Show TOC

Procedure documentationEncrypting Message Content on Database Level Locate this document in the navigation structure

 

To increase data security, you have the option of encrypting the payload (and any attachments) of messages at the database level. This means that all messages configured in this way are stored in the message database encrypted. Users that query the message database, for example using SQL, cannot read the content of the payload.

Message payload and attachments is abbreviated to message content throughout this documentation.

Note Note

You can use this feature if you run scenarios that involve the exchange of sensitive data and you want to prevent malicious users from accessing this data.

For more information on how this function is related to the Payment Card Industry – Data Security Standard (PCI-DSS), see: Using SAP NetWeaver PI in PCI-Compliant Scenarios.

End of the note.

The encryption of the message payload at the database level has the following characteristics:

  • It can be activated for specific service interfaces.

    This means encryption can be activated for specific scenarios that include the exchange of sensitive business data.

  • It affects the complete payload of the message.

    When you activate encryption for a service interface, the complete payload will always be stored encrypted.

Note that encryption of the message payload in the database does not affect how the message content is displayed in monitoring.

Encryption is supported for messages stored in both the Advanced Adapter Engine message database and in the Integration Engine message database.

Limitations

If you plan to use this feature, consider the limitations summarized under Encrypting Message Content on Database Level (Limitations).

Procedure

You can configure message payload encryption at the database level for the different kinds of message processing that are supported by the available installation options. In particular, these are the following options:

  • Dual-stack message processing

    In scenarios of this kind both the Integration Engine and the Advanced Adapter Engine (AAE) are involved in message processing at runtime.

    Scenarios of this kind are only possible with a dual-stack PI installation.

  • Message processing using AAE only

    In scenarios of this kind only the Advanced Adapter Engine (AAE) is involved in message processing at runtime.

    Scenarios of this kind can be implemented either as local message processing using a dual-stack implementation or when using the Advanced Adapter Engine Extended (AEX).

For more information on these options, see Installation Options.

The individual configuration procedure depends on the involved components. This is the general procedure.

Note Note

There are two examples below.

End of the note.
  1. Configuring service interfaces (applicable for dual-stack or AAE-only message processing)

    Indicate the service interfaces in the Enterprise Services Repository for which message encryption should be activated.

    More information: Configuring Service Interfaces for Encryption (ES Repository)

  2. Configuring Advanced Adapter Engine (applicable for dual-stack or AAE-only message processing)

    You need to configure message encryption in the AAE.

    More information: Encrypting Message Content on Database Level (AAE)

  3. Configuring central Integration Engine (applicable only for dual-stack message processing)

    You need to configure message encryption in the central Integration Engine (IE) that is part of the Integration Server.

    More information: Encrypting Message Content on Database Level (Central IE)

  4. Configuring business systems with local Integration Engines (applicable for dual-stack or AAE-only message processing)

    If the scenario involves business systems with a “local” Integration Engine, you need to perform additional configuration steps in the connected back-end systems.

    More information: Encrypting Message Content on Database Level (Local IE)

  5. Configuring message processing in the Integration Directory (applicable for dual-stack or AAE-only message processing)

    Proceed as described under Setting up Scenarios Using Dual-Stack Message Processing or Setting Up Scenarios Using Local AAE-Based Message Processing (in section 2. Configure Integration Content).

    Note Note

    End of the note.

    Also note the following:

    Make sure that the relevant service interfaces specified as sensitive are assigned to the involved communication components. If you are using business components, you need to assign the relevant service interfaces manually.

Recommendation Recommendation

Note these general recommendations on how to handle keys:

Be careful if you plan to delete keys. If you have deleted a key, a message (that has been stored encrypted) remains in the database but can no longer be opened. Do not rename keys during productive scenarios.

End of the recommendation.
Configuration Tasks for Different System Landscapes

The configuration procedure and the involved configuration tools depend on the involved components at runtime. The following figure illustrates a possible setup of components when using dual-stack message processing.

This graphic is explained in the accompanying text.

Setup of Components when Using Dual-Stack Message Processing

In the illustrated setup an adapter of the AAE is used to connect the PI instance to a system that is not specified in more detail. The Integration Engine is used to connect the PI instance to an SAP system (via the XI adapter).

To configure message encryption for this setup, you need to perform the following configuration tasks:

The following figure illustrates a possible setup of components when only the AAE is involved in message processing .

This graphic is explained in the accompanying text.

Setup of Components when Using AAE-Only Message Processing

In the illustrated setup, an SAP system is also connected to the PI instance based on the XI message protocol (configured in the SOAP adapter).

To configure message encryption for this setup, you need to perform the following configuration tasks: