SAP XI support SFTP and FTPS?

Hi Gurus,
  I would like to find out if SAP XI supports both SFTP and FTPS. If yes, how do I perform the configuration?
Thanks in advance.

Business Case:
In many implementations Business requirement is to "secure" the file/data transfer between XI and any third-party system. So there is a need of secured connection between XI/PI and any file based third-party legacy systems.
Following solutions are proposed to cater secure connection between XI/PI and any third party systems.
1) SFTP (Secure File Transfer Protocol)
"SSH File Transfer Protocol" or SFTP is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with the SSH-2 protocol to provide secure file transfer. SFTP encrypts the session, preventing the casual detection of username, password or anything that is being transmitted. One key benefit to SFTP is its ability to handle multiple secure file transfers over a single encrypted pipe. By using a single encrypted pipe, there are fewer holes in the corporate firewall.
2) FTPS (FTP over SSL)
FTPS (FTP-SSL) is a real ftp that uses TSL/SSL to encrypt the control session and if required the data session. With FTPS, the control session is always encrypted, but the data session may not be always encrypted. FTPS is a file transport layer on top of SSL. SSL, or Secure Sockets Layer, is a method by which an encrypted u2018pipe' or tunnel is established between the FTP client and FTP server. Once the secure tunnel has been established (which is done using 128-bit encryption techniques), standard FTP is used to transfer data over the secure connection.
Feasibility of SFTP and FTPS in XI:
SFTP:
As per the latest SAP PI/XI support pack, it does not support SFTP via File Adapter.
So alternative approach to cater this requirement from XI is to make use of Unix Script at OS level to transfer the files from/to third-party systems.
Inbound Interface - i.e. third-party system ->XI->SAP:
      File is transferred to a folder in SAP XI landscape from the third-party legacy system using UNIX Script with secured protocol. Once the file is ready in the XI landscape, File Adapter will poll this directory and file is picked up by NFS protocol.
Outbound Interface u2013 i.e. SAP->XI->third-party system:
      XI is responsible for writing a file into a folder in the XI landscape. These files are transferred to the third-party system by executing UNIX scripts with secured protocol i.e. via sFTP.
Pre-Requisites:
Public key should be exchanged between external systems and the PI system.
UNIX shell script has to be developed and scheduled.
Advantages:
Highly Secured.
Ability to handle multiple secure file transfers over a single encrypted pipe .By using a single encrypted pipe, there are fewer holes in the corporate firewall.
Disadvantages:
Two-Step process i.e. XI>Temporary folder>External System and vice-versa
Files have to be temporarily stored in XI server.
Multiple failure points i.e. XI and Unix script execution
Maintenance of an external UNIX script.
Difficulty in monitoring the execution of the shell script as it cannot be monitored thru XI.
Need to generate keys and install it in the SFTP site as a pre-requisite i.e. SFTP clients must install keys on the server.
SFTP uses keys rather than certificates. This means that it can't take advantage of the "chains of trust" paradigm facilitated through Certificate Authorities.
Files from the XI server should be deleted/archived in a periodic manner to increase the disc space so that it will increase the performance.
Note: UNIX shell Script can be executed as a background job u2018or' can be triggered from SAP XI through OS command at File adapter level.
FTPS (File Transfer Protocol Using SSL/TLS):
This is a built-in feature of File adapter in XI. But SAP Java Cryptographic Toolkit must be deployed as a prerequisite. (Refer to note https://service.sap.com/sap/support/notes/821267 Question 28). By default following ports are used:
Implict FTPs 990 (Control) and 989 (Data)
Explicit FTPs 21 (Control) and 20 (Data)
Both use cases can be combined with active and passive mode.
Advantages:
Direct transfer of files to/from third-party systems. It is not required to store the files in the XI server temporarily.
Built-In feature from XI File adapter
No extra effort in development and maintenance of Unix Script.
Centralized Monitoring tool from XI
FTPS uses certificates and therefore can take advantage of "chains of trust" paradigm facilitated through Certificate Authorities. This paradigm makes it possible for two entities to establish a trust relationship without directly exchanging security information, which is important for some applications.
Disadvantages:
Requires opening multiple ports forenabling SSLin the firewall. So there are multiple holes in the corporate firewall.
Not every FTP server supports FTPS and many that do, require a configuration change to activate the FTPS protocol extension.
Cryptographic toolkit should be installed in XI system though it is not very complex or expensive.
Conclusion:
Though SFTP seems more secure as it works through one port, FTPS is easier to configure, monitor and maintain from XI point of view. However, the decision depends on many parameters like, cost/effort, flexibility in use, ease of maintenance, company security policy, failure possibilities etc.
regards
kummari

