Encrypting Message Content on Database Level (Local IE) 
This section describes all the configuration steps to be performed to enable message encryption at the database level in business systems with a local Integration Engine.
Note
All SAP systems based on Application Server ABAP release 6.20 or higher contain a local Integration Engine, also when used as an application system. This local Integration Engine enables the system (when used as an application system) to connect to another system via an SAP NetWeaver PI runtime engine. This kind of connectivity is also referred to as connectivity based on the proxy runtime. All other systems – either SAP or third-party – connect to the SAP NetWeaver PI runtime using adapters.
Define the encryption keys and maintain the Personal Security Environment (PSE):
Call transaction SSFA.
Choose New Entries.
Select the SSF application PI Key1 DB Message Encryption.
Note
This SSF application is predelivered.
For Encryption Algorithm, select the value TRIPLE-DES.
Save your changes.
Caution
SAP recommends not to change the name of the PSE file (field Private Address Book). In case you nevertheless like to change the name, consider the fact that the maximum name length is 25 characters. The reason for that is that the ENCRYPTION_KEY parameter value is restricted to this length.
Repeat these steps for the SSF application PI Key 2 DB Message Encryption.
Call transaction STRUST.
Position the cursor on the entry SSF PI Key 1 DB Message Encryption.
In the context menu, choose Create.
For Algorithm, select the value RSA.
Repeat these steps for the entry SSF PI Key 2 DB Message Encryption.
Check if entries for all application servers are indicated as ok (green traffic light).
Note
Note the following recommendations related to your activities using transaction STRUST:
Choose a suitable key length (recommendation: 2048 bytes).
As far as the requirements of the scenario allow, choose a suitably long validity period for the key. Otherwise take suitable measures to prepare your business processes and systems for key expiration.
Create backups of the keys by exporting them. Furthermore, be careful when deleting keys. There might still be messages stored in the database that cannot be read without the key.
Finish encryption configuration on the Integration Engine and prepare to activate encryption for the sensitive service interface.
Call transaction SXMSIF.
Choose New Entry.
Enter an ID for the service interface (field Sender/Receiver ID).
Call the input help to select the sender service interface for which encryption should be activated (fields Interface Name and Interface Namespace).
You can select the service interfaces from the Enterprise Services Repository.
Under Component, enter *.
Note the value of Sender/Receiver ID for the following steps.
Depending on your scenario, you need to perform the same steps for the receiver service interface.
To finish Integration Engine configuration, perform the following steps:
Call transaction SXMB_ADM.
Choose Integration Engine Configuration.
As Category, choose Runtime.
Choose Configuration.
Create a new entry with the following settings:
In the Parameters column, select ENCRYPTION_KEY.
In the Current Value column, select the key that was defined previously using transaction STRUST.
Use the input help to make your selections.
Create another entry with the following settings:
In the Parameters column, select ENCRYPTION_ACTIVE.
In the Subparameter column, select the ID defined (for the service interface) previously using transaction SXMSIF.
In the Current Value column, enter 1.
You can find out for each key which messages are encrypted by this key.
Example
If a key has been compromised, the administrator can find out if the key is still in use for message encryption.
To do this, perform the following steps:
Call transaction SXMB_CHK_ENCKEY.
Note
You can alternatively call the Object Navigator (transaction SE80) and then start program RSXMB_CHECK_ENCKEY_USAGE.
You can display a list of messages encrypted either for a specific key or for all keys in use.