
Background documentation: Security Guide for XML DAS Archiving

The XML DAS data archiving technology complements the ADK technology. Both are employed to extract dormant data from growing databases and provide long-term access to this archived data. XML DAS archiving was designed for all Java applications, but it can also be used for ABAP applications.

More information: Archiving using XML Data Archiving Service (XML DAS)

This documentation deals with the security aspects of Java-implemented archiving sets that communicate with the XML DAS of the Application Server Java (AS Java).

Technical System Landscape: Security-Relevant Interfaces

The following figure shows the different elements you need for XML DAS data archiving, and the interfaces that connect these elements.

Note

In SAP NetWeaver Administrator local mode, there are no remote JMX connections. Therefore, user 6 is the user accessing the back-end systems (XML DAS and local archiving session management), and the users 2, 3, 4, and 5 are only mentioned in the graphic conceptually.

Note

The divisions shown in the figure are conceptual and are meant to clarify the different elements involved in XML-based archiving. In a realistic scenario it is entirely possible that the Java elements run within one SAP NetWeaver AS system, or even that the Java EE of which the XML DAS is a part is also installed on the same SAP NetWeaver AS system. Likewise, the figure is not meant to imply that a WebDAV system and a file system both have to be installed for XML-based archiving. It is possible to use only one of the two to store archive files.

From a security point of view, the interfaces shown in the figure can be described as follows:

      Interface 1: Communication user between the Java application system and the AS Java system hosting XML DAS.

      Interfaces 2, 4: SAP NetWeaver Administrator communication users used to log in to the managed system in order to perform modifying actions (read/write/execute).

      Interfaces 3, 5: SAP NetWeaver Administrator communication users used for read-only actions in the managed system.

      Interface 6: SAP NetWeaver Administrator (NWA) user used to log on to the NWA and from there to the XML DAS Administration, the Java Archiving Cockpit, and the ILM Store Browser.

      Interface 7: File system interface.

      Interface 8: WebDAV interface between XML DAS and the external WebDAV-enabled storage system (WebDAV system).

User Authorization and Client Authentication

Interface 6

This is the interface through which individual users access the system: the end user and the data archiving administrator of the Java Archiving Cockpit, the XML DAS Administration, and the ILM Store Browser.

End user security is handled application-specifically, meaning that access to archived data is restricted according to archiving-set-specific authorizations. The main task of the data archiving administrator is to configure, schedule and monitor the archiving process. However, if enabled by applications, administrators can also be allowed to display certain types of archived data in a technical form using the ILM Store Browser. The user names are not predefined.

Interfaces 2, 3, 4, 5

These users are used for technical communication between a central SAP NetWeaver Administrator and the managed system, and are checked during logins to the managed system (XML DAS and Java application system).

Interfaces 1, 7 and 8

These interfaces are used for technical communication only:

      Interface 1: You can use any of the HTTP authentication methods supported by both the participating client system (the system hosting the XML DAS Connector) and the AS Java, such as Basic Authentication, Basic Authentication over SSL (HTTPS), or client certificate authentication.

The technical communication users must be known to the AS Java and must have been assigned the security role XMLDASSecurityRole. We recommend that you create them as technical users so that no password change is requested.

If HTTPS is used, the HTTP SSL port must be specified in the destination instead of the HTTP port. For more information, see Configuring the Use of SSL on the AS Java.

To set up the connection for Java archiving sets you use the SAP NetWeaver Administrator.

      Interface 7: If you decide to store your resources in a file system that is accessible from the AS Java, you can do so by specifying the directory using the XML DAS administration (function Define Archive Stores).

      Interface 8: The WebDAV protocol is used to store resources, that is, their actual content, on long-term storage systems or archive systems. To be able to use a WebDAV storage system, first create an HTTP destination using the SAP NetWeaver Administrator destination service.

Users

Create the users and connections needed to access the interfaces described above.

More information: Configuring XML DAS Archiving for Java Application Systems

Data Storage Security

The XML DAS collection hierarchy, properties and other metadata are stored in the Java EE database. The XML DAS uses the database pool alias SAP/BC_XMLA.

More information: Security Aspects for the Database Connection.

The collections and resources are stored in a WebDAV system or in a file system (see above). If a file system is used, directories and files are created by the Java EE server. More specifically, the operating system user employed in this case is SAPService<sid> on Windows systems and <sid>adm on UNIX systems. Therefore, the directory needs to have the appropriate access privileges for that user.

More information: Operating System Security.

Caution

To prevent unauthorized access or harmful alteration or deletion of resources or directories in the file system, give the appropriate access privileges only to SAPService<sid> or <sid>adm, respectively.

Do not manually create or delete directories or files once the archive store root directory is fixed.

To verify on each read request that the content of an archived resource has not changed, SAP recommends that you use the checksum option.
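The Caution above and the checksum recommendation, as an added example that is not SAP code: a POSIX shell audit of a file-system archive store that reports entries not owned by the expected OS user or writable by group or others, and keeps an independent SHA-256 manifest so that a later read can be checked. It assumes a UNIX host (expected owner <sid>adm, passed in as an argument); the function names, the manifest file name .sha256 and the sample SID are mine, and the manifest is an external stand-in for, not the implementation of, the XML DAS checksum option.

```shell
#!/bin/sh
# Added example, not SAP code: external audit of an XML DAS file-system
# archive store (interface 7). Assumes a UNIX host, so the expected owner
# is <sid>adm, passed as the second argument (e.g. "xyzadm" for SID XYZ).

# Pick the SHA-256 tool present on this host (GNU coreutils or Perl shasum).
sum_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum
    else echo "shasum -a 256"; fi
}

# audit_archive_store ROOT OWNER
# Returns 0 when every directory and file below ROOT belongs to OWNER and is
# not writable by group or others; otherwise lists the offenders, returns 1.
audit_archive_store() {
    root=$1; owner=$2; rc=0
    # Another owner means the entry was not created by the Java EE server
    # (the guide says not to create files manually once the root is fixed).
    foreign=$(find "$root" ! -user "$owner")
    if [ -n "$foreign" ]; then
        echo "not owned by $owner:"; echo "$foreign"; rc=1
    fi
    # Group/other write bits let other OS users alter or delete resources.
    loose=$(find "$root" \( -perm -020 -o -perm -002 \))
    if [ -n "$loose" ]; then
        echo "writable by group or others:"; echo "$loose"; rc=1
    fi
    return $rc
}

# write_manifest ROOT: record a SHA-256 per resource file in ROOT/.sha256 so
# a later read can be checked. External stand-in for the checksum option the
# guide recommends, not the XML DAS feature itself.
write_manifest() {
    (cd "$1" && find . -type f ! -name .sha256 -exec $(sum_cmd) {} + > .sha256)
}

# verify_manifest ROOT: returns 0 only if every recorded file still hashes
# to the recorded value (a changed or missing resource fails the check).
verify_manifest() {
    (cd "$1" && $(sum_cmd) -c --quiet .sha256)
}

# Command-line use: sh audit-store.sh /archive/root xyzadm
if [ "$#" -eq 2 ]; then
    audit_archive_store "$1" "$2" && verify_manifest "$1"
fi
```

Run the audit from a scheduled job under a user other than <sid>adm so that a compromised archiving account cannot also silence the check.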

Trace and Log Files

Trace and log files are written for the XML DAS and the XML DAS Connector for Java by the AS Java:

      The log file for the XML DAS is located in the log directory of the server running the XML DAS in the applications.log file under the category /Applications/Common/Archiving/XML_DAS.

      Traces for the XML DAS are written in the default trace file using the location com.sap.archtech.daservice.

      The log file for the XML DAS Connector for Java is located in the log directory of the server running an archiving application in the applications.log file under the category /Applications/Common/Archiving/Connector.

      Traces for the XML DAS Connector for Java are written in the default trace file using the location com.sap.archtech.archconn.

For XML archiving objects, the usual job logs are written by the XML DAS Connector for ABAP. In addition, for every explicit deletion of a resource or a collection, a system log entry (syslog) is created with message ID DA1 and problem class S (operation trace), which documents the deletion of the resource or the collection.