Similar Messages

  • SFTP and FTPs with jsse

    Is it easy to implement the sFTP and FTPs with JSSE API? If it is, can anybody give me an sample for each of them?
    Can any kind of you show me some open source ftp client libraries which support secure ftp? Thank you very much!

    Is it easy to implement the sFTP and FTPs with JSSE API?On the contrary, it is impossible to implement SFTP with the JSSE API. What you need is an SSH API.
    You can implement FTPS with the JSSE API.

  • DW on Mac, CS3/CS5 using SFTP and/or FTP, need it secure!

    Folks:
    DW CS3 or CS5 running on an quad-Intel iMac, 10.6.4, connecting to a host that uses identical credentials for SFTP and FTP.
    It's important to be assured that the connection is in fact secure.
    If you set  "connect using SFTP" will DW CS3 complain if the connection cannot be made securely?  Will DW then default to ordinary, insecure FTP?  If so, will DW inform you?   Is there an easy way of verifying the current connection mode, SFTP or FTP, within DW? (The FTP connection log does not say.)  Is there an easy way of doing it in MacOS or with a simple utility? (Can be done, but not conveniently, with L'il Snitch.)
    Is DW CS5 any different?
    TIA,
    hen3ry

    Folks:
    Problem solved.
    It's clear that FTP and SFTP are fundamentally different protocols, but the DW protocol selection strongly implies similarity by offering SFTP as a minor option under the main selection of FTP.    I think it would be much clearer if SFTP were offered as a major option -- and then there would be an opportunity for offering SFTP options, too.
    Here's a way of distinguishing which of these two is active:  Connecting to the target site using FTP results in a succession of text entries in the optionally viewable FTP log  -- no surprise.   I discovered that connecting to the same site with the same credentials and the addition of checking the "Use SFTP" option results in only line feeds --scrolling, but no visible text-- in the FTP log window.  I guess that's a reasonable though a bit indirect way of informing users that the link is active and secure.   (What does one do to diagnose problems with SFTP for hosting services that don't support FTP?  I don't know there are such services but it should be the great majority of them.)  Works in DW CS3 but I didn't check CS5.
    Another option, untested but fairly obvious:  It's fairly easy these days to control host s/w (personal) firewalls -- even for low-tech users.  Establish and verify a link to your server using SFTP, then disable FTP; the link should fail.  And vice-versa.  This meets my specification of "simple" and should be  available with no extra expense and little trouble.
    Brief Editorial:  From the recent reading I've done on FTP versus SFTP,  it is clear that the time to discontinue all support for FTP  is long past.
    hen3ry

  • Does SAP support work and motion study

    Does any of the SAP module supports Time and motion study analysis. Something like the "Maynard Operation Sequence Technique (MOST)"

    Yes..I got a reply from SAP. It is valid for ECC 6 too.

  • Does SAP HANA supports JCo to call BAPI RFC's and to receive IDocs?

    Hi,
    We are using a WSO2 ESB to integrate our SAP 4.7 version system with SalesForce.com and as part of this integration we use JCo libraries to receive IDoc's and to execute RFC's from ESB.
    This year we are planning to migrate our SAP environment to SAP HANA and wondering if SAP HANA supports the JCo libraries? or is there any changes in the implementation how we use JCo libraries?
    Thanks in advance.
    Regards,
    Venkat

    BAPI_TRANSACTION_COMMIT doesn't have two import parameter, please check

  • Does Interconnect FTP Adapter support SFTP/SSH?

