IDoc to File Scenario with FTPS

Former Member
0 Kudos

Hi,

We are developing interfaces, mainly IDoc to file, wherein the file has to be placed at the receiver FTP location using FTPS connection security.

I went through the links, and , after which I got some doubts in my mind.

As per my understanding, these are the steps that are to be followed for configuring FTPS, correct me if I go wrong.

1. Get the public/private key pair certificate from the client(FTP provider)

2. Deploy the certificate in Netweaver Administrator under Trusted CAs key storage view

3. Maintain the common name for the certificate entry with the ip address of the FTP server or the host name.

4. Configure the FILE adapter with Connection security as FTPS(control and data), select command order

5. Still not sure whether or not to enable the X.509 certificate for client authentication.

Am I missing any steps ?

Below are the doubts that I need clarification for,

1. What type of certificate should be demanded from the client ? is it X.509 ? or PKCS#8/12 ? Does X.509 certificate play a role in encryption?

2. Using FTPS, will the data in the file be encrypted as in PGP encryption ?

3. Is there any configuration to be done in STRUST Tcode in the ABAP stack ?

4. Correct me if I am wrong: we will be given a public key for the encryption and the receiving partner will have the private key used for the decryption. If this is the case, what does this private key (highlighted in the image) represent?

Please guide me in completing this scenario as I have no prior experience with FTPS. Thanks in advance.

Thanks & Regards,

Vivek.

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi,

We received a newly generated certificate from the client and were able to deploy the certificate into the Trusted CAs keystore view in the Netweaver Administrator.

Now, I am getting an error as below, while trying to connect to the FTP server after enabling FTPS Connection Security.

I went through this link , after which I got some doubts.

> Is it enough that the port 21 alone be opened at the firewall ?

> Are there any specific ports to be opened for the FTPS (FTP over SSL) other than 21 ?

> How do we know the range of the random port number generated ? 

Please clarify me on these doubts.

Thanks in advance,

Regards,

Vivek.

Former Member
0 Kudos

Hi All,

We spoke to the FTP server admin and received the dynamic port range that should be used for the FTPS communication. These ports (4XXXX series) along with the control connection port 21 are open in the firewall.

Whenever the PI middleware tries to drop a file to the FTP server, we are still getting the "Connection Timed Out" error.

This error keeps repeating on the PI Side regardless of any changes done in the firewall.

When we tried telnet from the PI server (Unix) to the FTP server (Linux), we were able to hit the FTP server through both ports 21 (control connection) and 4XXXX (data connection).

We even monitored the FTP server logs when we tried executing the interfaces from the source system. In this case, we were able to see that the FTP server is getting hit through port 21 but not port 4XXXX, hence the file is not getting placed on the FTP server.

Please let me know whether any of you faced such situation and found a solution ?

Thanks in Advance,

Regards,

Vivek.
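
A check for the symptom in the post above (control port 21 is hit, the passive data port never is), as an added example that is not part of the thread: with FTPS the control channel is encrypted, so a firewall or NAT device cannot read or rewrite the server's passive-mode reply, and the address and port in that reply are exactly what the client dials. The sketch parses a `227`/`229` reply taken from a client-side trace and compares it with the control host and the opened port range; the reply strings, the `203.0.113.10` address and the `40000-40999` range are constructed placeholders.

```python
import re

# Constructed placeholder: the thread gives the passive range only as "4XXXX".
ALLOWED_PORTS = range(40000, 41000)

PASV_RE = re.compile(
    r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def parse_passive_reply(reply, control_host):
    """Return the (host, port) a client dials for the data connection."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if max(nums) > 255:
            raise ValueError("field out of range in %r" % reply)
        # RFC 959: four address octets, then the port as high byte, low byte.
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError("port out of range in %r" % reply)
        # RFC 2428: EPSV carries only a port; the control host is reused.
        return control_host, port
    raise ValueError("not a 227/229 passive reply: %r" % reply)


def check_data_endpoint(reply, control_host, allowed_ports=ALLOWED_PORTS):
    """Flag a data endpoint the firewall rules described above would not cover."""
    host, port = parse_passive_reply(reply, control_host)
    findings = []
    if host != control_host:
        findings.append("ADDRESS_MISMATCH")   # e.g. internal address behind NAT
    if port not in allowed_ports:
        findings.append("PORT_NOT_ALLOWED")   # outside the opened passive range
    return host, port, findings


if __name__ == "__main__":
    # Constructed sample replies, not taken from the thread.
    for line in ("227 Entering Passive Mode (203,0,113,10,156,64)",
                 "227 Entering Passive Mode (10,0,0,5,156,64)",
                 "229 Entering Extended Passive Mode (|||50000|)"):
        print(line, "->", check_data_endpoint(line, "203.0.113.10"))
```

An `ADDRESS_MISMATCH` finding means the client is being sent to an address other than the one the control connection used, which a manual telnet to the public address would not reveal.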

former_member184720
Active Contributor
0 Kudos

Hi Vivek -

What type of certificate should be demanded from the client ? is it X.509 ? or PKCS#8/12 ? Does X.509 certificate play a role in encryption?

>>> I don’t think we demand something. It’s the FTP administrator who defines and provides you with the key pair and

It’s only the connection level encryption.

Using FTPS, will the data in the file be encrypted as in PGP encryption ?

>>> AFAIK - No. You have to configure PGP encryption to encrypt the message content.

Is there any configuration to be done in STRUST Tcode in the ABAP stack ?

>>> No. Load the certificate into the NWA keystore only.

Correct me if I am wrong: we will be given a public key for the encryption and the receiving partner will have the private key used for the decryption. If this is the case, what does this private key (highlighted in the image) represent?

>>> It’s correct. As you noticed in the blog, when a message gets processed by PI, it uses the partner’s public key from the certificate and your partner will decrypt using their private key.

And the option is nothing but the certificate provided by your partner

Another blog for reference : http://scn.sap.com/docs/DOC-26940

Former Member
0 Kudos

Hi Hareesh,

Thanks for the response. I have already gone through the blog that is mentioned by you. We are using PI 7.1 EHP1 SP05, is there a way to encrypt the data as in PGP ? say, using an adapter module ?

As per my knowledge, we can use the PGP add-on in PI 7.1 right from SP08. Under current circumstances, we cannot upgrade.

Regards,

Vivek.

Former Member
0 Kudos

Hello,

>>We are using PI 7.1 EHP1 SP05, is there a way to encrypt the data as in PGP ? say, using an adapter module ?

There are multiple ways to do PGP encryption u can check my reply in below thread

>>Under current circumstances, we cannot upgrade.

Why not? SP upgrades are generally quite smooth so if i were u then i would have convinced client to do so.

In addition to that there are two other reasons:

1) The option which i have mentioned in my thread are OK, but since SAP has already provided standard PGP modules so u don't have to invest ur efforts in doing custom development (and u can also avoid license cost in case u opt for third party library like DIDISOFT).

2) In case u use standard module then tomorrow while upgrading (to higher PI versions) u don't have to scrap ur previous configuration

Thanks

Amit Srivastava

Former Member
0 Kudos

Hi Amit,

>> Why not? SP upgrades are generally quite smooth so if i were u then i would have convinced client to do so.

I have spoken to the client regarding the upgrade as well, that is pending for approval from their HQ. Meanwhile, I wanted to know whether there is a way to achieve FTPS along with data encryption, as FTPS encrypts the communication with FTP server with SSL/TLS but not the data.

For now, I have received the public key certificate from the FTP service provider and working with the basis people to deploy it in the Netweaver Administrator Key storage views.

Thanks & Regards,

Vivek.

Former Member
0 Kudos

Hello,

If ur project is ready to bear the cost of third party libraries then i would suggest you to go with DidiSoft library it's quite easy to use and provide u all the methods for encryption/decryption/sign etc.

Otherwise, u can use cryptic libraries to do encryption using JM, check blogs which i have mentioned in my previous reply.

Thanks

Amit Srivastava

Former Member
0 Kudos

Thank you Amit,

I will check with the client if procurement of third-party libraries is feasible.

Meanwhile, I am trying to achieve the FTPS without data encryption to make sure FTPS works fine.

Regards,

Vivek.

Former Member
0 Kudos

Hi Amit,

The client has refused the purchase of third-party libraries. Hence we are proceeding with FTPS (FTP over SSL) connection security.

Please let me know if you can help me solve this issue.

Thanks & Regards,

Vivek.