
storage.yaml - Hyland Nuxeo

This section provides instructions on configuring the storage.yaml file to store documents from SAP S/4HANA through aqilink into Hyland Nuxeo. It includes detailed guidelines for specifying connection parameters and managing authentication to ensure successful integration with the Nuxeo repository.

Parameter Overview

The table outlines the available parameters in storage.yaml for specifying a connection to Hyland Nuxeo.

Tip

Use the parameter name to introduce a new element in the context of YAML syntax. This can be useful for easier identification, as this name must be referenced in the related connection from SAP in the sapHttp.yaml.

| Parameter | Mandatory | Type | Default | Description |
|---|---|---|---|---|
| name | Yes | string | | The value must be unique and should not contain special characters; only alphanumeric characters (0-9, A-Z) and dashes are allowed. |
| type | Yes | string | | The type of the repository that should be connected. Since the connection routes to Nuxeo, the value must be nuxeo. |
| baseUrl | Yes | string | | The URL for logging into Nuxeo, including the port number. |
| apiUrl | No | string | api/v1 | The URL for the Nuxeo REST endpoint. |
| proxy | No | string | | Specifies the URL to the proxy server. |
| auth | Yes | Object | | Specifies the authentication credentials. Refer to Configure Authentication below. |
| verifyCertificate | No | boolean | true | Enable or disable the validation of the SAP certificate for the Nuxeo endpoint. It is strongly recommended to always verify the certificate for security reasons. |
| adminPath | Yes | string | | Path to the Admin folder in Nuxeo where the certificates and repo files are stored. |
| documentPath | Yes | string | | Root path for all documents from SAP. |
| documentPathScript | No | string | | Dynamically adapts the documentPath using inline JavaScript. Refer to Parameter documentPathScript below. |
| ignoreArchiveId | No | boolean | false | Omit the archiveId parameter from the search. |
| ignoreSource | No | boolean | false | Omit the source parameter from the search. |
| defaultFileType | No | string | File | Specifies the Nuxeo type used to create the ArchiveLink document. |
| defaultFolderType | No | string | Folder | Specifies the Nuxeo folder type used to create the ArchiveLink folder for the ArchiveLink document. |
| certCache | No | Object | | Caches the SAP certificate of the current storage configuration for a specified time. Refer to Parameter certCache below. |
| doubleSearch | No | boolean | false | If true, the search runs against the Elasticsearch index first and, if nothing is found, against the database. If false, the search runs directly against the database. |

Parameter documentPathScript

Use this parameter to provide inline JavaScript that allows you to override or extend the current value of the documentPath parameter. This enables the creation of custom business logic to dynamically identify the root folder for all documents stored from the SAP system. For instance, it can be used to store the documents based on the current date in different folders during the storage process itself. With this approach, you can avoid the need to move documents later using business logic in Nuxeo.

Tip

There is no need to create the folder returned by the script. It will be done automatically by aqilink.

The following parameters and functions related to the document being stored are available within the script:

| Parameter | Description |
|---|---|
| logger | The logging instance to provide log outputs for debugging purposes. |
| documentPath | The value of the documentPath parameter, as specified above. Use it to create, for instance, any arbitrary subfolder structure where the document will be stored. |
| source | The value of the source parameter. Refer to the sapHttp.yaml. |
| archiveId | The value of the archiveId parameter (SAP Content Repository Name). |
| compId | The value of the compId parameter. |
| docId | The value of the docId parameter. |
| creationDate | The value of the creation date of the current document. |
| Parse (Function) | Take advantage of the JavaScript Parse function in the inline script. For formats passed to the function, refer to Timeformat reference. |
| Format (Function) | Use the JavaScript Format function to format values. For formats passed to the function, refer to Timeformat reference. |
| now (Variable) | Use the JavaScript now variable to get the current time. |
| nowUtc (Variable) | Use the JavaScript nowUtc variable to get the current time in UTC format. |

Example for documentPathScript

Assumptions for the example:

  • The value for documentPath is set to: /default-domain/workspaces/SAP/SAP Content.
  • A document from SAP is stored through SAP Content Repository (archiveId): N1.
  • The current date from now is: 2025-09-02

The following script creates a mapping based on the archiveId parameter. Depending on its value, a folder name is returned. The documentPathScript parameter will return a string that concatenates the value of documentPath with the mapped folder for the archiveId. In addition, it adds another subfolder structure that includes the current year, month, and day of month, where the document will ultimately be stored:

Example (inline JavaScript in storage.yaml)
documentPathScript: |
  // Map the SAP Content Repository (archiveId) to a folder name.
  function mapPath() {
    switch(archiveId) {
      case "N1":
        return "SAP-Human-Resources"
      case "X1":
        return "SAP-DataArchiving"
      default:
        logger.Warn('ArchiveId not yet defined. Use standard folder');
        return "SAP-Standard-Documents"
    }
  }

  // The value of the last expression is the resulting path: year/month/day of the current date.
  documentPath + "/" + mapPath() + "/" + Format("2006", now) + "/" + Format("01", now) + "/" + Format("02", now)

With the script and the assumptions above, the document will be stored into folder:

/default-domain/workspaces/SAP/SAP Content/SAP-Human-Resources/2025/09/02
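
A documentPathScript can be checked offline with stubbed variables before it is deployed. The following is an added example, not part of the original page or of aqilink: it runs under Node.js, `Format` and `logger` are minimal stand-ins for the aqilink built-ins, `runDocumentPathScript` is a hypothetical helper, and the rule that the result must stay below documentPath is a policy assumed here.

```javascript
// The page's documentPathScript body, copied as a string.
const SCRIPT = `
function mapPath() {
  switch (archiveId) {
    case "N1": return "SAP-Human-Resources";
    case "X1": return "SAP-DataArchiving";
    default:
      logger.Warn('ArchiveId not yet defined. Use standard folder');
      return "SAP-Standard-Documents";
  }
}
documentPath + "/" + mapPath() + "/" + Format("2006", now) + "/" + Format("01", now) + "/" + Format("02", now)
`;

// Stand-in for aqilink's Format(layout, time): supports only the three
// layouts used on this page ("2006" = year, "01" = month, "02" = day).
function Format(layout, time) {
  const pad = (n) => String(n).padStart(2, "0");
  const parts = {
    "2006": String(time.getUTCFullYear()),
    "01": pad(time.getUTCMonth() + 1),
    "02": pad(time.getUTCDate()),
  };
  if (!(layout in parts)) throw new Error("layout not covered by stub: " + layout);
  return parts[layout];
}

// Evaluates a script you wrote yourself with stubbed variables; the value of
// the last expression is the resulting path, as in the page's example.
function runDocumentPathScript(script, vars) {
  const warnings = [];
  const scope = { logger: { Warn: (msg) => warnings.push(msg) }, Format, ...vars };
  const names = Object.keys(scope);
  const fn = new Function(...names, "return eval(" + JSON.stringify(script) + ");");
  const path = fn(...names.map((name) => scope[name]));
  // Policy assumed for this example: the result stays below documentPath
  // and has no empty, "." or ".." segments.
  const rest = typeof path === "string" && path.startsWith(vars.documentPath + "/")
    ? path.slice(vars.documentPath.length + 1).split("/") : null;
  if (!rest || rest.some((seg) => seg === "" || seg === "." || seg === "..")) {
    throw new Error("script returned a path outside documentPath: " + String(path));
  }
  return { path, warnings };
}

// Constructed inputs matching the page's assumptions.
const SAMPLE = {
  documentPath: "/default-domain/workspaces/SAP/SAP Content",
  archiveId: "N1",
  now: new Date(Date.UTC(2025, 8, 2)),
};
```

Calling `runDocumentPathScript(SCRIPT, SAMPLE)` returns the resulting path together with any messages the script passed to `logger.Warn`, so an unmapped archiveId shows up as a warning in the result.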

Parameter certCache

If enabled, aqilink caches the SAP certificate of the current storage configuration until the cache expires. During this time, the cached certificate is used for signature validation.

info

Enabling the certificate cache for a storage configuration can improve performance when storing documents, as it reduces the number of requests by nearly half. However, it may also introduce security risks, as the SAP certificate remains valid in the cache for the specified time, even if it is deleted or deactivated in the repository during that period.
Use this setting with caution!

| Parameter | Mandatory | Type | Default | Description |
|---|---|---|---|---|
| enabled | No | boolean | false | Enable or disable the certificate cache for the current storage configuration. |
| expiration | No | duration | 1h | Specifies the time before the cache expires. Use the duration format (e.g., h for hours, m for minutes, s for seconds). |

Example
certCache:
  enabled: true
  expiration: 1d

Configure Authentication

For authentication (see parameter auth in the table above), two methods are currently available: Basic Authentication, which uses a straightforward username and password mechanism, and Keycloak, a robust identity and access management solution that supports multiple authentication protocols.

Basic Authentication

To utilize basic authentication, set up the parameter as follows.

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| type | Yes | string | The authentication type to be used. Since the connection is the basic authentication in this case, the value must be basic. |
| user | Yes | string | The user that should be used to log in to Nuxeo. We recommend creating a separate Nuxeo user for the connection. |
| password | Yes | string | The password for the user above. To enhance security, the password can be encrypted. Refer to Password Encryption. |

Example
auth:
  type: basic
  user: Administrator
  password: F_fGf567_A4DMdV3JWTs6!A3_7Kg

Keycloak Authentication

Use the following parameters to configure Keycloak, the open-source identity and access management system, for authentication.

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| type | Yes | string | The authentication type to be used. Since the connection uses Keycloak authentication in this case, the value must be keycloak. |
| authServer | Yes | string | URL to the Keycloak server. |
| realm | Yes | string | Specify which Keycloak security domain your application should authenticate against. |
| username | Yes | string | The user that should be used to log in to Keycloak. |
| password | Yes | string | The password for the username above. |
| clientSecret | Yes | string | The client secret. |
| clientId | Yes | string | The client Id. |
| scope | No | string[] | The scope parameter in OAuth 2.0, defined as an array of strings (string[]), specifies the permissions or access rights that the client requests from the authorization server. It limits the access that the client will have to the user's resources on the server. |
| grantType | No | string | Specify the method by which aqilink obtains authorization and an access token from the Keycloak server. Default: password. |

Example
auth:
  type: keycloak
  authServer: https://keycloak.myserver.com
  realm: CompanyServices
  username: keycloak_user1
  password: A_990815f_1S8akco3JWTs6A99_cZG
  clientSecret: ePq8Z5E6TG1lVbRpqMzHTA4D5Q2bZ6e4
  clientId: 82ca0c64-d83e-4b45-ad00-3b2c800
  scope:
    - openid
  grantType: password

Example Configurations

These sample configurations include the most relevant properties as explained above.

Using Basic Authentication

An example with the minimum required settings to connect from aqilink to Nuxeo using Basic Authentication.

Example
- name: storage-nuxeo
  type: nuxeo
  baseUrl: http://nuxeo:8080/nuxeo
  adminPath: /default-domain/workspaces/SAP/SAP Administration
  documentPath: /default-domain/workspaces/SAP/SAP Content/Documents
  auth:
    type: basic
    user: Administrator
    password: F_fGf567_A4DMdV3JWTs6!A3_7Kg

Utilize multiple Connections

An example involving two connections to different Nuxeo systems (development and staging), where the Nuxeo development system uses Basic Authentication, and the Nuxeo staging system is connected via Keycloak and utilizes the certificate cache.

Example
- name: storage-nuxeo-dev
  type: nuxeo
  baseUrl: http://dev.nuxeo:8080/nuxeo
  adminPath: /default-domain/workspaces/SAP/SAP Administration
  documentPath: /default-domain/workspaces/SAP/SAP Content/Documents
  auth:
    type: basic
    user: Administrator
    password: F_fGf567_A4DMdV3JWTs6!A3_7Kg
- name: storage-nuxeo-staging
  type: nuxeo
  baseUrl: http://staging.nuxeo:8080/nuxeo
  adminPath: /default-domain/workspaces/SAP/SAP Administration
  documentPath: /default-domain/workspaces/SAP/SAP Content/Documents
  auth:
    type: keycloak
    authServer: https://keycloak.myserver.com
    realm: CompanyServices
    username: keycloak_user1
    password: A_990815f_1S8akco3JWTs6A99_cZG
    clientSecret: ePq8Z5E6TG1lVbRpqMzHTA4D5Q2bZ6e4
    clientId: 82ca0c64-d83e-4b45-ad00-3b2c800
    grantType: password
  certCache:
    enabled: true
    expiration: 1d
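
The recommendations on this page (keep verifyCertificate enabled, use certCache with caution, use a separate Nuxeo user) can be checked mechanically across all connections. This added example is not part of aqilink; it audits storage.yaml entries that have already been parsed into objects, and `auditStorage`, `durationSeconds`, the one-hour threshold and the sample entries are assumptions made for illustration.

```javascript
// Converts a duration such as "30m" or "1h" to seconds. The "d" unit is
// accepted only because the page's own example uses "1d".
function durationSeconds(text) {
  const m = /^(\d+)([smhd])$/.exec(String(text));
  if (!m) return null;
  return Number(m[1]) * { s: 1, m: 60, h: 3600, d: 86400 }[m[2]];
}

// Returns one finding per setting that departs from the page's guidance.
// maxCacheSeconds is the longest certificate cache lifetime the operator accepts.
function auditStorage(entries, maxCacheSeconds) {
  const findings = [];
  for (const e of entries) {
    const add = (key, msg) => findings.push({ name: e.name, key, msg });
    if (!/^[0-9A-Za-z-]+$/.test(e.name || "")) {
      add("name", "only alphanumeric characters and dashes are allowed");
    }
    if (e.verifyCertificate === false) {
      add("verifyCertificate", "certificate validation is disabled");
    }
    const cache = e.certCache || {};
    if (cache.enabled === true) {
      const secs = durationSeconds(cache.expiration ?? "1h"); // table default: 1h
      if (secs === null) {
        add("certCache.expiration", "duration could not be parsed");
      } else if (secs > maxCacheSeconds) {
        add("certCache.expiration",
          `a deleted or deactivated SAP certificate stays valid for up to ${secs}s`);
      }
    }
    const auth = e.auth || {};
    if (auth.type === "basic" && auth.user === "Administrator") {
      add("auth.user", "create a separate Nuxeo user for the connection");
    }
  }
  return findings;
}

// Constructed sample: the two connections from the example above with
// credentials left out and verifyCertificate: false added to staging.
const SAMPLE_ENTRIES = [
  { name: "storage-nuxeo-dev", type: "nuxeo",
    auth: { type: "basic", user: "Administrator" } },
  { name: "storage-nuxeo-staging", type: "nuxeo", verifyCertificate: false,
    auth: { type: "keycloak" }, certCache: { enabled: true, expiration: "1d" } },
];
```

`auditStorage(SAMPLE_ENTRIES, 3600)` reports the Administrator login on the development connection and, on staging, both the disabled certificate validation and the 1d cache lifetime.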