
SHA2 for SFTP with SBOP BI 4.2 SP5

former_member430130
Discoverer
0 Kudos

Does anyone know if it is possible for SFTP with Business Intelligence 4.2 to use SHA2 (or SHA256, MD5, etc.) instead of SHA1, which was deprecated years ago? I can't get anyone from SAP to respond to this question with my submitted incident. I can't imagine that there is no way to get SHA2 to work considering almost nobody allows SHA1 with SFTP anymore. We must have a way to secure outbound transmissions that contain our company's private data. I know I can jump through six hoops to get some automation setup that will provide for this but SAP absolutely must provide for something more secure than SHA1. That is ridiculous if they do not.

Accepted Solutions (0)

Answers (3)

former_member430130
Discoverer

But the problem is you're not going to find many FTP servers anymore that support SHA-1. Most companies today employ cloud FTP servers owned and hosted by someone else and they do not have access to modify security settings on those FTP servers. We need to send proprietary data across the internet so it needs to be secured. The only way to do so through BI is to use SFTP. So unless the receiving FTP server supports SHA-1 fingerprinting you're just out of luck. And so far I have not found a single SFTP server any of our customers or vendors use that supports SHA-1 fingerprinting. SAP needs to provide another way.

former_member240871
Participant

It doesn't matter what the SFTP server supports as far as fingerprinting goes.

All the fingerprint step does is it hashes a public key presented by the SFTP server before starting a secure connection. The SFTP server has no idea what hash method the client uses. If you can connect to the SFTP server using password authentication from anything, you can connect using BI.

PuTTY, WinSCP and a lot of other tools use MD5 for this hash; BI uses SHA1.

former_member240871
Participant

Correction to what Denis replied.

We still use SHA-1 for hostname fingerprinting in 4.2 SP04/SP05.

MD5 is significantly LESS secure than SHA-1 and is still used with PuTTY, WinSCP, the Linux sftp command line, etc.

The purpose of the fingerprint is solely to identify the machine you're connecting to. There is no authentication or data encryption with the SHA-1 hash.

The hash is ONLY useful for that purpose; as a hash, it cannot be used to retrieve any data, and the data the hash is based off of is publicly available anyways if you can reach the SFTP machine.

For data transfer, it uses one of the ciphers to encrypt data based on what the SFTP site provides.

See this KBA:
https://launchpad.support.sap.com/#/notes/2313938

Regards,
Leslie
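
The answers above say the fingerprint is computed by the client over the public host key the server presents. The following is an added example (not part of the original thread and not SAP's code) that hashes one key three ways and checks it against a pinned value. The key is constructed for the demo, the helper names are hypothetical, and the colon-separated hex display for SHA-1 is an assumption, since the thread does not say which format BI expects.

```python
import base64
import hashlib
import hmac
import struct


def parse_host_key(line: str) -> tuple[str, bytes]:
    """Parse an OpenSSH public-key line: "<type> <base64-blob> [comment]"."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with an SSH string (uint32 length + bytes) naming the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def fingerprints(blob: bytes) -> dict[str, str]:
    """Hash the same public-key blob three ways, entirely on the client side."""
    def colon_hex(digest: bytes) -> str:
        return ":".join(f"{b:02x}" for b in digest)
    md5 = hashlib.new("md5", blob, usedforsecurity=False).digest()
    sha1 = hashlib.new("sha1", blob, usedforsecurity=False).digest()
    sha256 = hashlib.sha256(blob).digest()
    return {
        "md5": colon_hex(md5),    # legacy display used by older clients
        "sha1": colon_hex(sha1),  # display format is an assumption
        "sha256": "SHA256:" + base64.b64encode(sha256).decode().rstrip("="),
    }


def matches_pin(line: str, algo: str, pinned: str) -> bool:
    """True if the presented key hashes to the fingerprint stored on the client."""
    _, blob = parse_host_key(line)
    return hmac.compare_digest(fingerprints(blob)[algo], pinned)


def make_sample_key(seed: int) -> str:
    """Constructed ed25519-shaped key line for the demo (not a real host key)."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-example"


if __name__ == "__main__":
    presented = make_sample_key(0)
    fps = fingerprints(parse_host_key(presented)[1])
    for algo, value in fps.items():
        print(f"{algo:7s}{value}")
    print("same key matches pin:", matches_pin(presented, "sha1", fps["sha1"]))
    print("other key matches pin:", matches_pin(make_sample_key(1), "sha1", fps["sha1"]))
```

All three values come from the same key bytes, so a server's host key can be checked against whichever format a given client displays.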

denis_konovalov
Active Contributor
0 Kudos

BI 4.2 SP4 no longer uses SHA1, so it should be possible from that version on.
I haven't tested this myself, but I don't see why not. And if it can't - it should.