on 01-20-2017 3:01 AM
Dear All,
Below is my clients requirement.
At present PI, ECC and Siebel (Webservice) are in same network.
Now they are migrating the Siebel system alone to new landscape and their system lie in different network LIA (Limited internet access).
LIA team has requested not to connect PI directly to the webservice, instead use any router in between PI and Webservice due to security reasons.
And Siebel team wants data only through webservice and not to their application or DB directly.
Is there any way to use router/other possibility(Method) for connecting PI and Webservice other than calling SOAP method?
Kindly let me know your valuable feedback to proceed further.
ThankYou
Regards,
Vinoth
Hello Vinoth,
It depends on Webservice,If they can pull from any FTP folder .You can write the XML as file and they can pick it up.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Then the connection has to be opened,even if you make a HTTP call the connection has to be opened to hit the Webservice.
Or in some cases reverse proxy might help
https://help.sap.com/saphelp_nw73/helpdata/en/09/184dff9cf845658091dd141844d0aa/content.htm
check if the below link helps
https://wiki.scn.sap.com/wiki/display/ABAPConn/Using+Reverse+Proxies
Hi all,
I have not worked with reverse proxies but it seems to be interesting, good idea Raghu.
Another way to do your requirement is to use a SAP web dispatcher to increase the security between PI and the new system outside your DMZ:
https://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/99ac3a7f020e27e10000000a421937/content.htm
The web dispatcher would be transparent for the PI development and you only need to use the URL offer by the SAP web dispatcher and this one would act like a router.
Regards.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Raghu,
Yes, that is the idea, the SAP WD is the only point to connect to the internet, in this way you can increase you security. All the PI connections with internet could go via SAP WD, another solution could be to install an Apache or similar.
The only disadvantage, in my opinion, is that you have one more layer or system that could fail.
On the other way ,i will read you recommendation about reverse proxy, i didn´t know this feature. Always, i can learn something in this forum. 🙂
Regard.
Hi Inaki,
Thanks for your reply.. I have checked this SAP Web Dispatcher. This can be done in PI 7.11?
Below mentioned options are not available in Web Dispatcher, But its available in Reverse Proxy.
Siebel system may compromise for web attacks, Since PI is connected to the WebService (FIrst Tire Architecture) in internet then whole system in intranet will be in trouble.
Still we can go with Web Dispatcher even it does not have "Sophisticated application firewall features against web-based attacks"?
Thank you.
Regards,
Vinoth
Hi Vinoth,
Check first this blog https://blogs.sap.com/2015/03/09/webdispatcher-faq/
Sophisticated application firewall features against web-based attacks
I recommend to you to read carefully:
https://help.sap.com/saphelp_nw70/helpdata/en/dd/06abeb76ef40868425940a5f6741f4/content.htm
https://help.sap.com/saphelp_nw74/helpdata/en/a1/5342ea0a4a4394adda45b522b3c13d/content.htm
The note https://launchpad.support.sap.com/#/notes/870127/E
You can avoid Dos attack, interception of the password, etc. I don't know the level of sophistication is the minimum that you need.
Authentication and single-sign-on (SSO)
AFAIK it is allowed
Authorization of resource access per user
You can avoid the access to resources of the endsytems and determinated paths. Per user?, i am not sure of this, however if you only have access via web dispatcher to the PI, you can use PI ACLs to restrict the access to you sender soap channels to the users that you want.
Regards.
User | Count |
---|---|
77 | |
9 | |
7 | |
6 | |
6 | |
6 | |
6 | |
6 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.