HaloCORE Protect

Quick Start Implementation

Quick Start Implementation
SAP System	Windows Server
Install SAP Add-On To activate the add-on, apply modification Apply necessary enhancements Set up the general configuration of Add-On Create a logical port for HaloENGINE Configure the add-on and select the "Activate HaloENGINE" check box in HaloENGINE Connection Parameters Set up classification derivation (if pre-classification is required)	Install HaloENGINE Service Install HaloENGINE Switch on Monitor and configure monitor properties Switch on the Classification Engine Configure classification rules and action rules Assign SAP Systems

Summarizes the high-level steps to install HaloCORE Protect

How does it work?

With HaloENGINE Classification, the metadata collected in the ABAP layer is interpreted by the rule engine in HaloENGINE, and all decisions (blocking, classification, labeling, protection) are taken by this engine.

Additionally, the original classification engine in the ABAP component can still be used; its results are then transmitted to HaloENGINE as metadata type "pre-classification". This allows the implementation of complex derivation logic that needs deep access into the ABAP context. Please refer to the section "Classification".

HaloENGINE Classification

HaloENGINE Connections

Prerequisites:

The logical port must have been created beforehand as described in the section "Web Service Configuration".
Make sure that the HaloENGINE certificate is imported into the SAP system and the SAP system’s certificate is uploaded into the HaloENGINE admin portal.
Make sure that the "Activate HaloENGINE" check box is selected in HaloENGINE Connection Parameters.

This step involves establishing the connection between SAP Add-On and HaloENGINE.

Call transaction /n/SECUDESD/SDSOAP.
HaloENGINE Connection Parameters screen
Enter a name for the connection in the Server Connection box.
Enter a brief description for the connection in Conn. Description box.
If you have installed several SAP application servers and several HaloENGINE Service instances, you may enter the SAP application server name in Application Server which is going to use the particular HaloENGINE Service mainly or exclusively.
Define how this connection is to be related to the specified SAP application server:
1. No Relationship: The connection is not related to a particular SAP application server.
2. Preferential: The connection is dedicated to the specified SAP application server but can also be used by others.
3. Exclusive: The connection can only be used by the specified SAP application server.
  Note: If no application server is entered, this field is ignored.
Server readiness:
1. Select ‘Active’ if the connection is ready to be used for applying RMS protection.
2. Click to clear the Active check box if the connection is temporarily not in the ready state.
Behavior after connection failure: Specifies the behavior of the system in case the connection is out of order.
1. Manual Reset: The connection will not be called anymore until an administrator has reset the Alive indicator.
2. Automatic Reset after 5': The connection will not be called for 5 minutes; after that, its availability will be verified again.
3. Immediate Automatic Reset: In case of an error, the connection will be called again immediately.
Logical Port: Specify the logical port of the HaloENGINE Service as defined in the transaction SOAMANAGER.
Click Save to save the changes.
Once the data is saved successfully, the Server is Alive check box indicates whether the server was found to be responding when it was last accessed; the HaloENGINE Version box displays the installed HaloENGINE version. The Last Checked box displays the last verified date and time of the connection. Note: If you have more than one HaloENGINE Service instance, follow the same procedure to configure it.

HaloCORE Health Check

HaloCORE has a mechanism that can alert the administrator via email in case of any error. There are two types of implementations available:

Method #1 (Proactive alerting): A background job can be scheduled (program name: /SECUDESD/HEALTH_CHECK and transaction: /SECUDESD/HEALTH_CHK) which can periodically monitor and notify the administrator in case of any error.
Method #2 (Reactive alerting): Method /SECUDESD/IF_EX_HCLOG_50~BEFORE_SAVING from BAdI /SECUDESD/BADI_HCLOG_50 (Enhancement Spot /SECUDESD/ES_HCLOG) can be used, which can trigger a notification to the administrator when any error is detected in a download done by the user.

Either any of the above two methods can be used or both can be implemented together as well.

Health Check Program—Proactive alerting (Method #1)

As per the requirement, the program can be scheduled to run in the background, which will try to protect a sample file with the given inputs. If the labeling/protection is unsuccessful, an email notification is sent to the administrator.

Following are the list of exceptions that could trigger an email alert:

SAP is unable to communicate with the HaloENGINE.
HaloENGINE and/or HaloENGINE Service are not up and running.
HaloENGINE is unable to communicate with HaloENGINE Service.
Unable to achieve communication with MPIP.

For illustration purposes, the program is executed manually:

Call transaction /n/SECUDESD/HEALTH_CHK - HaloCORE Health Check. Note: This transaction is not part of the standard HaloCORE menu.
Health Check Program
Enter the following required details:
1. Label GUID: Any MPIP label ID.
2. Label Name: Exact name of the label.
3. Author Email: Valid author email address with which the sample file will be labeled/protected.
4. Notification Email: Valid user email to whom the notification must be sent.
If the labeling/protection is successful, the below message will be displayed.
Health Check Program - success message
If there is an error in the labeling/protection process, the below message will be displayed.
Health Check Program - failure message
The following is the sample email alert sent to the email address which is provided as input in the program.
Health Check Program - email alert

HaloCORE Log BAdI—Reactive alerting (Method #2)

The HaloCORE Log BAdI (/SECUDESD/IF_EX_HCLOG_50~BEFORE_SAVING) can be used for sending notifications to the administrator in case of any error occurred during a download. An email notification will go out immediately to the mentioned email address in the BAdI implementation source code. If any download has an error because of:

SAP is unable to communicate with the HaloENGINE.
HaloENGINE and/or HaloENGINE Service are not up and running.
HaloENGINE is unable to communicate with HaloENGINE Service.
Unable to achieve communication with MPIP.

A value of 1800 (seconds) is assigned to the constant “lcv_max_seconds” (30 minutes). This value represents the time interval between the email notifications. For subsequent downloads (which also may have errors), the email notification will not go unless the time (mentioned in “lcv_max_seconds”) has passed since the last notification email. The idea is not to send an email notification for every download that has an error.

If any error happens during a download even after the time (30 minutes) has passed after the last sent notification, another notification email will be triggered. This interval value can be adjusted as per user requirements.

The email address to which the notification should be sent can be changed in the attached implementation source code, by replacing john.doe@example.com with the actual email address.

Kindly note that this particular section cannot be accessed in the online resources. To access it, please refer to the PDF file in the product package under the "Manuals" folder.