SAP Content Server

Purpose
The SAP Content Server is based on the SAP DB and is available on Windows NT Server and Windows 2000 Server from release 4.6. Therefore besides the SAP DB an e!ternal "ontent server is alwa#s available in ever# SAP s#stem installation. $n this wa# the ne"essar# te"hni"al infrastr%"t%re is &rovided for all do"%ment'"entri" a&&li"ations and b%siness s"enarios that do not re(%ire a lon)'term ar"hivin) sol%tion. Sin"e the SAP Content Server is also inte)rated via the *TTP interfa"e +see SAP *TTP Content Server 4., $nterfa"e- the a"t%al stora)e medi%m %sed remains "om&letel# trans&arent to SAP a&&li"ations. This means that the stora)e medi%m "an be "han)ed at an# time.

.or /0TP do"%mentation and information on the SAP DB tools see the do"%mentation %nder mySAP Technology Components SAP DB: Database 1ana)er 23$4 SAP DB 5.6 Database 1ana)er C0$4 SAP DB 5.6 S70 St%dio4 SAP DB 5.6 8eferen"e 1an%al4 SAPDB 5.2 and 5.6 8e&li"ation 1ana)er4 SAP DB A&&li"ations that "an %se the te"hni"al infrastr%"t%re of the SAP Content Server in"l%de the SAP B%siness Wor9&la"e SAP Ar"hive0in9 the Do"%ment 1ana)ement S#stem +D1S- and the :nowled)e Wareho%se.

Implementation Considerations
The installation &ro"ed%re for the SAP Content Server is des"ribed in the SAP Content Server Installation Guide whi"h is also available in both ;n)lish and 2erman as a PD. do"%ment on the SAP Server Components2 CD.

Constraints
The SAP Content Server is not intended to re&la"e o&ti"al stora)e s#stems and other stora)e media for lon)'term ar"hivin) of do"%ments.

Integrating the SAP Content Server

Content Server Administration
The Content Server "an be administrated dire"tl# from the SAP s#stem. S&e"ial tools have been develo&ed for monitorin) and administratin) the SAP DB %nderl#in) the SAP Content Server.

.or more information see the SAP 0ibrar# %nder Kno ledge Provider in the se"tion SAP Content Server Administration.

Monitoring
The :nowled)e Provider<s Content 1ana)ement Servi"e +C1S- is %sed to monitor the Content Server. The C1S is a servi"e of the $T infrastr%"t%re &rovided b# :nowled)e Provider within the framewor9 of SAP Web A&&li"ation Server. The "entral feat%re of the C1S is that it is desi)ned to be "om&atible with different t#&es of stora)e media. $n other words the C1S f%n"tions as an interfa"e between "ontent servers and the SAP s#stem.

.or f%rther information see 1onitorin).

Content Server and Ca"he Server

Content Servers and Cache Servers

An# n%mber of "ontent servers "an be installed in different lo"ations. The "ontents are transferred dire"tl# between the "lient and "ontent server. $f the "ontent servers are a""essed from different lo"ations that are lin9ed onl# via a wide area networ9 +WAN"a"he servers sho%ld be %sed. Networ9 traffi" a"ross the WAN "an be red%"ed to a minim%m and &erforman"e enhan"ed b# installin) at least one "a"he server at ea"h lo"ation. A "lient "a"he is also available on the %ser=s front'end "om&%ter.

.or f%rther information see

:nowled)e Provider and Ca"hin).

Architecture of the SAP Content Server

The SAP Content Server "onsists of the followin) "om&onents4

The basis of the SAP Content Server is the Content Server !ngine. The en)ine is im&lemented as an $SAP$ e!tension in 1i"rosoft $nternet $nformation Server. The en)ine re"eives all 380s "he"9s their validit# and tri))ers the &ro"essin) of re(%ests. The SAP Content Server saves data to the SAP database +SAP DB-. *owever the Content Server en)ine does not "omm%ni"ate dire"tl# with the SAP DB. $t %ses an ada&ter 9nown as the "ontent stora)e la#er. The stora)e la#er hides the s&e"ifi" a""ess me"hanisms of the stora)e medi%m behind a "onsistent b#testream'oriented interfa"e. This means that one server en)ine "an s%&&ort several stora)e media. /nl# the stora)e la#er has to be im&lemented ever# time. $n the "ase of the SAP Content Server the stora)e la#er %ses the SAP DB "lient driver to a""ess the database server. The SAP DB administrates the individ%al re&ositor# tables in whi"h the do"%ments are stored.

