
File Adapter: FTPS using SSL/TLS

Former Member
0 Kudos

Hi,

I have a few questions about implementing an FTPS connection with a server using SSL/TLS.

As per the documentation, when we select "FTPS (FTP Using SSL/TLS) for Control and Data Connection", all communication with the FTP server is encrypted and uses TLS/SSL.

I would like to know what type of encryption is achieved using this option. Do we require both the partner's and our certificates for encryption and decryption? How does it really work? Do any additional settings need to be made apart from configuring the adapter for encryption/decryption?

We do not want to use any adapter module; we are interested to know what comes by default in PI 7.1.

Thanks,

Suraj Pabbathi

Accepted Solutions (0)

Answers (2)


naveen_chichili
Active Contributor
0 Kudos

Hi Suraj,

> I would like to know what type of encryption is achieved using this option? Do we require partners and our certificates for encryption and decryption? How it really works? Any additional settings needs to be done apart from configuring the adapter for encryption/decryption?

Please go through the [LINK|http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/7036] [original link is broken], which clearly explains what kind of encryption is achieved using this option.

Also check these help documents, which give a detailed explanation:

http://help.sap.com/saphelp_nw04s/helpdata/en/43/0e16bfd7b021aee10000000a1553f6/frameset.htm

http://help.sap.com/saphelp_erp2005/helpdata/en/e3/94007075cae04f930cc4c034e411e1/frameset.htm

http://help.sap.com/saphelp_erp2005/helpdata/en/bc/bb79d6061007419a081e58cbeaaf28/frameset.htm

Regards,

Naveen

Edited by: chichilin on Jun 21, 2011 1:40 AM

Former Member
0 Kudos

Hi Naveen,

I have gone through all of these links already and still my question is not answered.

For the File adapter, do we require both our and the partner's certificates? If both are required, where do I configure them?

In the FTP Connection Parameters, KeyStore, we use our certificate; where do we use the other one (Partner Certificate)?

Thanks,

Suraj

naveen_chichili
Active Contributor
0 Kudos

Hi Suraj

> For File adapter do we require both our and partner certificates. If both are required, where do I use to configure them

> One in the FTP Connection Parameters, KeyStore, we use our certificate and other one (Partner Certificate) where do we use?

Yes, we require both certificates. Please go through the document below, which clearly explains it step by step.

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/197e6aec-0701-0010-4cbe-ad5ff6703...

Regards,

Naveen.

Former Member
0 Kudos

Hi Naveen,

Thanks for your answers.

The document that you have presented needs to be done for HTTPS communication.

Say we configure HTTPS communication, then in XI 3.0, we complete the certificates installation in Visual Administrator.

In PI 7.1 we use NWA.

Then, in whichever adapter supports HTTPS, using search help we select the private key of XI/PI, and in the sender/receiver agreement we specify the partner certificate for signing. That is how we establish the connection.

But regarding FTPS communication, we install the XI/PI certificate and, using search help for the FTP protocol, in the file adapter it selects only the XI/PI certificate's private key. Now where do we use the partner certificate? In the sender/receiver agreement? However, it does not give us the option to select the partner certificate. I want the particular step in the configuration that indicates the usage of the partner certificate.

I hope you got my question.

Best Regards,

Suraj

naveen_chichili
Active Contributor
0 Kudos

Hi Suraj,

I got your question. So, as per my understanding, you need to know where exactly we maintain it in PI, am I right?

Go through the link below, which explains your requirement: [LINK|http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/18720] [original link is broken]

Regards,

Naveen.

Former Member
0 Kudos

Hi Naveen,

You got my question, thanks for being persistent.

I looked at this blog already. If you look at it, as I explained, it gives provision to select only one certificate that is based on X.509.

In the screenshot heading, it specifies "Entries for Private Key in Secure Store". It gives us the option of selecting XI/PI's Keystore and Private key. That is where we provide the XI/PI certificate.

Now where is the location for selecting/providing the Partner Certificate in the configuration?

Thanks,

Suraj

Former Member
0 Kudos

Hi All,

I got the solution.

In the File adapter, FTP Connection parameters, you specify the <host address>.

Then, on the PI system, maintain an entry in the host file to resolve the host address to an IP address.

Store the certificate of the partner (public key) with CN = <host address> in the Certificate repository.

Internally, when a message is sent to the FTP server, it utilizes the partner's public key from the Certificate repository for encryption. When the message is received by the partner's FTP server, it is decrypted utilizing its private key.

This is how FTPS works.

Thanks for your answers,

Suraj Pabbathi
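
How the settings discussed in this thread map onto a generic TLS client, as an added example that is not part of the original posts and is not SAP PI code: the partner's certificate acts as a trust anchor for verifying the FTP server against the configured host name, our own key pair is presented only for client authentication, and the negotiated cipher suite answers what type of encryption is in use. The function names, file paths and parameters are assumptions.

```python
import ssl
from ftplib import FTP_TLS


def build_ftps_context(partner_ca_pem=None, client_cert=None, client_key=None):
    """Build the TLS client settings for an explicit-FTPS connection."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and host name checking by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if partner_ca_pem:
        # Partner side: the server certificate (or its issuing CA) is only a
        # trust anchor used to verify the server during the handshake.
        ctx.load_verify_locations(cafile=partner_ca_pem)
    else:
        ctx.load_default_certs()
    if client_cert:
        # Our side: certificate and private key, presented only when the
        # server asks for X.509 client authentication.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def open_ftps(host, user, password, ctx, port=21, protect_data=True):
    """Connect, secure the control channel, optionally secure the data channel."""
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, port)
    ftps.auth()              # AUTH TLS: server certificate and host name verified here
    ftps.login(user, password)
    if protect_data:
        ftps.prot_p()        # PROT P: data connections are wrapped in TLS as well
    ftps.set_pasv(True)      # passive mode, as in the scenario described
    return ftps


def negotiated_protection(ftps):
    """Report what the control channel actually negotiated."""
    name, _protocol, bits = ftps.sock.cipher()
    return {"tls_version": ftps.sock.version(),
            "cipher_suite": name,
            "secret_bits": bits}
```
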

baskar_gopalakrishnan2
Active Contributor
0 Kudos

> How it really works? Any additional settings needs to be done apart from configuring the adapter for encryption/decryption?

Basically, it depends on the business requirement; you can go for self-signed certificate or trusted root chain certificate authentication. These certificates need to be shared between your PI server and client.

> I would like to know what type of encryption is achieved using this option?

DSA, RSA, etc. are possible encryption

> Do we require partners and our certificates for encryption and decryption?

Yes

Once the certificate is shared, the public key is given for encryption, and whoever generated the keys will use the private key to decrypt on their end, to make sure that the trusted partner has encrypted the data before they sent it. Talk to the Basis team for further details.

Former Member
0 Kudos

Hi Baskar,

Thanks for the quick reply.

If we require both the certificates for encryption/decryption, then there should be provision to specify both in the configuration.

Where exactly are the public/private keys of our/partner certificates referred to while configuring the File Adapter?

Say I have selected Connection Security: FTPS for Control and Data Connection.

My PI server wants to connect to our partner's FTP server in Passive mode. Then there is a check box "Use X.509 Certificate for client authentication". Through search help, I get our PI server certificates only.

Two questions:

1. With the available options, as it is a check box, it is still not required to use the certificates. Does encryption/decryption still work?

2. If the above location is to specify our server's private key, I will share the public key with our partner. Where do I configure the partner's certificate? In the Sender Agreement/Receiver Agreement?

Thanks,

Suraj

agasthuri_doss
Active Contributor
0 Kudos

Suraj,

> Do we require partners and our certificates for encryption and decryption?

Yes

> How it really works?

With the help of the key, you/partner can encrypt & decrypt

> Any additional settings needs to be done apart from configuring the adapter for encryption/decryption?

HTTPS port needs to be set up

> We do not want to use any adapter module,

You can use your own code in Mapping

> interested to know what comes by default in PI 7.1?

For encryption & decryption? If so, the answer is no

Cheers

Agasthuri

agasthuri_doss
Active Contributor
0 Kudos

Suraj,

> 1. With the available options, as it is check box, still it is not required to use the certificates. Still encryption/decryption works?

Need to use the certificates

> 2. If the above location is to specify our server's private key, I will share public key with our partner. Where do I configure partners certificate? In Sender Agreement/Receiver Agreement?

http://help.sap.com/saphelp_nw04/helpdata/en/a8/d9d53a9aa9e933e10000000a114084/frameset.htm

Cheers

Agasthuri

Former Member
0 Kudos

Hi Agasthuri,

Thanks for the answers. I will consider the first one, but the second one does not sound correct,

because my question is about using the file adapter, not HTTP/HTTPS. So I keep my question open.

2. If the above location is to specify our server's private key, I will share the public key with our partner. Where do I configure the partner's certificate? In the Sender Agreement/Receiver Agreement?

Thanks, Suraj

baskar_gopalakrishnan2
Active Contributor
0 Kudos

> 2. If the above location is to specify our server's private key, I will share public key with our partner. Where do I configure partners certificate? In Sender Agreement/Receiver Agreement

I believe we need to share the partner's certificate in the IE stack using the STRUST transaction code, or just in the Java stack.

Former Member
0 Kudos

Hi Baskar,

STRUST is the transaction where we store certificates. After storing the partner's certificate, how do we tell our scenario to use this certificate? Do we have to refer to the certificate in the configuration? Where do we use it?

I think the File adapter does not give provision for, or does not require, a partner certificate. Somewhere I have learnt that when FTPS port 21 is used, TLS/SSL only encrypts the control session.

I think we use our private key to encrypt the control session, and our partner uses the public key to decrypt the control session. A secure tunnel is established, then FTP is used to transfer the data over the secure connection. This means there is no use for the partner certificate.

I am trying to confirm my understanding.

Anyone, please confirm my understanding.

Thanks, Suraj