Network and Communication Channel Security

Communication Channel Security

Used Technologies

The following technologies are used for communication between the individual TREX components and between TREX and the applications that use TREX:

·        HTTP/HTTPS

·        TCP/IP (TREXNet)

·        RFC/SNC

·        SSL

The graphic below displays the individual TREX components and the way that they communicate with each other.

Communication between the TREX Java client and the TREX Web server, and between the Web server of the application using TREX and the TREX preprocessor, takes place using HTTP. You can configure this communication so that it takes place securely using HTTPS. All other communication between the TREX components (name, index, queue, and Web server) and between the TREX Java client and the name server takes place using a TREX-specific protocol (TREXNet) that is based on TCP/IP. You can also implement a secure TREXNet (see Configuration of the TREX Security Settings). The TREX Java client is available in the J2EE Engine as a TREX service. It can be administered using the Visual Administrator.

Communication Channels of TREX Components

TREX Component                    Communication Technology                                Type of Authentication
--------------------------------  ------------------------------------------------------  ----------------------
Java client                       HTTP/HTTPS                                              Client certification
                                  With the TREX name server, using TCP/IP (TREXNet).
ABAP client                       RFC/SNC
Web server with TREX extension    HTTP/HTTPS                                              Client certification
                                  With other TREX components, using TCP/IP (TREXNet).
Preprocessor                      With the application’s Web server, using HTTP/HTTPS.    Client certification
                                  With other TREX components, using TCP/IP (TREXNet).
Name server                       TCP/IP (TREXNet)
Queue server                      TCP/IP (TREXNet)
Index server                      TCP/IP (TREXNet)

Data Storage

TREX creates an index from documents in a document set. An index is a collection of selected terms that represent the content of the documents indexed. To produce this, TREX indexes the original data and stores the index generated. TREX is therefore a secondary data store.

The data that the TREX queue server (queues) and the TREX index server and its search engines (search index, text-mining index, and attribute-engine index) access is not stored in a database. It is stored unencrypted as flat files in the file system. You protect the TREX files and indexes located in your file system by configuring the security of your file system. You can find details on this in the security documentation for your operating system.

Data Transfer

The communication between the TREX preprocessor and the portal Web server is used to call up and transmit document content from the repositories of the application using TREX (for instance, SAP Enterprise Portal). The TREX Java client is used to transmit search requests and commands (for instance, create a link) from the application to the TREX index server. The Java client also transmits the search results, responses to commands, and document content. This takes place in a similar way to communication by an application and TREX using the TREX ABAP client and RFC. The data (search requests, search results, document content, and commands) is protected by securing the communication channels and the certification of communication partners.

Secure Usage of the ISAPI Server Extension for the TREX Web Server

On the TREX Web server, an ISAPI server extension for the Internet Information Server (IIS) on Windows is installed. It enhances the Web server with TREX-specific functions and is realized as the ISAPI server extension TrexHttpServer.dll, which is located in the TREX installation directory by default.

TREX provides a separate DLL (Dynamic Link Library), TREXISAPIExt.dll, for the IIS on Windows. For security reasons this file is stored in a separate directory and merely calls the actual ISAPI server extension (TrexHttpServer.dll).

Network Security

The TREX servers, components, and indexes can be distributed among various network segments using a scaling and load-balancing concept.

For more information on configuring a distributed TREX landscape, see the SAP NetWeaver 2004s Distributed Search and Classification (TREX) Systems configuration guide on the SAP Service Marketplace at service.sap.com/installation.

The TREX server ports are calculated during the installation according to the allocated number of index servers and preprocessor instances and the chosen TREX instance number.

The basis of the port numbers is 30000.

·        Name server: 30001 + 100 * <trex_instance_number>

·        Preprocessor: 30002 + 100 * <trex_instance_number> + 10* (<preprocessor_instance_number> - 1)

·        Index server: 30003 + 100 * <trex_instance_number> + 10 * (<index_server_instance_number> - 1)

·        Queue server: 30004 + 100 * <trex_instance_number>

·        HTTP server: 30005 + 100 * <trex_instance_number>

This method of calculation ensures that the ports do not clash with another TREX instance on the same host.

You cannot change the prescribed ports during the installation. However, the TREX instance number that you chose in the Select the TREX Instance window determines the second and third digits of the port numbers.

If you chose the instance number 48 and have specified two instances each for the index server and preprocessor, the ports are defined as follows:

Name server = 34801

Preprocessor 1 = 34802

Preprocessor 2 = 34812

Index server 1 = 34803

Index server 2 = 34813

Queue server = 34804

HTTP server = 34805

If you are implementing TREX behind a protective firewall, you can avoid further configuration steps for security measures and thereby retain the current performance levels of your system. Otherwise, you should configure secure communication between TREX and the application using it. The configuration of the firewall settings depends on whether TREX is within the technical system landscape. If this is the case, you must configure the firewall so that it passes the ports of the TREX servers in both directions for TCP/IP (UDP is not required).
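The port scheme and the firewall requirement above, worked through as an added example (this is not SAP's own code): it computes the port set of an instance from the formulas, lists the TCP ports a firewall has to pass, and, going beyond the text, checks several instances on one host for port clashes. The function names, the two-digit instance-number check and the clash check are assumptions of this example.

```python
# Added example (not SAP's own code): compute the TREX server ports from the
# formulas above and check a host's instances for port clashes.
PORT_BASE = 30000  # base of all TREX port numbers, as stated in the text


def trex_ports(instance: int, index_servers: int = 1,
               preprocessors: int = 1) -> dict[str, int]:
    """Return {server name: port} for one TREX instance number.

    The instance number supplies the second and third digits of each port,
    so it is assumed here to be two digits (00-99).
    """
    if not 0 <= instance <= 99:
        raise ValueError("TREX instance number must be in 00-99")
    if index_servers < 1 or preprocessors < 1:
        raise ValueError("need at least one index server and preprocessor")
    block = PORT_BASE + 100 * instance
    ports = {"name server": block + 1,
             "queue server": block + 4,
             "HTTP server": block + 5}
    # Each further preprocessor / index server instance moves up by 10.
    for n in range(1, preprocessors + 1):
        ports[f"preprocessor {n}"] = block + 2 + 10 * (n - 1)
    for n in range(1, index_servers + 1):
        ports[f"index server {n}"] = block + 3 + 10 * (n - 1)
    return ports


def port_clashes(instances: list[dict[str, int]]) -> dict[int, list[str]]:
    """Map every port claimed by more than one server to its claimants.

    Goes beyond the text: more than ten preprocessor or index server
    instances step past the instance's own block of 100 ports.
    """
    owners: dict[int, list[str]] = {}
    for i, ports in enumerate(instances):
        for name, port in ports.items():
            owners.setdefault(port, []).append(f"instance[{i}] {name}")
    return {p: o for p, o in owners.items() if len(o) > 1}


def firewall_tcp_ports(instances: list[dict[str, int]]) -> list[int]:
    """Sorted TCP ports a firewall must pass in both directions (no UDP)."""
    return sorted({p for inst in instances for p in inst.values()})


if __name__ == "__main__":  # the text's example: instance 48, two of each
    for name, port in sorted(trex_ports(48, 2, 2).items(), key=lambda kv: kv[1]):
        print(f"{name:16} {port}")
```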

TREX cannot be delivered with a preconfigured secure configuration as this would break the strict export rules for cryptographic software.

Communication Destinations

When the TREX installation takes place, you create one or more RFC destinations of connection type T in the SAP system so that the application can communicate with TREX. You choose the activation type Start or Activation when you create the RFC destination. The activation type determines how the SAP Gateway communicates with the RFC server. Secure communication between the TREX ABAP client and the RFC server using SNC is not currently supported.

In addition to the RFC connection, TREX uses HTTP/HTTPS for communication between the TREX components and the application using TREX. The ports used for this are described under Network Security.