Though the concept had been very familiar among many, I couldn’t find a straight forward guide for implementing Key-based authentication, when I looked for. Thereby, I am blogging this article for those, who would be interested in implementing the same.
SAP PI 7.1;
Seeburger sFTP Adapter;
Open-SSL Key tool;
Key Words & Extensions:
.p8 (Private Key without Cert from PI Key store), .p12 (Private Key with Cert from PI Key store), OpenSSL (Platform to Convert/Generate Keys), .key (OpenSSH format), PEM (OpenSSH Private Key from .p8), PUB (OpenSSH format from .key)
- Understanding of SSH connectivity;
- Developments in PI is already completed;
- Able to handle SAP PI Key Store Manager carefully & safely;
- Downloaded & Installed Open-SSL tool kit for Key conversion;
- Downloaded Putty-Gen software for generating Public Key;
- Firewalls opened between SAP PI and the communicating party;
There are three sections in implementing this scenario.
Open SAP PI Net weaver administrator. (http://hostname:port/nwa)
Generate a Certificate & Key-Pair in SAP PI Key store manager, using ‘CREATE’ option.
A Certificate & Key has been generated as shown below.
Post-generation, click on ‘Export to File’ option:
When prompted for a paraphrase, provide one, that’s easy for you to remember.
Rename the file from ‘Test.P12’ to ‘Test.PFX’.
As the public key needs to be supplied to the SSH-enabled communicating party (sFTP server), this has to be extracted from the file ‘Test.PFX’.This process involves the following steps:
Extract ‘.PEM’ private key from ‘.PFX’
Extract ‘.KEY’ Open-SSH private key from ‘.PEM’
Extract ‘.PUB’ from ‘.KEY’ using Putty Key-gen. (this could be achieved from an OpenSSH platform as well)
Open the Open-SSL tool kit downloaded earlier.
Follow the above steps & refer the screens provided below.
Now you must have the following files available with you:
- The last part is to supply the public key in the sFTP server.
- Go to the root folder of the user account & check for the folder ‘.ssh’, if it’s not available, then create one.
- If it’s available, check for file ‘authorized_keys’, if it’s not available, then create one.
- This is tricky step where the format of the public key needs to be changed.
- The public key usually looks like:
- This has to be aligned to a single line, prefixed with term ‘ssh-rsa ’ (without apostrophe) & can have a comment at the end of the line. Something like this ssh-rsa bidhfojlakejefdoelr== user@hostname
- Now, place the line in the ‘authorized_keys’ file in the sFTP server.
- For general reference, this will how a open-ssh private key look like:
Key-based Authentication is now implemented successfully. Test your interface. If everything as given above is followed properly, your scenario must work.
No more ‘User Locked’ issue. Good Luck…
Watch this space for: HOW TO IMPLEMENT KEY BASED AUTHENTICATION IN SEEBURGER BUSINESS INTEGRATION SERVER SOON…
P.S.: This could be implemented using ‘.p8’ file as well.
Credits: Christan Van Mook, Srikanth Srinivasan