2 weeks ago
The unilateral move by SAP to fix the port number for third-party SFTP servers to port 22 is breaking a company-wide architecture that has been in place for more than 7 years:
we have a Prod architecture hosting business data on the company SFTP server accessible on port X1X22, and a test architecture hosting test business data on the company SFTP server accessible on port X2X22.
Until H2 2023 we were able to keep the test architecture working on port X2X22, but due to an instance refresh the connection was removed in test, and we are unable to recreate the SFTP integration on port X2X22 despite SAP having these exceptions available in its network architecture.

Can SAP agree to put in place a standard support request where long-time customers can request that an EXISTING connection be set up again in the preview datacenter so that standard testing works again?

The standard response given by SAP support:
- just change your SFTP server for another SFTP server is not compatible with large corporations with strict & closed architecture principles.
- spreading business data across SFTP servers due to lack of customer care is also not a good principle or practice.

is not satisfactory.

An alternative solution would be to support, in the Multiple Destinations selection in Integration Center, an SFTP server with a port number different from 22: we have proactively created those entries in Prod, but unfortunately after the refresh those values can't be selected.

Hi,
Integration Centre does not support ports other than 22 for any new integrations. This is due to security reasons.

HXM Security Governance requires the use of the standard port (SFTP/22) for SFTP-type connections. Using a non-standard port provides no real security protection and is only an example of Security Through Obscurity (https://en.wikipedia.org/wiki/Security_through_obscurity) which has been thoroughly discredited as a...

Having a non-standard port assignment increases HXM's risk (e.g., increased configuration complexity, increased management, etc.) and on the other hand does not decrease the risk to the customer. Targeted attacks will mostly start with reconnaissance, as part of which any service running on any port will be discovered.

Alternatively, IP whitelisting on the customer's SFTP side and other effective security controls (e.g., anti-brute-force mechanisms, multi-factor authentication, etc.) add real security and render the concern of an increased attack surface invalid.

Please let us know if you need any further information.
Thank you,
Regards,
Pavana
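
The controls named in the reply above, sketched as an OpenSSH `sshd_config` fragment for a customer-side SFTP server listening on port 22. This is an added example, not part of the thread and not SAP's or the customer's configuration; the account name `sapxfer`, the source range `203.0.113.0/24` (a documentation range standing in for the integration's egress addresses) and the chroot path are placeholders, and it assumes the connecting client can present both a key and a password.

```conf
# /etc/ssh/sshd_config (fragment) -- constructed example, placeholder values

# Standard port; the controls below do the protecting, not the port number.
Port 22

# IP allowlisting: the transfer account is accepted only from the
# integration's source range (placeholder CIDR). Other users and sources
# are refused because AllowUsers is an allowlist.
AllowUsers sapxfer@203.0.113.0/24

# Anti-brute-force: few attempts per connection, a short login window, and
# early random drop of unauthenticated connections under load.
MaxAuthTries 3
LoginGraceTime 30
MaxStartups 10:30:60

# Two factors for the transfer account: a key AND a password must both
# succeed (assumes the client supports sending both).
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
PermitRootLogin no

# In-process SFTP server, so a chrooted account needs no shell or binaries.
Subsystem sftp internal-sftp

# Confine the account to file transfer inside its own directory.
Match User sapxfer
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
```

Running `sshd -t` checks the file for syntax errors before the daemon is reloaded; the chroot directory must be owned by root and not writable by any other user.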