    Does Interconnect FTP Adapter support SFTP/SSH?
    Thanks!
    -mb

    No it doesn't!
    Actually, FTP adapter in BPEL support secure FTP (FTPS, FTP over SSL), but only on Solaris platform if believe documentation.
    You can try to connect BPEL FTP adapter to InterConnect using new JCA adapter (in IC 10.1.2.0.2), but I'm not sure wether BPEL FTP adapter is JCA-compatable or not (since it is not in Oracle AS adapters package but inside BPEL)...

  • Role and responsibilities of SAP BW support consultant

    Hi Guru's,
    What is the Role and responsibilities of SAP BW support consultant?
    Regards,
    Sabari kannan.S

    XI Architect:
    He plays the role in the analyzing the landscape for which XI will be used...will take the special not on the number for legacy systems involved...type of system...how much amount of data will flow what has to be taken care for better performance etc........
    1. Design the XI for the currentl lanscape for high performance...
    2. Idebtiy the bottle necks which can appear.
    3. understanding the busnies requirement withrespective to XI
    4. Configure the XI according to the standrds
    5. Lays ground rules on the developemtnenv till golive.
    6. what's the good appproach of design when systems like CRM,BW etc are invloved.
    7 tranports methods till  production and so on

  • Re: Support project and Production Support Project in SAP

    Hi,
    What are the differences between a Support Project and a Production Support Project in SAP.

    Hi
    Both are same.
    Thanks/Karthik

  • When will UniverseDesigner support SAP ERP Tables,InfoSets and ABAP Func. ?

    Hi there,
    to the SAP guys in this Forum to keep the rumour mill running: is it planned to extend the connectivity of the Universe Designer to access to SAP ERP Tables, Infosets and ABAP Functions ?! Is there any date when this will happen ?!
    Thanks,
    Sebastian
    Edited by: smenzl on Apr 15, 2010 9:08 AM

    Hi,
    if you need an official statement i would recommend you open a SAP OSS Message for that.
    Regards
    -Seb.

  • Using SFTP with FTP Adapter: The SSH API threw an exception.

    Our SOA suite veriosn is 10.1.3.4.
    We have to get the file from SFTP server and put it on the SOA Server. (SFTP and SOA server are running in different machine)
    If Incoming file and outgoing file directory is located in SFTP server..GET and PUT operations works fine.
    but if I give Incoming File location = <SFTP location>... and Outgoing file location = <SOA server location>... I get the below error...
    <2011-01-28 01:45:51,043> <ERROR> <default.collaxa.cube.ws> <AdapterFramework::Outbound> file:/C:/OracleAS_1/bpel/domains/default/tmp/.bpel_FTPTest_1.0_f57b8d368277e2d025bfbd2992350d66.tmp/put.wsdl [ Put_ptt::Put(opaque) ] - Could not invoke operation 'Put' against the 'FTP Adapter' due to:
    ORABPEL-11445
    The SSH API threw an exception.
    The SSH API threw an exception.
    Check the error stack and fix the cause of the error. Contact oracle support if error is not fixable.
    <2011-01-28 01:45:51,043> <ERROR> <default.collaxa.cube.ws> <AdapterFramework::Outbound> file:/C:/OracleAS_1/bpel/domains/default/tmp/.bpel_FTPTest_1.0_f57b8d368277e2d025bfbd2992350d66.tmp/put.wsdl
    [ Put_ptt::Put(opaque) ] - Rolling back JCA LocalTransaction
    <2011-01-28 01:45:51,043> <ERROR> <default.collaxa.cube.ws> <WSIFInvocationHandler::invoke> Fault happened: file:/C:/OracleAS_1/bpel/domains/default/tmp/.bpel_FTPTest_1.0_f57b8d368277e2d025bfbd2992350d66.tmp/put.wsdl [ Put_ptt::Put(opaque) ] - WSIF JCA Execute of operation 'Put' failed due to: The SSH API threw an exception.
    The SSH API threw an exception.
    ; nested exception is:
         ORABPEL-11445
    The SSH API threw an exception.
    The SSH API threw an exception.
    Check the error stack and fix the cause of the error. Contact oracle support if error is not fixable.
    anyone can offer any help?
    Thanks,
    AB
    Edited by: AB on Jan 28, 2011 3:38 AM

    Hi,
    Thanks for the reply.
    As per client's requirement, we shouldn't be using java service for this functionality.
    And as you said, the oracle adapters are not taking anywhere, but guess have no other choice..
    Cheers,
    Varun

