PGP and SFTP : FAQ Sheet
If you have read the following blogs on using the SFTP and PGP solutions in PI and still have questions unanswered, this blog with look at addressing the common queries on these subjects;
1. SFTP Adapter – SAP SFTP Adapter: A Quick Walkthrough
2. PGP Module
a. PGPEncryption Module: A Simple How to Guide
b. PGPDecryption Module: A Simple How to Guide
Note: The below list will be updated with further questions and answers appropriately.
Generic Questions:
The Big Question: Is the SFTP and PGP solution free or do I need a separate licence to use this?
The Simple Answer: It is free! If you are talking about licences, perhaps you are confusing yourself with the B2B add on, which is going to cost you. But the Secure Connectivity Add on i.e nothing but the SFTP adapter and the PGP modules, are absolutely free.
Dependencies? Is it mandatory to install the PGP add on along with SFTP adapter or vice versa?
Answer: NO. Both are independent of each other.
FAQ – SFTP Adapter
Q1. My file is not getting picked. What is going wrong?
Ans. Unlike the normal FTP adapter, the SFTP adapter expects a regular expression. Cross check your configuration and provide the correct regular expression for your file name.
Q2. I am getting the error, “Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)“
Ans: It could be a potential unlimited JCE issue. Try the settings as described in the section ‘Unlimited JCE’ of this document.
Q3. I am facing issues using the ASMA in the Receiver SFTP adapter.
Ans: Try to change the namespace to http://sap.com/xi/XI/System/File and the File Name Attribute as FileName
FAQ – PGP Module
Q1. When I have to do Encryption, what do I need to have?
Ans: You will need a public key, along with a confirmation on what Algorithm that needs to be configured.
Q2. Who will provide me the public key?
Ans: Usually, an encryption is used in scenarios where PI is supposed to send files to external or third party systems (vendors, suppliers, customers etc). In these cases, the public keys are provided by the respective vendor/supplier/customer.
Q3. When I have to Sign and Encrypt how is it different from Q1 and Q2?
Ans: To sign, PI will also need a private key along with its passphrase.
Q4: Who will provide me with the key for Signing?
Ans: Since this is a private key, your organization is responsible.
Q5. When I have to do Decryption, what do I need to have?
Ans: You will a private key and the passphrase associated with it.
Q6. Who will provide me the private key for decryption?
Ans: Usually, decryption is used in scenarios where PI is receiving files from external or third party systems (vendors, suppliers, customers etc). Your organization would have provided the public key to the third party and will own the private key. Hence your organization should be providing you with the private key for you to configure the adapter.
Q7. When I have to Decrypt and Verify how is it different from Q5 and Q6?
Ans: To verify, PI will also need a public key usually provided by the third party involved in the exchange of files.
Q8. Can I manage my keys using the PI Keystore?
Ans: No. At this point of writing this blog, SAP does not provide an option to do this. The keys are managed at an OS file directory level. The default location is ‘usr/sap/<System ID>/<Instance ID>/sec‘
Q9. Can I use PGP only for the File adapter?
Ans. No. PGP module is compatible with other adapters like Mail, JMS etc.
Hi Shabarish,
Really, good piece of questions and answers..... it will clear the basic concept what kind of keys (public/private) are required for what (encript/decript).
Regards,
Krishna Chauhan
Another question to consider:
You can use File Content Conversion after encrypt?
Answer: No, because after encrypting data will not be sorted in xml format, so no conversion can be made.
It would be good that the PGP module could work after making Content Conversion.
For this case, you will have to use a module to make your own File Content Conversion and then apply the PGP module.
Felipe Forero Guzman have you tried using the message transform bean? this can help with the content conversion and then later u can use the pgp module to do enc/dec
No, but thank you very much !! I'll check it.
For Question number 9:
Has this been updated? I mean..Is the file adapter still not compatible with PGP module?
Thank You!
Cheers,
R-jay
>>>Has this been updated? I mean..Is the file adapter still not compatible with PGP module?
It was always compatible
The question was can this be used with others adapters in addition to the File Adapter? and the answer is yes(works fine with all other adapters)
My Bad Hareesh. I read back the information and definitely compatible with most of the adapters. Thanks for clarifying.
Hi Haressh,
for Q9 I need further information, maybe you or someone else can help me. Is it possible to secure the SSL connection which is established by the REST-Adapter using PGP technology?
Thx & BR
Markus
Hi Shabarish,
Can we use\implement S/MIME message level encryption-decryption in SFTP Adapter in SAP PO 7.4. This is the urgent requirement.
Could you please provide your valuable inputs ASAP.
Is there any alternate for this. Thanks!
Hi Hanee,
I think its not possible. SSH keys can do encryption but for TCP communication, in case of SFTP communication it must serve only authentication.
Alternate is to use PGP for encryption/decryption.
From what I know, PI uses only PGP/AS2 for AES128 algorithm. So maybe you need to get back to them that these are the only approach your PI has unless you customized your adapter to adapt their needs.
Simple logic:
if you use PGP to encrypt..it will be decrypted using PGP
if you use AS2 to encrypt..it will be decrypted using AS2
Not that I know of (as an alternative) from experience I have. If there are people who have experienced it, hope the'lly reply to your query.
Cheers,
R-jay
Hi Shabarish,
will PGP decryption work when we use file as an attachement with SFTP sender, we need to pick different type of files from ftp folder and need to place in applicatin server where our sender is doing PGP encryption and i need to decrypt it in PI, its like pass through interface, can this work if we pick files as an attachments.
Thanks,
Venu.
Hi Experts,
I am working on a scenario where we are getting a encrypted file and we have to decrypt it and then do the FCC. we are using SAP SFTP adapter.
So when I use PGPDecyrption module and MessageTransformationBean module, the file gets decrypted and content conversion also happens perfectly fine.
But, when I keep only PGPDecryption module and use SFTP's content conversion tab, I am getting this exception :
Exception received: java.lang.NumberFormatException: For input string: "0'"
Any help would be appreciated.
Thanks in advance.
Regards,
Ajit