SAP Content Server (DMS) Architecture Design

Jun 28, 2024
SAP Content Server
Generated on: 2022-01-26 02:39:54 GMT+0000
SAP NetWeaver 7.0 EHP1 | SPS19
PUBLIC
Original content: https://help.sap.com/viewer/6d9c81b06c4b1014bef598177122847c/7.01.19/en-US

Warning
This document has been generated from the SAP Help Portal and is an incomplete version of the official SAP product documentation. The information included in custom documentation may not reflect the arrangement of topics in the SAP Help Portal, and may be missing important aspects and/or correlations to other topics. For this reason, it is not for productive use. For more information, please visit the https://help.sap.com/viewer/disclaimer.

This is custom documentation. For more information, please visit the SAP Help Portal.

SAP Content Server

Purpose
The SAP Content Server is based on the database instance MaxDB and is available on Microsoft Windows operating systems as of Release 4.6. Therefore, besides the SAP database, an independent content server is always available in every SAP system installation. This provides the required technical infrastructure for all document-oriented applications and business scenarios that do not require long-term archiving. Since the SAP Content Server is also integrated via the HTTP interface (see SAP HTTP Content Server 4.5 Interface), the actual storage medium used remains completely transparent to SAP applications. This means that the storage medium can be changed at any time.

Implementation Notes
The installation procedure for the SAP Content Server is described in the SAP Content Server Installation Guide, which is also available in both English and German as a PDF document on the SAP Server Components2 CD.

Restrictions
The SAP Content Server is not intended to replace optical storage systems and other storage media for long-term document archiving.

Integrating the SAP Content Server

Content Server Administration
The Content Server can be administrated directly from the SAP system.
Special tools have been developed for monitoring and administrating the SAP DB underlying the SAP Content Server.

Note: For more information, see the SAP Library under Knowledge Provider in the section SAP Content Server Administration.

Monitoring
The Knowledge Provider's Content Management Service (CMS) is used to monitor the Content Server. The CMS is a service of the IT infrastructure provided by Knowledge Provider within the framework of SAP Web Application Server. The central feature of the CMS is that it is designed to be compatible with different types of storage media. In other words, the CMS functions as an interface between content servers and the SAP system.

Note: For further information see Content Server and Cache Server Monitoring.

Content Servers and Cache Servers
Any number of content servers can be installed in different locations. The contents are transferred directly between the client and content server. If the content servers are accessed from different locations that are linked only via a wide area network (WAN), cache servers should be used. Network traffic across the WAN can be reduced to a minimum and performance enhanced by installing at least one cache server at each location. A client cache is also available on the user's front-end computer.

Note: For further information see Knowledge Provider and Caching.

Architecture of the SAP Content Server
The SAP Content Server consists of the following components:

The basis of the SAP Content Server is the Content Server Engine. The engine is implemented as an ISAPI extension in Microsoft Internet Information Server. The engine receives all URLs, checks their validity, and triggers the processing of requests.

The SAP Content Server saves data to the Database Instance. However, the Content Server engine does not communicate directly with the database instance.
It uses an adapter known as the content storage layer. The storage layer hides the specific access mechanisms of the storage medium behind a consistent, bytestream-oriented interface. This means that one server engine can support several storage media. Only the storage layer has to be implemented every time. In the case of the SAP Content Server, the storage layer uses the client driver to access the database instance. The database instance administrates the individual repository tables in which the documents are stored.

Advantages of the SAP Content Server

The SAP Content Server provides a flexible and scalable architecture. You can improve the capacity and performance of the SAP Content Server by using a number of servers and by decoupling the database server from the HTTP server.

The database is much better suited than a file system to the administration of large amounts of data. Internally at SAP, the SAP Content Server has been used for several release cycles to administrate all documentation and training content.

The Database Instance version is independent of the SAP release. For more information on the Content Server and SAP MaxDB, see SAP Note 1619726.

Database administration tools, which are easy to use, are delivered with it. These can be used to make automatic backups, for example.

The interface, which is based on the HTTP protocol, decouples the storage systems involved. Several well-known providers of storage systems have successfully implemented the certification procedure.

Secure URLs

Protection Against Unauthorized Access to Stored Content
To prevent unauthorized access to stored content on the SAP Content Server, the SAP system carries out an authorization check. However, the SAP Content Server is accessed by means of the open SAP Content Server interface (see also SAP Content Server HTTP 4.5 Interface).
URLs must be secure so that they allow only authorized access to stored content and, correspondingly, so that forged requests are rejected.

To make a URL secure, it is given a characteristic (like a watermark on a banknote) which allows the receiver to detect whether or not the URL has been tampered with (like if the watermark is missing from a banknote). In the case of a Content Server URL, the characteristic in question is the signature. The signature is an encoded copy of the URL itself and is transferred to the content server as part of the URL.

A signed URL contains the additional parameters expiration (see also Parameters and Keywords) and secKey (digital signature). A signed URL is only valid if the expiration time has not been exceeded and if it contains a valid signature.

The content server decodes the signature and compares it with the URL it received. The content server only executes the request if the URL and the signature match. If an intruder changes the plaintext in the URL, the signature will not match the URL. The content server will accordingly reject the request.

The signature is based on the RSA procedure and MD5 hashing. The RSA procedure is also known as the public key procedure. This procedure is based on a private and a public key. You need the private key to create the signature. You need the public key to check the validity of the signature. For a description of the technical details of this procedure, see the documentation Secure Store & Forward / Digital Signatures (BC-SEC-SSF).

As the main partner in the three-way relationship of client – SAP system – content server, the SAP system is the only partner that may send request URLs to the client. Because of this, the SAP system has to create the URL signature using a private key. The public key (Certificate) of the SAP system must be stored on the content server, and the relevant repository must have access to it (see also Content Repositories).

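The signed-URL check described above can be followed end to end in the sketch below. It is an added example, not SAP code: it uses a constructed toy RSA key, a hex-encoded secKey and a sorted parameter string as simplifications, and the host name and the contRep, docId and accessMode parameters are assumptions chosen for illustration (only expiration and secKey are named on this page).

```python
import hashlib
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit

# Toy RSA key from two Mersenne primes: constructed for this demo, unpadded and
# far too small for real use. The page refers to SSF for the real procedure.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key: stored on the content server
D = pow(E, -1, (P - 1) * (Q - 1))        # private key: stays in the SAP system


def _digest(params):
    """MD5 (the hash the page names) over all parameters except secKey."""
    canon = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "secKey")
    return int.from_bytes(hashlib.md5(canon.encode()).digest(), "big")


def sign_url(base, params, expiration):
    """SAP-system side: add expiration, then sign with the private key."""
    signed = dict(params, expiration=expiration)
    signed["secKey"] = format(pow(_digest(signed), D, N), "x")
    return base + "?" + urlencode(signed)


def check_url(url, now):
    """Content-server side: return (accepted, reason) using only the public key."""
    params = dict(parse_qsl(urlsplit(url).query))
    if "secKey" not in params or "expiration" not in params:
        return False, "unsigned"
    try:
        expires = datetime.strptime(params["expiration"], "%Y%m%d%H%M%S")
        recovered = pow(int(params["secKey"], 16), E, N)
    except ValueError:
        return False, "malformed"
    if recovered != _digest(params):     # covers every parameter, expiration included
        return False, "signature mismatch"
    if now > expires.replace(tzinfo=timezone.utc):
        return False, "expired"
    return True, "ok"


# Constructed sample request and clock (hypothetical host, repository and document ID).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
URL = sign_url("http://cs.example.invalid/content",
               {"contRep": "A1", "docId": "4711", "accessMode": "r"}, "20240101130000")

if __name__ == "__main__":
    print(check_url(URL, NOW))                                      # untouched URL
    print(check_url(URL.replace("docId=4711", "docId=4712"), NOW))  # altered document ID
    print(check_url(URL.replace("20240101130000", "20250101130000"), NOW))  # altered expiry
```

Because expiration is part of the signed data, changing it fails the signature comparison before the time check is ever reached.
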
Transactions OAHT, OAC0 (from release 4.6C) and CSADMIN (from release 4.6C for SAP Content Server, see also Content Server and Cache Server Administration) are used to transfer the certificate. The certificate has to be activated on the content server for the repository in question. This is done using transaction CSADMIN (for SAP Content Server).

Caution: Every SAP system must have its own unique certificate, so that the SAP system's digital signature can be used properly. See the section Creating a System-Specific Certificate for Content Server Access.

Protection Against Tapping and Forging of the Data Stream
Data transfer must also be encoded, so that a potential intruder cannot access the data while it is in transit between client and server. Standard procedures exist for this, such as secure HTTP (HTTPS). HTTPS encoding is usually implemented between the client and the server and is not part of the SAP HTTP Content Server interface.

Caution: Signed URLs can slow down performance, as it takes increased processing power to create the signature.

Security Mechanisms Against Data Loss
The SAP Content Server is subject to the security requirements for Database Instances. To avoid data loss, the following measures can be taken:

Redundant hardware: Mirror disks, RAID systems, and so on
Standard security measures: Data Backup, Log Backup

Note that security against data loss is only ensured if, in addition to the standard security measures stated above, file ContentServer.ini and directory Security are also backed up. See also note 319332 (Content Server Backup Strategies).

Creating a System-Specific Certificate for Content Server Access

Use
To ensure that every SAP system has its own certificate, a Personal Security Environment (PSE) must be created on every SAP system when it is installed. You set up the PSE in the Trust Manager (transaction STRUST, see also Trust Manager).
As a rule, the SAP system PSE is used to create and verify signed URLs in the SAP system. From SAP Web Application Server release 6.10, you can also use your own PSE. There are two cases here:

If the SAP system is functioning as a client and is using an external content server as a repository, once you create your own PSE, URLs are from then on signed with your PSE and not with the system PSE. In this case, only private and public key are relevant; the certificate list is irrelevant.

If the SAP system is functioning as a content server and is using HTTP via SAP Web Application Server, the PSE then also has the effect that all public keys needed for checking signatures are stored in the certificate list. Content Server Administration is used for the checking process itself (see also Content Server and Cache Server Administration). You see this in transaction CSADMIN on tab page Certificates.

Carry out the procedure described below for creating a certificate for Content Server access before creating repositories. If you do this after you create repositories, you will have to re-send the certificates to all HTTP repositories and reactivate all the certificates. This is because the certificate changes when you create a new PSE. If you are accessing the database via HTTP (see also HTTP Access for Repositories on the SAP Web Application Server), you also have to redistribute and reactivate the certificates.

Procedure
Take the following steps to create your own PSE:

Call transaction STRUST. The Trust Manager opens.
Choose Applications.
Select New entries.
Use F4 Help to select HTTP Content Server and confirm this by choosing Enter. Additional fields for application-specific Secure Store & Forward (SSF) parameters and standard values for empty fields are grayed out.
Make the following entries: ...
In the field Security/Product, enter SAPSECULIB.
In the field SSF Format, choose International standard PKCS#7.
In the field Priv. add. book, enter SAPHTTPCS.pse.
In the field SSF profile, also enter SAPHTTPCS.pse.
In the field SSF ProfileID, enter CN=,OU=,O=,C=. Example: CN=BCECS,OU=DEV,O=SAP-AG,C=DE
Check Distribute PSE (Only SAPSECULIB).
Save your entries.
Call transaction STRUST again.
Select HTTP Content Server.
Choose Replace from the context menu.
Confirm the following confirmation prompts.
Confirm your entries by choosing in the next popup (Replace PSE).

Example
The HTTP Content Server PSE links to a system-specific PSE. This means that you can specify that you no longer want to use a specific certificate. In this case, you have to open Content Server Administration and delete the certificate in all repositories. You also have to delete it from the certificate list.

Access Protection for Administration
Administration for the SAP Content Server is carried out partly inside the SAP System (see Content Server and Cache Server Administration), and partly outside the SAP System.

Note the following security considerations in relation to administration on the Content Server:

Make sure that only authorized persons have (administrative) access to the computer on which the SAP Content Server is running.

Make sure that (administrative) access to the database instance is appropriately restricted.

To ensure that only authorized persons have administrative access to the SAP Content Server from the SAP system, you need to set the parameter AdminSecurity in the file ContentServer.ini on the SAP Content Server to 1: AdminSecurity=1. For more information, see the section CSADMIN, and the installation documentation SAP Content Server Installation Guide.

Content Server for Business Workplace Documents

Purpose
For the Knowledge Provider to be able to store documents on the content server, a class for these documents must be created. In the Knowledge Provider the class SOFFPHIO is provided for Business Workplace documents. Storage categories are assigned to this class with content repositories.

As shown in the graphic, SOFFDB is the default content category assigned to the SOFFPHIO class. This means the documents are stored on the SAP DB. To use the SAP Content Server or an external content server, you have to make some settings. Then you can store Business Workplace documents on the content server.

Process Flow

Process flow: Creation of content repository for connecting to the content server
Procedure: In the Implementation Guide (IMG) (transaction SPRO) choose Basis → Basis Services → Knowledge Provider → Content Management Service → Define Content Repositories. Create a content repository for the storage category HTTP content server. This content repository will contain the connection details to your content server. To do this follow the IMG documentation for this activity.

Process flow: Assignment of content category SOFFHTTP to the content repository you have created.
Procedure: In the Implementation Guide (IMG) (transaction SPRO) choose Basis → Basis Services → Knowledge Provider → Content Management Service → Define Content Repositories. Select the entry SOFFHTTP by double-clicking on it. In the Content Repository field enter the name of the content repository that you created for your content server. Choose .

Process flow: Assignment of SOFFPHIO class to content category SOFFHTTP
Procedure: Enter transaction SKPR08. The previous memory category SOFFDB is already specified for the class SOFFPHIO. In the New Category field enter SOFFHTTP. Choose .

Result
Once you have completed the settings, new PC documents created in the Business Workplace and binary documents will be stored on the content server you defined. Documents stored in the Business Workplace before this time point, will remain in the database used up to now. The content category SOFFDB establishes the connection to this database and must not be changed or deleted.

Cache Servers

Purpose
The purpose of the Cache Server is to provide the following benefits:

1. Seamless, transparent integration into existing content server landscapes
2. Significant reduction in client response times
3. As little administration work as possible

Cache servers are used to speed up access to document content. This is particularly useful if the content is required for display in a Web browser, for example. Cache servers can also reduce the network load and thereby enhance performance. It is therefore also a task of the cache to provide the client with documents from a physically close location, even if the content server is located on a different continent.

Example: Caches are used in many areas. For example, MS Internet Explorer uses a local cache on the user's hard disk.

Cache servers are similar to content servers, but require less administration with the same level of access protection.

Note: The Cache Server only uses HTTP. To make this possible, SAP Content Server HTTP Interface has been extended (see SAP Content Server HTTP 4.5 Interface).

By using cache servers, you are simply extending your existing infrastructure in a transparent way. There is no need to re-structure the existing content server landscape.

Implementation Considerations
The cache server is installed from the SAP Server Components2 CD-ROM as part of the installation of the SAP Content Server.
Installation instructions in PDF format are provided in both English and German on this CD-ROM, in the directory \CONTSERV\DOCU.

Architecture of the Cache Server
Despite their similar architecture, the Cache Server and the Content Server have some basic differences. The cache server can set up its own HTTP connections to other servers and can forward incoming client requests. The
Knowledge Provider (KPro) is a framework that is used in Document Management Systems. To achieve the SAP Content Server architecture redesign goals, HAND offers content repository migration services.