  • FTPS Sender and FTPS Receiver adapter. Pls help

    Hi All,
    I need to make file to file scenario with secure connection
    I am using FTP Sender and Receiver Adapter with Connectivity
    as FTPS.
    Please let me know the steps I need to do for this
    1. Integration Directory
    2. If I need to generate certificates what steps I need to do:
        a. How to generate certificates
        b. Where to install these certificates like File Servers, XI
            Server etc.
    3. How to use these certificates in File Server, Integration
       Directory etc.
    Please send me a document to do all steps.
    In advance thanks and Full Points will be awarded.
    Regards

    Hi,
    Deploy SAP Java Cryptographic Toolkit.&
    Add the CA certificate to the key storage as below.
    Keystore: service_ssl
    X.509 Certificate & Private Key: ssl-credentials
    This means that you need to import the CA hierarchy of your FTPs server certificate into the list of trusted CA's in XI ( either on J2EE side in the keystore service or in ABAP side via transaction STRUST , depending on where your client is ).
    If connection security parameter in communication channel for Sender FTP Adapter is set to "FTPs( FTP Using SSL/TLS) with Control Connection" only, file gets successfully created with data at the FTP server but as soon as we switch the connection security parameter to "FTPs( FTP Using SSL/TLS) with Control and Data Connection".The initial handshaking happens successfully and file gets created at the FTP Server but its empty, connection fails when attempt is made to write data into file and we end up with said error thereby closing the connection.
    SAP Note 821267
    Refer below link
    SAP Network Blog: SFTP vs. FTPS in SAP PI
    /people/krishna.moorthyp/blog/2007/07/31/sftp-vs-ftps-in-sap-pi
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/400580c1-8d16-2a10-3eb3-ec1026dae0d5

  • Sun 7210 Storage System - SFTP and Active Directory

    Good Afternoon
    I have recently acquired a Sun 7210 Storage System which I have joined to my Microsoft Windows Active Directory domain. I have also specified the required LDAP Directory Service details under the Configuration tab. I am fairly sure these are correct as I can add a Directory user to the Users part of the device.
    What I am having problems with is having my Windows A/D users connect to their shares via either HTTPS or SFTP. They are able to use the shares fine with CIFS and/or NFS.
    The only user that can connect with SFTP and HTTPS it the local "root" user on the appliance.
    Do people know if Directory users are able to use SFTP and HTTPS to access shares?
    My current O/S on the 7210 is 2009.04.10.1.1,1-1.9.
    Thanks in advance for any advice/help.
    regards
    Stephen Meatheringham
    College of Asia & the Pacific
    Australian National University
    E: [email protected]

    Stephen,
    I ran into this same issue yesterday with SFTP. Unfortunately the answer is that the storage system does not authenticate to AD for local logins (for which FTP, SFTP, HTTP qualify). I placed a support call yesterday to Sun on this matter and was given this information as well as the fact that there are no current plans to do so.
    You have taken the functionality one step further by "tricking" the system into using AD as LDAP. I'm not sure it's truly compatible, but that was my next step as well. I was also going to experiment with creative id maps to see if I could make it work. Unfortunately, I've found that if you take the system too far from it's designed use, strange things can happen. I'm not sure that is a chance I want to take with home directories or other "secure" information.
    Let me know how you fare and I'll do likewise.
    Eric

  • What is the difference between SAP NW PI7.1 and PI7.1 EHP1

    We have a customer using SAP PI7.1 EHP1. The application to be deployed
    isdeveloped on SAP Netweaver PI 7.1 SP06.
    We need to know if application developed and transported from PI7.1 is
    compatible with EHP1?
    Below are the Components used by the application .
    1) SSL communication using SOAP adapter
    2) Java mapping , Graphical mapping , XSLT mapping
    3) Customised EJB modules
    4) Adapter framework
    5) ALE layer for IDoc communication from ERP to PI
    6) RFC lookups to PI system and ERP system.
    Questions
    1)Will PI EHP1 be able to communicate with PI7.1 using SOAP adapter ?
    2) What is the difference between SAP NW PI7.1 and PI7.1 EHP1 ?
    Regards,
    Sneha

