SFTP adapter with FCC and PGP encryption/decryption
My latest requirement was to do PGP (Pretty Good Privacy) encryption/decryption using the SFTP adapter with File Content Conversion (FCC).
For a good introduction to PGP, see the Wikipedia article: https://en.wikipedia.org/wiki/Pretty_Good_Privacy
Background on my PI version :
I am working on SAP PI 7.4 (dual stack) with the latest support pack (SP4) for the SFTP adapter. For a little more information: the SFTP adapter now has a built-in FCC processing tab, as in the FTP adapter. (But in the scenario that I am describing today, standard FCC won't be of much help.)
Objects to be created in ESR :
- Data type : For the receiver end, we will create a simple structure with just one level of hierarchy. I believe that with FCC we can go up to two levels of hierarchy without having to do any further customization.
- Message type
- Service interface
- Message mapping
- Operation mapping
Objects to be created in ID :
- Receiver communication Channel
Please fill in the required details in the destination tab. If you only need to achieve FCC you can go with the FCC message protocol, but here we are going to use FTP.
Note : While testing the encryption module that we are going to use, I observed that it was executed before FCC, resulting in an encrypted XML file, so we are avoiding FCC as the message protocol.
So, to convert the XML into a .csv file, I used the message transformation bean module followed by the PGPEncryption module.
To check the parameter list allowed with both the modules, please visit the below links :
For PGPEncryption module : https://help.sap.com/saphelp_nw-secure-connect102/helpdata/en/8b/11483856d04f6b9c7bf378ecd1670c/content.htm
For MessageTransformationBean : https://help.sap.com/saphelp_nwpi711/helpdata/en/57/0b2c4142aef623e10000000a155106/content.htm
NOTE : If you are maintaining the public and private keys in the default path (E:\usr\sap\<SID>\<SAP instance>\sec), you can avoid the extra module configuration step for the PGP module that specifies the path of the keys.
Issues faced while testing :
1. Algorithm negotiation failed : SFTP error
This will trouble you a lot while dealing with PGP encryption. The most common cause is that your JCE (Java Cryptography Extension) policy files are not updated. The default JCE policy only allows key sizes up to 128 bits, while PGP keys are generated with a size of at least 1024 bits, so you need to update the JCE policy files in your JVM (for help please refer to: https://blogs.sap.com/2012/07/12/b2b-adapters-updating-to-jce-unlimited-strength-jurisdiction-policy/).
To check your JCE policy and allowed key size, please use the below link :
If the above check shows that keys with a size of more than 1024 bits can be used, then for further troubleshooting you can use another tool, Wireshark, which helps determine the exact compression, signing and encryption algorithms used at the target SFTP server, so that you can modify the encryption module parameters accordingly. (I faced the same issue: the algorithm negotiation error was shown although my JCE policy files were correctly updated, and troubleshooting with Wireshark later helped me understand that the issue was caused by a compression algorithm. Sometimes the error doesn't point you directly in the right direction.)
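The comparison that Wireshark makes possible can also be done offline. The following is an added example, not part of the original post or of any SAP code: it assumes the failure arises in the SSH key-exchange offer (SSH_MSG_KEXINIT, RFC 4253), parses the client and server offers, and reports the categories with no common algorithm. The short field labels, function names and sample offers are constructed for illustration; a payload here starts at the message-type byte.

```python
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Decode an SSH_MSG_KEXINIT payload into {field: [algorithm, ...]}."""
    if len(payload) < 17 or payload[0] != 20:      # 20 = SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}                            # skip type byte + 16-byte cookie
    for field in FIELDS:
        length = int.from_bytes(payload[pos:pos + 4], "big")
        start, pos = pos + 4, pos + 4 + length
        if pos > len(payload):                     # length prefix or names cut off
            raise ValueError("truncated in name-list " + field)
        names = payload[start:pos].decode("ascii")
        lists[field] = names.split(",") if names else []
    return lists

def negotiate(client: dict, server: dict) -> dict:
    """First client-preferred algorithm the server also lists, per field (None =
    no overlap). Simplified for kex/host_key, where RFC 4253 adds conditions;
    the language lists are skipped because they are normally empty."""
    return {f: next((a for a in client[f] if a in server[f]), None)
            for f in FIELDS if not f.startswith("lang")}

def mismatches(client_payload: bytes, server_payload: bytes) -> list:
    """Fields for which the two captured offers share no algorithm."""
    agreed = negotiate(parse_kexinit(client_payload), parse_kexinit(server_payload))
    return [f for f, alg in agreed.items() if alg is None]

def build_kexinit(lists: dict) -> bytes:
    """Build a payload for the constructed samples below (all-zero cookie)."""
    body = bytes([20]) + bytes(16)
    for field in FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        body += len(data).to_bytes(4, "big") + data
    return body + bytes(5)        # first_kex_packet_follows = 0, reserved = 0

# Constructed sample offers, not taken from a real capture.
COMMON = {"kex": ["diffie-hellman-group14-sha1"], "host_key": ["ssh-rsa"],
          "enc_c2s": ["aes128-ctr"], "enc_s2c": ["aes128-ctr"],
          "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"]}
CLIENT = build_kexinit({**COMMON, "comp_c2s": ["none"], "comp_s2c": ["none"]})
SERVER = build_kexinit({**COMMON, "enc_c2s": ["aes256-ctr", "aes128-ctr"],
                        "comp_c2s": ["zlib"], "comp_s2c": ["zlib"]})

if __name__ == "__main__":
    print("no common algorithm for:", mismatches(CLIENT, SERVER))
```

With these sample offers only the two compression lists fail to overlap, the kind of mismatch that the generic negotiation error does not name.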
2. For message Transformation bean
Previously, I used StructXML2Plain as the conversion type in my parameter list for converting the XML to .csv file format. The issue I faced was that the fields in my structure were getting populated as the first row in the target .csv file, which was not needed as per the requirement. To overcome this, I used SimpleXML2Plain as the conversion type and introduced a new parameter “xml.addHeaderLine” with value ‘1’, which helped me overcome it at the receiver channel. The same was achieved at the sender channel by introducing two parameters: “xml.processFieldNames” with value “fromFile” and “xml.documentSkipFirstRows” with value “1”.
- Receiver determination
- Interface determination
- Receiver agreement