Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Showing results for 
Search instead for 
Did you mean: 
Former Member

Introduction

This article will guide you through an easy and secure setup of SAP Mobile Documents on-premise. It is part of the complete step-by-step setup guide for SAP Mobile Documents.

It will show and explain all the necessary steps to get started and will also shed some light at the main features and the architecture.

It will guide you through the setup of a single server installation which is suitable for smaller installations. As NetWeaver is the platform for Mobile Documents, of course bigger installations like high-availability clusters as well as using multiple network zones is supported, but this is out of scope for this instruction.

This guide is based on the SAP Mobile Documents 1.0 SP2 release and the screenshots in this guide were taken on a SAP NetWeaver AS Java 7.3 including enhancement package 1 and the links concerning AS Java and SAP KM respectively point to the 7.31 release.

Architecture

Before we start with the installation and configuration, let’s have a quick look at the architecture.

The main components of the SAP Mobile Documents solution are the clients, the server, and the document repositories. By using the open standard CMIS (Content Management Interoperability Services) for all communications from the clients to the server as well as from the server to the connected document repositories, a high level of flexibility and interoperability is achieved. The on-premise version of SAP Mobile Documents uses SAP Knowledge Management as document repository for the special scenarios “My Documents” and “Shared Documents”. Part of the SAP Mobile Documents server component is also a CMIS connector for SAP KM. The CMIS connector is also available as a standalone component, in case you want to connect a KM system that is running on a different NetWeaver installation.

Other document servers with CMIS-capable interfaces can be connected and their repositories can be integrated into SAP Mobile Documents as “Corporate Documents”.

My Documents Repository

The My Documents Repository is the repository where every Mobile Documents User can store his personal documents and sync it to all connected clients. Every user has a folder that is marked as his so-called home folder. All folders and documents inside this home folder are only visible and accessible by the user himself.

Shared Documents

This repository offers the possibility to share documents with other Mobile Documents users and external users. If "Shared Documents" is enabled on the server, every user can create shares, invite members to collaborate and manage their access rights. It is also possible to create public links to a share with security settings like expiration date, password, etc. A public link is accessible through a dedicated non-guessable URL that additionally can be password-protected. If enabled, anonymous users can also upload or delete documents in a public folder.

Installation

As a first step you have to download and install the newest version of SAP Mobile Documents. For your on-premise server installation you need an SAP NetWeaver AS Java as a platform.

You can find detailled installation description for this:


- How to install SAP NetWeaver Application Server Java

- How to install SAP Mobile Documents using the Software Update Manager (SUM)

These implementation steps (including this document) are listed in the step-by-step installation guide.

The system requirements can be found in the Product Availability Matrix (http://service.sap.com/pam). Please also check that you install the required patches that are mentioned in the central SAP Mobile Documents note 1832483 (https://service.sap.com/sap/support/notes/1832483).

The desktop clients for Windows and Mac OS can also be downloaded from SAP Service Marketplace, for the download path and the installation please consult the official help linked above.

The mobile clients can be downloaded from the iTunes App Store and Google Play.

Configuration

AS Java Settings

On AS Java level there are two configurations that are recommended when you use Mobile Documents. First, there is a file size restriction of 100MB in the Internet Connection Manager (ICM) which is really not very desirable when working with documents and second we want to activate HTTP response compression for the communications between clients and server.

Removing the 100 MB restriction in ICM: http://help.sap.com/saphelp_mdocs10/helpdata/en/a3/91f4d8384b46a0a3e72ef2d598d79c/content.htm?frames...

Enabling gzip compression for HTTP responses: http://help.sap.com/saphelp_mdocs10/helpdata/en/8a/e07df9305d4408ab6de9a8759eb5c1/content.htm?frames...

Creating KM repositories

In order to use “My Documents” and “Shared Documents” you have to create the repositories in SAP KM first.

Log into your Portal with a user with Administrator privileges by entering http://<yourserver>/irj into your browser’s address bar (Internet Explorer is recommended when working in the Portal).

Navigate to

System Administration -> System Configuration -> Knowledge Management -> Content Management -> Repository Managers -> CM Repository

Click on the button “New” and enter the following parameters:

Name:

mydocuments

Prefix:

/mydocuments

Persistence Mode:

dbfs

Repository ID in Database:

mydocuments

Root Directory:

$(sys.global.dir)/config/cm/mydocuments

Repository Services:

select “properties”

Property Search Manager:

com.sapportals.wcm.repository.manager.cm.CmPropertySearchManager

Security Manager:

AclSecurityManager

ACL Manager Cache:

ca_rsrc_acl

Memory Cache:

ca_cm

NOTE: This repository manager will store documents on the file system and metadata like properties and folder structures in the database.

