cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Configuring CE as a decentral Adapter engine for PI. What about security?

Former Member

on ‎08-29-2013 2:27 PM

0 Kudos

Hello,

As part of the SAP business content for Global Data Synchronization (GDS) we have installed some Application on CE and configured the CE as a decentral Adapter engine for our PI system by execution the wizard "Advanced Adapter Engine" on the CE instance.

The wizard connects to the PI box and reads user and password information for system users (like PIAFUSER, PIISUSER, PIDIRUSER, etc) from the PI box to setup the comunication between CE and PI. Now we have security concerns because the CE instance is not hosted by our department and is not secured in the same way as the PI system.

Does anyone know:

  1. What exactly happens if a CE instance is configured as decentral Adapter Enginge for a given PI instance?
  2. Seems that CE is using the exchange profile on PI. Is it possible to use the exchange profile on CE (or the corresponding configuration services in NWA for systems >= 7.30)?
  3. Is it possible to configure/use different users than the standard users with less priviliges and a separate password?

Thanks in advance for any help on the matter. I know it is a very advanced topic.

Jochen

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

Former Member
‎09-19-2013 3:36 PM
0 Kudos

Let me share some findings:

  1. In the above setting user and password is copied from the PI Instance to the CE instance as we initially suspected. We consider this as security risk.
  2. It is possible though not well documented not to use PIs exchange profile: "Disable ExchangeProfile access. This is done by setting the property *.usage_type=CE in service AII Properties. Then all other properties will be used instead of exchange profile. Set the correct values for sld host and port and PIAF user and password."
  3. There is a dedicated way of using AS Java as a pure PI client with java proxies. It is called "Adapter Engine in JPR Mode", see http://help.sap.com/saphelp_nw73ehp1/helpdata/en/C7/A8F675708143F58E49E5AA36FE95AD/content.htm?frame...
    However JPR Mode did not work in our specific setup

Until now we did not find a solution. I will keep you up to date if we finally do find one.

Show replies
Show replies
marksmyth
Product and Topic Expert
Product and Topic Expert
‎08-30-2013 10:22 AM
0 Kudos

Hi Jochen,

1. You can configure the decentral Adapter Engine to process PI messages. This offers improved resource handling, for example, you could use the CE/decentral AE to process messages from one, important, interface. But the decentral AE must always be connected to the central PI.

2. No, the Exchange Profile of the PI system must be used (or the NWA service in PI).

3. I am not sure if this is possible. The PI* service users are required for internal system communication with the SLD, Exchange Profile all involved. I'm not sure that having reduced authorizations for these users would allow the system to function correctly.

Install and configure NetWeaver PI 7.3 Decentralize Adapter part-2

Regards

Mark

Show replies
Show replies
Ask a Question