on 06-20-2011 7:39 PM
Hi,
I have a few questions about implementing an FTPS connection with a server using SSL/TLS.
As per the documentation, when we select "FTPS (FTP Using SSL/TLS) for Control and Data Connection", all communication with the FTP server is encrypted and uses TLS/SSL.
I would like to know what type of encryption is achieved using this option. Do we require the partner's and our certificates for encryption and decryption? How does it really work? Do any additional settings need to be made apart from configuring the adapter for encryption/decryption?
We do not want to use any adapter module; we are interested to know what comes by default in PI 7.1.
Thanks,
Suraj Pabbathi
Hi Suraj,
> I would like to know what type of encryption is achieved using this option? Do we require partners and our certificates for encryption and decryption? How it really works? Any additional settings needs to be done apart from configuring the adapter for encryption/decryption?
Please go through the [LINK|http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/7036] [original link is broken], which clearly explains what kind of encryption is achieved using this option.
Also check these help documents, which will give a detailed explanation:
http://help.sap.com/saphelp_nw04s/helpdata/en/43/0e16bfd7b021aee10000000a1553f6/frameset.htm
http://help.sap.com/saphelp_erp2005/helpdata/en/e3/94007075cae04f930cc4c034e411e1/frameset.htm
http://help.sap.com/saphelp_erp2005/helpdata/en/bc/bb79d6061007419a081e58cbeaaf28/frameset.htm
Regards,
Naveen,
Edited by: chichilin on Jun 21, 2011 1:40 AM
Hi Naveen,
I have gone through all of these links already and still my question is not answered.
For the File adapter, do we require both our and the partner's certificates? If both are required, where do I configure them?
One, in the FTP Connection Parameters, KeyStore, is where we use our certificate; where do we use the other one (the partner certificate)?
Thanks,
Suraj
Hi Suraj
> For File adapter do we require both our and partner certificates. If both are required, where do I use to configure them
> One in the FTP Connection Parameters, KeyStore, we use our certificate and other one (Partner Certificate) where do we use?
Yes, we require both certificates. Please go through the below document, which clearly explains it step by step.
Regards,
Naveen.
Hi Naveen,
Thanks for your answers.
The document that you have presented needs to be done for HTTPS communication.
Say we configure HTTPS communication, then in XI 3.0, we complete the certificates installation in Visual Administrator.
In PI 7.1 we use NWA.
Then, in whichever adapter supports HTTPS, using search help we select the private key of XI/PI, and in the sender/receiver agreement we specify the partner certificate for signing. That is how we establish the connection.
But regarding FTPS communication, we install the XI/PI certificate and, using search help for the FTP protocol in the file adapter, it selects only the XI/PI certificate's private key. Now where do we use the partner certificate? In the sender/receiver agreement? However, it does not give us the option to select the partner certificate. I want the particular step in the configuration that indicates the usage of the partner certificate.
I hope you got my question.
Best Regards,
Suraj
Hi Suraj,
I got your question. So, as per my understanding, you need to know where exactly we maintain it in PI, am I right?
Go through the below link, which explains your requirement: [LINK|http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/18720] [original link is broken]
Regards,
Naveen.
Hi Naveen,
You got my question, thanks for being persistent.
I looked at this blog already. If you look at it, as I explained, it gives provision to select only one certificate, which is based on X.509.
In the screenshot heading, it specifies "Entries for Private Key in Secure Store". It gives us the option of selecting XI/PI's Keystore and Private key. That is where we provide the XI/PI certificate.
Now where is the location for selecting/providing Partner Certificate in the configuration?
Thanks,
Suraj
Hi All,
I got the solution.
In the File adapter, FTP Connection parameters -- you specify the <host address>.
Then, on the PI system, maintain an entry in the hosts file to resolve the host address to the IP address.
Store the certificate of the partner (public key) with CN = <host address> in the Certificate repository.
Internally, when a message is sent to the FTP server, it utilizes the partner's public key from the Certificate repository for encryption. When the message is received by the partner's FTP server, it is decrypted utilizing its private key.
This is how FTPS works.
Thanks for your answers,
Suraj Pabbathi
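
An added example, not part of the original thread and not SAP code: the same roles expressed with Python's standard `ftplib`. The partner's certificate goes into the client's trust store and must match the host name used to connect; the client's own key pair is only presented when the server requests client-certificate authentication. File paths, the host name and the function names are assumptions.

```python
import ssl
from ftplib import FTP_TLS


def build_ftps_context(partner_cert_file=None, client_cert_file=None,
                       client_key_file=None):
    """TLS settings for an FTPS client that trusts only what is loaded here."""
    # PROTOCOL_TLS_CLIENT enables certificate validation and host name
    # checking, and starts with an empty trust store (no system CAs).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if partner_cert_file:
        # Partner (server) certificate or its issuing CA, PEM format.
        # Its CN/subjectAltName has to match the host passed to open_ftps().
        ctx.load_verify_locations(cafile=partner_cert_file)
    if client_cert_file:
        # Our own certificate and private key: used only if the server
        # asks for X.509 client authentication.
        ctx.load_cert_chain(client_cert_file, client_key_file)
    return ctx


def open_ftps(host, user, password, ctx, port=21):
    """Explicit FTPS on the normal FTP port, control and data both protected."""
    ftps = FTP_TLS(context=ctx, timeout=30)
    ftps.connect(host, port)
    ftps.auth()      # AUTH TLS: handshake fails on untrusted cert or name mismatch
    ftps.login(user, password)   # credentials travel inside the TLS session
    ftps.prot_p()    # PROT P: data connections are wrapped in TLS as well
    return ftps


if __name__ == "__main__":
    # Constructed values for illustration only (hypothetical paths and host).
    ctx = build_ftps_context()
    print("verify:", ctx.verify_mode.name, "check_hostname:", ctx.check_hostname)
    # ctx = build_ftps_context("partner_ftp.pem", "pi_client.pem", "pi_client.key")
    # ftps = open_ftps("ftp.partner.example", "user", "secret", ctx)
```
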
> How it really works? Any additional settings needs to be done apart from configuring the adapter for encryption/decryption?
Basically it depends on the business requirement; you can go for self-signed certificate or trusted root chain certificate authentication. These certificates need to be shared between your PI server and the client.
> I would like to know what type of encryption is achieved using this option?
DSA, RSA, etc. are possible encryption.
> Do we require partners and our certificates for encryption and decryption?
Yes.
Once the certificate is shared, the public key is given for encryption, and whoever generated the keys will use the private key to decrypt on their end, to make sure that the trusted partner encrypted the data before they sent it. Talk to the Basis team for further details.
Hi Baskar,
Thanks for the quick reply.
If we require both the certificates for encryption/decryption, then there should be provision to specify both in the configuration.
Where exactly are the public/private keys of our/partner certificates referred to while configuring the File Adapter?
Say I have selected Connection Security: FTPS for Control and Data Connection.
My PI server wants to connect to our partner's FTP server in Passive mode. Then there is a check box "Use X.509 Certificate for client authentication". Through search help, I get our PI server certificates only.
Two questions:
1. With the available options, as it is a check box, it is still not required to use the certificates. Does encryption/decryption still work?
2. If the above location is to specify our server's private key, I will share the public key with our partner. Where do I configure the partner's certificate? In Sender Agreement/Receiver Agreement?
Thanks,
Suraj
Suraj,
> Do we require partners and our certificates for encryption and decryption?
Yes
> How it really works?
With the help of the key, you/partner can encrypt & decrypt
> Any additional settings needs to be done apart from configuring the adapter for encryption/decryption?
HTTPS port needs to be set up
> We do not want to use any adapter module,
You can use your own code in Mapping
> interested to know what comes by default in PI 7.1?
For encryption & decryption? If so, the answer is no
Cheers
Agasthuri
Suraj,
> 1. With the available options, as it is check box, still it is not required to use the certificates. Still encryption/decryption works?
Need to use the certificates
> 2. If the above location is to specify our server's private key, I will share public key with our partner. Where do I configure partners certificate? In Sender Agreement/Receiver Agreement?
http://help.sap.com/saphelp_nw04/helpdata/en/a8/d9d53a9aa9e933e10000000a114084/frameset.htm
Cheers
Agasthuri
Hi Agasthuri,
Thanks for the answers. I will consider the first one, but the second one does not sound correct,
because my question is about using the file adapter, not HTTP/HTTPS. So I keep my question open.
2. If the above location is to specify our server's private key, I will share the public key with our partner. Where do I configure the partner's certificate? In Sender Agreement/Receiver Agreement?
Thanks, Suraj
> 2. If the above location is to specify our server's private key, I will share public key with our partner. Where do I configure partners certificate? In Sender Agreement/Receiver Agreement
I believe we need to share the partner's certificate in the IE stack using the STRUST transaction code, or just in the Java stack.
Hi Baskar,
STRUST is the transaction where we store certificates. After storing the partner's certificate, how do we tell our scenario to use this certificate? Do we have to refer to the certificate in the configuration? Where do we use it?
I think the File adapter does not give provision for, or does not require, the partner certificate. Somewhere I have learnt that when FTPS port 21 is used, TLS/SSL only encrypts the control session.
I think we use our private key to encrypt the control session, and our partner uses the public key to decrypt the control session. A secure tunnel is established, then FTP is used to transfer the data over the secure connection. This means there is no use of the partner certificate.
I am trying to confirm my understanding.
Anyone, please confirm my understanding.
Thanks, Suraj