The root directory that you configure must exist. You can create the folder or you also can configure a mapped network share and adapt the parameter “Root Directory” to your needs.

Click OK.

If you want to check if the repository manager is working navigate to

System Administration -> Monitoring -> Knowledge Management -> Component Monitor -> Repository Managers ->mydocuments

The monitoring page should show a green icon. If the icon is red, you propably configured a non-existing or non-accessible path as “Root Directory”.

Create a second repository for “Shared Documents” by repeating the same steps, but use “shareddocuments” instead of “mydocuments”.

User Administration

Create a service user

Both scenarios - “My Documents” and “Shared Documents” – require a service user that the application uses to do operation on-behalf of the user, for example the initial creation of the users’ home folders. This service user must have privileges to operate in KM repositories despite of ACL permissions and should have a non-expiring password.

In the portal (http://<yourserver>/irj), navigate to User Administration, click “Create User” and enter the following parameters in “General Information”:

Logon ID:

mdocs-service

Define Password:

<super-secret-password>

Confirm Define Password:

<super-secret-password>

Last Name:

Mobile Docs

Security Policy:

Technical User

Assign the Content Admin role by clicking on the tab “Assigned Roles”.

In the box “Available Roles” on the left, enter content_admin_role in the search field and press “Go”.

Select the role pcd:portal_content/administrator/content_admin/content_admin_role and click “Add”

Save the user.

Assign Mobile Documents Roles

Users that want to access Mobile Documents need specific roles. A description of the available roles and an instruction on how to assign them can be found in the official help here: http://help.sap.com/saphelp_mdocs10/helpdata/en/8e/28904fa014430498a2ee03c36fb02e/content.htm?frames...

For now we assign the role “MCM_Administrator” to your Administrator user in order to be able to use the Mobile Documents Administration. Later on we have to assign the “MCM_User” role to all users that should be able to use Mobile Documents. A best practice is to assign the role to a group, which in most companies is a connected LDAP server like Microsoft Active Directory. That means all you have to do is assign the “MCM_User” role to existing LDAP groups.

TIP: You can use the role assignment to enable or disable Mobile Documents for users.

Configuring Destinations

In order to connect repositories to SAP Mobile Documents you have to configure connection data like server addresses, authentication methods, etc. Mobile Documents utilizes a service of SAP NetWeaver AS Java that is built just for these purposes, the destination service.

Log in to SAP NetWeaver Administrator by entering http://<yourserver>/nwa into the address bar of your browser.

Navigate to Configuration -> Destinations

Click the button “Create” and enter the following parameters:

Hosting System:

Local Java System <SID>

Destination Name:

LOCAL_SERVER

Destination Type:

HTTP

Click “Next”

URL:

http://localhost:<yourport>/cmis/json

NOTE: /cmis/json is the URI to the browser binding endpoint of the KM CMIS Connector

Click “Next”.

Authentication:

Basic (User ID and Password)

Username:

mdocs-service

Password:

<super-secret-password>

Save the destination by clicking “Finish”.

Configuring the repositories in Mobile Documents

All preparations are done by now, let’s open the Mobile Documents Administration by entering http://<yourserver>/mcm/admin into your browser’s address bar (since Mobile Documents uses SAP’s new HTML5 based UI library, I recommend to use Firefox or Chrome).

Navigate to Repositories -> Connections and create a new connection with the following parameters:

Display NameLocal Server
DestinationLOCAL_SERVER
Connection TypeLocal KM Connection

NOTE: For “My Documents” and “Shared Documents” only the connection types “Local KM Connection” and “SAP Assertion Ticket Connection” are supported.

Use the local connection for all KM repositories that exist on the same server, use ticket connections for repositories that are residing on remote servers.

After saving the connection, navigate to Repositories -> My Documents.

Select the connection “Local Server” and the Repository “mydocuments”. The value for “Document Classification” does not matter right now, pick any. You can change the default document classification when you want to start working with security policies which affect your clients. You can find more details about document classification here: http://help.sap.com/saphelp_mdocs10/helpdata/en/91/b3044f0a744cda9a980c89dadd5034/content.htm?frames...

Save your configuration.