    Hi,
    EHP Pi7.1 new
    IPv6 Support in SAP Systems (new)
    Async/Sync and Sync/Async Bridge in the JMS Adapter (New)
    High Availability (New)   Locate the document in its SAP Library structure
    Use
    A new concept is available for setting up a high availability environment for SAP NetWeaver Process Integration (PI). To do this, you need SAP Web Dispatcher for load balancing, and you must reconfigure your HTTP, RFC, and RMI connections so that they can be used for load balancing. You must also make various configuration steps in other components of your PI environment.
    [Level 4: Document: XML to Text Conversion Module (New)] XML to Text Conversion Module (New)
    Message Packaging (New)
    Monitoring Milestones (New)   Locate the document in its SAP Library structure
    Use
    You can use the new scenario variant Monitoring Milestones of the Business Process Management scenario to define a monitoring process that can monitor events from different applications. A monitoring process can subscribe to events from SAP or non-SAP systems.
    check  given Link
    http://help.sap.com/saphelp_nwpi711/helpdata/en/61/8c3842bb58f83ae10000000a1550b0/frameset.htm
    Regards,
    Amit

  • SAP BI 7.0 and BO XI 3.1 Integration Problems

    Hi everyone,
    After following through every step of:
    Re: Checklist for SAP BI 7.0 and BO XI 3.1 integration - Challenges
    I still get the following problems:
    1. Unable to find SAP in CMC Authentication
    2. At the login page of InfoView, I can select SAP as authentication method. However, after inputting the login information, I get the "The plugin secSAPR3 does not exist in the CMS (FWM 02017)"
    3. I was able to create a new connection in Designer to connect to SAP BW, and select one of the existing cubes. After uploading the Universe, I created a new Web Intelligence document and dragged couple of objects into Result Objects. After clicking Run Query, I get the following:
    A database error occured. The database error text is: The MDX query SELECT { [Measures].[0BBP_BILITM] } ON COLUMNS FROM [$0BBP_C01] failed to execute with the error See RFC trace file or SAP system log for more details. (WIS 10901)
    Even tried:
    Webi Stucks while trying to create report with BW7.0 (WIS 10901)
    and still no luck.
    Here's the environment information:
    Installed (In Order):
    1. BOE XI 3.1
    2. Xcelsius 2008
    3. LIVEOFFICE
    4. SAP GUI 7.0
    5. Crystal Report 2008 with SP1
    6. BO JCo
    7. BO Integration Kit for SAP
    Any help will be appreciated, thanks in advance!!
    David

    Hi Ingo,
    I've noticed that in your step by step manual, you are using BO XI 3.0. So I created a Virtual PC with Windows Server 2003, and installed BO XI 3.0, SAP GUI 7.0, Java Connector, BO Integration Kit for SAP.
    Without any errors nor issues, now I see "SAP' in CMC's Authendication (not the login). So now I can assume it's because BO Integration Kit only supports BO XI 3.0 and consider it solved?
    However, I still get the same error as my 1st post:
    3. I was able to create a new connection in Designer to connect to SAP BW, and select one of the existing cubes. After uploading the Universe, I created a new Web Intelligence document and dragged couple of objects into Result Objects. After clicking Run Query, I get the following:
    A database error occured. The database error text is: The MDX query SELECT { Measures.0BBP_BILITM } ON COLUMNS FROM $0BBP_C01 failed to execute with the error See RFC trace file or SAP system log for more details. (WIS 10901)
    or
    A database error occured. The database error text is: The supplied XML is not valid. [0COMP_CODE].[LEVEL00]. (WIS 10901)
    Any ideas?
    David

