One of the new features of EhP1 for PI 7.3 is the ability to encrypt the message content at the DB level. That means that anyone who reads the DB directly (at DB level, not via PI tools like RWB, SXI_MONITOR, etc.) will not be able to read the content, as it is stored encrypted. This feature increases the security of PI message flows, especially for data-sensitive interfaces (like those carrying credit card numbers, for example). If you’re using any data-sensitive interfaces, it’s highly advisable to start using this new encryption feature. Note that this is encryption at rest only: a user who is authorized to display payloads in the PI monitoring tools still sees them in clear, so Java authorizations on the service interfaces remain necessary to restrict who can view the content.
How to implement this feature?
Step 1
Configure key store – PI_KEY_STORE
a) Open NWA and navigate to – Configuration -> Security -> Certificates and Keys
b) add a new view – PI_KEY_STORE
c) in the details of the new view choose create and add an alias – TestKey
d) on the next page enter a description and while saving enter the key size – 2048
Step 2
Change the messaging system configuration
a) open XPI Service: Messaging System service configuration from NWA – Configuration -> Infrastructure -> Java System Properties -> Services tab
b) change the following properties:
messaging.security.persistenceLayerEncryption.enabled – set to true
messaging.security.persistenceLayerEncryption.currentKeyAlias – set to the alias created in Step 1 – TestKey
Step 3
Now you need to enable encryption on the outbound and inbound Service Interfaces
a) select the Sensitive checkbox in the Service Interface definition
Step 4
After running the scenario with those changed service interfaces, you can check in two places whether they are using the secure store
a) Messaging system monitor – from Persistence-Layer Encryption Monitor link
b) Netweaver Administrator – SOA -> Monitoring -> Persistence-Layer Encryption Monitor
What are the limitations/issues with Encrypting Message Content
– first of all, your interfaces will be a little bit slower (as an additional step, encryption, needs to be done for every persisted message).
– if you’d like to encrypt just a part of the message, this is not possible – you either encrypt the whole message or nothing
– you cannot encrypt IDocs and RFCs (only scenarios which use Service Interfaces are currently supported)
– encryption of logged sync messages on the AEX does not work (unlike sync messages on the IE, where it does work)
– user-defined message search does not work with encryption – so if you’d define the credit card number as a user-defined search field and make the whole service interface encrypted, the credit card number in that search field would not be encrypted
– some adapters (like RNIF, CIDX) do not support message encryption
For more info on limitations please have a look at – Encrypting Message Content on Database Level (Limitations)
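To make the trust boundary of Steps 1 to 4 and the user-defined search limitation concrete, here is a small Python model. It is an added example, not SAP code and not code from the original post. It uses the two property names and the TestKey alias from Step 2 as written; the key store contents, the shape of the messaging table, the cipher (an HMAC-SHA256 keystream with a MAC, standing in for whatever the PI messaging system actually uses; the 2048-bit key pair from Step 1 is replaced by a random symmetric key) and the interface names are assumptions for illustration, and the card number is constructed sample data.

```python
"""Toy model of PI 7.3 EhP1 persistence-layer encryption (added example, not SAP code).

A reader with direct DB access sees only ciphertext for interfaces flagged
sensitive, while the PI monitoring path, which can resolve the key alias in
the PI_KEY_STORE view, still decrypts. User-defined search attributes are
stored in clear, which is the limitation the post describes.
The cipher is a stand-in (HMAC-SHA256 keystream + MAC), not SAP's algorithm.
"""
import hashlib
import hmac
import os

# Step 2 properties exactly as named in the post.
MESSAGING_SYSTEM_PROPERTIES = {
    "messaging.security.persistenceLayerEncryption.enabled": "true",
    "messaging.security.persistenceLayerEncryption.currentKeyAlias": "TestKey",
}

# Step 1: key store view PI_KEY_STORE with alias TestKey. Assumption: a random
# 32-byte symmetric key stands in for the 2048-bit key pair created in NWA.
PI_KEY_STORE = {"TestKey": os.urandom(32)}


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (toy cipher, see module docstring)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag; encrypt-then-MAC so tampering is detected."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verifies the tag before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key alias or tampered row")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def persist_message(db, interface, sensitive, payload, user_defined_fields=None):
    """Step 3 at runtime: the whole payload (never part of it) is encrypted when
    the interface is flagged sensitive and the feature is enabled. The key alias
    is stored with the row so later key rotation can still decrypt old rows.
    User-defined search fields are persisted in clear regardless."""
    props = MESSAGING_SYSTEM_PROPERTIES
    enabled = props["messaging.security.persistenceLayerEncryption.enabled"] == "true"
    alias = props["messaging.security.persistenceLayerEncryption.currentKeyAlias"]
    if enabled and sensitive:
        content, key_alias = encrypt(PI_KEY_STORE[alias], payload.encode()), alias
    else:
        content, key_alias = payload.encode(), None
    msg_id = f"msg-{len(db) + 1:04d}"
    db.append({"msg_id": msg_id, "interface": interface, "key_alias": key_alias,
               "content": content, "udf": dict(user_defined_fields or {})})
    return msg_id


def db_reader_finds(db, needle):
    """What someone querying the messaging table directly can find by substring."""
    return [r["msg_id"] for r in db
            if needle.encode() in r["content"] or any(needle in v for v in r["udf"].values())]


def monitor_read(db, msg_id):
    """PI monitoring path: resolves the stored key alias and decrypts."""
    row = next(r for r in db if r["msg_id"] == msg_id)
    if row["key_alias"] is None:
        return row["content"].decode()
    return decrypt(PI_KEY_STORE[row["key_alias"]], row["content"]).decode()


def encryption_monitor(db):
    """Step 4 view: which interfaces have messages in the secure store."""
    report = {}
    for r in db:
        report.setdefault(r["interface"], {"encrypted": 0, "clear": 0})
        report[r["interface"]]["encrypted" if r["key_alias"] else "clear"] += 1
    return report


if __name__ == "__main__":
    db = []
    pan = "4111111111111111"  # constructed sample card number, not real data
    persist_message(db, "SI_CardPayment_Out", True, f"<Payment><PAN>{pan}</PAN></Payment>")
    persist_message(db, "SI_Stock_Out", False, "<Stock><Qty>12</Qty></Stock>")
    print("direct DB search for PAN:", db_reader_finds(db, pan))
    print("monitor view of msg-0001:", monitor_read(db, "msg-0001"))
    print("encryption monitor:", encryption_monitor(db))
```

The point of the model is the last two functions: `db_reader_finds` is the attacker with a JDBC connection and no key, `monitor_read` is any user the Java authorizations let into the message monitor. Turning the feature on narrows the first one only; the second is unchanged, and a card number placed in a user-defined search field is visible to both.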
Quite a neat feature... in comparison to the previous options where you create custom roles and then add your service interface to the roles...
Now if only this gets backported to PI 7.3... Will make my upgrade easier… :)
Hi Bhavesh,
>>>to the previous options where you create custom roles and then add your service interface to the roles..
this stays… it only works on DB level :)
Regards,
Michal Krawczyk
Ha ha... guess I have to look at the glass as half full... would not be surprised if this gets extended in future EhPs... :)
Thanks for sharing.
Do we have methods to encrypt messages at the PI tools level (RWB, Monitor)?
Hi Michal,
Thanks for sharing this… we have a requirement in an IDoc to File scenario where we need to encrypt the message in RWB and Message Monitor. We are on the PI 7.3 Java-only version.
Is there any way we can achieve this?
hi,
why encrypt in this case? just set your Java authorization for this one interface
and one will be able to view it in RWB and message monitor – you can do it with Java authorizations only,
Regards,
Michal Krawczyk
sorry for the confusion… I think I framed the question wrongly…
In IDoc to File scenario we want to restrict developers from viewing the message content.
In RWB and in Message Monitor areas of RWB.
How to approach this?? Please advise.
Thanks.
hi Jan,
this is how authorizations on the Java stack work :)
you can restrict anyone (including developers) from viewing message content
on particular interfaces (like interface name, sender/receiver system, namespace etc.)
if you use encryption/decryption you still need to use authorizations:
let’s assume you encrypt data in the IDoc creation module
and decrypt in the adapter module for the file adapter – still, developers without proper authorization handling can view the message content after the adapter created it (so after the adapter module)
Regards,
Michal Krawczyk
Thanks for the response Michal…
I think I should have posted this in regular forum…
I tried to investigate on this and found this link
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4b/6858a98ec53260e10000000a42189b/frameset.htm
which suggests using the display, payload Actions in Administrator.
But I was not able to proceed further.
Could you please share any documents or blogs which can be used for reference.
Thanks much.
Hi Michal,
1) My source is a file and the target is also a file. I want to encrypt it at the source end and decrypt it at the target end so that my message can be secure.
Is there any way we can achieve this?
2) In my next scenario I took a file as source and a DB as target and tried to implement this feature; it processed successfully.
But I am unable to find
a) Messaging system monitor – from Persistence-Layer Encryption Monitor link
b) SOA -> Monitoring -> Persistence-Layer Encryption Monitor
in SOA of NWA. Please guide me on how to ensure the encryption of data.
Thanks
Hi Michael,
I need to pass some sensitive data through SAP PI. I want nobody to view the payload, not even me or the administrator to view the data.
I tried to use the steps you mentioned above
I can see the entries in Netweaver Administrator – SOA -> Monitoring -> Persistence-Layer Encryption Monitor but still I am able to view the payload in message monitoring. Do we need to do any more config apart from this to stop the payload getting displayed in message monitoring ?
Thx in advance
Ravijeet
Ravijeet, I think in this case, regardless of using the encryption at the DB level, you will have to use security roles using the concept of denial roles (deny.xml) in order to restrict access to specific interface payloads, since the encryption that Michal Krawczyk refers to in his post is related to DB encryption preventing people from accessing the database, its content etc. via non-PI tools, e.g. a Java API connecting directly to the database.
I would like to ask Michal Krawczyk to confirm what I mentioned above, since I am also looking for confirmation on this, as I’d like to avoid investing in another runtime AEE which would be encrypted then, if developers and system admins would still be able to see payloads containing SSNs, credit card numbers, etc.
Diego
Very interesting Blog Michal, I am trying this. Can you please help me with the SQL query? I am not able to see any encrypted data. Please help me with Database table query.
BR,
Rashmi
Bravo, as usual :)
Hi Mike,
You may need to update your blog as we now have the option for IDocs to tag data as sensitive, like we have for service interfaces.
Regards
Sreeram