Configuration SAP / KGS Core of Tia CMIS (tokenseckey)
The tokenseckey authentication type is a combination of token authentication and SAP secKey. SAP created this process for SAP users who need a document opened in an external application (such as a browser).
The procedure ensures that the machine token (configured in SAP) is not exposed to a browser, where it could easily be extracted and used to access other resources on the CMIS server for that repository.
As a prerequisite, these two must already be configured:
SAP Repository configured with OAuth2
tia Core CMIS with a valid Keystore (see KeyStore Service)
The Process can be described in two major steps:
1.) Send the Certificate + Activation
2.) Request a CMIS Document to be opened in an external application/browser
Send the Certificate + Activation
In the first step, ensure your SAP system is already configured with OAuth2 (test the connection in SM59 and OAC0).
1.) In SAP, go to the Transaction: OAC0
2.) Select the Repository you already configured for OAuth2
3.) Press the putCert-Button.
4.) After the “successful send Certificate” message, open the GUI of the KGS tia Core CMIS Server
https://<servername/ip>:<port>
5.) Log in with the Basic Auth credentials that were either generated at startup of the application (see log) or provided beforehand via environment variable.
6.) Open the “Manage Certificates” Page
7.) Click on the Repository you initially sent your certificate to.
8.) Click on “Activate”.
9.) After all steps are done, the tia Core CMIS is capable of verifying secKeys for that repository.
Request a CMIS Document to be opened in an external application/browser
You can now test your configuration by opening CMIS Documents from that Repository in SAP. For everything internal (that is, no external browser), token authentication is used. For opening in an external browser, SAP will receive a token, send it to tia Core for verification and, upon success, generate a new URL and open it in that external application.
The URL looks like:
https://<Server>:<port>/browser/<CMIS-RepoID>/root?&ObjectId=<ObjectId>&cmisaction=getContentStream&authId=<CertificateAlias>&expiration=<expirationDate>&secKey=<secKey>
When the browser tries to open this URL, tia Core CMIS checks whether a token is in the request and, if not, looks for a secKey parameter. In that case, the expiration date is verified and the secKey is validated against the certificate that was sent in Step 1.
The verification will fail when:
the expiration date has passed
the secKey does not match
In that case, please check the logs for errors.
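The check order described above can be replayed offline against a URL copied from the logs to see which of the two failure cases applies. This is an added example, not KGS or SAP code. It assumes the expiration value is UTC in yyyymmddhhmmss form, and verify_seckey is a hypothetical hook standing in for the signature check against the activated certificate.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

REQUIRED = ("authId", "expiration", "secKey")  # parameter names from the URL above
EXP_FORMAT = "%Y%m%d%H%M%S"  # ASSUMPTION: UTC yyyymmddhhmmss; the page does not state the format


def triage(url, has_token, verify_seckey, now=None):
    """Return (decision, reason), following the order described in the text.

    verify_seckey(alias, query) -> bool is a hypothetical hook for the
    signature check against the certificate stored under that alias.
    """
    if has_token:
        return "token", "token present, secKey parameters not evaluated"
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in REQUIRED:
        values = query.get(name, [])
        # Fail closed on missing, empty or repeated parameters.
        if len(values) != 1 or not values[0]:
            return "reject", f"{name} missing, empty or repeated"
    raw = query["expiration"][0]
    try:
        # strptime alone tolerates some short inputs, so pin length and charset first.
        if len(raw) != 14 or not (raw.isascii() and raw.isdigit()):
            raise ValueError("wrong length or non-digit characters")
        expires = datetime.strptime(raw, EXP_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return "reject", "expiration not parseable"
    now = now or datetime.now(timezone.utc)
    if now >= expires:
        return "reject", "expiration date has passed"
    if not verify_seckey(query["authId"][0], query):
        return "reject", "secKey does not match certificate"
    return "accept", "secKey valid"


# Constructed sample URL; host, repository, ids and secKey are placeholders.
SAMPLE_URL = ("https://cmis.example.test:8443/browser/REPO1/root?&ObjectId=obj-42"
              "&cmisaction=getContentStream&authId=SAP_ALIAS"
              "&expiration=20300101120000&secKey=PLACEHOLDER")

if __name__ == "__main__":
    fixed_now = datetime(2030, 1, 1, 11, 0, tzinfo=timezone.utc)
    print(triage(SAMPLE_URL, False, lambda alias, query: True, now=fixed_now))
```

A rejection on the expiration check with an otherwise valid URL usually points to clock drift between SAP and the CMIS host, so compare both clocks in UTC before looking at the certificate.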
Flow Diagram
For a detailed Flow Diagram, please have a look into: