Show TOC

Data Storage Security for the Advanced Adapter EngineLocate this document in the navigation structure

Use

The Advanced Adapter Engine (AAE) processes messages at runtime. This section provides information on what kind of data is stored in the AAE during runtime and makes recommendations on how to increase the security level for that data.

Data Storage

At runtime, messages are stored in the AAE for different purposes:

  • To ensure reliable message processing

  • To guarantee processing according to a specific Quality-of-Service

  • To enable access to a specific message version for administration purposes (for example, monitoring)

During runtime, a message passes through different processing steps in the AAE. During processing, the message is changed subsequently.

As one example, during the receiver determination step, the receiver of a message is evaluated for an incoming message (according to the configuration settings in the Integration Directory). In order to ensure a correct outbound processing of a message, the receiver determined during that step is written into the message header. That means, during that step the message is changed. In other words, a new message version is created.

As another example, during the mapping step of the pipeline, the business data within the message payload is changed according to the applied mapping program.

Note

For administrative purposes you can configure which message versions are to be stored at runtime.

More information:

Each message version can contain sensitive data. Which kind of sensitive data that is, depends on the scenario.

A message consists of the following parts:

  • Message header

    The header of a message contains the address information, for example, the name of a communication component. This data should be considered as sensitive because it might be possible to draw conclusions from the header data on the internal system landscape of a business partner the message is addressed to.

  • Payload

    The payload of a message contains the business data that is exchanged at runtime. Therefore, the payload might contain sensitive data of any level. In particular, even personal data information might be contained in a message payload.

  • Attachments

    This can be non-XML data, for example, pictures.

Note

For more information on the structure of a message, see: Messages .

Data Protection

There are a number of measures in order to increase data security.

Encrypting Data

When a message is saved, it will remain encrypted also in case it has been sent already as an encrypted message.

To encrypt messages, you need to configure the corresponding communication channels and sender or receiver agreements. Note that not all adapters support message encryption.

More information: Message-Level Security

Note

In the AAE message storage, also message attachments are stored encrypted.

You have the option to encrypt message content (payload) on database level. This feature is supported for asynchronous messages that are saved on the AAE message database using the staging function.

Using this option, always the complete payload of a message is encrypted on the database.

More information: Encrypting Message Content on Database Level

Note

Note related to advanced (user-defined) message search: If you define filters that include payload elements with sensitive data, be aware of the fact that these elements are stored unencrypted.

Reducing Storage Duration of Data

Messages sent by the AAE to a sender (or canceled messages) are stored by default for 1 day (counted from the time when the message was either sent successfully or canceled). You can change the storage duration according to your needs. To increase data protection, you can in particular decrease the storage duration.

To do that, perform the following steps:

  1. Start SAP NetWeaver Administrator from the following page: http://<host>:<port>/nwa.

  2. Choose (tab) Start of the navigation path Configuration Next navigation step Infrastructure Next navigation step Java System Properties  End of the navigation path.

  3. In tab Services search for XPI Adapter: XI.

  4. In tab Properties search for xiadapter.outbound.persistDuration.default.

  5. Choose Modify and enter the new settings.

Caution

Note that the storage duration cannot be changed after a message has been sent. In any case the time as configured at the time when the message was sent has to be awaited. Therefore, be very careful when you configure long storage durations.

In case a message cannot be delivered, the Advanced Adapter Engine tries to re-send the message. There are three trials to re-send the messages (by default, within five minutes). If after the third trial the message can still not be delivered, its state will be changed to not delivered . You can configure the retry interval with the property xiadapter.outbound.retryInterval.default

Deleting Data

The standard procedure to clean up the message storage is to configure the persistDuration property in a reasonable way as described above.

An additional option is to use a message database re-organisation function to manually delete all messages that are older than a specified number of days.

Note

This function is part of the Messaging System Monitor .

  1. Enter the following URL in your browser: http://<host>:<port>/MessagingSystem/job/reorgdb.jsp.

  2. To specify an expiration date, enter a number (in days) and choose Expire Messages .

  3. To delete all messages that are older than the expiration date manually, choose Remove Messages .

    Note

    You cannot delete individual messages, you can only delete all messages that are specified by the expiration date.

Access Protection

You can prevent unauthorized users from accessing sensitive message content.

There are different tools to display messages. Depending on the tool, there are different measures to increase access protection:

  • SAP NetWeaver Administrator

    You can use SAP NetWeaver Administrator for message monitoring.

    More information: Monitoring Messages

    To prevent from misuse, restrict access permission to authorized users.

    These are in particular the following authorizations: for displaying message content in general: the display action, for displaying message payload: the payload action.

    More information: Monitoring Roles

  • Messaging System Monitor

    More information: Messaging System Monitor

For specific support use cases, there are special authorizations to access message content using the Open SQL Data Browser. These authorizations should be applied carefully to prevent malicious users to access message content.

More information: SAP note 1611852 Information published on SAP site

Change Protection

You can prevent unauthorized users from modifying message content.

Users with specific permissions can edit messages and re-start processing the modified message.

More information: Editing Messages

The following parts of a message can be modified:

  • Header

  • Payload

To prevent from misuse, make sure that the authorizations to edit messages are not granted to unauthorized users. These are in particular the following authorizations: for editing message header: the edit_header action, for editing message payload: the edit_payload action.

More information: Monitoring Roles

Note

Adapter-specific message attributes (which can be part of the message header) can be changed with the Integration Builder. To prevent unauthorized from changing these data, make sure that the authorizations for Integration Builder usage are configured accordingly.

More information:

Using Adapter-Specific Message Attributes in the Message Header

Role-Based Authorizations in ES Repository and Integration Directory

Logging Data Access

When you have encrypted message content on database level (see above), access to message content is logged with the Security Audit Log tools of AS Java.

More information: Security Audit Log of the AS Java