on 02-04-2014 4:09 PM
Hi All
I am currently working on SAP PI 7.1 with EHP1 and have some queries regarding the working of SSL encryption in PI System.
We have SSL configured in some of our scenarios which connects to other systems via HTTPS and FTPS protocols and want clarification on below points:
1) As per the normal functionality of SSL, an SSL handshake happens before any data transmission between two systems but I have read on some blogs that PI System doesn't support this handshake at time of connection so we have to explicitly import the certificate of the server which PI system is trying to connect. Is this true?
2) If yes then in which keystore view we need to import this certificate of server to which PI system is trying to connect and also do we need this certificate in STRUST as well?
3) If no, then is it sufficient to do the configuration as per the steps mentioned in http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60ff2883-70c5-2c10-f090-a744def2b... or any other steps are also required?
4) Which certificates are required to be imported in Keystore and which all are required to be imported in STRUST and in which scenario?
Regards
VJ
Hi All
Thanks for your expert comments and help on this issue. I have got a bit of clarity on the certificate usage in NWA.
It would be great if I could get a clarification on type and usage of certificates in STRUST as well for PI System
Regards
VJ
Hi Vishal - Below blogs will help you in understanding the usage of certificates in STRUST
http://help.sap.com/saphelp_nwpi711/helpdata/en/49/26af8339242583e10000000a421937/frameset.htm
Hi Vishal -
AFAIK - there are two types of authentication i.e. Server & client.
If the client authentication is enabled, then you have to import the certificate provided by your external system into NWA. For path and details you can refer to the below blog
Thanks Hareesh for your response!!!
The blog which you have referred is to enable the authentication via X.509 Certificates, which however can be done with the help of credentials as well which can be maintained in the communication channel.
However my question is even though I have credentials to login to a FTP Server do I need to install the FTP Server certificate in the NWA of PI System or it will work perfectly without it?
Regards
VJ
>>even though I have credentials to login to a FTP Server do I need to install the FTP Server certificate
Without configuring any certificates still it works as I believe the adapter uses standard security standards.
If you want your adapter/in case your client requires authentication and provides you with certificates to verify the authenticity then you have to import them into Java Keystore.
I don't think this is true. Usage of certificate is not mandatory.
The only required thing is that the FTP server to which you are trying to connect must follow the RFC specification 4217.
Reference : 821267 - FAQ: XI 3.0 / PI 7.0 / PI 7.1 / PI 7.3 File Adapter
Hi Hareesh
Thanks for inputs. I am aware of client based authentication where we share our public key certificate with the FTP server team and we maintain our private key certificate in the keystore and specify its name in the communication channel.
But my question here is if I am using credentials (username/password) based authentication, still do I need to import any certificate in PI System (like certificate issued to the FTP server host name).
Similar is the case with HTTPS connection, if I am connecting to a HTTPS service and authenticating via username and password do I need to import the certificate which is issued to the HTTPS URL?
Regards
VJ
Hello Vishal,
>>But my question here is if I am using credentials (username/password) based authentication, still do I need to import any certificate in PI System (like certificate issued to the FTP server host name).
It depends on your FTP server (and how they want to communicate either using certificates based authentication or user/pass authentication or BOTH), so if you are able to connect FTP just by using user/pass then there is no need to install certificates and use it in CC.
>>Similar is the case with HTTPS connection, if I am connecting to a HTTPS service and authenticating via username and password do I need to import the certificate which is issued to the HTTPS URL?
Again, answer is same. So, you can use HTTPS URL without installing any certificates and just use user/pass based authentication.
Thanks
Amit Srivastava
Hi Vishal - Maybe I should've been more clear when I say "Without configuring any certificates still it works as I believe the adapter uses standard security standards"
But my question here is if I am using credentials (username/password) based authentication, still do I need to import any certificate in PI System (like certificate issued to the FTP server host name).
Similar is the case with HTTPS connection, if I am connecting to a HTTPS service and authenticating via username and password do I need to import the certificate which is issued to the HTTPS URL
>>> This is not at all mandatory. If the involved parties are ok with user based authentication then you are completely fine.
If you enable FTPS/HTTPS - PI uses certain security standards in transferring the messages over SSL.