on 10-15-2014 7:45 AM
Hi,
We're working with a scenario where we are sending signed files over sftp to a partner.
The files are generated by a SAP ABAP system and placed on a file system. The files themselves must be secured on this file system to prevent tampering, and we've chosen to add a PKCS#7 signature to them via SSF_KRN_SIGN_BY_AS. (The data itself is not confidential; it's just important that it cannot be changed during transit.)
Our plan was to just use the file adapter in PI to pick up the files, and use the SFTP add-on to deliver them to the partner with no mapping or changes in the file.
Unfortunately, the partner only supports pgp signatures (not PKCS#7) so we cannot follow our original plan.
It is theoretically possible to generate pgp files in the SAP ABAP system by installing pgp on the application servers and using an external command. However, this is not a path we want to go down, as it complicates the system landscape and increases dependency on the application server operating system.
PI has good support for pgp through the SAP NetWeaver Process Integration, secure connectivity add‑on 1.0 SP04 – SAP Help Portal Page (same add-on as the sftp support).
But how can we make the mapping from a signature created by the SAP ABAP system (PKCS#7) to a pgp based signature?
My initial evaluation is that we need to create an adapter module for the PI file adapter for removing the PKCS#7 signature, before using configuration to add the pgp signature. Found some relevant code in this thread http://scn.sap.com/thread/3501375
Regards
Dagfinn
Hi Dagfinn,
My few cents: you can avoid the module adapter bean implementation and remove the signature tags with an XSL inside the adapter. You will need to deposit your XSL in a file path accessible by PI. You can do this with the MessageTransformBean: Inserting MessageTransformBean in Module Processor - Adding Modules to the Module Processor - SAP Li...
Hope this helps.
Regards.
Hi
PI should have a PGP module. I guess you can process the message through a communication channel with the PGP module. Then let PI process the message and send it back to the ABAP system.
I have not worked with the PGP.
The SAP PGP module looks like it can just decrypt, or decrypt & verify. Not verify alone.
Maybe you could create a detached signature (B_DETACHED = 'X') in the first phase and leave the original file untouched. In the second step, sign the file using the PGP module only if the original file is still intact.
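The check suggested in the last reply (keep a detached PKCS#7 signature and PGP-sign only if the original file is still intact), sketched with the openssl command line as an added example that is not part of the thread. The file names, the drop directory and the throwaway key and certificate are constructed for the demo; it assumes a DER-encoded detached signature, and the PGP signing itself is left to whatever picks the file up from the drop directory.

```shell
#!/usr/bin/env bash
# Added example: gate a file on its detached PKCS#7 signature before it is
# handed to the PGP signing step. All names and paths are hypothetical.

# verify_detached FILE SIG CERT
# Succeeds only if SIG (DER, detached PKCS#7) is a valid signature over FILE
# and the signer chains to CERT, which is the only trusted certificate.
verify_detached() {
    # -binary: no CRLF canonicalisation of FILE before hashing
    # -certfile: used when the signature does not embed the signer certificate
    openssl smime -verify -binary -inform DER \
        -in "$2" -content "$1" \
        -certfile "$3" -CAfile "$3" \
        -out /dev/null 2>/dev/null
}

# release_if_intact FILE SIG CERT OUTDIR
# Copies FILE to OUTDIR (the pick-up directory of the PGP signing channel)
# only when the signature still verifies; otherwise nothing is released.
release_if_intact() {
    if verify_detached "$1" "$2" "$3"; then
        cp -- "$1" "$4/" && echo "released: $1"
    else
        echo "REJECTED (signature check failed): $1" >&2
        return 1
    fi
}

# Constructed test data: throwaway key, self-signed cert, sample file, signature.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=abap-demo" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    printf 'INVOICE;1001;250.00\n' > "$1/data.csv"
    mkdir -p "$1/out"
    openssl smime -sign -binary -outform DER -in "$1/data.csv" \
        -signer "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/data.csv.p7s" 2>/dev/null
}

tmp=$(mktemp -d)
make_fixture "$tmp"
release_if_intact "$tmp/data.csv" "$tmp/data.csv.p7s" "$tmp/cert.pem" "$tmp/out"
printf 'INVOICE;1001;999.00\n' > "$tmp/data.csv"   # simulated tampering at rest
release_if_intact "$tmp/data.csv" "$tmp/data.csv.p7s" "$tmp/cert.pem" "$tmp/out" || true
rm -rf "$tmp"
```

Because the signature is detached, the file released to the drop directory is byte-for-byte the original, so no PKCS#7 wrapper has to be stripped before the PGP step.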