  • Installation of SAP Business One client and required administration rights

    Dear community,
    I would like to kindly ask you for your feedback on the installation of SAP Business One client and its patches on end-user computers.
    The pain points I have heard so far are the following:
    - The installation of SAP Business One client and its patches has to be started by a user with administrator rights.  As far as I know (and please correct me if I am wrong), this is also required in case of installation of any other software.
    - End users usually do not have administrator rights and therefore the SAP Business One clients have to be manually upgraded by administrator.  This is time consuming (and therefore costly) activity.
    We are considering to design a new solution which would overcome the above limitations.
    I would like to confirm with you if my understanding is correct:
    Question 1:
    Is it a common situation that the end-users of SAP Business One client do not have administrator rights and therefore cannot install the patches of SAP Business One client by themselves?
    If yes, how do you resolve this currently?
    Question 2:
    Do you use Microsoft System Center Configuration Manager or Active Directory (or any other 3rd party solution) to automatically distribute software packages and updates to client PCs at your customers?
    Question 3:
    If the SAP Business One client installation (and its patches) is delivered as MSI package with silent installation capability, would you be able to automate the deployment of B1 client updates to client PC using the abovementioned technologies? Or can you still see some obstacles?
    Thank you
    Best regards
    Jan Ruzarovsky
    SAP Business One Product Management

    Dear all,
    Thank you very much for your comments, very helpful!
    @Marco - SAP Business One 8.8 client currently does not support the silent installation / upgrade. However we are currently considering this requirement and we would like to deliver it as soon as possible.
    We are currently considering several possible designs. One of them is as follows:
    1. A new SAP Business One Updater Service will be installed on each client workstation.
    It will be a windows service installed and running under a local system account.
    2. The updater service will check regularly if there are any new patches of SAP Business One client or add-ons uploaded to a configured shared directory.
    3. If a new patch is found in the shared directory, the updater service will SILENTLY install the new patch (add-ons, SAP Business One) on the client workstation.
    The service would be able to install patches even if nobody is logged in.
    Questions:
    If we consider the above design, there are a few open topics:
    1. During the upgrade of the SAP Business One server, the client patches (and SAP add-on patches, partner add-ons) would be placed to a SHARED directory instead of into SBO-Common (as it is implemented currently).
    - Does this have any impact on your tools, processes or add-ons?
    2. SAP Business One upgrade wizard will put the latest patch of SAP Business One client into a configured shared directory. The shared directory will have to be read-only for everybody in the network to avoid that the valid installation files are replaced by malware or virus infected files
    - Can you configure such a shared directory? 
    From customer perspective, if a new patch is put into the shared directory, the updater service can behave as follows:
    1. Manually initiated upgrade of the client
    Example: Customer starts the old (not upgraded) SAP Business One client. The client will inform him/her that a new patch has been found and it has to be installed in order to continue working with the client. After customer clicks "Yes", the upgrader service starts the silent installation of the client and informs customer about the progress. Once the upgrade is finished, the upgraded SAP Business One client will be started automatically.
    2. Automatic update:
       - Update the client automatically (e.g. overnight) if customer is not working with SAP Business One
       - If SAP Business One client is running, ask customer if he/she wishes to upgrade the client now or to delay the upgrade by X minutes.
    Question: Which of the above two scenarios would you and your customers prefer?
    If the upgrade is fully silent, automated and handled by the upgrader service, Is it acceptable for customers to trigger the installation manually and wait till the client is upgraded? Or would they prefer to have the client updated for them e.g. overnight so they can immediately start to work?
    Best regards
    Jan
    Edited by: Jan Ruzarovsky on Sep 29, 2010 9:37 AM

Maybe you are looking for

  • Handling Recurring Journal Entries in BPC 7.0NW

    Hi all, I'm looking for suggestions on handling the posting of Recurring Journal entries in a Legal Consolidation.  I'm new to BPC, and am afraid I don't know the "best" way to do this.  Currently, we are assuming that we would "copy" the previous mo

  • IWeb and guestbook

    Hello to everybody, Thanks in advance for the answers, but do you know how to link to the guestbook installed on my server, in iWeb, without iframes? I want to make a page with iWeb and integrate de guestbook in the middle of the page, but I don't wa

  • Share media and projects?

    Hi, I have a question regarding FCP 6, Xsan/Xserver & project sharing. Is it possible? I've read some things that say people used to be able to with FCP 5 but not 6. Permissions issue and all that. I come from several years of working on avid and sha

  • ITouch will not restore

    Hi, i need some help i recently tried to restore my itouch and an error message keeps popping up. I don't know what to do please help???

  • Submit Button won't work

    I need some help. I put a form on my page in Dreamweaver 8 and my submit button is not sending the data back to my email address. Is there particular settings I need to have this done. Can anyone help me?