Security concept provided by Content Collector for SAP

Edit online

Content Collector for SAP provides a comprehensive security concept for storing your passwords and for the communication between Collector Server and IBM® Content Navigator, the SAP system, the repositories, and any external applications.

Overview

The following figure provides an overview of the security concept and of how the most important files interrelate.
Figure 1. Overview of the security concept, including the files involved
Overview of the security concept, including the files involved

The master key

The central part of the security concept is the master key. The master key is used to encrypt the following items:
  • The password file (default name: archint.cfg), which contains all passwords that a Collector Server instance needs for its communication with IBM Content Navigator, SAP, the repositories, and any external applications.
  • The SAP certificates that a Collector Server instance needs to ensure that an HTTP request from SAP was not manipulated. The SAP certificates are stored in the SAPCertificates directory.

You create the master key when you start the Collector Server instance for the first time. Starting with Fix Pack 1, the master key is generated when you start the Collector Server instance from IBM Content Navigator. The master key is stored in the master key file, which is defined in the Collector Server instance configuration.

The master key file is not encrypted or protected by a password. Therefore, strictly control the access to the master key file and to the directory where this file is stored.

The password file

The password file is protected by the master key and is defined in the Collector Server instance configuration. Its content is controlled by Collector Server. The password file contains the passwords of the following users and keystores:
  • The CPIC user that the Collector Server instance uses to log on to SAP
  • The user that the Collector Server instance uses to log on to IBM Content Manager, Content Manager OnDemand, FileNet® P8, or Tivoli® Storage Manager
  • The server keystore that is used for the communication between the API of Content Collector for SAP and the Collector Server instance
  • The SSL keystore and SSL truststore that are used for the communication between IBM Content Navigator and the Collector Server instance and for an HTTPS communication between the SAP system and the Collector Server instance
  • FileNet P8 The user who can read P8 queues
  • Tivoli Storage Manager The user who is authorized for ILM-enabled data archiving (BC-ILM)

You add the passwords to the password file when you start a Collector Server instance. You can change the passwords in the password file each time you start a Collector Server instance.

The communication between SAP and Collector Server

For the communication between an SAP system and a Collector Server instance, you can use HTTP or RFC. Because HTTP requests from SAP usually contain the secKey parameter, Collector Server needs an SAP certificate for each logical archive that is defined in the Collector Server instance configuration and that is accessed by SAP by using HTTP. SAP certificates are protected by the master key.

An HTTP communication can be made more secure by using HTTPS. You can configure an HTTPS connection with server authentication only or with both server authentication and client authentication.

For a server authentication, only the Collector Server instance must authenticate itself. If you use client authentication in addition, the SAP system must also authenticate itself. You can secure the connection to an entire Collector Server instance or to specific logical archives only.

Server authentication requires a keystore (SSL keystore) and a certificate for each Collector Server instance. The server certificate must be imported into the SAP Personal Security Environments (PSEs).

For the client authentication, you must import the SAP certificate into a keystore that is used for trusted certificates (SSL truststore).

Both the SSL keystore and the SSL truststore are protected by passwords that are stored in the password file. The SSL keystore and the SSL truststore are specified in the Collector Server instance configuration.

The communication between IBM Content Navigator and Collector Server

For the communication between IBM Content Navigator and a Collector Server instance, you must use configure an HTTPS connection with server authentication and client authentication.

Server authentication requires an SSL keystore and a certificate for each Collector Server instance. The server certificate must be imported into the truststore of the web application server that hosts IBM Content Navigator.

For the client authentication, you must import the certificate of the web application server that hosts IBM Content Navigator, into the SSL truststore.

If the Collector Server instance also communicates with SAP, you must use the same Collector Server instance and the same SSL truststore as for the HTTPS communication with SAP.

The communication between the API and Collector Server

The API (csclient.dll) must be used by all external applications that are to communicate with a Collector Server instance. The API is installed, as part of the add-ons package, on the system where the external application runs. The communication between the API and Collector Server is secured, that is, all data is always encrypted before it is transferred. In addition, the access is controlled by server authentication and client authentication.

Server authentication means that the clients verify the identity of the Collector Server instance from which it receives encrypted data. Client authentication means that the Collector Server instance verifies the identity of the clients from which it receives encrypted data. A client stands for a user, or a group of users, that has an account on the system with the external application, that has access to the API, and that holds or shares one client certificate.

These authentication methods require a keystore for each Collector Server instance (server keystore) and a keystore for each client (client keystore). A keystore contains a public key and a private key. The private key is used to encrypt data. The public key is used to decrypt data. A keystore also contains a certificate, which binds the public key and thus identifies the Collector Server instance or the client. The server certificate must be exported to the client keystores, and the client certificates must be exported to the server keystore. The imported certificates are considered trusted certificates.

The server keystore is protected by a password, which is stored in the password file, and is specified in the Collector Server instance configuration.

The client keystore and its certificate are not protected by a password. Strictly control the access to the certificate, to the client keystore, and to the directory that contains the client keystore. The client keystore is specified in the client configuration profile (default name: csclient.ini), which must be set up for each client.

If a client represents a group of users, these users share one certificate. The more users share one certificate the greater the risk for the certificate to be exposed.

The communication between the API and several Collector Server instances

The API can communicate with several instances of Collector Server. The Collector Server instances can be on the same system or on different systems. The individual connections are secured like a connection to one Collector Server instance.