
One of the new features of EhP1 for PI 7.3 is the ability to encrypt the message content at the DB level. This means that a user who tries to read the message content directly at the DB level (rather than via PI tools such as RWB, SXI_MONITOR, etc.) will not be able to, because the stored content is encrypted. This feature increases the security of PI message flows, especially for data-sensitive interfaces (for example, those carrying credit card numbers). If you are using any data-sensitive interfaces it is highly advisable to start using this new encryption feature.


How to implement this feature?

Step 1

Configure key store – PI_KEY_STORE

a) Open NWA and navigate to – Configuration ->  Security -> Certificates and Keys

b) add a new view – PI_KEY_STORE

c) in the details of the new view choose Create and add an alias – TestKey

d) on the next page enter a description and while saving enter the key size – 2048


Step 2

Change the messaging system configuration

a) open XPI Service: Messaging System service configuration from NWA –  Configuration -> Infrastructure -> Java System Properties -> Services tab

b) change properties:

messaging.security.persistenceLayerEncryption.enabled to true

messaging.security.persistenceLayerEncryption.currentKeyAlias add value – TestKey


Step 3

Now you need to enable encryption on the outbound and inbound Service Interfaces

a) select the Sensitive checkbox in the Service Interface


Step 4

After running the scenario with those changed service interfaces you can check in two places whether they are using the encrypted store

a) Messaging system monitor – from Persistence-Layer Encryption Monitor link


b) Netweaver Administrator – SOA -> Monitoring -> Persistence-Layer Encryption Monitor


What are the limitations/issues with Encrypting Message Content?

– first of all your interfaces will be a little bit slower (an additional step – encryption – has to be done).

– if you’d like to encrypt just a part of the message then this is not possible – you can either encrypt the whole message or nothing

– you cannot encrypt IDOCs and RFCs (only scenarios which use Service Interfaces are currently supported)

– encryption of logged sync messages on AEX does not work (unlike sync messages on IE, where it works)

– user-defined message search does not work with encryption: if you define the credit card number as a user-defined search field and mark the whole service interface as encrypted, the credit card number extracted into that search field would still not be encrypted

– some adapters (like RNIF, CIDX) do not support message encryption

For more info on limitations please have a look at – Encrypting Message Content on Database Level (Limitations)
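As an added illustration (not SAP code and not part of the original post): a hypothetical Python audit helper that takes the two messaging-system properties from Step 2, the aliases present in the PI_KEY_STORE view from Step 1, and an inventory of Service Interfaces from Step 3, and reports which payloads still end up readable at DB level because of the limitations listed above. The `Interface` record, the adapter names and all sample values are constructed for this example.

```python
from dataclasses import dataclass

# Property names exactly as shown in Step 2; adapters the post lists as unsupported.
ENABLED_PROP = "messaging.security.persistenceLayerEncryption.enabled"
ALIAS_PROP = "messaging.security.persistenceLayerEncryption.currentKeyAlias"
UNSUPPORTED_ADAPTERS = {"IDoc", "RFC", "RNIF", "CIDX"}

@dataclass
class Interface:               # hypothetical inventory record for one Service Interface
    name: str
    adapter: str               # constructed adapter label, e.g. "SOAP", "File", "IDoc"
    sensitive: bool            # 'Sensitive' checkbox set on the Service Interface?
    sync: bool = False         # synchronous scenario?
    runtime: str = "IE"        # "IE" (Integration Engine) or "AEX"
    uds_fields: tuple = ()     # user-defined search fields extracted from the payload

def check_system_properties(props, keystore_aliases):
    """Findings about the global switch; an empty list means encryption can work."""
    findings = []
    if props.get(ENABLED_PROP, "false").lower() != "true":
        findings.append(f"{ENABLED_PROP} is not 'true': nothing is encrypted")
    alias = props.get(ALIAS_PROP, "")
    if not alias:
        findings.append(f"{ALIAS_PROP} is empty: no key selected")
    elif alias not in keystore_aliases:
        findings.append(f"alias '{alias}' not found in PI_KEY_STORE view")
    return findings

def audit_interface(iface):
    """Reasons (from the post's limitations) why this payload stays readable at DB level."""
    reasons = []
    if not iface.sensitive:
        reasons.append("'Sensitive' flag not set on the Service Interface")
    if iface.adapter in UNSUPPORTED_ADAPTERS:
        reasons.append(f"{iface.adapter} scenarios are not supported")
    if iface.sync and iface.runtime == "AEX":
        reasons.append("logged synchronous messages on AEX are not encrypted")
    if iface.uds_fields:
        reasons.append("user-defined search fields stay in clear text: " + ", ".join(iface.uds_fields))
    return reasons

def audit(props, keystore_aliases, interfaces):
    # Map interface name -> list of gaps; global findings apply to every interface.
    global_findings = check_system_properties(props, keystore_aliases)
    return {i.name: global_findings + audit_interface(i) for i in interfaces}

if __name__ == "__main__":
    props = {ENABLED_PROP: "true", ALIAS_PROP: "TestKey"}   # constructed, mirrors Step 2
    inventory = [Interface("CreditCard_Out", "SOAP", True), Interface("Order_IDoc", "IDoc", True),
                 Interface("Lookup_Sync", "SOAP", True, sync=True, runtime="AEX")]
    for name, gaps in audit(props, {"TestKey"}, inventory).items():
        print(name, "->", "; ".join(gaps) or "encrypted at rest")
```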


15 Comments


  1. Bhavesh Kantilal

    Quite a neat feature, in comparison to the previous options where you create custom roles and then add your service interface to the roles.

    Now if only this gets back ported to PI 7.3.. Will make my upgrade easier…:)

    1. Michal Krawczyk Post author

      Hi Bhavesh,

      >>>to the previous options where you create custom roles and then add your service interface to the roles..

      this stays… it only works on DB level 🙂

      Regards,

      Michal Krawczyk

  2. Jan K

    Hi Michal,

    Thanks for sharing this… we have a requirement in an IDoc to File scenario to encrypt the message in RWB and Message Monitor. We are on PI 7.3 JAVA only version.

    Is there any way we can achieve this?

    1. Michal Krawczyk Post author

      hi,

      why encrypt in this case? just set your Java authorization for this one interface

      and no one will be able to view it in RWB and message monitor – you can do it with Java authorizations only,

      Regards,

      Michal Krawczyk

      1. Jan K

        sorry for the confusion… i think i framed the question wrongly…

        In IDoc to File scenario we want to restrict developers from viewing the message content.

        In RWB and in Message Monitor areas of RWB.

        How to approach this?? Please advise.

        Thanks.

        1. Michal Krawczyk Post author

          hi Jan,

          this is how authorizations on Java stack work 🙂

          you can restrict anyone (including developers) from viewing message content

          on particular interfaces (like interface name, sender/receiver system, namespace etc.)

          if you use encryption/decryption you still need to use authorizations:

          let’s assume you encrypt data in the IDOC creation module

          and decrypt in the adapter module for the file adapter – developers without proper authorization handling can still view the message content after the adapter created it (so after the adapter module)

          Regards,

          Michal Krawczyk

  3. Mohammed Gouse

    Hi Michal,

    1) My source is a file and the target is also a file. I want to encrypt it at the source end and decrypt it at the target end so that my message is secure.

    Is there any way we can achieve this?

    2) In my next scenario I took a file as source and a DB as target and tried to implement this feature; it processed successfully.

    But I am unable to find:

    a) Messaging system monitor – from Persistence-Layer Encryption Monitor link

    b) SOA -> Monitoring -> Persistence-Layer Encryption Monitor

    in SOA of NWA. Please guide me on how to ensure the encryption of data.

    Thanks

  4. RAVIJEET DAS

    Hi Michael,

    I need to pass some sensitive data through SAP PI. I want nobody to view the payload, not even me or the administrator to view the data.

    I tried to use the steps you mentioned above.

    I can see the entries in Netweaver Administrator – SOA -> Monitoring -> Persistence-Layer Encryption Monitor but still I am able to view the payload in message monitoring. Do we need to do any more config apart from this to stop the payload getting displayed in message monitoring ?


    Thx in advance

    Ravijeet

    1. Diego J Schulz

      Ravijeet, I think in this case, regardless of using the encryption at the DB level, you will have to use security roles using the concept of denial roles (deny.xml) in order to restrict access to specific interface payloads, since the encryption that Michal Krawczyk refers to in his post is related to DB encryption, preventing people from accessing the database, its content, etc., via non-PI tools such as a Java API connecting directly to the database.

      I would like to ask Michal Krawczyk to confirm what I mentioned above, since I am also looking for confirmation on this, as I’d like to avoid investing in another runtime AEE, which would then be encrypted, if developers and system admins would still be able to see payloads containing SSNs, credit card numbers, etc.

      Diego

  5. Rashmi Joshi

    Very interesting Blog Michal, I am trying this. Can you please help me with the SQL query? I am not able to see any encrypted data. Please help me with Database table query.

    BR,

    Rashmi
