Skip to Content
author's profile photo Former Member
Former Member

Changing the expiration time of a URL signed with a SecKey

Hi

We are using an external archive server in our system to store documents and data. The content in the HTTP server is accessed through a URL generated by SAP which is signed with a SecKey.

The URL contains an 'expiration time' parameter, once which is passed, the URL is considered invalid and the external archive server rejects the request.

Does anyone know where this expiration time setting is made? (i.e. expire the link 20 mins / 1 hr after the link has been generated) and how can this be changed?

Thanks and Regards

Joy Kaushish

Add a comment
10|10000 characters needed characters exceeded

Related questions

2 Answers

  • Best Answer
    author's profile photo Former Member
    Former Member
    Posted on Sep 22, 2008 at 02:31 PM

    Hi,

    The URL is generated just before being used. How can you get an expiration time problem ?

    I don't think it is possible to change this time out because the system is designed to make it difficult (or impossible ) to use the URLs directly from a web browser.

    The URL has to be generated by the SAP system...

    Regards,

    Olivier

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hi Olivier

      Thanks for ur reply. Yes you are right, the URL is generated from SAP just before being used. I am not getting an expiration time problem, but want to create an expiration problem 😊

      The reason is this:

      We are using Internet Exporer to view documents from the content server. What appears on the address bar of the IE window is ofcourse the URL of the document, signed with the SecKey and expiration time. The concern is that the generated URL can be passed from someone who is authorised to view the document (and is able to generate the valid URL) to someone who is not authorised.

      In this case, since the expiration time by default is 1hr after generation, the unauthorized person can also send the http request to the content server, which the content server will not reject. Thus creating a security problem.

      Here's a link that gives a brief overview of SecKey's from SAP help:

      http://help.sap.com/saphelp_nw04/helpdata/en/9b/e8c192eaf811d195580000e82deb58/frameset.htm

      This is another link that exactly describes my query:

      http://www-01.ibm.com/support/docview.wss?uid=swg21221290

      Since the URL is generated from SAP and depending on the url parameters such as expiration time, the content server can service or ignore the request; one possible way of making sure that the generated URL cannot be reused by someone who is not authorized to view the document is to reduce the expiration time to make the url expire in a short time. Can this be done in SAP?

  • Posted on Sep 22, 2008 at 11:14 AM

    You can Try this parameter.. <icm/keep_alive_timeout>

    revert back if it is working

    Edited by: Shabeer on Sep 22, 2008 4:44 PM

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.