avatar image
Former Member

Configuring CE as a decentral Adapter engine for PI. What about security?

Hello,

As part of the SAP business content for Global Data Synchronization (GDS) we have installed some Application on CE and configured the CE as a decentral Adapter engine for our PI system by execution the wizard "Advanced Adapter Engine" on the CE instance.

The wizard connects to the PI box and reads user and password information for system users (like PIAFUSER, PIISUSER, PIDIRUSER, etc) from the PI box to setup the comunication between CE and PI. Now we have security concerns because the CE instance is not hosted by our department and is not secured in the same way as the PI system.

Does anyone know:

  1. What exactly happens if a CE instance is configured as decentral Adapter Enginge for a given PI instance?
  2. Seems that CE is using the exchange profile on PI. Is it possible to use the exchange profile on CE (or the corresponding configuration services in NWA for systems >= 7.30)?
  3. Is it possible to configure/use different users than the standard users with less priviliges and a separate password?

Thanks in advance for any help on the matter. I know it is a very advanced topic.

Jochen

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Aug 30, 2013 at 09:22 AM

    Hi Jochen,

    1. You can configure the decentral Adapter Engine to process PI messages. This offers improved resource handling, for example, you could use the CE/decentral AE to process messages from one, important, interface. But the decentral AE must always be connected to the central PI.

    2. No, the Exchange Profile of the PI system must be used (or the NWA service in PI).

    3. I am not sure if this is possible. The PI* service users are required for internal system communication with the SLD, Exchange Profile all involved. I'm not sure that having reduced authorizations for these users would allow the system to function correctly.

    Install and configure NetWeaver PI 7.3 Decentralize Adapter part-2

    Regards

    Mark

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Sep 19, 2013 at 02:36 PM

    Let me share some findings:

    1. In the above setting user and password is copied from the PI Instance to the CE instance as we initially suspected. We consider this as security risk.
    2. It is possible though not well documented not to use PIs exchange profile: "Disable ExchangeProfile access. This is done by setting the property *.usage_type=CE in service AII Properties. Then all other properties will be used instead of exchange profile. Set the correct values for sld host and port and PIAF user and password."
    3. There is a dedicated way of using AS Java as a pure PI client with java proxies. It is called "Adapter Engine in JPR Mode", see http://help.sap.com/saphelp_nw73ehp1/helpdata/en/C7/A8F675708143F58E49E5AA36FE95AD/content.htm?frameset=/en/48/D11280B4073254E10000000A42189B/frameset.htm
      However JPR Mode did not work in our specific setup

    Until now we did not find a solution. I will keep you up to date if we finally do find one.

    Add comment
    10|10000 characters needed characters exceeded

Skip to Content