HCI: Testing Outbound Connections from HCI
One of the really handy features in HCI is the ability to test outbound connections from HCI to target systems. Connectivity issues can sometimes be a pain point during integration, and it is an area that I personally will always focus on first in an integration project, prior to developing integration scenarios. With this feature in HCI, connections can be tested even before building and testing any Integration Flows.
This feature is available from the Eclipse HCI plugin, where it is accessible from the Node Explorer’s context menu.
As of the current HCI component versions, it is possible to test SSL, SMTP and SSH connections. In this blog, I will share how to use this feature.
Below are the component versions of the tenant and Eclipse plugins.
HCI Tenant Version: 2.8.5
Eclipse Plugin Versions: Adapter 2.11.1, Designer 2.11.1, Operations 2.10.0
A) SSL Connection
HTTPS (HTTP over SSL) is one of the most common connections these days. However, establishing a connection over it is not always straightforward, as it requires the correct certificates to be installed on the client and possibly the server in order for the SSL handshake to succeed. Below is one of the common errors that occurs when the SSL handshake fails because the certificate chain of trust cannot be verified.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The following steps show how we can test this and rectify it.
Right click on the tenant in Node Explorer and select Test Outbound Connection.
Select SSL Connection and click Next.
Enter the hostname and port of the target system. In our example, we will try to establish a connection with Google.
After clicking Run to execute the test, we will receive the following error indicating SSL handshake failure.
This error is most likely because the target system’s (Google’s) root CA certificate is not in the Trusted CA list of HCI’s keystore. Every HCI tenant comes with a default system.jks keystore (the password to access this keystore should be provided by SAP during creation of the tenant).
To add Google’s root CA to the keystore, we need to download this keystore, import Google’s Root CA into it and redeploy it into the HCI tenant.
The procedure to manage the keystore is comprehensively explained in the following blog by Paul Todd.
HCI First Steps Part 8 – Working with Certificates
In short, we will use Keystore Explorer to add the certificate to the downloaded system.jks keystore. Use Keystore Explorer’s “Examine SSL” feature to examine Google’s URL and view the certificate chain. We only really need to import the Root CA into the keystore.
Once it is imported, save the keystore and redeploy it into the tenant using “Deploy Artifacts” from the Node Explorer.
Now we are ready to retest the SSL connection. Repeat the above steps for “Test Outbound Connection”.
As we can see, the SSL connection is successful now.
B) SMTP Connection
We can also test SMTP connections to mail servers.
Using the same steps as above, choose SMTP Connection instead and enter the SMTP server details. In the example below, it will test the connection to Gmail.
After executing Run, we can see the results of the connection test.
In our example above, the test is run without authentication details. We can further test this with authentication credentials. For the Gmail example, the user credentials can be saved and deployed as a User Credentials artifact – refer to the following blog.
Building your first iFlow – Part 4: Configuring your credentials
Below are the results of retesting with credentials.
C) SSH Connection
Although it is possible to test an SSH connection to an SFTP server, unfortunately I was unable to get it to work successfully.
As I do not have access to an SFTP server, I tried using a public one at Wing FTP Server Online Demo. In order to establish the SSH connection, the host key needs to be maintained in the Known Hosts file. I logged on to the demo SFTP server from a Unix system, accepted the host key and copied the value from the ~/.ssh/known_hosts file.
I then deployed the Known Hosts artifact into the tenant.
However, even after deployment, testing the SSH connection fails with the error below.
A check in the Tail Log indicates that the keystore is not found even though it is already deployed.
2015 11 26 04:11:13#+00#ERROR#com.sap.cloud.crypto.keystore.service.KeyStoreValueReader##anonymous#EventAdmin Async Event Dispatcher Thread#na#avrhcit#t0311iflmap#web##Keystore with name: ‘known.hosts’, for tenant: ‘562d7668-fc93-440e-8785-927921a90522’ is not found neither in the cloud (domain db) nor in the local (file) storage
com.sap.cloud.crypto.keystore.api.KeyStoreNotFoundException: Keystore with name: ‘known.hosts’, for tenant: ‘562d7668-fc93-440e-8785-927921a90522’ is not found neither in the cloud (domain db) nor in the local (file) storage
As you can see, with the use of this handy feature, connection issues in HCI can be tested and resolved even before the integration flows are developed and tested.
Seems like SAP doesn't give out the key to your system.jks file anymore, we've had to ask support to update the file, and they won't give us the key.
Thanks for your comment. Unfortunately, I no longer have access to the trial tenant so I'm not sure what's the current practice.
I do know from previous discussions with others that there are different practices for different editions. Which edition are you using - partner edition or trial edition?
Hello Eng Swee,
Not sure if you figured out how to test the connection using the sftp demo.wftpserver.com but you need to specify the port to the ssh-keyscan command. I used the IP address instead of the domain name:
ssh-keyscan -p2222 -t rsa 188.8.131.52
Copy and paste the results to the known_hosts file, deploy the Known Hosts (SSH) artifact using the known_hosts file and it will work fine.
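As an added example (not part of the original post or its comments): a Python sketch of how an OpenSSH-format known_hosts file is matched against a host and port, which is why an entry scanned with -p2222 is stored as [host]:2222 and does not apply to port 22. The host names, key strings and salt are constructed, wildcard patterns are not handled, and whether HCI applies the same matching rules is an assumption.

```python
import base64
import hashlib
import hmac

def host_token(host, port=22):
    """Host name as OpenSSH stores it: bare on port 22, otherwise [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"

def hash_host(token, salt):
    """Hashed form of a host token (|1|salt|HMAC-SHA1), as HashKnownHosts writes it."""
    digest = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())

def pattern_matches(pattern, token):
    """Compare one host pattern (plain or hashed) with the token; no wildcards."""
    if not pattern.startswith("|1|"):
        return pattern == token
    try:
        _, _, salt_b64, hash_b64 = pattern.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    except ValueError:  # malformed hashed entry
        return False
    actual = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)

def find_host_keys(known_hosts_text, host, port=22):
    """Return (key_type, key) pairs from entries that apply to host:port."""
    token = host_token(host, port)
    found = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers, short lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if any(pattern_matches(p, token) for p in fields[0].split(",")):
            found.append((fields[1], fields[2]))
    return found

# Constructed sample: documentation host names and placeholder key strings.
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    "sftp.example.test ssh-rsa KEY-A-constructed",
    "[sftp.example.test]:2222,[192.0.2.10]:2222 ssh-rsa KEY-B-constructed",
    hash_host("[sftp.example.test]:2222", b"constructed-salt-20b")
    + " ssh-ed25519 KEY-C-constructed",
])

if __name__ == "__main__":
    for host, port in [("sftp.example.test", 22), ("192.0.2.10", 22), ("192.0.2.10", 2222)]:
        print(host, port, find_host_keys(SAMPLE, host, port))
```

An empty result for a host and port means the file would not vouch for that server, so it is worth running this kind of check on the file before deploying it as the Known Hosts artifact.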