Installation Manual

Introduction

To perform business analytics, SAP users extract numerous reports from BusinessObjects BI applications, often containing highly sensitive data. HaloCORE extends its support to monitor, block, classify, and protect the reports containing sensitive information directly from BusinessObjects BI applications (via BO/BI interfaces like WebI and Crystal Reports 20xx/4 Enterprise in Launchpad) by HaloCORE BO Add-On.

HaloCORE BO Architecture

The components of HaloCORE BO are explained in this chapter.

HaloCORE BO Architecture

HaloCORE BO Add-On

HaloCORE BO plugs into BusinessObjects BI applications and intercepts all download requests from users using BO/BI interfaces like WebI and Crystal Reports 20xx/4 Enterprise in Launchpad. Downloaded files are classified and protected. All download activity is aggregated into a fully customizable audit log, which can be integrated into the company's existing analytics framework and extracted to powerful tools such as SAP Business Intelligence and Analytics solutions.

1. It blocks a file download as defined in HaloENGINE.

2. Classifies and labels the file as defined in the HaloENGINE.

3. Encrypts the file as defined in the HaloENGINE.

HaloENGINE

HaloENGINE is a Java-based Server component that exposes a web service to a Non-SAP client such as BusinessObjects BI. It receives files from Non-SAP clients with the passed action and additional information; it applies the action (Monitor, Block, Label, and Protect).

1. Responsible for classification & action derivation.

2. Responsible for logging the audit logs.

3. Create log files for Security Information and Event Management solutions (Microsoft Azure Sentinel, Splunk, RSA, and others) in Common Event Format (CEF), IBM Standard LEEF, and JSON (JavaScript Object Notation).

HaloENGINE Service 

HaloENGINE Service is a Windows service that communicates with HaloENGINE over TCP/IP. It is the only component that directly talks with the Azure Right Management Service (Azure RMS).

1. Applies the classification labels to the document metadata.

2. Protects the content that the HaloENGINE sends to it based on MPIP.

3. Supports protection or label-driven protection. 

4. HaloENGINE Service is operated next to the HaloENGINE. 

Reference Manuals

Please refer to the manuals shipped with the product software for a comprehensive description of HaloENGINE and HaloENGINE Service.

Microsoft Purview Information Protection

HaloCORE solution effortlessly integrates Microsoft Purview Information Protection to protect your sensitive documents. Microsoft Purview Information Protection is an industry document security solution that enables businesses to ensure that only authorized users can open the protected content while also regulating what they can do with it such as print, edit, or save. Even if sensitive data is leaked accidentally or maliciously, unauthorized parties cannot view it in clear text, thus leaving it useless.

Quick Start Installation Summary

The following image shows the high-level idea of setting up HaloCORE BO.

HaloCORE BO quick start installation steps

Reference Manual

Before you can work with BO, you must read the following manuals and install the components in the given order.

Reference manuals

System Requirements

The following table lists the requirements for HaloCORE BO.

Requirements

Installation and Configuration

Restricted Content
Some sections of our documentation portal are exclusively available to licensed customers. If you are a licensed user, please log in to https://tech.secude.com to continue.

Why Restricted Access?
We believe in empowering our licensed customers with premium, in-depth materials to enhance their experience with our products. This ensures that our valued customers receive top-tier support and stay ahead with the most up-to-date information.

Interested in Gaining Full Access?
Our sales team is ready to assist you if you are not yet a licensed customer. Explore how our products and services can add value to your business. Contact us today to learn more about licensing options and benefits.

HaloENGINE Configuration 

Follow the below procedure to create bo_config.properties.

1. Extract the halo-engine-tools-<version>.zip file, which comes along with the installation package.

2. Open a Command Prompt window with administrator rights and navigate to the halo-engine-tools-<version>\bin.

3. Execute the following:

   1. For English − halo-engine-tools.bat EN setupBOConfig

   2. For German − halo-engine-tools.bat DE setupBOConfig

4. For Illustration purposes, the English language is used here.

Please refer to the below table for more details on the bo_config.properties.

Properties

Operating Instructions

This section outlines key operations procedures for working with HaloCORE BO.

Create a Classification Profile

1. Step 1: Configure classification properties and their values.

2. Step 2: Configure PII or Financial Information for certain tcodes. (optional)

   1. Create and configure Custom Pre-Expressions based on Client Metadata types (optional).

   2. Create classification rules based on metadata types and Pre-Expression.

3. Step 3: Create Action rules to indicate if a download needs to be blocked, labeled, or protected. 

4. Step 4: Assign systems to the profile.

5. Step 5: Make sure that you have configured the HaloENGINE local log and monitor properties.

How does it Work? 

