
Though the concept is very familiar to many, I couldn’t find a straightforward guide for implementing key-based authentication when I looked for one. Therefore, I am writing this article for those who would be interested in implementing the same.

Entities Involved:

  • SAP PI 7.1;
  • Seeburger sFTP Adapter;
  • Open-SSL Key tool;
  • Putty Key-Gen;
  • Text Editor;

Key Words & Extensions:

  • .p8 (Private Key without Cert from PI Key store);
  • .p12 (Private Key with Cert from PI Key store);
  • OpenSSL (Platform to Convert/Generate Keys);
  • .key (OpenSSH format);
  • PEM (OpenSSH Private Key from .p8);
  • PUB (OpenSSH format from .key);

Assumptions:

  • Understanding of SSH connectivity;
  • Development in PI is already completed;
  • Able to handle SAP PI Key Store Manager carefully & safely;
  • Downloaded & Installed Open-SSL tool kit for Key conversion;
  • Downloaded Putty-Gen software for generating Public Key;
  • Firewalls opened between SAP PI and the communicating party;

Procedure:

There are three sections in implementing this scenario.

SECTION-1:

  • Open the SAP PI NetWeaver Administrator (http://hostname:port/nwa).
  • Generate a Certificate & Key-Pair in SAP PI Key store manager, using ‘CREATE’ option.
[Screenshot: SAP PI Key Store Manager]
  • A Certificate & Key has been generated as shown below.
[Screenshots: SAP PI Key Store Manager]
  • Post-generation, click on ‘Export to File’ option:

Test.p8
  • When prompted for a passphrase, provide one that’s easy for you to remember.
  • Download it.
  • Rename the file from ‘Test.P12’ to ‘Test.PFX’. 

SECTION-2:

As the public key needs to be supplied to the SSH-enabled communicating party (sFTP server), it has to be extracted from the file ‘Test.PFX’. This process involves the following steps:

  • Extract ‘.PEM’ private key from ‘.PFX’
  • Extract ‘.KEY’ Open-SSH private key from ‘.PEM’
  • Extract ‘.PUB’ from ‘.KEY’ using Putty Key-gen. (this could be achieved from an OpenSSH platform as well)
  • Open the Open-SSL tool kit downloaded earlier.
  • Follow the above steps & refer to the screenshots provided below.

[Screenshot: OpenSSL, PFX to PEM]

[Screenshot: OpenSSL, PEM to KEY]

[Screenshot: PuTTY Key-Gen, 1]

[Screenshot: PuTTY Key-Gen, 2]

Now you must have the following files available with you:

[Screenshot: folder list]
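
The Section 2 conversion chain as shell functions. This is an added example, not the commands from the original post. It assumes the passphrases are passed in the environment variables `PFX_PASS` and `PEM_PASS` (names chosen here), uses `ssh-keygen -y` for the public-key step in place of PuTTY Key-Gen, and includes a constructed sample .PFX so it can be tried without touching the PI key store.

```shell
#!/bin/sh
# Added example. File names follow the article; PFX_PASS and PEM_PASS are
# assumed environment variable names holding the two passphrases.
umask 077   # every file written below contains or derives from a private key

# Constructed sample standing in for the .PFX exported from the PI key store.
make_sample_pfx() {  # $1 = output .PFX
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test" \
        -keyout sample_key.pem -out sample_cert.pem 2>/dev/null &&
    openssl pkcs12 -export -inkey sample_key.pem -in sample_cert.pem \
        -passout env:PFX_PASS -out "$1" &&
    rm -f sample_key.pem sample_cert.pem
}

# Step 1: pull only the private key out of the .PFX; it stays encrypted.
# A .p12 protected with older algorithms may need -legacy on OpenSSL 3.
pfx_to_pem() {  # $1 = Test.PFX, $2 = Test.pem
    openssl pkcs12 -in "$1" -nocerts -passin env:PFX_PASS \
        -passout env:PEM_PASS -out "$2"
}

# Step 2: write the key as an unencrypted PEM file (assumed to be what the
# article calls the .KEY file). OpenSSL 3 writes PKCS#8 here unless
# -traditional is added.
pem_to_key() {  # $1 = Test.pem, $2 = Test.key
    openssl rsa -in "$1" -passin env:PEM_PASS -out "$2"
}

# Step 3: derive the one-line OpenSSH public key (needs OpenSSH's ssh-keygen).
key_to_pub() {  # $1 = Test.key, $2 = Test.pub
    ssh-keygen -y -f "$1" > "$2"
}

# Check: the extracted key must belong to the certificate inside the .PFX.
key_matches_pfx() {  # $1 = Test.key, $2 = Test.PFX
    k=$(openssl rsa -in "$1" -noout -modulus) || return 1
    c=$(openssl pkcs12 -in "$2" -nokeys -clcerts -passin env:PFX_PASS |
        openssl x509 -noout -modulus) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Test.pem and Test.key hold the private key, so keep them off shared folders and delete any intermediate file that the channel does not need.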

SECTION-3:

  • The last part is to supply the public key in the sFTP server.
  • Go to the root folder of the user account & check for the folder ‘.ssh’. If it’s not available, create one.
  • If it’s available, check for the file ‘authorized_keys’. If it’s not available, create one.
  • This is the tricky step, where the format of the public key needs to be changed.
  • The public key usually looks like:

[Screenshot: public key format]

  • This has to be aligned to a single line, prefixed with the term ‘ssh-rsa ’ (without the apostrophes), and can have a comment at the end of the line. Something like this: ssh-rsa bidhfojlakejefdoelr== user@hostname
  • Now, place the line in the ‘authorized_keys’ file in the sFTP server.
  • For general reference, this is how an OpenSSH private key looks:

[Screenshot: private key format]
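
The Section 3 reformatting and placement as shell functions. This is an added example, not part of the original post. It assumes the multi-line public key is the file PuTTY Key-Gen writes with "Save public key" (RFC 4716 layout) and that the sFTP server runs OpenSSH; the sample key is constructed filler, and the function names are chosen here.

```shell
#!/bin/sh
# Added example. Assumes Test.pub was written by PuTTYgen's "Save public key"
# (RFC 4716 layout) and that the sFTP server is OpenSSH.

# Constructed sample: correct ssh-rsa header bytes, filler body, not a real key.
write_sample_pub() {  # $1 = output file
    cat > "$1" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-constructed"
AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7constructed
SampleOnlyNotARealKey0000
---- END SSH2 PUBLIC KEY ----
EOF
}

# Join the base64 body into one line, drop markers/headers, add prefix + comment.
ssh2_to_authorized_line() {  # $1 = multi-line public key, $2 = comment
    body=$(awk '
        { sub(/\r$/, "") }                          # tolerate Windows line ends
        /^---- (BEGIN|END) SSH2 PUBLIC KEY ----/ { next }
        cont            { cont = /\\$/; next }      # continued header line
        /^[A-Za-z-]+: / { cont = /\\$/; next }      # header such as Comment:
        { gsub(/[ \t]/, ""); printf "%s", $0 }' "$1") || return 1
    case $body in
        AAAAB3NzaC1yc2E*) printf 'ssh-rsa %s %s\n' "$body" "$2" ;;
        *) echo "not an ssh-rsa key: $1" >&2; return 1 ;;
    esac
}

# Create ~/.ssh and authorized_keys if missing and append the line only once.
# sshd (StrictModes) refuses the key when the file or ~/.ssh is group- or
# world-writable, so set the modes explicitly.
install_key() {  # $1 = authorized_keys line, $2 = home directory of the sFTP user
    mkdir -p "$2/.ssh" && chmod 700 "$2/.ssh" &&
    touch "$2/.ssh/authorized_keys" && chmod 600 "$2/.ssh/authorized_keys" &&
    { grep -qxF -- "$1" "$2/.ssh/authorized_keys" ||
      printf '%s\n' "$1" >> "$2/.ssh/authorized_keys"; }
}
```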
This is how your channel will look:

[Screenshot: SAP PI sFTP channel]

Key-based authentication is now implemented. Test your interface. If everything given above is followed properly, your scenario must work.

No more ‘User Locked’ issue. Good Luck…

Watch this space for: HOW TO IMPLEMENT KEY BASED AUTHENTICATION IN SEEBURGER BUSINESS INTEGRATION SERVER SOON…

P.S.: This could be implemented using ‘.p8’ file as well.

Credits: Christan Van Mook, Srikanth Srinivasan

6 Comments

  1. Venkat Boppana
    Hi

    The blog is excellent. In the communication channel, why is the status Inactive?
    It would be great if you posted the SFTP receiver communication channel. If possible, could you please provide the receiver SFTP communication channel parameters?

    Thanks,
    Ramesh

    1. Srikanth Srinivasan Post author
      Thanks Ramesh.

      Response for Q1: The channel is inactive because I always put channels into inactive mode when they are not being tested; unfortunately, I captured the screen in that mode itself. (It actually has to be active when you test.)

      Response for Q2: I am not quite clear about the question, could you please help me better understand by rephrasing it?
      If it’s a question about SFTP receiver channel parameters, as long as the key store location is concerned, everything would be the same.
      If it’s a question about module, regular beans to be used.

      1. Venkat Boppana
        Thank you Srikanth,

        My second question is: you have shown the sender SFTP communication channel and its parameters in this blog; in the same way, I am requesting you to show the receiver SFTP communication channel and its parameters.

        Thanks,
        Ramesh

        1. Srikanth Srinivasan Post author
          In both cases, the Seeburger SFTP adapter will act as SFTP client. Hence, the private key specifications would be the same as how it was configured for the sender. (Of course, apart from the server details & other polling details.)


          Srikanth Srinivasan

  2. Dheeraj Kumar

    Hello Srikanth

    Thanks for the very good blog.

    I have a question that

    • Open-SSL Key tool;
    • Putty Key-Gen

    Do both tools need to be installed on the PI server, or can I install them on my local system as well?

    Instead of using OpenSSL to extract below files

    • Extract ‘.PEM’ private key from ‘.PFX’
    • Extract ‘.KEY’ Open-SSH private key from ‘.PEM’

    can we use PuttyGen too?

    Thanks

    Dheeraj Kumar

    +919650308876

