SHA2 for SFTP with SBOP BI 4.2 SP5

Does anyone know if it is possible for SFTP with Business Intelligence 4.2 to use SHA2 (or SHA256, MD5, etc.) instead of SHA1, which was deprecated years ago? I can't get anyone from SAP to respond to this question with my submitted incident. I can't imagine that there is no way to get SHA2 to work, considering almost nobody allows SHA1 with SFTP anymore. We must have a way to secure outbound transmissions that contain our company's private data. I know I can jump through six hoops to get some automation set up that will provide for this, but SAP absolutely must provide for something more secure than SHA1. That is ridiculous if they do not.

3 Answers

  • Dec 22, 2017 at 03:59 PM

    But the problem is you're not going to find many FTP servers anymore that support SHA-1. Most companies today employ cloud FTP servers owned and hosted by someone else, and they do not have access to modify security settings on those FTP servers. We need to send proprietary data across the internet, so it needs to be secured. The only way to do so through BI is to use SFTP. So unless the receiving FTP server supports SHA-1 fingerprinting, you're just out of luck. And so far I have not found a single SFTP server any of our customers or vendors use that supports SHA-1 fingerprinting. SAP needs to provide another way.


    • It doesn't matter what the SFTP server supports as far as fingerprinting goes.

      All the fingerprint step does is hash a public key presented by the SFTP server before starting a secure connection. The SFTP server has no idea what hash method the client uses. If you can connect to the SFTP server using password authentication from anything, you can connect using BI.

      PuTTY, WinSCP and a lot of other tools use MD5 for this hash; BI uses SHA-1.

  • Dec 21, 2017 at 10:10 PM

    Correction to what Denis replied.

    We still use SHA-1 for hostname fingerprinting in 4.2 SP04/SP05.

    MD5 is significantly LESS secure than SHA-1 and is still used with PuTTY, WinSCP, the Linux sftp command line, etc.

    The purpose of the fingerprint is solely to identify the machine you're connecting to. There is no authentication or data encryption with the SHA-1 hash.

    The hash is ONLY useful for that purpose. As a hash, it cannot be used to retrieve any data, and the data the hash is based on is publicly available anyway if you can reach the sftp machine.

    For data transfer, it uses one of the ciphers to encrypt data, based on what the SFTP site provides.

    See this KBA:
    https://launchpad.support.sap.com/#/notes/2313938

    Regards,
    Leslie

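As an added example (not SAP's code and not posted by anyone in this thread), the fingerprint step Denis and Leslie describe: the client hashes the host key blob the server presents, so MD5, SHA-1 and SHA-256 fingerprints are all derived from the same key bytes and the server has no say in which one the client checks against its pinned value. The sample key bytes are constructed, and showing BI's SHA-1 value as plain hex is an assumption; the page does not state BI's display format.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample host key line in OpenSSH format (32 arbitrary bytes, not a real server's key).
SAMPLE_HOST_KEY = "ssh-ed25519 " + base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
).decode()


def parse_openssh_key(line):
    """Return (key_type, raw_blob) from an OpenSSH public key line.

    The raw blob is exactly what an SSH client hashes to produce the fingerprint
    it shows you (or compares against a stored one) before authenticating.
    """
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob embeds its own type string; check it agrees with the text prefix.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type in blob does not match prefix")
    return key_type, blob


def fingerprints(blob):
    """All three fingerprint styles computed from the same host key blob."""
    return {
        # PuTTY / WinSCP style: colon-separated hex MD5 digest.
        "MD5": ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest()),
        # SHA-1 as BI 4.2 compares it (hex display is an assumption here).
        "SHA1": hashlib.sha1(blob).hexdigest(),
        # OpenSSH default: base64 SHA-256 without padding.
        "SHA256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }


def _normalize(fp, algo):
    if algo == "SHA256":
        return fp[len("SHA256:"):] if fp.startswith("SHA256:") else fp
    return fp.replace(":", "").lower()


def verify_fingerprint(blob, expected, algo="SHA1"):
    """Client-side pin check: does the presented key hash to the value recorded out of band?"""
    actual = _normalize(fingerprints(blob)[algo], algo)
    return hmac.compare_digest(actual, _normalize(expected, algo))
```

Regardless of which algorithm the client pins, the server only ever sees the key exchange; a fingerprint mismatch means the presented key is not the one you recorded and the transfer should not proceed.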

  • Dec 21, 2017 at 09:11 PM

    BI 4.2 SP4 no longer uses SHA-1, so it should be possible from that version on.
    I haven't tested this myself, but I don't see why not. And if it can't, it should.
