cancel
Showing results for 
Search instead for 
Did you mean: 

FTPS channel configuration queries

former_member637026
Participant
0 Kudos
444

Hi Experts,

I am using FTPS for the first time so have some questions: SAP PI 7.1 version:

>Where exactly should I ask Basis to keep the X.509 public certificate(which I have got from the third party system) in certificate keystore? Can you please share the navigation path in certificate keystore?

>In FTPS channel, what value has to be configured in "Keystore" and "X.509 Certificate and Private Key" ?

Thanks in advance, Surya

Accepted Solutions (1)

Accepted Solutions (1)

JaySchwendemann
Active Contributor
0 Kudos

I think there's a misunderstanding, on whether you are doing mutual /client certificate authentication. I think you are not 🙂

When you got the "public certificate" from the FTPS host party, that's most probably a server certificate of that FTPS host. You must then import that to TrustedCAs (providing you are not already trusting a matching root CA). Depending on your policy you will want to import the whole chain including the server certificate or only the root certificate or root and one or several issuing certificates.

What you would not want to chose then is "Use X.509 certificate for client authentication" in the FTPS receiver channel. Remember you only got the "public certificate" (that being the public key of the server certificate) from the FTPS host party, right? For any means of authentication, they'll need to send you either a user / pw, or a separate client certificate or the FTPS host may accept anonymous authentication.

If you are doing mutual / client based authentication, you will put the client certificate to a separate Keystore view (use an existing one (but not TrustedCAs and not the server's own views) or create a new one - when in doubt, create a new one). You will then specify that keystore view in the FTPS channel. You will also need the FTPS hosts server certificate in the TrustedCAs.

former_member637026
Participant
0 Kudos

Hi Jens,

I am new to PI, so need more details here:

All the details which I have got from the external third party for FTPS connection are:

HostName,

IP,

Port as TCP 990,

UserName,

Password,

Folder details+FileName and

X.509 Certificate

Kindly let me know what configuration I have to do in FTPS channel?

Should I check the option of "Use X.509 certificate for client authentication" in the channel? If yes then what should be given in "Keystore" and "X.509 Certificate and Private Key" in the channel?

What should I do with the X.509 certificate that is given to us?

Thanks in advance, Surya

JaySchwendemann
Active Contributor
0 Kudos

I think I me and the other participants already answered a great deal of those questions 🙂 In short

  • My relatively educated guess is you are not doing client authentication. You are doing basic authentication
  • You should not check "Use X.509 certificate for client authentication"
  • You will provide username and password in the respective fields of the receiver FTPS channel
  • You will import the X.509 certificate to your PI's TrustedCAs Keystore
  • When in doubt, ask the external party, which form of authentication they are offering (best bet would be they're offering basic auth)

Sidenote: Beneath the above guesswork, you should be sure about those three things (ask external party if needed):

  • The FTPS server should do explizit authentication. Implicit is not supported: https://launchpad.support.sap.com/#/notes/1554886
  • You should ask about whether data and control connection is encrypted.
  • You should ask about the command order (most of the time it is the default order PI provides but YMMV)
former_member637026
Participant

Thank you so much 🙂

Answers (2)

Answers (2)

0 Kudos

Hi Surya,

it is very easy you can navigate to the below path,

NWA-Certifications&Keys-TrustedCA's

Select Trusted CAs

And click on import entry then it will ask you the entry type(select X.509) and its done.

if it is Certifacate Auth then Use X.509 Certificate for Client Authentication, Set this indicator if the adapter, in contrast to the FTP server, is to use X.509 certificate and public-key cryptography to authenticate itself. The corresponding key/certificate pair must previously be saved in a keystore view of the J2EE server.

there are many blogs and questions already answered on the same.

https://answers.sap.com/questions/5716742/how-to-configure-certificates-for-ftps.html

https://blogs.sap.com/2010/04/13/how-to-configure-ftps-in-file-adapter/

Hope it is helpful for you thank you..

Regards,

Bhaskar.

former_member637026
Participant
0 Kudos

Hi Bhaskar,

Thank you. I could add the certificate in keystore. I did not understand what should be configured in "Keystore" and "X.509 Certificate and Private Key" in the FTP channel. Could you please help me with more detailed explanation.

Thanks in advance, Surya

JaySchwendemann
Active Contributor

TrustedCAs is not the right place to put your client certificates. I think, however, the OP really doesn't do mutual / client certificate based authentication in the first place, see my answer for more.

MetinD
Participant
0 Kudos

Hi Surya,

You have to add view and an entry to import the certificate in netweaver administrator.After that you can select and use the certificate in file adapter.