PI with Seeburger – A tip for Security Administrators
Recently I was performing an upgrade for Seeburger set of adapters on SAP PI 7.0 from version 1.7 to 1.8.1 (The latest version recommened for PI 7.0). During this upgrade, we faced some issues which made me realize that a basic flaw during installation of the Seeburger suite on PI could lead to a Security breach and could provide an opportunity for Mischief (a mild word) lovers or Swindlers (a harsh word) 🙂
You might have recognized this earlier, but the couple of PI systems I observed, the Security team missed it. This promoted me to share this small but “could be relevant” issue.
The Weak Point
One of the steps of Seeburger Installation is to create a user “seeburger” and assign the role “SAP_J2EE_ADMIN” to this user. Then it is advised to set the password of this user to “xxxxxxx” (I am not mentioning the password here as it could provoke some users to exploit it. This password is available with the installation manual). Wherever I happened to chek PI systems using Seeburger adapters, I knew there is a user “seeburger” with password “xxxxxxx” with quite good access to PI system information and configuration. I tried logging in and succeeded as this is a Dialog user. In most of the cases, a Basis consultant performing the installation doesn’t really dare to manipulate any such passwords to avoid security breach. This would mean that any developer who is part of Seeburger installations anywhere across the globe is able to access PI systems of their client with role SAP_J2EE_ADMIN. Access to this role, I believe, is not a recommended practice especially for large PI installation involving large number of PI developers.
What to do?
The simple solution is to change the password as per your conventions and the Security Administrator could maintain such passwords separately. The location where this password is used is
Visual Admin -> Server -> Services -> Connector Container -> Connectors -> Connector 1.0 -> seeburger.com/com.seeburger.xi.<Module> -> Managed Connection Factory -> Properties
Change the password of key “adapterUserPassword” to the new password and Save.
I hope the Security Administrators read it before the developers! 😉