The KEY to unlock the “KEY GENERATION” mystery – SFTP/SSH
So a single point of reference for generating SSH keys is Generating SSH Keys for SFTP Adapters – Type 1 – Process Integration – SCN Wiki.
Recent observations from multiple projects where people create SSH public key and give to SFTP server team and mysteriously it connect then. It all left me searching here and there solve the problem. The causes of this are –
1. SAP PI Developer not aware whether keys are valid or not?
2. SFTP server administrator may just believe key provided are correct?
3. Basis team may not may also be unaware how the end ssh key should be? Is it uploaded at the correct place? Are the permissions correct.
So here I am, making an attempt to bridge the gap and provide you the “KEY for Key Generation”. Let us first know what all we may need, the so called –
1. WinScp (you may have other tools, but this one is simple and easily available 🙂 )
2. Cygwin installed with openSSH and openSSL packages
Text – Installing Cygwin/X
3. Putty (FAMOUS) – this and WinScp can be combined.
4. NWA keystore access to create keystores
The above is enough to generate the keys and have it ready for the development. But, we PI consultants end up getting erroneous results for a new configuration. So to make sure we give the tested keys to client here is a tutorial to create the SFTP server on your local windows machine.
Apart from the links in the Part2, I will explain hand-picked steps out of the tutorial to set up sftp server correctly and quickly in the first attempt ( 😉 ) . So enough of reading let us start with the configuration.
1. Start Winscp -> Click on Tools -> Run PuTTygen
2. Select Parameters – SSH-2 RSA and Enter number of bits -2048. Click Generate.
3. Now you need to save the PrivateKey (ppk), PublicKey and PublicKey to be saved in SFTP server.
Note- i) The public key saved from “Save Public Key” and the “Public Key” to be saved in SFTP server can’t be same. The public key saved starts with —- BEGIN SSH2 PUBLIC KEY —-, but the key to be pasted in SFTP server starts with ssh-rsa.
ii) In the file authorized_keys, each line refers to a separate public key. So we also need to make sure there are no new line characters in our key. So an authorized_keys file will look as below-
4. Below are the Keys generated. Please follow the instruction in screenshots carefully.
Once the keys are generated, click on Save Private Key, Save Public Key and copy paste the key to be pasted in authorized_keys file and save.
Now, you will have 3 files generated. PPK private key, SSH public Key, SSH Public key to be pasted on to SFTP server. I have named 3 files as privateKey_SFTP.ppk, publicKey_SFTP.pub and publicKey_SSH.pub. Files will look as below.
5. Now send publicKey_SSH.pub file to SFTP server team to install via mail. If you want to test it with a local SFTP server, refer part 2 or video link embedded above.
6. Before we put the key to SAP PO NWA KeyStore we must make sure our keys are set up correctly. To test this we can use WinScp or PuTTy.
Testing With WinScp
In Advanced->Click Authentication under SSH -> Select the ppk private key
When you login for the first time, you will get a warning with the server’s fingerprint. This is a good sign showing it is able to reach the SFTP server. Just click Yes.
If you have chosen Passphrase while generating the key it will ask the passphrase else it will connect.
And that is it, you will be placed at the SFTProot folder.
This must be your Hurray! moment. After this the task is easy. We need to convert PPK to PKCS12 and import in NWA. Lets see how to do that too.
6. Now we need to convert privateKey_SFTP.ppk to pkcs12 format for SAP PO to import in NWA key store. For this Cygwin must be installed with openssl package
i) We will generate a PEM private key. I am naming it as privateKey_SFTP.pem. So again launch WinSCP->Tools->Run PuttYgen
ii) Click on File->Load Private Key and choose your PPK key (privateKey_SFTP.ppk)
iii) Once the key is loaded, I recommend remove the passphrase this time and click Conversions->Export Open SSH Key, it will give warnign for blank passphrase. Just click YES and proceed. Name it as <yourname>.pem (privateKey_SFTP.pem)
It will look like
iv) Now launch cygwin as administrator . Right click -> run as administrator. Now run change directory ( cd) command to move to directory where you kept you pem file. for the ease place it in any drve G:\ , D:\ . This will save us to struggle with CD command 😉
v) use OpenSSL package commands to create X.509 certificate
openssl req -
-key privateKey_SFTP.pem -out x509_certificateSFTP.pem
v) Now we will create PKCS 12 key to be imported in NWA with a password. Continuing in the CYGWIN enter following command
openssl pkcs12 -export -in x509_certificateSFTP.pem -inkey privateKey_SFTP.pem -out sftp_keystore.p12
7. Now login to NWA of SAP PO/PI .. http://<host>:<port>/nwa…… Configuration->Certificates and keys
i) Click on Add View-> Give View Name
ii) choose SFTP_KeyStore -> Import Entry-> PKCS#12 and click choose file to select the p12 generated. Provide the password which we set in cygwin while generating P12 and click import
This is all. Now you can select the above private key in your SFTP channel and continue with your development.