Advantages of the SAP Content Server

The SAP Content Server &rovides a fle!ible and s"alable ar"hite"t%re. >o% "an enhan"e the "a&a"it# and &erforman"e of the SAP Content Server even f%rther b# %sin) a n%mber of servers and b# de"o%&lin) the database server from the *TTP server. The database is m%"h better s%ited than a file s#stem to the administration of lar)e amo%nts of data. $nternall# at SAP the SAP Content Server has been %sed for several release "#"les to administrate all do"%mentation and trainin) "ontent.

The SAP DB version is inde&endent of the SAP release. SAP DB version 5.2 is in"l%ded in the SAP release 4.6C &a"9a)e. This version of the SAP DB has a "a&a"it# of 64 terab#tes +ma!im%m-. $n the %nli9el# event of this s&a"e bein) %sed %& another database "an be installed. ;as#'to'%se and stable SAP DB administration tools are shi&&ed with the SAP Content Server. These "an be %sed to ma9e a%tomati" ba"9%&s for e!am&le. The interfa"e whi"h is based on the *TTP &roto"ol de"o%&les the stora)e s#stems involved. Several well'9nown &roviders of stora)e s#stems have s%""essf%ll# im&lemented the "ertifi"ation &ro"ed%re.

Security Mechanisms of the SAP Content Server

$nternet se"%rit# me"hanisms are intended to &revent data from bein) inter"e&ted d%rin) transfer b# %na%thori?ed &ersons and from bein) %sed for &%r&oses for whi"h it was not intended. $n the :nowled)e Provider there are two &otential se"%rit# ris9s4 380s ma# be for)ed allowin) the for)er %na%thori?ed a""ess to data The data stream ma# be @ta&&ed@ or for)ed

The followin) se"%rit# me"hanisms "o%ntera"t these ris9s4 Se"%re 380s ;n"oded Data Transfer Se"%rit# 1e"hanisms A)ainst Data 0oss A""ess Prote"tion for Administration

Secure URLs
Protection Against Unauthorized Access to Stored Content
To &revent %na%thori?ed a""ess to stored "ontent on the SAP Content Server the SAP s#stem "arries o%t an a%thori?ation "he"9. *owever the SAP Content Server is a""essed b# means of the o&en SAP Content Server interfa"e +see also SAP Content Server *TTP 4., $nterfa"e-. 380s m%st be se"%re so that the# allow onl# a%thori?ed a""ess to stored "ontent and "orres&ondin)l# so that for)ed re(%ests are reAe"ted. To ma9e a 380 se"%re it is )iven a "hara"teristi" +li9e a watermar9 on a ban9note- whi"h allows the re"eiver to dete"t whether or not the 380 has been tam&ered with +li9e if the watermar9 is missin) from a ban9note-. $n the "ase of a Content Server 380 the "hara"teristi" in (%estion is the si)nat%re. The si)nat%re is an en"oded "o&# of the 380 itself and is transferred to the "ontent server as &art of the 380. A si)ned 380 "ontains the additional &arameters expiration +see also Parameters and :e#words- and se":e# +di)ital si)nat%re-. A si)ned 380 is onl# valid if the e!&iration time has not been e!"eeded and if it "ontains a valid si)nat%re.

