
Doubts regarding SSL in PI 7.1

vishal1889
Active Participant
0 Kudos

Hi All

I am currently working on SAP PI 7.1 with EHP1 and have some queries regarding the working of SSL encryption in PI System.

We have SSL configured in some of our scenarios which connects to other systems via HTTPS and FTPS protocols and want clarification on below points:

1) As per the normal functionality of SSL, an SSL handshake happens before any data transmission between two systems but I have read on some blogs that PI System doesn't support this handshake at time of connection so we have to explicitly import the certificate of the server which PI system is trying to connect. Is this true?

2) If yes then in which keystore view we need to import this certificate of server to which PI system is trying to connect and also do we need this certificate in STRUST as well?

3) If no, then is it sufficient to do the configuration as per the steps mentioned in http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60ff2883-70c5-2c10-f090-a744def2b... or any other steps are also required?

4) Which certificates are required to be imported in Keystore and which all are required to be imported in STRUST and in which scenario?

Regards

VJ

Accepted Solutions (0)

Answers (2)

vishal1889
Active Participant
0 Kudos

Hi All

Thanks for your expert comments and help on this issue. I have got a bit of clarity on the certificate usage in NWA.

It would be great if I could get a clarification on type and usage of certificates in STRUST as well for PI System.

Regards

VJ

former_member184720
Active Contributor
0 Kudos

Hi Vishal -

AFAIK - there are two types of authentication i.e. Server & client.

If the client authentication is enabled, then you have to import the certificate provided by your external system into NWA. For path and details you can refer to the below blog

http://scn.sap.com/docs/DOC-26940

vishal1889
Active Participant
0 Kudos

Thanks Hareesh for your response!!!

The blog which you have referred is to enable the authentication via X.509 Certificates, which however can be done with the help of credentials as well which can be maintained in the communication channel.

However my question is even though I have credentials to login to a FTP Server do I need to install the FTP Server certificate in the NWA of PI System or it will work perfectly without it?

Regards

VJ

Harish
Active Contributor
0 Kudos

Hi Vishal,

The credential you maintain at channel level is for normal FTP connection where FTP server can connect with given authorization.

If you want FTPS communication (secure FTP) then you need to use the certificates, which provide transport layer security.

regards,

Harish

former_member184720
Active Contributor
0 Kudos

even though I have credentials to login to a FTP Server do I need to install the FTP Server certificate

Without configuring any certificates still it works as I believe the adapter uses standard security standards.

If you want your adapter/in case your client requires authentication and provides you with certificates to verify the authenticity then you have to import them into Java Keystore.

former_member184720
Active Contributor
0 Kudos

I don't think this is true. Usage of certificate is not mandatory.

The only required thing is that the FTP server to which you are trying to connect must follow the RFC specification 4217.

Reference: 821267 - FAQ: XI 3.0 / PI 7.0 / PI 7.1 / PI 7.3 File Adapter

Harish
Active Contributor
0 Kudos

Hi Hareesh,

Thanks for pointing it out, I was not aware if FTPS can be achieved with certificates.

Thanks for sharing the info.

regards,

Harish

vishal1889
Active Participant
0 Kudos

Hi Hareesh

Thanks for inputs. I am aware of client based authentication where we share our public key certificate with the FTP server team and we maintain our private key certificate in the keystore and specify its name in the communication channel.

But my question here is if I am using credentials (username/password) based authentication, still do I need to import any certificate in PI System (like certificate issued to the FTP server host name).

Similar is the case with HTTPS connection, if I am connecting to a HTTPS service and authenticating via username and password do I need to import the certificate which is issued to the HTTPS URL?

Regards

VJ

Former Member
0 Kudos

Hello Vishal,

>>But my question here is if I am using credentials (username/password) based authentication, still do I need to import any certificate in PI System (like certificate issued to the FTP server host name).

It depends on your FTP server (and how they want to communicate either using certificates based authentication or user/pass authentication or BOTH), so if you are able to connect FTP just by using user/pass then there is no need to install certificates and use it in CC.

>>Similar is the case with HTTPS connection, if I am connecting to a HTTPS service and authenticating via username and password do I need to import the certificate which is issued to the HTTPS URL?

Again, answer is same. So, you can use HTTPS URL without installing any certificates and just use user/pass based authentication.

Thanks

Amit Srivastava

former_member184720
Active Contributor
0 Kudos

Hi Vishal - Maybe I should've been more clear when I say "Without configuring any certificates still it works as I believe the adapter uses standard security standards"

But my question here is if I am using credentials (username/password) based authentication, still do I need to import any certificate in PI System (like certificate issued to the FTP server host name).

Similar is the case with HTTPS connection, if I am connecting to a HTTPS service and authenticating via username and password do I need to import the certificate which is issued to the HTTPS URL

>>> This is not at all mandatory. If the involved parties are ok with user based authentication then you are completely fine.

If you enable FTPS/HTTPS - PI uses certain security standards in transferring the messages over SSL.