
Non-Central Adapter Engine Installation in DMZ

MohamedAwny
Explorer
0 Kudos

Dear Experts,

We have a customer requirement to install a non-central Advanced Adapter Engine (AAE) in a DMZ for a Central Dual-stack 7.31 PI System behind the DMZ.

We have gone through the Installation Guide and the Online help for the Non-Central AAE and in both it is mentioned that it can be installed as a Standalone AS Java System.

We also have explored the other option of Adapter Engine J2SE but this one will not be fulfilling our requirements.

What the customer needs to know is whether there is a third option to install an Additional AS Java Instance to the existing Dual-Stack PI System, as they don't want to have a Full AS Java System (AS Java Instance + DB) in the DMZ.

Thanks in Advance.

Mohamed Awny

Accepted Solutions (1)


bhavesh_kantilal
Active Contributor
0 Kudos

Hello Mohamed,

The whole point of a De-Central Adapter Engine in the DMZ is to control which flows go through which Network and where authentication of messages happens. Installing and Configuring Interfaces to use a De-Central Adapter Engine will also control where the Interface traffic executes, which is what most Network Security Experts would require in B2B Scenarios to ensure Authentication happens within the DMZ Layer itself.

Installing an Additional AS Java Instance will not help much, as you cannot control which Interface flows through which AS Java Instance: having multiple AS Java Instances would mean you have a SAP WebDispatcher performing the Load Balancing, and this is not the same as installing a De-Central Adapter Engine.

With regards to DB Installation on a DAE, do note - you can also install the DAE on the same DB Host as the PI server but you will need a separate SID. Likewise, UME can also be a shared UME, i.e., a UME from the Central PI.

In summary, an Additional AS Java Instance is not the same as a DAE Installation and which you choose depends on why you need this additional component in the DMZ. My knowledge says, it is for Security Reasons and Authentication which would mean - a DAE is the way to go!

Regards

Bhavesh

MohamedAwny
Explorer
0 Kudos

Thanks, Bhavesh.

This is also our understanding as per the design below:

Best Regards,

Mohamed Awny

bhavesh_kantilal
Active Contributor
0 Kudos

At a high level this is good!

What you would need to watch out for from our experiences in such an architecture,

  • SAP Web Dispatchers would be needed in the DMZ to ensure your DAEs are scalable. What I mean by this is: you would need additional Application Server Instances for the DAE so that you have a Highly Available and Scalable Architecture. Basically one SID for the DAE with multiple app server instances in the DMZ with a LoadBalancer that could be a SAP Webdispatcher.
  • Your WebDispatchers would need to use URL Filtering in the DMZ. This is because if your external Partners can access PI, then they can access your entire PI Home Page and related URLs. The Webdispatcher can do a URL filtering to restrict URLs available for your partner. In our cases this was AS2, SOAP and HTTP Pipeline URLs.
  • Our external Firewalls would do IP Filtering to ensure no Brute Force Attacks could be triggered to our DAE.

There are multiple other factors to consider when you trigger the detailed design but your principle position is correct!

Regards,

Bhavesh
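
The URL filtering point in the reply above, sketched as a default-deny allowlist check that can be run against candidate request targets before a rule set goes live. This is an added example, not code from the thread and not SAP Web Dispatcher configuration; the adapter paths and the sample request targets are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed partner-facing adapter paths; replace with the endpoints actually exposed.
ALLOWED_PREFIXES = (
    "/XISOAPAdapter/MessageServlet",    # SOAP (assumed path)
    "/AS2",                             # AS2 (assumed path)
    "/HttpAdapter/HttpMessageServlet",  # HTTP (assumed path)
)

def canonical_path(request_target):
    """Return the normalized path of a request target, or None if it is suspicious."""
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    decoded = unquote(path)
    # A '%' left after one decoding pass means double encoding; reject it along
    # with NUL bytes, backslashes and targets that are not absolute paths.
    if any(ch in decoded for ch in ("%", "\x00", "\\")) or not decoded.startswith("/"):
        return None
    # Resolve '.' and '..' segments, then collapse the '//' that normpath keeps.
    return "/" + posixpath.normpath(decoded).lstrip("/")

def is_allowed(request_target):
    """Default deny: allow only paths at or below an allowlisted prefix."""
    path = canonical_path(request_target)
    if path is None:
        return False
    # Compare on segment boundaries so '/AS2evil' does not match '/AS2'.
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PREFIXES)

# Constructed request targets mapped to the decision the rule set should give.
SAMPLES = {
    "/XISOAPAdapter/MessageServlet?channel=:BS_PARTNER:CC_SOAP_IN": True,
    "/AS2/partnerA": True,
    "/HttpAdapter/HttpMessageServlet": True,
    "/nwa": False,
    "/dir/start/index.jsp": False,
    "/XISOAPAdapter/MessageServletX": False,
    "/XISOAPAdapter/MessageServlet/../../nwa": False,
    "/XISOAPAdapter/%2e%2e/nwa": False,
    "/AS2/%252e%252e/nwa": False,
    "//host/XISOAPAdapter/MessageServlet": False,
}

def audit(samples=SAMPLES):
    """Return the targets whose decision differs from the expected one."""
    return [t for t, expected in samples.items() if is_allowed(t) != expected]

if __name__ == "__main__":
    for target in SAMPLES:
        print("ALLOW" if is_allowed(target) else "DENY ", target)
```

The same sample list can be replayed against the real filter in a test landscape to confirm that it normalizes paths before matching.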

Answers (0)