAHT, OAC0 (from release 4.6C) and CSADMIN (from release 4.6C for SAP Content Server; see also Content Server and Cache Server Administration) are used to transfer the certificate. The certificate then has to be activated on the content server for the repository in question; this is done using transaction CSADMIN (for SAP Content Server).

Caution

Every SAP system must have its own unique certificate, so that the SAP system’s digital signature can be verified properly. If two systems shared one key pair, each could sign URLs that the other system’s repositories would accept.

See the section Creating a System-Specific Certificate for Content Server Access.
