Skip to Content

The main Moto of this blog was which explains FTP Secure configuration.

FTPS (also known as FTP Secure and FTP-SSL) is an extension to the commonly used File Transport Protocol(FTP) that’s adds support for the Transport Layer Security(TLS) and the Secure Sockets Layer(SSL) cryptographic protocols.

FTPS should not be confused with the SSH File Transfer Protocol (SFTP), an incompatible secure File transfer sub system for the Secure Shell (SSH) protocol. It is also different from the Secure FTP, the practice of tunneling FTP through an SSH Connection.

I am not going to compare FTPS with SFTP, and not going to discuss about SFTP, already blogs available on the same. (SFTP with PI the openSSH way).

Before configuring Communication channel, we have to deploy the certificates

1) SAP Java Cryptographic Toolkit has to be deployed in J2EE Engine.

2) Public key Certificate (SSL Certificate) which is provided by FTPS Server has to be deployed in J2EE Engine.

3) The CA certificate used to sign the server certificate must be added to the Trusted As key store view in J2EE Engine. (For PI7.1/7.0 no needs to deploy these toolkit and CA certificate. Because those will be already present in the Server itself).

Take basis people help to deploy required certificates in PI J2EE server.

Refer below link for more info

http://help.sap.com/saphelp_nwpi71/helpdata/EN/e9/a1dd44d2c83c43afb5ec8a4292f3e0/frameset.htm

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc?quicklink=events&overridelayout=true

1) Crete communication channel.

 

image

 

 

2) Select Connection security

 

FTPS (FTP Using/TLS) for control connection: The FTP control connection is protected using TLS/SSL (Transport Layer Security/Secure Sockets Layer).File transfer is unencrypted.

FTPS (FTP Using SSL/TLS) for Control and Data Connection:

All communication with the FTP server is encrypted and uses TLS/SSL.

image

 

3) In Command Order Specifies the sequence of commands used to authenticate and secure the connection. Retain the default setting. Only adjust the sequence of commands to match those expected of the FTP server if you encounter problems with the FTP connection.

 

image

 

AUTH TLS: Defines the authentication mechanism used for the current FTP session.

USER: Sends a User Logon ID to the Server

PASS: Sends a Password to the Server

PBSZ: Defines the largest buffer protection buffer size to be used for application-level encoded data sent or received on the data connection.

PROT : Defines the protection used for FTP data connections.

4) Use X.509 Certificate for Client Authentication, Set this indicator if the adapter, in contrast to the FTP server, is to use X.509 certificate and public-key cryptography to authenticate itself. The corresponding key/certificate pair must previously be saved in a keystore view of the J2EE server.

Give The Details in KeyStore and x.509 Certificate by selecting the help. If we already deployed the Certificates in J2EE Engine, help will be provided and we have to select from that as shown below.

Enter the Keystore and the X.509 Certificate and Private Key. To do this, you can use the input help.

Keystore contains certificates that are used for authentication and encryption.

 

image

5) An X.509 client certificate is a digital “identification card” for use in the Internet, also known as a public-key certificate. So public key Certificate has to be selected.

 

image 

6) Final configuration looks like below.

image 

The FTPS configuration for both sender and receiver communication channels is similar.

To report this post you need to login first.

9 Comments

You must be Logged on to comment or reply to a post.

  1. Christian Krantz
    Hi,

    Thanks for the blog. I think it is very usefull. But I have a question about a bit different situation. Hope you can help. I have a SOAP receiver scenario and need to deploy the certificates. My partner gave me 3 .CER and 1 .CRT certificate. I need to delploy them in JAVA but I don’t know how? I tried it but I can’t see the certificate in the keystore selection of the communication channel.

    I your example you selected the service_ssl option. which writes CN=localhost etc. Don’t you have to select the certificate imported?

    I appreciate it if you can help me. Thanks.

    (0) 
  2. Pradeep Gangasani
    Hi ,

    We are facing issue regarding file adapter service.Issue is the some times file adapter will not pick the files which are placed at the common directory.

    We are not able to find the reason as it suddenly stop picking the files.When we restart the service it picks the files automatically.

    Please suggest a solution to resolve the issue.

    Regards
    Pradeep Reddy

    (0) 
    1. Raj Thukiwakam Post author
      Hi,

      This is Locking issue as per my knowledge, pls report this issue to SAP,because we dont have any solution for this,SAP procided some patch i guess.

      Regards,
      Raj

      (0) 
  3. Samiullah Qureshi

    Hi Raja,

    I would like to know if it is possible to implement XML signature(http://en.wikipedia.org/wiki/XML_Signature) in FTPS option available in File receiver communication channel.

    <Signature>

      <SignedInfo>

        <CanonicalizationMethod />

        <SignatureMethod />

        <Reference>

           <Transforms>

           <DigestMethod>

           <DigestValue>

        </Reference>

        <Reference /> etc.

      </SignedInfo>

      <SignatureValue />

      <KeyInfo />

      <Object>ACTUAL XML PAYLAOAD</Object>

    </Signature>

    Please share your view on this.

    Thanks and Regards,

    Sami.

    (0) 
      1. Samiullah Qureshi

        Thanks Raja for your response.

        Yeah. We do not have this option in file adapter. We have implemented the XML digital signature in java mapping using the solution given in following SAP help link. It is generating the digitally signed XML. However, it is having structure different than the one that I have explained above.

        http://help.sap.com/saphelp_nwpi71/helpdata/en/a4/d0201854fb6a4cb9545892b49d4851/frameset.htm

        The same code can be used in Adapter module as well. If someone wants to use it in adapter module.

        Thanks and Regards,

        Samiullah.

        (0) 
  4. Joan Llaully

    Hi, I have currently a similar scenario: FTPS –> PI –> FTPS. I would like if your blog apply for any kind of file encryption (PGP or X.509 SSL) and what encryption type would you recommend me?

    Thanks in advanced for your reply

    Best regards,

    Joan Llaully

    (0) 
  5. Tina zhang

    Hi Raja,

    I’m working on a receiver FTPS via PI 7.0 now, and I have some questions, could you please share your opinion if you know that?

    1. What certificate do I need to deploy in PI, is it provided by FTPS server?

    2.Do I need to provide a certificate to FTPS side, if yes, how can i generate a certificate?

    3.Do I need to use different certificates for control connection and control and data connection?

    Thank you and look forward to having your opinion on these.

    Regards,

    Candy

    (0) 
  6. krishnarjuna parimisetty

    Hi raja..

    My FTP server and PI 7.1 EHP1 are going t be same host(Its windows box)

    SO apps team is going to use FTPS to/from banks and externals.

    So from basis prospective , i have to go for trusted CA right ?

    do i have to apply them in PI as well as OS level ?

    So shall i take CSR from PI Visual admin and get the TrsustedCA and apply in both PI and OS level ? Please explain the process.

    Krishnarjun

    (0) 

Leave a Reply