Functions:

1. Logs all data download and extraction activity from WebI and Crystal reports.

2. Classifies, labels, and protects data as defined in HaloENGINE.

3. Blocks downloading data.

4. Please note that E-mail, Scheduling, and Publication are not supported.  

Prerequisites: 

1. Configure rule in HaloENGINE.

2. HaloENGINE Service must be installed and configured in label-driven protection (MPIP) mode/protection mode. When configuring the action rule (protect) in the admin portal, HaloENGINE consumes the cached templates from HaloENGINE Service and displays them for selection.

3. HaloCORE BO must be installed and configured.

   

   HaloCORE BO

1. The user extracts data.

2. HaloCORE BO runs in the background to collect the requested metadata and sends it to HaloENGINE. For example,

   1. user_name = JOHN

   2. measures = Margin, Quantity sold, Sales Revenue

   3. queries = dataroot/variance_xtab

   4. custom preexpression_PII = Yes

3. Based on collected data and derived classification, HaloENGINE determines the actions (like block/protect) to be executed on the file.

4. If action = label and protect, the file is embedded with derived metadata and is encrypted with a template by HaloENGINE Service, and the exported file is saved in the user-specified location. If action = block. The download is blocked with a message.

Illustration

Protected Data Download

To download data, proceed as follows:

1. Login to your SAP BusinessObjects BI launchpad [http://[FQDN]:[port]/BOE/BI]. For example, http://svlu0443.secude-sap.com:8080/BOE/BI.

   

   SAP BOBI

2. Click Crystal Reports or Web Intelligence icon.

3. For illustration purposes, Web Intelligence is shown here:

   

   File download

4. You can export a report as PDF, XML, Excel, CSV, and Text files.

5. The following picture shows an example of HaloCORE BO in action on a client computer. In this example, the administrator has configured the action (label + protection) rules that contain the query "variance_xtab" in the Classification Engine. When the user saves a workbook that contains this data query, the file is labeled and protected. Once the file is protected, you may see a restriction banner displayed at the top of the file. Click View Permission to see the actual permissions that are applied to the file. The label that is added to the file is shown in cleartext.

   

   Protected file download

6. In this example, the administrator has configured the blocking rules. 

7. When the user saves a report, depending on the configuration, either the default Blocker.txt file or the custom Blocker.FileName.txt (e.g., Blocker_ABC.txt) file is downloaded instead of the actual report.

   

   Generic blocking message #1

   

   Sample of custom blocking message #2

8. In strict mode (ignoreSystemAbort=false), if there is an error during the process, then Aborted.txt file will be downloaded. 

   

   IgnoreSystemAbort

9. In non-strict mode (ignoreSystemAbort=true), the normal file will be downloaded.

Unprotected Data Download

If there is a need to download a file without protection when HaloCORE is deployed in your environment, you can do so by:

1. Log in to the HaloENGINE Admin Portal using the super admin account.

2. Disable the Classification Engine.

3. Restart the Halo Core Tomcat Service.

4. Open a new Web Intelligence or Crystal Reports

5. Extract data and specify a location to save the file.

6. The file is successfully downloaded without label and protection.

Customer Support 

Please be ready with the below-listed information before contacting our team to help you with the issue you are experiencing. The data that you provide will help us to serve you better. 

1. Full contact details.

2. HaloCORE BO, HaloENGINE and HaloENGINE Service build version.

3. Date, time, and description of the error (if possible, provide screenshots).

4. What (if any) third-party products (software or other) were used in conjunction with our product?

5. Any other information necessary to reproduce the error. 

Secude offers help and support through 

1. Technical support email: support@secude.com
   If you choose the email option to contact us, please provide your company details with a detailed description of the issue and attach the log file (if any). Our representative will respond to your email inquiry.

2. Phone support: Call +41 41 510 70 70 to talk to our representative to diagnose and resolve the technical problem.  

Other resources  

Please visit https://secude.com to know about upcoming events, press releases, and to download whitepapers.

Documentation Feedback

Secude understands the importance of technical content when attempting to gain product knowledge and strives to continuously improve product documentation to ensure that users receive the information they want. To provide feedback on the documentation, please send an email to documentation@secude.com. Please include the following details in your feedback:

1. Product name and version

2. Documentation topic

3. Details of the suggestion or error

The technical documentation team will consider your feedback and address it in future documentation updates.

Appendix

Appendix 1 - Metadata

The BO metadata present in the HaloENGINE is listed in the table below.

BO metadata

Appendix 2 - Open-source Software

Third-party software/code is included or bundled with Secude's products according to its appropriate license. Secude conducts testing to make sure the third-party products are compatible with and perform as intended with Secude applications.

The third-party libraries and dependencies used by HaloCORE BO are shown in the table below.

Open-source software