SFTP vs. FTPS in SAP PI

Business Case:

In many implementations Business requirement is to “secure” the file/data transfer between XI and any third-party system. So there is a need of secured connection between XI/PI and any file based third-party legacy systems.

Following solutions are proposed to cater secure connection between XI/PI and any third party systems.

1) SFTP (Secure File Transfer Protocol)

 “SSH File Transfer Protocol” or SFTP is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with the SSH-2 protocol to provide secure file transfer. SFTP encrypts the session, preventing the casual detection of username, password or anything that is being transmitted. One key benefit to SFTP is its ability to handle multiple secure file transfers over a single encrypted pipe. By using a single encrypted pipe, there are fewer holes in the corporate firewall.

2) FTPS (FTP over SSL)

FTPS (FTP-SSL) is a real ftp that uses TSL/SSL to encrypt the control session and if required the data session. With FTPS, the control session is always encrypted, but the data session may not be always encrypted. FTPS is a file transport layer on top of SSL. SSL, or Secure Sockets Layer, is a method by which an encrypted ‘pipe’ or tunnel is established between the FTP client and FTP server. Once the secure tunnel has been established (which is done using 128-bit encryption techniques), standard FTP is used to transfer data over the secure connection.

Feasibility of SFTP and FTPS in XI:

SFTP:

As per the latest SAP PI/XI support pack, it does not support SFTP via File Adapter.

So alternative approach to cater this requirement from XI is to make use of Unix Script at OS level to transfer the files from/to third-party systems.

• Inbound Interface – i.e. third-party system ->XI->SAP: 

  File is transferred to a folder in SAP XI landscape from the third-party legacy system using UNIX Script with secured protocol. Once the file is ready in the XI landscape, File Adapter will poll this directory and file is picked up by NFS protocol.

• Outbound Interface – i.e. SAP->XI->third-party system: 

  XI is responsible for writing a file into a folder in the XI landscape. These files are transferred to the third-party system by executing UNIX scripts with secured protocol i.e. via sFTP.

Pre-Requisites: 

• Public key should be exchanged between external systems and the PI system.
• UNIX shell script has to be developed and scheduled.

Advantages: 

• Highly Secured.

• Ability to handle multiple secure file transfers over a single encrypted pipe .By using a single encrypted pipe, there are fewer holes in the corporate firewall.

Disadvantages:

• Two-Step process i.e. XI–>Temporary folder–>External System and vice-versa
• Files have to be temporarily stored in XI server.
• Multiple failure points i.e. XI and Unix script execution
• Maintenance of an external UNIX script.
• Difficulty in monitoring the execution of the shell script as it cannot be monitored thru XI.
• Need to generate keys and install it in the SFTP site as a pre-requisite i.e. SFTP clients must install keys on the server.
• SFTP uses keys rather than certificates. This means that it can’t take advantage of the “chains of trust” paradigm facilitated through Certificate Authorities.
• Files from the XI server should be deleted/archived in a periodic manner to increase the disc space so that it will increase the performance.

Note: UNIX shell Script can be executed as a background job ‘or’ can be triggered from SAP XI through OS command at File adapter level.

FTPS (File Transfer Protocol Using SSL/TLS):

This is a built-in feature of File adapter in XI. But SAP Java Cryptographic Toolkit must be deployed as a prerequisite. (Refer to note https://service.sap.com/sap/support/notes/821267 Question 28). By default following ports are used:

• Implict FTPs 990 (Control) and 989 (Data)
• Explicit FTPs 21 (Control) and 20 (Data)

Both use cases can be combined with active and passive mode.

Advantages:

• Direct transfer of files to/from third-party systems. It is not required to store the files in the XI server temporarily.
• Built-In feature from XI File adapter
• No extra effort in development and maintenance of Unix Script.
• Centralized Monitoring tool from XI
• FTPS uses certificates and therefore can take advantage of “chains of trust” paradigm facilitated through Certificate Authorities. This paradigm makes it possible for two entities to establish a trust relationship without directly exchanging security information, which is important for some applications.

Disadvantages:

• Requires opening multiple ports forenabling SSLin the firewall. So there are multiple holes in the corporate firewall.
• Not every FTP server supports FTPS and many that do, require a configuration change to activate the FTPS protocol extension.
• Cryptographic toolkit should be installed in XI system though it is not very complex or expensive.

Conclusion:

Though SFTP seems more secure as it works through one port, FTPS is easier to configure, monitor and maintain from XI point of view. However, the decision depends on many parameters like, cost/effort, flexibility in use, ease of maintenance, company security policy, failure possibilities etc.

Thanks to my colleagues for their valuable inputs during the discussion.