I often get questions from both potential & existing customers about how content in the BI system is protected.  This in itself is a pretty big topic, but we’ll break it down into the major aspects of data storage and data transport, and what SAP Business Intelligence 4.0 offers in this respect.

Data storage in BI.

There are 2 main places where data of interest is stored in BI:

1) The metadata in the repository which represents the functionality of the BI system.  This includes information about data sources, report layout, user accounts, scheduling – everything that makes the BI system what it is. This is all stored in the database that the Central Management Server connects to.

2) The actual report content.    Data that you pull from external data sources and store in reports is never stored in the BI repository.  It is stored on the file system by the “File Repository Service” (FRS).

Let’s look at the metadata first.  You could always encrypt the entire database using the database vendor’s native encryption functionality; however, this is probably overkill.  Is something like a report title or a report layout sensitive data?  In BI 4, we automatically encrypt any passwords to external systems, such as the universe connection credentials for a database you report off, or credentials to external identity providers.  These items are encrypted using FIPS 140-2 certified libraries.  For those who are really curious about the actual algorithms in play, AES-128 is used to encrypt any sensitive data that is used during the operation of the BI system.  A SHA-256 one-way hash is used to protect BI logon passwords for the native “Enterprise” users.

However, a lock is only as safe as access to the keys that open it.  So how are the cryptographic keys protected?  In the Central Management Console (CMC) you will see a new entry for “Cryptographic Keys”.  Here you can manage these keys, including creating new keys and deleting old keys.

Crypto keys

There is always going to be one and only one Active key.  Any new content that needs to be encrypted will be encrypted with the Active key.  When you create a new key, you will see the previous key with a status of ‘Deactivated’, and your new key being ‘Active’.  Here, the previous key is only being used for decryption of objects which were encrypted with this key (you can see the object count in the ‘Objects’ column).  All new content will now be encrypted with the new Active key.

You can revoke a ‘Deactivated’ key.  When you do so, all objects which were encrypted with the Deactivated key will be re-encrypted with the new Active key.

By default, only the Cryptographic Officers user group can perform these rekeying actions.

Where are the above-mentioned keys stored?  They are stored in the repository database, encrypted by yet another key!  What this means is that if your entire database was compromised by, say, a rogue DB administrator, they would be unable to get any meaningful use from it.  The ‘master’ key is stored with the Central Management Server (CMS) and is used by the CMS to decrypt the keys in the repository, which in turn are used to decrypt your BI connection objects, user data etc.  Make sure you protect access to your master key by securing the BI install directory!  You can change this master key at any time.  To do so, on Windows:

1. Start the Central Configuration Manager

2. Stop the Server Intelligence Agent (SIA)

3. Right click on the Server Intelligence Agent and select properties

4. Go to the Configuration tab

5. See the “CMS Cluster Key Configuration” and click on “Change…”

6. You can create a new cluster key or generate a new random one (most secure)

7.  If you have multiple clustered CMSs, you will need to enter the same cluster key on all systems.

8.  The first system you perform this action on will automatically re-encrypt the keys in the repository with this new key.
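
The key lifecycle described above (Active and Deactivated keys, revocation, and a cluster key change) can be modelled as two layers of encryption. This is an added example, not SAP's code and not part of the original post; the Repo class, its method names, the use of GCM mode and the blob layout are assumptions made for illustration.

```ruby
require 'openssl'

def seal(key, plaintext) # AES-128-GCM; blob layout: iv(12) | tag(16) | ciphertext
  c = OpenSSL::Cipher.new('aes-128-gcm').encrypt
  c.key = key
  iv = c.random_iv
  c.auth_data = ''
  ct = c.update(plaintext) + c.final
  iv + c.auth_tag + ct
end

def unseal(key, blob) # raises OpenSSL::Cipher::CipherError on a wrong key
  c = OpenSSL::Cipher.new('aes-128-gcm').decrypt
  c.key = key
  c.iv = blob[0, 12]
  c.auth_tag = blob[12, 16]
  c.auth_data = ''
  c.update(blob[28..-1]) + c.final
end

# Hypothetical model of the repository database: wrapped keys and ciphertext only.
class Repo
  attr_reader :keys, :objects, :active # keys: id => wrapped key; objects: name => [id, blob]
  def initialize
    @keys, @objects, @active = {}, {}, 0
  end

  def new_key(cluster) # new Active key; earlier keys remain for decryption only
    @keys[@active += 1] = seal(cluster, OpenSSL::Random.random_bytes(16))
  end

  def put(cluster, name, secret) # always encrypts under the Active key
    @objects[name] = [@active, seal(unseal(cluster, @keys.fetch(@active)), secret)]
  end

  def get(cluster, name)
    id, blob = @objects.fetch(name)
    unseal(unseal(cluster, @keys.fetch(id)), blob)
  end

  def revoke(cluster, id) # re-encrypt a Deactivated key's objects, then drop the key
    raise ArgumentError, 'cannot revoke the Active key' if id == @active
    @objects.select { |_, (kid, _)| kid == id }.each_key { |n| put(cluster, n, get(cluster, n)) }
    @keys.delete(id)
  end

  def change_cluster_key(old_ck, new_ck) # rewrap data keys; objects are untouched
    @keys.transform_values! { |w| seal(new_ck, unseal(old_ck, w)) }
  end
end
```

Everything held in the Repo instance is ciphertext, so a copy of it without the cluster key cannot be read, and changing the cluster key touches only the wrapped keys.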

Now let’s look at the second part, file repository server.  Instances of reports that are generated are stored on the FRS.  You can think of it almost like an FTP server.  At this time, this content is not universally strongly encrypted.  There are two steps you can take to secure this further.

1) Secure & restrict access to the folder where your FRS content is stored.  By default this is a subdirectory of where you installed your BI deployment to.

2) You can use OS level encryption to further encrypt this content.

Data in Transit

In your most basic workflow, a user will log on to the BI portal, access a report, and fetch some data from an external database.  Another common workflow will be a user logging on with a client like Crystal Reports Designer or the Information Design Tool, and similarly accessing some data.  The attack vector we are concerned about here is the man-in-the-middle.  Here again there is functionality you can make use of to further protect your system.  Note, of course, that there is a performance penalty when the system has to do complex cryptographic calculations & key exchanges.

Let’s walk through our use cases.

Logon

The logon operation goes from your user’s browser to the web application server.  Any data sent here could be subject to a man-in-the-middle attack.  This connection can be secured in your web application server with TLS/SSL.  For the default Tomcat that ships with BI, you can refer to the Tomcat documents here for a how-to:  http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Server to Server Communication

The BI Servers communicate over the CORBA protocol.  You can enable CORBA SSL (it’s actually using TLS 1.0) to encrypt communication between servers and clients.  Note that when you configure CORBA TLS, all servers and clients must be configured for CORBA TLS.  Those that are not will be unable to connect.  For a detailed how-to, refer to the Administrator’s guide in the “Configuring servers for SSL” section.

Note that in BI 4.0, anytime a client connects directly to the server, the logon action is always done over a secure channel so credentials are never sent over the network in clear text.  However further communication will not be encrypted unless TLS encryption is enabled.

Accessing Data

The Business Intelligence Suite offers a number of reporting clients and data access methods.  Your communication channel encryption options here will vary depending on the database vendor.  Here again for maximum security you can enable secure communication between the data access driver and the database.

19 Comments

  1. WILLIAM MARCY

    Interesting blog post.

    I’m trying to set up an RSA SecurID token with SAP BusinessObjects XI 3.1 (or BI 4.0 if necessary) and I’d like to know if you have any feedback or tips about this kind of project.

    Regards,

    (0) 
    1. Greg Wcislo Post author

      The BI platform does not support this natively, however you should be able to accomplish it with something called Trusted Authentication.  It relies on establishing a trust between the BI system and the application server it is running on.  Trusted authentication is documented in the Administration guide.  If the underlying application server can be set up to support SecurID, you should then be able to propagate the user information to the BI platform.  Note that this will be limited to the BI web portal only.

      (0) 
      1. Patrick Melli

        I did a custom development for an agency that needed FIPS support for SSO using the BCM and RSA libraries for XI 3.1 (retrofitted BI 4 FIPS for XI 3.1).

        Import the following

        import com.businessobjects.bcm.*;
        import com.businessobjects.bcm.exception.BCMException;

        /**
         * <p>Description: </p>
         * The BCM is the Business Objects Cryptographic Module. It is a wrapper around a low-level
         * cryptographic library that is certified for FIPS 140-2, a Federal Information Processing
         * Standard maintained by the US National Institute of Standards and Technology (NIST).
         *
         * The BCM is currently using libraries from RSA, and exposes the RSA FIPS 140-2 functionality.
         *
         * It is one of the approved cryptographic modules as per SAP security standards.
         *
         * 1. Read the JES header
         * 2. Parse the header for last name, first name and EDIPI or topaz server
         * 3. Return UID (Firstname.Lastname.edipi)
         * 4. Pass UID to BO_login SSO authentication module
         * 5. Pass shared secret to BO_login SSO authentication module
         * 6. Set up SSO xml parser to look for UID and automatically log user in
         *    If UID not found – display error with message to contact help desk and BO User Admin Support
         *
         * <p>Copyright: Copyright (c) 2011</p>
         * <p>SAP</p>
         * @author Patrick Melli
         *         patrick.melli@sap.com
         * @version 1.0
         */

        (0) 
  2. Satish Soni

    Hi Greg,

    I have a few questions here in terms of Data Security.

    1. If I have implemented encryption on the Reporting Database, how will BO decrypt the data? Will it be the database drivers that are going to do that job? Looking for a workflow for the decryption.

    2. How can we implement SSL from Database to BO? Do I have to do it on Database or on BO?

    3. If we use Encryption on the File Store, how will BO decrypt that?

    Thanks,

    Satish

    (0) 
    1. Greg Wcislo Post author

      The encryption/decryption will happen at the DB driver level.

      For example have a look at the MS site on how to enable encryption:

      http://support.microsoft.com/kb/316898

      For file store encryption, the account that the SIA is running under will need to have permissions.  Generally file encryption solutions (even the native one coming from Windows) will decrypt content for specific users.  You can read about the encrypted file system from Windows; generally 3rd party file encryption tools will work in the same way.

      What is Encrypting File System (EFS)? – Microsoft Windows Help

      (0) 
  3. Andreas J.A. Schneider

    Thanks for all the info,

    but how do I secure/encrypt the network traffic from SAP BI BusObjects platform to an SAP BW system (data source), e.g. Webi directly accessing an SAP BEx query (via BICS)? SNC does not come into play here (BICS) or does it?

    Note: STS has been setup to allow for SSO.

    (0) 
    1. Greg Wcislo Post author

      Yes, SNC does come into play.

      In the SAP Authentication configuration of the CMC, click on the SNC Settings.

      You want to enable the first checkbox  “Enable Secure Network Communication [SNC]”

      You also want to configure the “Quality of Protection” to at least “Encryption”.

      These should look familiar if you’re used to seeing SAP GUI.

      (0) 
      1. Andreas J.A. Schneider

        Thanks, Greg.

        And would that work with UNX (JCO against BEx queries/multi-source relational)?
        I thought SNC is not working for UNX?

        And is BICS access not really UNX access, keyword: transient universe?

        Sorry, I am having a hard time finding any info on this.

        (0) 
        1. Greg Wcislo Post author

          Yes, it is a bit of an overload.   The configuration of SNC there can be used for both SSO and for encryption.

          When you configure STS for UNX SSO, we still use SNC just for the encryption part.

          (0) 
    1. Greg Wcislo Post author

      It actually uses TLS already, so this is more of a legacy term being thrown around as it is still referenced as SSL in the documentation section.

      However at this time, the ciphers or version of TLS is not configurable. 

      (0) 
      1. Brijendra Kumar Sharma

        Hi Greg,

        Thank you for your reply.

        I found one SAP KBA 2204379 – How to configure Corba TLS for BI 4.X to configure TLS.

        It worked on my end.

        Please let me know, is this a way to configure it?  🙂

        Regards,

        Brijendra

        (0) 
  4. Derek Hill

    Greg,

    Are the encryption methods provided in the BI 4.1 Java SDK (e.g., encryptPassword in the com.crystaldecisions.sdk.plugin.authentication.common package) FIPS 140-2 compliant?

    (0) 
  5. m'bark sadik

    Hello Greg,

    First of all, thank you for your relevant blog. Very useful!

    I need some clarification about the SHA-256 encryption protocol used to protect BI logon passwords for the native “Enterprise” users.

    Could you inform me how and where I can find this information on SAP BO 4.1 SP6?

    Is it set by default?

    The install guide and administration guide don’t talk about that. Thank you in advance for your help.

    Regards

    (0) 
    1. Greg Wcislo Post author

      Yes it’s encrypted by default.   Most (hopefully all) applications that store passwords these days would not rely on a user to turn password encryption “on”.   That aspect is not configurable.  And yes a “salt” is also used with the SHA-256 hashing to make it more secure.

      (0) 
  6. Andrew McFarlane

    Hi Greg,
    Thanks so much – very clear and informative post! 🙂
    Do you know the best way to encrypt emails being sent out from the platform?
    I understand the adaptive job server doesn’t support SSL or TLS, so scheduled reports etc are sent unencrypted.
    We are using 4.1 on Windows Server. I am thinking the best way for us is to add a local SMTP server and configure BO to send through it. What do you think?
    Thanks once again! 🙂
    Andrew

    (0) 
    1. Vishal Mour

      Hi Andrew,

      Starting from 4.1 SP06 release we do support sending emails out from the platform in encrypted fashion. There is a mechanism to configure SSL for SMTP destination.

      Regards,

      Vishal

       

      (0) 
