cancel
Showing results for 
Search instead for 
Did you mean: 

Changing the expiration time of a URL signed with a SecKey

Former Member
0 Kudos

Hi

We are using an external archive server in our system to store documents and data. The content in the HTTP server is accessed through a URL generated by SAP which is signed with a SecKey.

The URL contains an 'expiration time' parameter, once which is passed, the URL is considered invalid and the external archive server rejects the request.

Does anyone know where this expiration time setting is made? (i.e. expire the link 20 mins / 1 hr after the link has been generated) and how can this be changed?

Thanks and Regards

Joy Kaushish

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

The URL is generated just before being used. How can you get an expiration time problem ?

I don't think it is possible to change this time out because the system is designed to make it difficult (or impossible ) to use the URLs directly from a web browser.

The URL has to be generated by the SAP system...

Regards,

Olivier

Former Member

Hi Olivier

Thanks for ur reply. Yes you are right, the URL is generated from SAP just before being used. I am not getting an expiration time problem, but want to create an expiration problem

The reason is this:

We are using Internet Exporer to view documents from the content server. What appears on the address bar of the IE window is ofcourse the URL of the document, signed with the SecKey and expiration time. The concern is that the generated URL can be passed from someone who is authorised to view the document (and is able to generate the valid URL) to someone who is not authorised.

In this case, since the expiration time by default is 1hr after generation, the unauthorized person can also send the http request to the content server, which the content server will not reject. Thus creating a security problem.

Here's a link that gives a brief overview of SecKey's from SAP help:

http://help.sap.com/saphelp_nw04/helpdata/en/9b/e8c192eaf811d195580000e82deb58/frameset.htm

This is another link that exactly describes my query:

http://www-01.ibm.com/support/docview.wss?uid=swg21221290

Since the URL is generated from SAP and depending on the url parameters such as expiration time, the content server can service or ignore the request; one possible way of making sure that the generated URL cannot be reused by someone who is not authorized to view the document is to reduce the expiration time to make the url expire in a short time. Can this be done in SAP?

Answers (1)

Answers (1)

shabeer
Contributor
0 Kudos

You can Try this parameter.. <icm/keep_alive_timeout>

revert back if it is working

Edited by: Shabeer on Sep 22, 2008 4:44 PM

Former Member
0 Kudos

Shabeer,

This <icm/keep_alive_timeout> parameter has nothing to do with the problem...

Regards,

Olivier