The "ontent server de"odes the si)nat%re and "om&ares it with the 380 it re"eived. The "ontent server onl# e!e"%tes the re(%est if the 380 and the si)nat%re mat"h. $f an intr%der "han)es the &lainte!t in the 380 the si)nat%re will not mat"h the 380. The "ontent server will a""ordin)l# reAe"t the re(%est. The si)nat%re is based on the 8SA &ro"ed%re and 1D, hashin). The 8SA &ro"ed%re is also 9nown as the &%bli" 9e# &ro"ed%re. This &ro"ed%re is based on a &rivate and a &%bli" 9e#. >o% need the &rivate 9e# to "reate the si)nat%re. >o% need the &%bli" 9e# to "he"9 the validit# of the si)nat%re. .or a des"ri&tion of the te"hni"al details of this &ro"ed%re see the do"%mentation Se"%re Store B .orward C Di)ital Si)nat%res +BC'S;C' SS.-. As the main &artner in the three'wa# relationshi& of "lient D SAP s#stem D "ontent server the SAP s#stem is the onl# &artner that ma# send re(%est 380s to the "lient. Be"a%se of this the SAP s#stem has to "reate the 380 si)nat%re %sin) a &rivate 9e#. The &%bli" 9e# + Certifi"ate- of the SAP s#stem m%st be stored on the "ontent server and the relevant re&ositor# m%st have a""ess to it +see also Content 8e&ositories-. Transa"tions OAHT OAC0 +from release 4.6C- and CSADMIN +from release 4.6C for SAP Content Server see also Content Server and Ca"he Server Administration- are %sed to transfer the "ertifi"ate. The "ertifi"ate has to be a"tivated on the "ontent server for the re&ositor# in (%estion. This is done %sin) transa"tion CSADMIN +for SAP Content Server-.

;ver# SAP s#stem m%st have its own %ni(%e "ertifi"ate so that the SAP s#stem<s di)ital si)nat%re "an be %sed &ro&erl#. See the se"tion Creatin) a S#stem'S&e"ifi" Certifi"ate for Content Server A""ess.

Protection Against Tapping and orging of the !ata Stream

Data transfer m%st also be en"oded so that a &otential intr%der "annot a""ess the data while it is in transit between "lient and server. Standard &ro"ed%res e!ist for this s%"h as se"%re *TTP +*TTPS-. *TTPS en"odin) is %s%all# im&lemented between the "lient and the server and is not &art of the SAP *TTP Content Server interfa"e.

Si)ned 380s "an slow down &erforman"e as it ta9es in"reased &ro"essin) &ower to "reate the si)nat%re.

Security Mechanisms Against !ata Loss

SAP Content Server is based on the SAP DB +see also SAP Content Server-. To avoid data loss ta9e the %s%al meas%res a)ainst data loss in databases. These meas%res "o%ld in"l%de the followin)4 8ed%ndant hardware 1irror dis9s 8A$D s#stems and so on 8e)%lar standard se"%rit# meas%res 0o) files ba"9%&s

"ote #hen ma$ing a %ac$up that in addition to the data%ase& the file ContentServer.ini and the directory Security must also %e %ac$ed up. See also note 6EF662 +Content Server Ba"9%&
Strate)ies-.

Creating a System'Specific Certificate for Content Server Access

Use
To ensure that every SAP system has its o#n certificate (system'specific certificate)& a Personal Security *nvironment (PS*) (see also Personal Security *nvironment) must %e created on every SAP system #hen it is installed+ This only needs to %e done once for every system+ ,ou set up the PS* in the Trust Manager (transaction STRUST& see also Trust Manager)+ As a r%le the SAP s#stem PS; is %sed to "reate and verif# si)ned 380s in the SAP s#stem. .rom SAP Web A&&li"ation Server release 6.E0 #o% "an also %se #o%r own PS;. Two different s"enarios are &ossible here4 If the SAP system is functioning as a client and is using an e-ternal content server as a repository& once you create your o#n PS*& URLs are from then on signed #ith your PS* and not #ith the system PS*+ In this case& only private and public key are relevant. the certificate list is irrelevant+ $f the SAP s#stem is f%n"tionin) as a Content Server and is %sin) *TTP via SAP Web A&&li"ation Server the PS; then also has the effe"t that all &%bli" 9e#s needed for "he"9in) si)nat%res are stored in the "ertifi"ate list.

Content Server Administration is %sed for the "he"9in) &ro"ess itself +see also Content Server and Ca"he Server Administration-. This ta9es &la"e in transa"tion CSADMIN on the tab &a)e Certifi"ates.