The “My Documents” scenario should be up and running now, let’s move on to Repositories -> Shared Documents. As before, select the “Local Server” and this time pick the repository “shareddocuments”. For the document classification pick any, as before.

To actually activate “Shared Documents” you have to configure the following settings. Go to “Settings” -> “Shared Documents”. To activate the sharing scenario, tick the checkbox “Allow Sharing” and save. For a description of the other settings see the help page:

http://help.sap.com/saphelp_mdocs10/helpdata/en/71/5a46a7dd0d4c0d844dcd1b3a53bb51/content.htm?frames...

In the menu bar you can also find the entry “Repositories” ->“Corporate Content”. Here you can configure additional repositories like new or existing KM repositories or other CMIS-capable systems. How you connect third-party servers to Mobile Documents is out of scope for this guide, but basically you define a destination and a connection, then you can create a corporate repository. See the help for more information.

Authentication Scenarios: http://help.sap.com/saphelp_mdocs10/helpdata/en/16/4ca5ad073a4c02878723f03834f2f3/content.htm?frames...

Creating Destinations:

http://help.sap.com/saphelp_mdocs10/helpdata/en/8c/2fd028cef6463a92984acf90c7f839/content.htm?frames...

Creating Corporate Repositories:

http://help.sap.com/saphelp_mdocs10/helpdata/en/f5/d2bce890f74927a4b8db7ef9751a71/content.htm?frames...

Making your server available in the Internet

SAP Mobile Documents is about accessing the documents you need – everywhere,anytime. To enable this for your users a web infrastructure is needed. Of course it is not desirable to expose your application server directly by putting it to the DMZ. Common setups include firewalls and reverse proxy servers that protect the access to the application server. Mobile Documents needs a special configuration when a reverse proxy is used. The CMIS responses of the server contain absolute URLs that the clients use for further communications. In the setting “External Server URL” you configure the URL that clients use to access Mobile Documents. A detailed description can be found in the help:

http://help.sap.com/saphelp_mdocs10/helpdata/en/c1/ebbe9a8a994942af9e7c7691ab769b/content.htm?frames...

Securing your setup

This chapter contains some hints on how to improve the security of your SAP Mobile Documents installation.

Setting Permissions in KM repositories

The personal documents that users store in “My Documents” or “Shared Documents” of course should be private. The application protects the documents by using Access Control Lists (ACL). However, Super-Administrators and Content Administrators are able to access all documents using KM UIs despite of ACL permission settings. In a productive system these roles should be assigned very carefully.

Furthermore, the initial permissions of a new repository contain “Full Control” for everyone. Although Mobile Documents removes this permission when the personal folders for users are created, you may also want to remove the “Everyone” permission from your repositories root folder. A description on how to achieve that can be found here:

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/42/89749d882d1422e10000000a114cbd/content.htm?frame...

Transport Level Security

Obviously, all communications – from client to server and from server to repository – should be protected with SSL. Regarding the client-server communication, most of the times SSL is terminated at the load balancer. If you need SSL encryption on AS Java, you can find more information in the help portal here:

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/015cc68d863132e10000000a421937/frameset.htm

The server to server communications – means AS Java to repository server should be SSL protected as well. You can setup mutual SSL authentication and create trust relationships for SSO between the servers. Mobile Documents uses the Destination Service, the keys and certificates needed for the setup of SSL to external servers are done in SAP NetWeaver Administrator. Please consult the SAP help portal for details.

The authentication scenarios that are supported by Mobile Documents are listed here:

http://help.sap.com/saphelp_mdocs10/helpdata/en/16/4ca5ad073a4c02878723f03834f2f3/content.htm?frames...

Backup and Restore

Of course you want to prevent data-loss in case of hardware crashes or other disasters. SAP’s recommendation is to do offline backups once in a week and online backups on a daily basis. This includes backing up the database and the file system. Good information about backup and restore of SAP AS Java can be found here:

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/AB/A24C409CEF4F4FA21F9777CE360B06/content.htm?frame...

If you configured root directories outside of /usr/sap/<SID> during the creation of the repositories for “My Documents” and “Shared Documents”, these directories have to be included in your file system backup. Since these repositories are DBFS repositories, there is a special backup flow that is described here:

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/82/37d8e1d1a5408ca6c9b9d8b460dfd5/content.htm

Virus Scanning

SAP does not deliver its own anti-virus programs, but SAP KM offers a virus scanner interface which is described here: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/b8/f5af401efd8f2ae10000000a155106/frameset.htm

21 Comments
Labels in this area