Configuring file storage area security ensures that content files are safe from unauthorized usage.
The Content Platform Engine operating system user (cpe_os_user) who logs on to the Content Platform Engine server and starts the local application server process is the account that must be used to secure the folders and files in a file storage area. From a practical standpoint, the account that is used to install the application server should be the same account that is used to start the application server process. As an administrator, you will always log on using the same operating system account to secure the folders and files in the file system that Content Platform Engine will use for a file storage area.
Optionally, you can use an operating system group account. All cpe_os_user accounts would be members of the group account. If you do not set up such a group, then that single user account cpe_os_user must be used to log on to each Content Platform Engine and file storage server instance.
For a mixed environment of non-Windows and Windows, you will need an NFS Gateway product in order to provide interoperability between Windows-based and non-Windows-based clients.
A Content Platform Engine file storage area is always created under a shared root directory that has been created by the operating system user account, cpe_os_user. The cpe_os_user is responsible for securing the root directory in a way that grants full control access to the Content Platform Engine server (represented either by the cpe_os_user or group account) and prevents all other users from obtaining unauthorized access to files in the area.
The Create a Storage Area Wizard creates the storage area folder structures below the root directory, but does not directly set permissions on any of these folders. Instead, the folders are secured via inherited security. The inheritance scheme differs between Windows and AIX, HPUX, HPUXi, Linux, Linux on System z, or Solaris and is discussed in detail below. Note that when Content Platform Engine creates content element files within a storage area, it does not directly set permissions on the files; it always allows permissions to be inherited.
Under Windows, file and folder permissions can be inherited via true inheritance. Folders and files can receive inherited permissions from their parent folder, without an application setting permissions on the newly created file or folder. The Content Platform Engine file security scheme under Windows requires the system administrator (who is logged on as cpe_os_user) to create the root directory in a way that provides proper inheritance and provides proper access control.
Secure the root directory of a file storage area as follows:
Once it is secured, you must share the root folder so it can be accessed across the network. Permissions on a share cannot define access that is any less restrictive than the permissions of the folder that is shared. The recommended scheme is to grant full control access on the share to the same set of users and groups that have been granted full control access on the shared folder.
Under AIX, HPUX, HPUXi, Linux, Linux on System z, or Solaris, file and folder permissions are inherited via the file creation mask (called the umask) of the user that creates the file or folder. Files and folders do not inherit the access rights of the parent folder. The Content Platform Engine file security scheme under AIX, HPUX, HPUXi, Linux, Linux on System z, or Solaris therefore requires the system administrator to configure the creation mask of the Content Platform Engine operating system account (cpe_os_user) so that it grants the proper permissions on newly created files and folders. The root folder must be created with the same permissions as those granted by the cpe_os_user creation mask, which should grant the following permissions:
Creation mask example:
umask u=rwx,g=rwx,o=
or
umask 0007
The root folder must be exported via NFS on the server side (meaning the computer that hosts the file system) and mounted (via NFS) on the client side. Once the root folder has been properly shared via NFS, security is enforced via the user and group identifiers of the client (as if the client logged on locally to the server computer). The client in this case is the Content Platform Engine server running on a remote computer.
Make sure you prevent non-local root access to a folder that has been exported via NFS, as allowing non-local root access has serious implications for security. For example, in Linux the no_root_squash option must not be included in the export options.
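The following script is an added example, not part of the IBM documentation, that sets up a root directory under the umask scheme described above and verifies the points the scheme depends on: the root directory and files created under it carry no permissions for "other", and the NFS export line does not contain no_root_squash. All paths and the sample exports file are constructed here; the checks run as whichever account invokes them rather than as cpe_os_user.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: set up and verify a file
# storage area root the way the umask-based scheme above requires.
# Assumptions: directory paths and the exports file are constructed here;
# cpe_os_user itself is not created, the checks run as whoever invokes them.

# Return 0 when an octal umask (for example 0007) leaves no rights for "other".
umask_blocks_others() {
    [ $(( 0$1 & 7 )) -eq 7 ]
}

# Create the root directory under umask 0007 so it gets mode 0770, the same
# permissions that cpe_os_user's creation mask grants to everything below it.
create_fsa_root() {
    ( umask 0007 && mkdir -p "$1" )
}

# Return 0 when "other" users have no rights on the given path (ls columns 8-10).
no_other_access() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Content Platform Engine does not set permissions on the content element files
# it writes, so the result depends entirely on the creation mask in force.
# Create a file under the given umask and return its permission string.
create_content_file_with_umask() {
    ( umask "$1" && : > "$2" ) || return 1
    ls -l "$2" | cut -c2-10
}

# Return 0 when no export line for directory $2 in exports file $1 includes
# no_root_squash (the option the text says must not be used).
exports_safe() {
    ! grep -E "^[[:space:]]*$2[[:space:]].*no_root_squash" "$1" >/dev/null
}

# Constructed sample exports file: one correct line, one that must be rejected.
WORK=$(mktemp -d)
SAMPLE_EXPORTS="$WORK/exports"
cat > "$SAMPLE_EXPORTS" <<'EOF'
/export/fsa_root   192.0.2.0/24(rw,sync,root_squash)
/export/fsa_bad    192.0.2.0/24(rw,sync,no_root_squash)
EOF

# Walk through the checks on a root created in the temporary work directory.
create_fsa_root "$WORK/fsa_root"
no_other_access "$WORK/fsa_root" && echo "root dir: no access for other"
echo "file under umask 0007: $(create_content_file_with_umask 0007 "$WORK/fsa_root/a.dat")"
echo "file under umask 0022: $(create_content_file_with_umask 0022 "$WORK/fsa_root/b.dat")"
exports_safe "$SAMPLE_EXPORTS" /export/fsa_root && echo "/export/fsa_root: export OK"
exports_safe "$SAMPLE_EXPORTS" /export/fsa_bad || echo "/export/fsa_bad: no_root_squash present"
```

The second file, created under the default 0022 mask, comes out world-readable, which is exactly the misconfiguration a wrong cpe_os_user creation mask produces.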