Carr# o%t the &ro"ed%re des"ribed below for "reatin) a "ertifi"ate for Content Server a""ess %efore "reatin) re&ositories. $f #o% do this after #o% "reate re&ositories #o% will have to re'send the "ertifi"ates to all *TTP re&ositories and rea"tivate all the "ertifi"ates. This is be"a%se the "ertifi"ate "han)es when #o% "reate a new PS;. $f #o% are a""essin) the database via *TTP +see also *TTP A""ess for 8e&ositories on the SAP Web A&&li"ation Server- #o% also have to redistrib%te and rea"tivate the "ertifi"ates.

Procedure
Take the following steps to create your own PSE: 1. Call transaction STRUST. The Trust Manager opens. 2. Choose Applications. 6. Choose "e !ntries. 4. 3se .4 *el& to sele"t #TTP Content Server and "onfirm this b# "hoosin) !nter. Additional fields for a&&li"ation's&e"ifi" Se"%re Store B .orward +SS.- &arameters and standard val%es for em&t# fields are )ra#ed o%t. ,. 1a9e the followin) entries4 a. b. c. d. e. In the field Security/Product& enter SAPSECULIB+ In the field SS or!at& choose Internationa !"tan#ar#!P$CS%&+ In the field Priv. add. book& enter SAPHTTPCS.p"e+ In the field SS profile& also enter SAPHTTPCS.p"e+ In the field SS Profile"#& enter CN'(Co))on!na)e*+OU'(Or,ani-ation! Unit*+O'(Or,ani-ation*+C'(Country*+ or e-ample/ CN'BCECS+OU'DE.+O'SAP/A0+C'DE f+ 0+ 7. 1+ 2+ 34+ Chec$ #istribute PSE $%nly S&PSEC'(")*+

Save your entries+ Call transaction STRUST again+ Select +TTP Content Server+ Choose ,eplace from the conte-t menu+ Confirm this at the confirmation prompt+

33+ Confirm your entries %y choosing

in the ne-t popup (,eplace PSE)+

*-ample
The *TTP Content Server PS; lin9s to a s#stem's&e"ifi" PS;. This means that #o% "an s&e"if# that #o% no lon)er want to %se a s&e"ifi" "ertifi"ate for e!am&le. $n this "ase #o% have to o&en Content Server Administration and delete the "ertifi"ate in all re&ositories. >o% also have to delete it from the "ertifi"ate list.

Access Protection for Administration

Administration for the SAP Content Server is carried out partly inside the SAP System +see Content Server and Ca"he Server Administration)& and partly outside +see 8eferen"e 1an%al4 SAPDB 5.2 and 5.6-. Note the followin) se"%rit# "onsiderations in relation to administration on the Content Server4 1a9e s%re that onl# a%thori?ed &ersons have +administrative- a""ess to the "om&%ter on whi"h the SAP Content Server is r%nnin). 1a9e s%re that +administrative- a""ess to the database is a&&ro&riatel# restri"ted.

To ensure that only authorized persons have administrative access to the SAP Content Server from the SAP system& you need to set the parameter A#)inSecurity in the file ContentServer.ini on the SAP Content Server to 1/ A#)inSecurity'1+ .or more information see the se"tion CSAD1$N and the installation do"%mentation SAP Content Server Installation Guide.

Content Server for 5usiness 6or$place !ocuments

Purpose
For the Knowledge Provider to be able to store documents on the content server, a class for these documents must be created. In the Knowledge Provider the class SOFFPHIO is provided for Business or!place documents. Storage categories are assigned to this class with content repositories.

"s shown in the graphic, SOFF#B is the default content categor$ assigned to the SOFFPHIO class. %his means the documents are stored on the S"P #B. %o use the S"P &ontent Server or an e'ternal content server, $ou have to ma!e some settings. %hen $ou can store Business or!place documents on the content server.

