
Security Guide for XML-Based Data Archiving


The XML-based data archiving technology complements ADK, the established technology used for data archiving. Both are employed to extract dormant data from growing databases and to provide long-term access to the archived data. However, as the name states, XML-based archiving was designed for all Java applications (and, in some releases, for new XML-oriented ABAP applications).


XML-based archiving relies on the XML Data Archiving Service (XML DAS), which is part of a standard Java Enterprise Edition (Java EE) installation of the SAP NetWeaver Application Server (SAP NW AS). An application that wants to use the XML DAS can do so with the help of the XML DAS Connector for Java, depending on its requirements. This documentation deals with the security aspects of Java-implemented archiving sets that communicate with the XML DAS of the Application Server Java (AS Java).

For more information on XML-based archiving see XML-based Archiving and Administration Functions for Information Lifecycle Management.

Technical System Landscape: Security-Relevant Interfaces

The following figure shows the different elements you need for XML-based data archiving, and the interfaces that connect these elements.

[Figure: technical system landscape for XML-based data archiving, showing the elements involved and the security-relevant interfaces 1 to 8 described below]

Note

In NWA local mode, there are no remote JMX connections. Therefore, user 6 is the user accessing the back-end systems (XML DAS and local archiving session management), and the users 2, 3, 4, and 5 are only mentioned in the graphic conceptually.

Note

The divisions shown in the figure are conceptual and are meant to clarify the different elements involved in XML-based archiving. In a realistic scenario it is entirely possible that the Java elements run within one SAP NW AS system, or even that the Java EE of which the XML DAS is a part is also installed on the same SAP NW AS system. Likewise, the figure does not imply that both a WebDAV system and a file system have to be installed for XML-based archiving; it is possible to use only one of the two to store archive files.


From a security point of view, the interfaces shown in the figure can be described as follows:


      Interface 1: Communication user between the Java application system and the AS Java system hosting the XML DAS.

      Interfaces 2, 4: NWA communication users used to log in to the managed system in order to perform modifying actions (read/write/execute).

      Interfaces 3, 5: NWA communication users used for read-only actions in the managed system.

      Interface 6: SAP NetWeaver Administrator (NWA) user used to log in to the NWA and from there into the XML DAS Administration, the Java Archiving Cockpit, and the ILM Store Browser.

      Interface 7: File system interface.

      Interface 8: WebDAV interface between the XML DAS and the external WebDAV-enabled storage system (WebDAV system).

For more information on the NWA see Wizard-based Configuration of the NWA.

User Authorization and Client Authentication

Interface 6

This is the interface through which individual users access the system: the end user and the data archiving administrator of the Java Archiving Cockpit, the XML DAS Administration, and the ILM Store Browser (interface 6).

End user security is handled application-specifically, meaning that access to archived data is restricted according to archiving-set-specific authorizations. The main task of the data archiving administrator is to configure, schedule and monitor the archiving process. However, if enabled by applications, administrators can also be allowed to display certain types of archived data in a technical form using the ILM Store Browser. The user names are not predefined.

      For the Java Archiving Cockpit and the XML DAS Administration (interface 6):

       The Java Archiving Cockpit, the XML DAS Administration, and the ILM Store Browser are part of the SAP NetWeaver Administrator (NWA) and can be reached from within the NWA as follows:

       Choose Operations Management → Data and Databases and then choose XML DAS Administration, Java Archiving Cockpit, or ILM Store Browser.

       Or use the following quick links: /nwa/xmldas, /nwa/archcockpit, or /nwa/ilm-storebrw.

       Create the appropriate users and assign the correct roles as described under Creating Users and Assigning Roles.


Interfaces 2, 3, 4, 5

These users are used for technical communication between a central NWA and the managed system, and are checked during logins to the managed system (XML DAS and Java application system).

Users 2, 3, 4, 5: Create the appropriate users and assign the correct roles as described under Creating Users and Assigning Roles.


Interfaces 1, 7 and 8

These interfaces are used for technical communication only:

      Interface 1: You can use any of the HTTP authentication methods supported by both the participating client system (the system hosting the XML DAS Connector) and the AS Java, such as Basic Authentication, Basic Authentication with SSL (HTTPS), or client certificates.

The technical communication users must be known to the AS Java and must have been assigned the security role XMLDASSecurityRole. We recommend that you choose the user type Technical User so that no password change is requested for the communication user.

If HTTPS is used, the HTTP SSL port must be specified in the destination instead of the HTTP port. For more information see Configuring the Use of SSL on the AS Java.

To set up the connection for Java archiving sets you use the NWA; for more information see Creating a Destination in the XML Data Archiving Configuration Steps for Java Applications.

      Interface 7: If you decide to store your resources in a file system that is accessible from the AS Java, you can do so by specifying the directory using the XML DAS administration (function Define Archive Stores).

      Interface 8: The WebDAV protocol is used to store resources, that is, their actual content, on long-term storage systems or archive systems. To be able to use a WebDAV storage system, first create an HTTP destination using the NWA destination service, following the procedure outlined under Configuring the XML Data Archiving Service under Creating a Destination. For more information see also Archive Store Management.

Users

The following table is a summary of users needed for XML Archiving:

System: XML Data Archiving Service Administrator(s), including ILM Store Browser user (NWA)
User(s): has to be defined in NWA and assigned to one or more of the following roles: NWA_READONLY, NWA_SUPERADMIN, SAP_ARCH_SUPERADMIN
Delivered: No
Type: Individual administrator(s) (has to be defined in NWA)
Default Password: none

System: NWA communication users* (application systems registered in NWA)
User(s): has to be defined in the application system and assigned to the following roles, for either Java Archiving Cockpit or XML DAS Administration: NWA_READONLY, NWA_SUPERADMIN, SAP_ARCH_SUPERADMIN
Delivered: No
Type: Technical user(s), also used for remote login to the Java Archiving Cockpit and the XML DAS Administration (has to be defined in the (NWA) managed application system)
Default Password: none

System: XML Data Archiving Service Communication (Java EE)
User(s): has to be defined in NW AS and assigned to the security role XMLDASSecurityRole
Delivered: No
Type: Technical user(s) (has to be defined in NW AS)
Default Password: none

System: WebDAV System connected to a Java EE
User(s): has to be defined in the WebDAV server and entered in the WebDAV destination
Delivered: No
Type: Technical user (has to be defined in the WebDAV server and entered in the WebDAV destination)
Default Password: none

*not in NWA local mode

Data Storage Security


The XML DAS collection hierarchy, properties, and other metadata are stored in the Java EE database. The XML DAS uses the database pool alias SAP/BC_XMLA. For further details see Security Aspects for the Database Connection.

The collections and resources are stored in a WebDAV system or in a file system (see above). If a file system is used, directories and files are created by the Java EE. More specifically, the operating system user employed in this case is SAPService<sid> on Windows systems and <sid>adm on UNIX systems. Therefore, the directory needs to have the appropriate access privileges. See also: Operating System Security.


Caution

To prevent unauthorized access or harmful alteration or deletion of resources or directories in the file system, give the appropriate access privileges only to SAPService<sid> or <sid>adm, respectively.

Do not manually create or delete directories or files once the archive store root directory is fixed.
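As an added illustration of the caution above (not code from the SAP documentation), the following Python script walks a file-system archive store and reports every entry that is not owned by the expected AS Java OS user, is writable by group or others, or is a symbolic link. The demo() function builds a constructed sample store under a temporary directory and uses the current OS user in place of <sid>adm; it assumes a UNIX host.

```python
import os
import pwd
import stat
import tempfile
from pathlib import Path

def _owner(uid):
    """Map a uid to a user name; fall back to the number if it is unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def check_archive_store(root, expected_owner):
    """List entries of a file-system archive store (interface 7) that another OS
    user owns or may write, plus symlinks (a link pointing outside the store lets
    someone else choose what the Java EE reads or deletes). Empty list = passes."""
    findings = []
    root = Path(root)
    for path in [root, *root.rglob("*")]:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((str(path), "symbolic link inside archive store"))
            continue
        owner = _owner(st.st_uid)
        if owner != expected_owner:
            findings.append((str(path), f"owned by {owner}, expected {expected_owner}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((str(path), "group/other writable: " + stat.filemode(st.st_mode)))
    return findings

def demo():
    """Constructed sample store under a temporary root, checked as set up and
    again after one resource is made world-writable; the current OS user
    stands in for <sid>adm. Returns (clean_findings, weak_findings)."""
    me = _owner(os.getuid())
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "archstore"
        coll = store / "sap" / "archive_collection"
        coll.mkdir(parents=True)
        for d in (store, store / "sap", coll):
            os.chmod(d, 0o750)   # only the AS Java user may write
        res = coll / "resource1.xml"
        res.write_bytes(b"<archive/>")
        os.chmod(res, 0o640)
        clean = check_archive_store(store, me)
        os.chmod(res, 0o666)   # the misconfiguration the caution above warns about
        weak = check_archive_store(store, me)
    return clean, weak
```

Run check_archive_store() against the real archive store root with SAPService<sid> or <sid>adm as expected_owner after the root directory has been fixed, and again whenever the store is moved or restored.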


To verify on each read request that the content of an archived resource has not changed, SAP recommends that you use the check sum option.

In ABAP you can find this function in Archive Administration (transaction SARA) by choosing Customizing → Configuration of the XML DAS: Check Sum.
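As an added example, not SAP's own implementation, the following Python code shows what the check sum option buys you: the digest is recorded in a catalog that stands in for the XML DAS metadata in the Java EE database, separate from the archive store, and a read of the resource is refused when the content in the store no longer matches. The algorithm (SHA-256), the catalog structure, and the sample resource are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

ALGORITHM = "sha256"   # assumption: the guide does not name the algorithm XML DAS uses

def archive_resource(catalog, store_root, uri, content):
    """Write a resource to the archive store and record its digest in the
    catalog, which stands in for the XML DAS metadata kept in the Java EE
    database, i.e. outside the file system that holds the resource itself."""
    path = Path(store_root) / uri
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(content)
    catalog[uri] = {"length": len(content),
                    ALGORITHM: hashlib.new(ALGORITHM, content).hexdigest()}
    return catalog[uri][ALGORITHM]

def read_resource(catalog, store_root, uri):
    """Read a resource and compare it with the digest recorded at archiving
    time; altered content is refused instead of being returned."""
    content = (Path(store_root) / uri).read_bytes()
    expected = catalog[uri][ALGORITHM]
    actual = hashlib.new(ALGORITHM, content).hexdigest()
    if actual != expected:
        raise ValueError(f"check sum mismatch for {uri}: "
                         f"catalog {expected[:12]}..., store {actual[:12]}...")
    return content

def demo():
    """Constructed sample: archive one XML resource, read it back intact, then
    change one value in the store without changing the file size (so a length
    check alone would pass) and show that the read is rejected."""
    catalog = {}
    uri = "sap/sales/2010/order_0001.xml"
    original = b'<order id="0001"><total>100.00</total></order>'
    with tempfile.TemporaryDirectory() as store:
        archive_resource(catalog, store, uri, original)
        intact = read_resource(catalog, store, uri) == original
        path = Path(store) / uri
        path.write_bytes(original.replace(b"100.00", b"900.00"))  # same length
        length_unchanged = path.stat().st_size == catalog[uri]["length"]
        try:
            read_resource(catalog, store, uri)
            rejected = False
        except ValueError:
            rejected = True
    return intact, length_unchanged, rejected
```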

Trace and Log Files


Trace and log files are written for the XML DAS and the XML DAS Connector for Java by the AS Java:

      The log file for the XML DAS is located in the log directory of the server running the XML DAS in the applications.log file under the category /Applications/Common/Archiving/XML_DAS.

      Traces for the XML DAS are written in the default trace file using the location com.sap.archtech.daservice.

      The log file for the XML DAS Connector for Java is located in the log directory of the server running an archiving application in the applications.log file under the category /Applications/Common/Archiving/Connector.

      Traces for the XML DAS Connector for Java are written in the default trace file using the location com.sap.archtech.archconn.

For XML archiving objects, the usual job logs are written by the XML DAS Connector for ABAP. In addition, for every explicit deletion of a resource or a collection, a system log entry (syslog) is created with message ID DA1 and problem class S (operation trace), which documents the deletion of the resource or the collection.
