Deep dive in Hana Cloud Integration.
Don’t be scared by the title of the blog, don’t go away: It’s not you, it’s me!
It is me who joined the SAP Hana Cloud Integration Deep Dive training in Walldorf and I want to share some of the great things I learned there. Of course, just like in my previous blogs (1, 2), I will keep it quite simple. If you want the full, deep diving deal, just check out Piyush Gakhar’s profile and keep an eye on his training sessions.
This time we will cover encryption and data stores. When all goes well, your two iFlows will look like this:
iFlow 2: Decryption and getting from data store.
Preparing for encryption
Before we start with building our iFlow we need to add an RSA key pair to our keystore. If you do not know how to create (or adjust) your keystore please read my first blog (direct link to the document ‘How to create a keystore.pdf’).
To create the RSA key pair I also used KeyStore Explorer (just like we used for creating the keystore). When you open yourkeystore.jks in KeyStore Explorer (KSE) you can right-click on an empty space and choose ‘Generate Key Pair’.
In the next screen you can choose the Key Size. For this example we leave everything as it is.
On the next pop-up screen we change nothing and go directly to the pretty address book next to Name.
There we fill out all the information that is needed.
Then we get prompted for an Alias for our key pair:
Please name your RSA key pair “id_rsa”. HCI needs this name to handle the key pair properly.
Now save your keystore and deploy it to your tenant.
Creating the first iFlow
Now that everything is set up for the encryption part, we are going to build our first iFlow. In this iFlow I choose SuccessFactors as a Sender. Of course you can use any kind of data from any kind of adapter for this exercise. I will not discuss setting up the sender (and the receiver). If you do not know how to set up a sender or receiver please read my previous blogs.
I begin with placing a Multicast on the integration project. You can find this under Message Routing in your palette. Because I want to show you the different outcomes with and without encryption I multicast my incoming message (from SuccessFactors) two ways.
On one of the branches I add a Content Encryptor (under security elements). The other branch stays empty.
The properties of the PKCS7Encryptor are displayed below. You can change them to your liking, but for the exercise I will only assign my public key alias.
Under Encryption choose Add and enter “id_rsa” as the Public Key Alias.
Now we have added the encryption to our SFSF data in one branch, and nothing in the other branch. Because I want to use the encrypted file later, but also show you the different outcomes, I will add another multicast right after the PKCS7Encryptor block.
Now we have a branch we will use to mail the encrypted file, and a branch which we can store in our data store.
At the end of the data store branch, put a Data Store Operation block, which can be found under Message Persistence.
In the properties of the Write block you can choose a name for your data store. You can also change the visibility. Please change the visibility from Integration flow to Global, because we are going to need it in iFlow2. The option ‘Encrypt Stored Message’ can be checked, but this is not the encryption we configured earlier. So if you choose to uncheck it, your stored message will still be encrypted with your own encryption. In this exercise I will leave it on.
I connect both branches to an end event and connect those to the receiver. For both I chose the Mail adapter. For the branch without encryption I set up the subject with something like: SFSFfileNOTENCRYPTED and the subject on the other branch will then be: SFSFfileENCRYPTED.
So now your complete iFlow1 should look something like this:
When we save and deploy the iFlow you should get three different things. One is an email with the encrypted file, the second one is a mail with an unencrypted file and the third is an entry in a data store. You can check the data store in your tenant under Data Store Viewer.
The emails should look something like this, but will be different based on your chosen input.
Creating the second iFlow
In the second flow we are not going to use a Sender shape, so you can delete it. Instead of a sender shape we start this flow with a Timer Start (under events). After the timer start we place a Data Store Operations block and select ‘Switch to Get Operation’.
When you select the Get Operation you need to enter the Data Store Name and the Entry ID. Both can be found in the Data Store Viewer on your tenant.
After you point the Get operation to the right data store and the right entry in that data store we create a multicast. This is to prove we really did decrypt the data, and where no decryption took place the file is still encrypted.
On the ‘to be decrypted’ branch we add, surprisingly, a content decryptor. This can be found under Security Elements.
Because we did not change the settings while we were encrypting, we do not need to change anything now.
Just like in iFlow1 we will connect the two branches to an endpoint and connect those via a mail adapter to the receiver. When you save and deploy this iFlow2 the result should be similar to what we saw in the first iFlow, that is: a decrypted message (from the Not decrypted branch) and an encrypted message (from the decrypted branch).
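The encrypt-then-decrypt round trip that the two iFlows perform can be reproduced locally with OpenSSL to see what each branch should deliver. This is an added example, not part of the original blog or of SAP's tooling. It assumes the PKCS7 encryptor output is CMS EnvelopedData, and it uses a throwaway key pair in place of id_rsa, a constructed payload, and AES-256-CBC chosen for the example rather than read from a tenant.

```bash
#!/usr/bin/env bash
# Added example: local PKCS#7/CMS round trip mirroring iFlow 1 (encrypt) and iFlow 2 (decrypt).
set -euo pipefail

WORK="$(mktemp -d)"            # scratch directory for keys and messages
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the "id_rsa" key pair created in KeyStore Explorer
# (assumption: 2048-bit RSA, self-signed certificate, constructed subject).
make_keypair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=id_rsa-demo" \
    -keyout "$WORK/id_rsa.key" -out "$WORK/id_rsa.crt" 2>/dev/null
}

# iFlow 1: encrypt using only the PUBLIC key (the certificate).
encrypt_payload() {   # $1 = plaintext file, $2 = encrypted output
  openssl cms -encrypt -binary -aes-256-cbc -outform DER \
    -in "$1" -out "$2" "$WORK/id_rsa.crt"
}

# iFlow 2: decrypt using the matching PRIVATE key.
decrypt_payload() {   # $1 = encrypted file, $2 = plaintext output
  openssl cms -decrypt -binary -inform DER \
    -in "$1" -out "$2" -recip "$WORK/id_rsa.crt" -inkey "$WORK/id_rsa.key"
}

# True when the file's ASN.1 structure names the EnvelopedData content type.
is_enveloped() {      # $1 = DER file
  local dump
  dump="$(openssl asn1parse -inform DER -in "$1")"
  case "$dump" in *pkcs7-envelopedData*) return 0 ;; *) return 1 ;; esac
}

run_demo() {
  # Constructed sample payload standing in for the SuccessFactors data.
  printf 'employeeId,name\n1001,Constructed Sample\n' > "$WORK/sfsf.csv"
  make_keypair
  encrypt_payload "$WORK/sfsf.csv" "$WORK/sfsf.p7m"
  decrypt_payload "$WORK/sfsf.p7m" "$WORK/sfsf.out"
  is_enveloped "$WORK/sfsf.p7m" && echo "encrypted branch: CMS EnvelopedData"
  cmp -s "$WORK/sfsf.csv" "$WORK/sfsf.out" && echo "decrypted branch: matches original"
}
run_demo
```

The same `is_enveloped` check can be pointed at the attachment from the SFSFfileENCRYPTED mail, once saved to disk, to confirm it is an encrypted container and not the plain payload.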
I hope you learned something from this blog; if not, please let me know. If you want more detailed information please feel free to contact me, and don’t forget to check out Piyush Gakhar’s profile to see when the next HCI Deep Dive training is near you!