Process lo#
Process lo# 3+ Creation of content repository for connecting to the content server Procedure a+ In the Implementation 7uide (IM7) (transaction SPR8) choose )asis )asis Services -nowledge Provider Content Manage!ent Service #efine Content ,epositories + %+ Create a content repository for the storage category 9TTP content server+ This content repository #ill contain the connection details to your content server+ To do this follo# the IM7 documentation for this activity+ a+ In the Implementation 7uide (transaction SPR8) choose )asis

:+ Assignment of content category S8 9TTP to the content repository you

have created+

)asis Services -nowledge Provider Content Manage!ent Service #efine Content Categories + %+ Select the entry S8 9TTP %y dou%le' clic$ing on it+ c+ In the Content ,epository field enter the name of the content repository that you created for your content server+ d+ Choose +

;+ Assignment of S8 content category S8

P9I8 class to 9TTP

a+ %+

*nter transaction S<PR41+ The previous !e!ory category SO22DB! is already specified for the class S8 P9I8+ In the .ew Category field enter S8 9TTP+ Choose +

c+

Result
Once $ou have completed the settings, new P& documents created in the Business or!place and binar$ documents will be stored on the content server $ou defined. #ocuments stored in the Business or!place before this time point, will remain in the database used up to now.

The "ontent "ate)or# S/..DB establishes the "onne"tion to this database and m%st not be "han)ed or deleted.

Cache Servers
Purpose
The &%r&ose of the Ca"he Server is to &rovide the followin) benefits4 E. Seamless trans&arent inte)ration into e!istin) "ontent server lands"a&es 2. Si)nifi"ant red%"tion in "lient res&onse times 6. As little administration wor9 as &ossible Ca"he servers are %sed to s&eed %& a""ess to do"%ment "ontent. This is &arti"%larl# %sef%l if the "ontent is re(%ired for dis&la# in a Web browser for e!am&le. Ca"he servers "an also red%"e the networ9 load and thereb# enhan"e &erforman"e. $t is therefore also a tas9 of the "a"he to &rovide the "lient with do"%ments from a &h#si"all# "lose lo"ation even if the "ontent server is lo"ated on a different "ontinent.

Ca"hes are %sed in man# areas. .or e!am&le 1S $nternet ;!&lorer %ses a lo"al "a"he on the %ser=s hard dis9. Ca"he servers are similar to "ontent servers b%t re(%ire less administration with the same level of a""ess &rote"tion.

The Ca"he Server onl# %ses *TTP. To ma9e this &ossible SAP Content Server *TTP $nterfa"e has been e!tended +see SAP Content Server *TTP 4., $nterfa"e-. B# %sin) "a"he servers #o% are sim&l# e!tendin) #o%r e!istin) infrastr%"t%re in a trans&arent wa#. There is no need to re' str%"t%re the e!istin) "ontent server lands"a&e.

Implementation Considerations
The "a"he server is installed from the SAP Server Components2 CD'8/1 as &art of the installation of the SAP Content Server. $nstallation instr%"tions in PD. format are &rovided in both ;n)lish and 2erman on this CD'8/1 in the dire"tor# GC/NTS;8HGD/C3.

Architecture of the Cache Server

Des&ite their similar ar"hite"t%re the Ca"he Server and the Content Server have some basi" differen"es. The "a"he server "an set %& its own *TTP "onne"tions to other servers and "an forward in"omin) "lient re(%ests. The @other servers@ "an be "ontent servers or other "a"he servers. $f the server in (%estion is another "a"he server this ar"hite"t%re is 9nown as "as"aded or m%lti'la#er "a"hin) +see also Cas"aded Ca"hes-.

A notable feat%re of the "a"he is its almost "om&lete freedom in terms of administration. As soon as the "a"he is inte)rated into the server to&olo)# it "an start &erformin) its servi"es witho%t the need for lo) monitorin) or ba"9%&s. Ca"hes are alwa#s %sed for read access to do"%ments. @0a?# write@ is not s%&&orted. $n other words a "lient that wants to store do"%ments m%st alwa#s be dire"tl# "onne"ted to the "orres&ondin) "a"he server. As alread# des"ribed +see Content 1ana)ement Servi"e- SAP *TTP Content Server interfa"e s%&&orts si)ned 380s. Ca"he 380s "an of "o%rse alse be si)ned. *owever it wo%ld be ver# in"onvenient if the "a"he had to rel# on the Content Server to "arr# o%t si)nat%re "he"9s ever# time. $t therefore ma9es sense for the "a"he to "he"9 the si)nat%res itself. To this end the "a"he "ontains all the ne"essar# SAP "ertifi"ates or else it )ets them from the a&&ro&riate "ontent server.

The Ca"he Server has the same se"%rit# me"hanisms as the Content Server.

!eletion Strategy and Performance

!eletion
A "hara"teristi" of "a"he servers is the &re'set limit on the amo%nt of memor# available for storin) obAe"ts. 3nli9e the "ontent server this memor# s&a"e does not @)row@ +b%t the si?e of the "a"he "an of "o%rse be in"reased at an# time-. $f the "a"he server fills %& to the level where it does not have eno%)h s&a"e to store the ne!t obAe"t it starts deletin) @old@ obAe"ts from the memor#. To fa"ilitate this the "a"he "arries o%t a statisti"al anal#sis of a""esses to "a"hed obAe"ts. $t then deletes the do"%ments that have been %na""essed the lon)est %ntil there is eno%)h s&a"e in the memor# to store the "%rrent do"%ment. This method is also "alled the least re"entl# %sed +083- me"hanism.

Performance Considerations
SAP<s own anal#ses have shown that the "a"he &rovides a "onsistent si)nifi"ant advanta)e in terms of s&eed ta9in) into a""o%nt both the fre(%en"# and si?e of re(%ests. $n the dia)ram below this is shown in the "om&arison of the res&onse times of the "a"he server and the "ontent server. .rom the dia)ram it is "lear that both "%rves r%n &arallel re)ardless of the re(%est si?e and that the res&onse times of the "ontent server e!"eed those of the "a"he server b# a fa"tor of E0. This res%lt is of "o%rse inde&endent of the bandwidth available to the "ontent server. .or e!am&le SAP has a hi)h'bandwidth "onne"tion between Walldorf and Palo Alto. $n a "%stomer environment m%"h hi)her im&rovements on s&eed "an be e!&e"ted.

The relationshi& between "a"he hits and "a"he misses is an essential "riteria in "a"he effi"ien"#. When the hit rate is near E00I "a"he &erforman"e is at o&tim%m level. $f the misses are in the maAorit# or if misses ma9e %& 20'60I of the total n%mber of re(%ests #o% sho%ld "onsider ta9in) &erforman"e o&timi?ation meas%res. What "a%ses a shar& in"rease in "a"he missesJ An almost f%ll "a"he A lar)e n%mber of widel# dis&ersed re(%estsK that is do"%ments that are not lo"ated in the "a"he are bein) "onstantl# re(%ested

Both fa"tors "a%se the "a"he to behave in the followin) wa#s. Stored do"%ments are deleted to ma9e wa# for new obAe"ts. The la"9 of s&a"e in the "a"he and the non'homo)eno%s nat%re of the re(%ests means that deletion "ontin%all# ta9es &la"e. $n e!treme "ases the "a"he "ontent is in a "onstant state of fl%! +also 9nown as @thrashin)@-. This )reatl# de)rades "a"he &erforman"e.

The onl# sol%tion to this &roblem is to e!tend the "a"he s&a"e so that the ma!im%m o""%&an"# of the "a"he "an be maintained at 5,I. Ba"9bone "a"hes are &arti"%larl# s%s"e&tible to thrashin) as these serve as "on"entrators for other "a"hes.

8ptimal Access Path for Client Re=uests

The SAP s#stem 9nows the lo"ations of the "ontent server "a"he server and "lient atta"hed to it. This 9nowled)e enables it to establish an o&timal "ontent a""ess &ath. The "a"he is sele"ted as follows4 E. The SAP s#stem establishes the lo"ation of the "lient. 2. The SAP s#stem then establishes the lo"ation of the "ontent server. 6. $f the "lient and the "ontent server are at the same lo"ation no "a"hin) is ne"essar# and the re(%ested 380 "an be retrieved dire"tl# from the "ontent server. $n other words the "ontent is dis&la#ed dire"tl# from the "ontent server. $f the "lient and "ontent server are not at the same lo"ation the SAP s#stem finds o%t the identit# of the "a"he server at the "lient lo"ation. 4. $f no "a"he server is available the 380s are dis&la#ed on the "lient dire"tl# from the "ontent server. $f one or more "a"he servers are available one of these is sele"ted to dis&la# the "ontent.