Cloud Integration – How to Setup Secure Connection to sftp Server
This blog describes how to set up secure connections to sftp servers from the cloud integration system. It gives a step-by-step description of what needs to be configured where. Furthermore, the options for testing sftp connectivity are described.
Setup Secure Connection to sftp Server
A typical task in an integration project is to connect sftp servers to the SAP Cloud Integration tenant, either for sending messages to or for polling messages from the sftp server. Before going into the detailed configuration of the communication, let's first have a short look at the basics.
Basics of Secure sftp Communication
The sftp server can act either as a sender or a receiver of messages. The setup and the detailed configuration procedure differ according to the communication direction that is being set up: whether the sftp server is supposed to provide messages to the integration platform or the other way round.
For more detailed information about sftp communication in CPI refer to SAP Documentation chapter ‘How sftp works’.
The polling sftp scenario and which security artifacts are involved is described in SAP Documentation chapter ‘Inbound sftp with Public Key Authentication’.
For secure SSH communication a known hosts file containing the public host key of the sftp server has to be deployed in the cloud integration tenant, so that the sftp server is trusted and a server presenting a different host key is rejected.
Furthermore, for public key authentication with the sftp server, a private key has to be maintained in the cloud integration tenant keystore. Alternatively, user/password authentication can be used; in this case the user credentials have to be deployed in the cloud integration tenant. The recommended configuration option for secure communication is public key authentication.
If you want to configure the connection to an on-premise sftp server via Cloud Connector refer to the blog How to Connect to an on-premise sftp Server via Cloud Connector.
Configure Connection in sftp Server and Cloud Integration Tenant
Retrieve User and Public Host Key from sftp Server
For SSH based communication, the cloud integration tenant needs the public host key of the sftp server, which has to be added to the known hosts file and deployed on the cloud integration tenant in the next step. The host key can either be retrieved from the sftp server or has to be provided by the administrator of the sftp server.
You can download the host key with the SSH connection test as described in more detail below in the Connectivity Tests chapter using the Copy Host Key option.
In case you have access to the sftp server yourself, the public host keys of an OpenSSH server are found in the /etc/ssh directory as ssh_host_<algorithm>_key.pub (for example ssh_host_rsa_key.pub). Note that id_rsa.pub in a user's .ssh directory is that user's own public key, not the host key. From a client, ssh-keyscan -t rsa <host> prints the host key already in known_hosts format, and ssh-keygen -lf <file> prints the fingerprint of a key file. In any case, confirm the fingerprint with the administrator of the sftp server before trusting the key.
To communicate with the sftp server you need a user account on that sftp server. Cloud Integration needs the user name to connect to the sftp server; it has to be provided by the administrator of the sftp server. The corresponding user must have sufficient authorization to create/move/delete files on the sftp server, and its access should be limited to the directories used by the integration.
Configurations in Cloud Integration Tenant
For SSH based communication the public host key of the sftp server retrieved in the previous step is needed in the cloud integration tenant. Furthermore, for public key authentication towards the sftp server, a key pair with the alias id_rsa or id_dsa is required in the cloud integration tenant's keystore. Since the June 2020 update the key pair for the connection to the sftp server can be chosen by defining the respective key alias in the sftp adapter configuration.
Maintain and Deploy Known Hosts File
You need to add the sftp host key you received in the previous step to the known hosts file deployed in your cloud integration tenant. For this, download the file from the Manage Security Material view available in the Operations View in Web in section Manage Security. If no known_hosts file is deployed on the tenant yet, you have to create it as described below.
Open the file with Notepad or some other text editor and add the host key of the sftp server. If no known_hosts file was deployed yet, create a new text file with that name.
The file needs to have the name known_hosts and contains the host keys of all connected sftp servers, one per line. Each line consists of the hostname, the public key algorithm, for example "ssh-rsa" (for RSA host keys) or "ssh-dss" (for DSA host keys), and the public host key encoded in base64, separated by spaces. See the following example:
ld2345.wdf.sap.corp ssh-rsa AAAAB3NzaC1yc2EAAAo………2pOx2ADnZ1WwtjW48=
Deploy the known_hosts file in the Manage Security Material view available in the Operations View in Web via the Add -> Known Hosts (SSH) action. Browse for the known_hosts file and deploy it. Since the tenant holds a single known_hosts file, it has to contain the entries of all connected sftp servers.
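Before deploying the file, it is worth verifying that each line is well formed and that the fingerprint of the host key matches the one the sftp server administrator gives you (the same check the Connectivity Tests chapter asks for when using Copy Host Key). The following Python script is an added example and not part of the original blog or of SAP Cloud Integration; it parses a known_hosts line, cross-checks the algorithm field against the key blob and prints the SHA256 fingerprint in the same format as ssh-keygen -lf. The host name and the RSA numbers in it are constructed for the demonstration and are not a real server or host key.

```python
"""Check a known_hosts line before deploying it to the tenant (added example)."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire format 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire format 'mpint': big-endian magnitude, one extra leading 0x00 when the high bit is set."""
    return _ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def constructed_rsa_host_key_blob() -> bytes:
    """Build a syntactically valid ssh-rsa public key blob from made-up numbers.

    The modulus is far too small to be a real key; it only lets the example run offline.
    """
    e = 65537
    n = 0xC3A4F1D2B5E6978877665544332211FF  # constructed, not a real modulus
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def _key_type(blob: bytes) -> str:
    """The first SSH string inside a public key blob names the key type."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii", errors="replace")


def parse_known_hosts_line(line: str) -> dict:
    """Split '<host> <algorithm> <base64 key>' and cross-check the algorithm with the blob.

    A line whose declared algorithm does not match the blob, or whose base64 is damaged,
    would be rejected by the SSH client anyway; catching it here avoids deploying a
    broken known_hosts file to the tenant.
    """
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected: <hostname> <algorithm> <base64 key>")
    host, algorithm, key_b64 = parts[0], parts[1], parts[2]
    try:
        blob = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:
        raise ValueError("host key is not valid base64") from exc
    if len(blob) < 4 or _key_type(blob) != algorithm:
        raise ValueError(f"algorithm field {algorithm!r} does not match the key blob")
    return {"host": host, "algorithm": algorithm, "blob": blob}


def is_valid_known_hosts_line(line: str) -> bool:
    """True if the line parses and is internally consistent."""
    try:
        parse_known_hosts_line(line)
    except ValueError:
        return False
    return True


def sha256_fingerprint(blob: bytes) -> str:
    """Fingerprint as printed by 'ssh-keygen -lf': SHA256:<base64 of the digest, no padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_matches(line: str, expected_fingerprint: str) -> bool:
    """Compare the fingerprint of a known_hosts line with the one the sftp admin gave you."""
    entry = parse_known_hosts_line(line)
    return sha256_fingerprint(entry["blob"]) == expected_fingerprint.strip()


def build_known_hosts_line(host: str, blob: bytes) -> str:
    """Produce a line in exactly the layout the tenant expects."""
    return f"{host} {_key_type(blob)} {base64.b64encode(blob).decode('ascii')}"


if __name__ == "__main__":
    blob = constructed_rsa_host_key_blob()
    line = build_known_hosts_line("sftp.example.invalid", blob)  # constructed host name
    print(line)
    print("fingerprint to confirm with the sftp admin:", sha256_fingerprint(blob))
```

Run it with a real line copied from the Connectivity Test or from ssh-keyscan in place of the constructed one; only deploy the line when fingerprint_matches returns True for the fingerprint the administrator confirmed out of band.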
Maintain Private Key in Keystore
As explained above, for public key authentication a key pair needs to be maintained in the cloud integration tenant keystore. Before the June 2020 update, there were pre-defined aliases reserved for the communication with the sftp server: the aliases id_rsa, id_dsa and id_ecdsa.
With the June-2020 update any key pair can be chosen for the connection to the sftp server by defining the respective key alias in the sftp adapter configuration.
Check for id_rsa/id_dsa/id_ecdsa or any other key pair in Keystore
In the Keystore Monitor available in the Operations View in Web in section Manage Security, check if there is already an entry with the alias id_rsa, id_dsa or id_ecdsa. If so, you may use it and skip the next two steps; continue with the download of the public key.
With the June-2020 update any key pair can be chosen. It is recommended to use a dedicated key pair for the communication to the sftp server(s), and you may now even use a different key pair for each sftp server. You should not use the same key pair for communication against sftp server(s) and other backends.
Create SSH Key in Keystore Monitor
With the 02-September-2018 update, in the Keystore Monitor you can directly create SSH keys. There is no need anymore to use an external tool for this.
To create the SSH Key open the Keystore Monitor available in the Operations View in Web in section Manage Security. All certificates and private key pairs contained in the tenant keystore are shown. Choose Create -> SSH Key to create a key pair for the sftp connectivity.
In the creation dialog select and define the key specific values and define a validity period. Before the June 2020 update the alias is generated automatically based on the selected Key Type:
- Key Type RSA -> generated alias: id_rsa
- Key Type DSA -> generated alias: id_dsa (for security reasons no longer available after the 14-04-2019 update)
- Key Type EC -> generated alias: id_ecdsa (new with the 14-04-2019 update)
With the June-2020 update you can define the alias for the key pair used for the SSH communication. And with this change you can now have multiple SSH keys in your tenant.
Select Deploy to create the key. If a key with the respective alias already exists, an error message is given. In this case you may use the existing one for your scenario or use a different Key Type or rename the existing alias.
Upon Deploy the key pair is generated and the artifact is added to the list of keystore artifacts:
Alternative option: Upload SSH key
Instead of creating the SSH key in the Keystore Monitor, since the 12-May-2019 update you can also upload SSH keys to the Keystore Monitor. It is possible to upload keys in OpenSSH or PuTTY (.ppk) format.
To upload an SSH key, open the Keystore Monitor available in the Operations View in Web in section Manage Security. Choose Add -> SSH Key to upload a PuTTY or OpenSSH private key for the sftp connectivity.
In the upload dialog select the PuTTY or SSH key file, specify the password protecting the key, define the key specific values and a validity period.
The alias is generated automatically based on the key type of the uploaded PuTTY or SSH key:
- Key Type RSA -> generated alias: id_rsa
- Key Type DSA -> generated alias: id_dsa
- Key Type EC -> generated alias: id_ecdsa
With the June-2020 update you can define the alias for the key pair used for the SSH communication.
Select Add to create the key. If a key with the respective alias already exists, an error message is given. In this case you may use the existing one for your scenario or use a different Key Type or rename the existing alias.
- You should not share a private SSH key. Each CPI tenant (e.g. test tenant and productive tenant) should have its own SSH key, and the same applies to each natural person (e.g. developer, administrator or consultant) who needs access to the SFTP server. This way access to a specific SFTP mailbox can be granted and revoked for each system and each person separately.
- You should not use username/password authentication to SFTP servers. Once you have configured multiple systems to access a mailbox via username/password authentication, it becomes very hard to change this password again, because you must change it synchronously on the SFTP server and in all involved systems, which are at least two (one writing to the mailbox and one reading from it). Furthermore, you may need to share this password with administrators and maybe even integration flow developers or external consultants involved in the set-up of the scenario. Once you have shared the password, you cannot make anyone forget it again, so to remain secure you would have to change it each time someone leaves the project, which is difficult and error-prone as stated above.
More information about maintaining keys and certificates in Keystore Monitor, about migration of existing keystores into the new monitor and about existing naming conventions can be found in blog ‘How to use Keystore Monitor to maintain your keys and certificates’.
To maintain keys and certificates in Keystore Monitor your user needs the Group Role AuthGroup.Admin or Single Roles IntegrationOperationServer.read, NodeManager.read and
Download Public Key from Keystore Monitor
For public key authentication at the sftp server, the public key belonging to the cloud integration tenant's private key is needed on the sftp server. For this, export the public key of the key pair in the Keystore Monitor. You can export either the X.509 certificate or the public key in OpenSSH format; choose the format your sftp server supports.
This option is available per entry: select Download Certificate or Download Public OpenSSH Key from the Actions button in the line of the key pair to be used for the connection to the sftp server.
Download Public OpenSSH Key creates an <alias>.pub file in the download directory. The file contains the public key in OpenSSH format, which can be placed on the sftp server.
Download Certificate creates a file with the name <alias>.cer in the download directory. This X.509 certificate file can be imported to the sftp server, if the sftp server supports this format.
If the sftp server needs the SSH2 format according to RFC 4716, download the OpenSSH key and transform it into an RFC 4716 public key with the ssh-keygen tool (on Windows machines available, for example, via Cygwin). Both files contain the same key material; only the framing differs. Use the following command for the transformation:
$ ssh-keygen -e -f id_rsa.pub -m RFC4716 > id_rsa.pub_ssh2
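For an sftp server that accepts only RFC 4716 files, or to check a file a server administrator sends you, the conversion can also be done without ssh-keygen. The following Python code is an added example and not part of the original blog or of SAP Cloud Integration; it converts an OpenSSH public key line to the RFC 4716 layout (BEGIN/END markers, an optional Comment header, base64 body lines of at most 72 characters) and back. The key material and the comment text used as input are constructed for the demonstration and are not a real tenant key.

```python
"""Convert an OpenSSH public key line to RFC 4716 (SSH2) format and back (added example)."""
import base64
import struct

BEGIN_MARKER = "---- BEGIN SSH2 PUBLIC KEY ----"
END_MARKER = "---- END SSH2 PUBLIC KEY ----"
MAX_BODY_LINE = 72  # RFC 4716 section 3.4: body lines must not exceed 72 characters


def constructed_openssh_public_key() -> str:
    """A syntactically valid ssh-rsa public key line built from made-up numbers (constructed).

    The exponent and modulus are not a real key; they only give the converter realistic input.
    """
    e = 65537
    n = int.from_bytes(bytes(range(1, 65)), "big") | 1  # constructed 64-byte odd number
    blob = b"".join(
        struct.pack(">I", len(part)) + part  # SSH wire format: length-prefixed fields
        for part in (
            b"ssh-rsa",
            e.to_bytes(e.bit_length() // 8 + 1, "big"),
            n.to_bytes(n.bit_length() // 8 + 1, "big"),
        )
    )
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " cpi-tenant-key"


def openssh_to_rfc4716(openssh_line: str, comment: str = "") -> str:
    """Re-wrap '<algorithm> <base64> [comment]' into the RFC 4716 layout.

    The key material is unchanged; only the framing differs. The comment (if any)
    goes into a Comment header, as ssh-keygen -e does.
    """
    parts = openssh_line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected: <algorithm> <base64 key> [comment]")
    key_b64 = parts[1]
    base64.b64decode(key_b64, validate=True)  # reject damaged key material early
    if not comment and len(parts) == 3:
        comment = parts[2].strip()
    lines = [BEGIN_MARKER]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines.extend(key_b64[i:i + MAX_BODY_LINE] for i in range(0, len(key_b64), MAX_BODY_LINE))
    lines.append(END_MARKER)
    return "\n".join(lines) + "\n"


def rfc4716_to_openssh(rfc4716_text: str) -> str:
    """Parse an RFC 4716 file back into a one-line OpenSSH public key.

    Header lines contain ':' (base64 never does) and may continue onto the next
    line when they end with a backslash; the remaining lines are the base64 body.
    """
    lines = [ln.rstrip("\r") for ln in rfc4716_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN_MARKER or lines[-1] != END_MARKER:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    inner = lines[1:-1]
    headers = {}
    idx = 0
    while idx < len(inner) and ":" in inner[idx]:
        tag, _, value = inner[idx].partition(":")
        value = value.strip()
        while value.endswith("\\") and idx + 1 < len(inner):
            idx += 1
            value = value[:-1] + inner[idx].strip()
        headers[tag.strip()] = value
        idx += 1
    key_b64 = "".join(inner[idx:])
    blob = base64.b64decode(key_b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    algorithm = blob[4:4 + type_len].decode("ascii")  # key type is the first field of the blob
    comment = headers.get("Comment", "").strip('"')
    return f"{algorithm} {key_b64}" + (f" {comment}" if comment else "")


if __name__ == "__main__":
    key = constructed_openssh_public_key()
    rfc = openssh_to_rfc4716(key)
    print(rfc)
    print(rfc4716_to_openssh(rfc))
```

Feed the content of the downloaded <alias>.pub file to openssh_to_rfc4716 and hand the result to the sftp server administrator; rfc4716_to_openssh lets you turn a file received in the other direction back into the one-line form that authorized_keys on an OpenSSH server expects.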
To download entries from Keystore Monitor your user needs the Group Role AuthGroup.IntegrationDeveloper or Single Roles IntegrationOperationServer.read and NodeManager.read.
Import Public Key to sftp Server
For public key authentication, the public key belonging to the cloud integration tenant's private key needs to be imported in the sftp server. Provide the downloaded public key to the administrator of the sftp server, so that they can add it there. On an OpenSSH server this is done by appending the line to the authorized_keys file in the .ssh directory of the user account Cloud Integration logs in with; the directory and file must be writable only by that user, otherwise the server ignores them with the default StrictModes setting.
With this last step the configuration of the communication to the sftp server using public key authentication is completed. You can now use public key authentication in sftp sender and receiver channels.
To test the connectivity, you can continue as described below in the Connectivity Test chapter or first create the integration flow with the sftp channel.
Setup SFTP Channel in the Integration Flow
After the connectivity is setup, you can connect to an sftp server using the sftp sender or receiver adapter. Create an integration flow with an sftp sender or receiver channel and define the Connection Parameters accordingly:
- In the Address field enter the host name of the sftp server.
- Define the Proxy Type: On-Premise for connecting to an on-premise sftp server via Cloud Connector (see blog How to connect to an on-premise sftp server) or Internet if the sftp server is accessible from the internet.
- If On-Premise is selected you can configure the Location ID used for the cloud connector.
- Select the Authentication: Public Key, User Name/Password or Dual.
- For Authentication via Public Key you need to define the User Name set up in the sftp server and the Private Key Alias of the key pair you want to use for the connection. Note that the entry field for the Private Key Alias is only available from the version of the sftp adapter delivered in June 2020.
- For Authentication via User Name and Password you need to define the Credential Alias, in which the user name and password are deployed.
- For Authentication with both Public Key and User Name/Password, select Dual. In this case you need to define the Credential Alias, in which the user name and password are deployed, and the Private Key Alias. Note that the Dual option is only available from the version of the sftp adapter delivered in June 2020.
- The Timeout needs to be set high enough to ensure the sftp server is able to respond within this time.
- You can define the Maximum Reconnect Attempts and the Reconnect Delay.
- Select Automatically Disconnect if the connection shall be closed after the processing.
- For scenarios where messages are processed frequently the connection should be kept open for better performance, because establishing a connection (TCP handshake, SSH key exchange and authentication) takes additional time.
- If messages are only processed from time to time it is recommended to close the connection. This avoids too many open connections on the sftp server. Besides, most sftp servers close an idle connection from their side after a certain period of time (the idle timeout of the sftp server).
- The general recommendation is: if multiple messages are processed within the idle timeout of the sftp server, keep the connection open; otherwise disconnect automatically.
After the deployment of the integration flow the access to the sftp server should work.
- In case of the sftp sender the integration flow starts polling messages from the sftp server. Errors during the poll are shown in the Integration Content monitor.
- In case of the sftp receiver messages are written to the sftp server. Errors during writing to the sftp server are shown in the Message Processing monitor in the message processing log.
In case of errors you can use the connectivity tests for analysis, continue as described below.
After setting up the connection toward the sftp server, the connectivity test feature can be used to test the communication or even to download public keys.
SSH Connectivity Test
The Connectivity Test is available in Operations View in Web, in section Manage Security. Selecting the Connectivity Test tile from Overview Page will open the test tool offering tests for different protocols. To test the communication to the sftp server, the SSH option is to be selected.
To test the connection with host key and public key check, select Authentication option Public Key and enter the address of your sftp server, and the user name available in the sftp server and execute the test. The test will give a success message or an error with detailed error information.
Error: reject HostKey
If there is an error with the SSH connectivity (e.g. reject HostKey) it is possible to execute the test without the option Check Host Key. In this case the sftp host key is not checked, but it can be copied via the Copy Host Key button and added to the known hosts file as described in the above chapter. Make sure the fingerprint of the copied host key is confirmed with the administrator of the sftp server before you deploy it: the key was received over an unverified connection, and deploying an unchecked key would make the tenant trust whatever system answered, including a man-in-the-middle.
The public key authentication is checked via the authentication option Public Key. The authentication is done with the id_rsa/id_dsa key with the user entered in User Name.
Error: Auth fail
If there is an authentication error you get an Auth fail error. In this case either the id_rsa/id_dsa alias is not available in the keystore, the public key was not added correctly to the authorized keys on the sftp server, or the user is not valid.
The problem can also be that the configured connection timeout is too low for a particular slow sftp server. In this case the timeout needs to be increased. This problem was seen from time to time in sftp communications.
If everything is setup correctly you will get a success message with Check Host Key using Public Key Authentication.
is there a way to connect an sFTP host which is located on-prem via SAP Cloud Connector? I'm especially thinking about the new option to use TCP / TCP (SSL) for the connection.
If not, are there plans to do so? I would think this requirement might be quite common for integration customers.
Many Thanks and kind regards
it's not possible yet, but it's planned. We will enable this mid term.
This is possible now, see blog How to connect to an on-premise sftp server via Cloud Connector.
Hi Mandy,
Thanks for the article. So if we copy the SSH key into authorized_keys, that means this file will have the key for only one integration. What if we have multiple integrations with the same public key concept? Also, how do we differentiate between authorized_keys files for testing in development/preprod/production, as only one file can be placed in the folder with the name authorized_keys?
there are different options of using different SSH keys in Cloud Integration: you can either create them in the tenant or import them. With the import you could use the same private SSH key in multiple tenants.
Concerning testing in different landscapes, best would be using different sftp servers anyway to avoid test issues impacting productive scenarios. Also from security point of view I would recommend to separate them.
Thanks Mandy,
In case we have the same SFTP server for test and production, can I add the SSH key to the same file for the production and test environment?
I would say so, but as said this is not a setup I would recommend for a productive scenario.
I see in the SSH Connectivity Test there is an option for Authentication: None. Does setting this option mean you are just pinging the SFTP server?
The SSH test tries to establish a SSH connection to the SFTP server, but does not authenticate.
Hope you are doing well. I have worked on sFTP servers which is managed by SAP.
But our customer has the sFTP server inside their secured zone. In this case the IP/host name of the server should be public? Which means a reverse proxy is mandatory so that HCI can reach the sFTP server?
It is planned to offer a connection via cloud connector, but this is not available yet. Currently the sftp server needs to be opened to the internet to be connected via cloud integration.
The connection via CC is possible now, see blog How to connect to an on-premise sftp server via Cloud Connector.
Good evening Mandy,
we are trying to use a .ppk file sent by ADP Payroll (every time they send it we ask for a plain password) but we can't use it.
On the HCI / CPI SFTP Adapter we can't use it. Could you extend this good guide with passages on how to use a PuTTY private key sent by sftp server admins?
We tried a lot of guides online but we didn't find a solution. Is there some plan to improve the SFTP Adapter with this kind of keys?
what should work (I have not tried it as I don't have a ppk file for testing):
Please let me know if this solves your problem.
We will discuss internally if we can offer a more user friendly option to get this imported to the keystore.
Like Federico, I too am trying to use the .ppk file to authenticate against an SFTP. The steps given by you have been extremely useful.
I followed the steps to convert the putty key to openssh key and generate p12 key pair and then added the key pair to the keystore.
Having done this, how can I successfully authenticate against the SFTP using the added key pair? Any suggestions would be greatly appreciated.
important is that the alias of the key imported into the keystore is id_rsa or id_dsa (depending on the key type). Only those two aliases are used to connect to the sftp server.
Then you can use the ssh connectivity test to test the connection to the sftp server.
Thank you replying. How would this work with authenticating against multiple SFTP servers each having its own private key?
HCI allows only one alias with id_rsa.
you are right, currently Cloud Integration allows only two aliases for sftp connectivity depending on the key type - id_dsa and id_rsa.
Usually the private key is generated by the server (function generate SSH key), which is in this case the Cloud Integration tenant. And the public certificate for the key is downloaded and passed to all connected sftp servers.
With this you can connect multiple sftp servers.
But currently it is not possible to have multiple SSH keys for connecting to the sftp servers. It is on the roadmap, but not for the near future.
Just to clarify: I am able to exchange files with as many SFTP servers as I need, right?
For example, if I have 2 different bank institutions that use public certificate authentication for SFTP connectivity, I can distribute my public certificate (generated using the SSH key - id_rsa or id_dsa) and import the 3rd party certificates in the key store and use the given alias in the SFTP adapter. Is that correct?
Yes, you can provide the downloaded public SSH key to multiple sftp servers. Important is that you import the sftp host keys of all those sftp servers to the known hosts file as described in the blog.
Hi Mandy Krimmel,
do you have news about :
-We will discuss internally if we can offer a more user friendly option to get this imported to the keystore.
It will be possible in a future?
Yes, this option will be delivered with the next update currently scheduled for 11/12 May if all integration tests run successfully. I will update the blog within the next days describing the new option Add -> SSH Key. Using the option you can then import SSH and PuTTY keys directly.
Very good news thank.
I will test this add on after updates.
I still don't see add ssh option. Is it still not available for all customers?
Also, what if there are multiple private keys for different sftp servers?
some datacenters did not have the T3 update yet because of problems during update.
Could you please check again? Last weekend the remaining data centers should have gotten the update.
thanks for a detailed blog Mandy, br Vikas
Thanks for this post. I would like to ask one question for sFTP outbound: can we set the adapter configurations like address, credentials from a variable set in the header or from a property in the iflow?
If not, is it planned in the roadmap for the future?
no, this is not possible as of now. It is in our roadmap, but not for the near future as this is a bigger change.
It will be available with the June 2020 update.
Do you have guide to get the private SSH key from CPI?
the private SSH key can be generated in the keystore as described in the blog in chapter 'Create id_rsa/id_ecdsa in Keystore Monitor'.
Thanks for the quick response. Sorry for not being more specific, but I'm working on a Concur interface in CPI, in which for this setup I need to access the Concur SFTP server manually (private key access only - without password) in order to get some necessary encryption files that I need in the setup of the iflow. So I need to access the SFTP server with an SFTP client using a ppk file. Do you know how the private ssh key (id_rsa.cer) can be converted to ppk format?
the private SSH key cannot be exported from keystore for security reasons, so there is no way to generate a ppk key.
If you need a ppk key for connecting to the sftp server I would propose you generate an external putty (ppk) key and import this to the keystore using Add -> SSH Key.
Also, if you are using a third party sftp server make sure one of the supported key exchange algorithms of CPI is supported, or your integration with the sftp adapter will fail.
Hi Mandy Krimmel,
We have a requirement to connect multiple SFTP vendor using Public Key Authentication.
One of the vendors provided a .ppk file which I have deployed in the tenant using Keystore -> Add SSH Key. It automatically creates an id_rsa entry of type key pair. Now we have received another vendor's .pub file; where and how should we update the public OpenSSH key in the keystore to establish the connection with both vendors?
this is currently not supported in CPI. You should use one private SSH key in CPI and distribute the public key to the sftp servers.
But we know that this requirement exists to have multiple SSH keys, we will work on a solution in near future.
This will be available with the June 2020 update, blog will be updated.
I need to connect to the Kronos SFTP using 2 different platforms:
Dell Boomi to send the data from EC to Kronos (currently with username/password authentication) and CPI to process the time data from Kronos to ECPayroll (with public key authentication as the only option).
What would you recommend to resolve this problem since the SFTP account may have only one way of authentication?
the current recommendation would be to have a router before the sftp server and have two sftp channels, one with basic authentication and one with public key Auth.
Mid-term we will offer dynamic setting of authentication option, then you can go with one channel and configure authentication dynamically.
The dynamic configuration will be available with the June 2020 update.
We have a requirement to connect to the banks SFTP sever and the only authentication methods supported by the bank are Public key + username and password or Public key + IP address.
In CPI we only have option for Public key (with username) or username and password. Is there any way to use Public key + username and password.
at the moment it is either user/password or public key, but we work on an enhancement to support Dual authentication meaning user/password and public key. You can expect this feature in one of the next updates.
Thank you for the quick response. That is good to know. Is there a planned timeline for this new enhancement release?
it’s planned to be available in the May update, but this depends on the finalization of the implementation and the E2E tests that need to be executed. So, I cannot confirm the date.
Will be available with the June 2020 update.
It is very informative.
Thanks a lot!
thanks a lot for your post here.
I have one scenario that we would like to upload one PDF file from on-premise HCM system to SuccessFactors SFTP, can we use this solution to implement it?
Do we need to use cloud connector to connect CPI from on-premise and how to trigger the upload?
thanks a lot for your support.
Sure, you can store a pdf on the sftp server, but I'm not sure how to upload the file from the HCM system. You need to check which options exist from HCM: is the pdf stored on an sftp server or is it stored in the system? How do you expect to trigger the upload? You can either use an sftp sender adapter in CPI to poll for messages on an on-premise system or you can trigger a call directly from the on-prem system and send the pdf as attachment, for example via a SOAP call.
thanks a lot for your quick feedback.
our scenario is that we would like to develop an abap program in on-premise HCM system and generate a PDF or CSV and then send to successFactors SFTP, so we can use CPI to integrate HCM and SF SFTP, right?
what I hope is to trigger the call directly from HCM on-premise system. for this scenario, do we need to use cloud connector between on-premise and CPI?
In the scenarios from HCM to CPI you don't need Cloud Connector. You can call the CPI tenant directly. You simply have to make sure you can execute calls to the internet from your HCM system; usually a proxy in your landscape is used for this. Your administrator should know the landscape/system setup.
thanks a million for your always quick support.
it helps a lot.
Thanks for your post, it was truly useful.
However, I have now an issue trying to upload the id_rsa.pub key. I downloaded the key with option “Download Public OpenSSH Key” and I created a new id_rsa. Everything worked, but I broke one of the connections, so I would like now to restore the old id_rsa, but when I try to upload the old .pub key I get an error message “Cannot load key”.
I have used option Add -> SSH Key -> id_rsa.pub.
Could you help to understand what am I doing wrong?
Thanks in advance for your support.
the problem is that you have downloaded the public key with the option Download Public OpenSSH Key and now you try to import the public key as a private SSH key. This for sure cannot work.
To have the option to go back there is the backup option available in the keystore monitor. Have you done this backup before doing your changes? then you can restore the keystore to the state before your changes.
The second option I could think of: Was the old id_rsa key also already created in the keystore or did you create this externally (maybe before the create ssh key option was available) and then imported it? If you would still have this private key externally available, you could import it via add -> key pair.
Else the only option is to get the broken connection fixed with the new key.
Hope this helps you,
Thanks for the quick reply. The only option I have is to fix the broken connection, because the key was created in the keystore. Fortunately it's only one iflow impacted.
Thanks for your advices. I will keep them in mind for the next time 🙂
Thanks for the informative blog.
How to split a big file (up to 50 MB) while using the Sender SFTP adapter in CPI?
I couldn't find the option of giving a maximum file size in CPI which we have in SAP PO.
there is no option directly in the adapter. Splitting needs to be done in the integration flow processing via the splitter flow step.
The maximum file size is not yet configurable in the sftp adapter, but this is on the roadmap.
Thanks Mandy , will use splitter.
Appreciate your time and efforts for all this. Just wondering if you have any update on Dual authentications ? We need this for an SFTP interface with bank. Need to pass Public key and Username/Password together. Is it possible or we need to wait for next release for CPI ? Any timelines ?
we just finished development of dual authentication for sftp; now it goes into a 4 week integration test cycle. So, if everything runs well, you will get it with the update in June 2020.
Thanks Mandy. I appreciate your quick response. Its very helpful. Looking forward for next month updates.
Hope all is well. I have configured the SFTP connection to a bank. The connection is established as expected by me sharing the public key id_rsa with the bank technical team. I have created this Key Pair directly in the tenant. Now I am trying to configure the SFTP folders using FileZilla client. The client is asking for a private key but when I look into the option I am unable to find the same. I can download the open ssh public key but am unable to use it. Please let me know if there a way I can get the private key for id_rsa key pair.
The second thing I have tried is generating key pairs using SAP note 2518009. Now I have four files created as expected. In order for me to use these, should I get a CSR generated and signed?
Please let me know what is the best way around this issue.
Appreciate your support.
First, for sftp connection the key does not need to be signed.
Second, the private key cannot and must not be exported for security reasons. If you also want to connect to the sftp server with File Zilla you should generate your own private key and send the public key to the sftp server admin. Or use user/password to connect to the sftp server.
Hope this helps,
Appreciate your quick response. It helps.
While connecting to a sftp server from a tenant on eu1, we are getting the error "com.jcraft.jsch.JSchException: connection is closed by foreign host". When we tried from tenants on eu3 and us2 it is successful. I can think of the IP whitelisting issue only. But the eu1 IP range was whitelisted by the customer as per the page --> https://help.sap.com/viewer/ea72206b834e4ace9cd834feed6c0e09/Cloud/en-US/d722f7cea9ec408b85db4c3dcba07b52.html. Was there any change in the IP ranges?
Thanks in advance.
I'm not aware of any changes but I'm not in all the details there. Maybe it would be a good idea to open a ticket on LOD-HCI-PI-OPS to ask this question. I also sent a mail to the responsible colleagues. Whoever of us gets an answer first, could then update here.
According to our operations colleagues there were no changes and the IP ranges documented are still valid. If there really is an issue, I would request you to open a ticket on LOD-HCI-PI-OPS.
Your post has been very useful, but I've a few questions that maybe help others as well.
1) In my scenario, sftp vendor provided a .ppk file, as well user id and password. I tested initially with FileZilla to check if it works and it does. First attempt, FileZilla retrieves public key automatically and asks if host is trusted. If my understanding is correct, compared to CPI, accepting the sftp host as trusted would be the equivalent of maintaining known_hosts.
2) Following steps in this blog, when I tried to retrieve sftp public key through "Copy Host Key" functionality (SSH Testing Connectivity), when selecting authentication as Public Key, with user id I was provided, "Check Host Key" flagged or unflagged, I received message "java.lang.IllegalArgumentException: no key found in key store". From the .ppk file, I'm able to extract the public key. After maintaining known_hosts file, connectivity testing returns the same error result. Any clue on why this error message is returned?
3) Then trying with authentication "User Credentials" (after adding credentials under Manage Security Material), "Check Host Key" flagged or unflagged, I received error message "com.jcraft.jsch.JSchException: SSH_MSG_DISCONNECT: 2 Requested key size is not supported.". After further analysis, I noticed that vendor generated their public key with size 3072. I'm not sure if this is a coincidence, but when looking at SSH Key generation in CPI, up to size 2048 we have multiples of 64, then after 2048 it jumps to 4096. Does it mean that CPI only works with ssh/rsa key sizes that were just mentioned?
4) I believe that once I overcome this key size issue, I'll fall into the dual authentication limitation. I understand it will be available at this month release. Is there any link with the release calendar? I was not able to find it.
To 1: if you upload the ppk file to the keystore as SSH key, this can be used to do public key authentication. Connecting to the sftp server does get the public key and checks it against the known hosts file. So the public key needs to be uploaded to the CPI known hosts file.
To 2: if you want to connect via public key the respective private key needs to be available in the keystore. Have you checked if there is an id_rsa or id_ecdsa or id_dsa alias in the keystore? If not, then there is no key pair that can be used. You need a private key pair in the keystore to connect via public key, please follow the blog description.
To 3: could you maybe share the complete details of the public key type (RSA/DSA/EC), key size and key algorithm?
To 4: the first data centers are planned for the upcoming weekend, the others one week later. But you cannot rely on this as there may be issues during the update that can cause delays.
Thanks in advance for your lightning response!
1) I've added the public key from the vendor to the known_hosts file. For testing purposes I've uploaded the ppk file as SSH key (considering the fact that id_rsa had not been created yet, otherwise we'd get "id_rsa already exists") and tried to run connectivity tests, and I still get the result "com.jcraft.jsch.JSchException: SSH_MSG_DISCONNECT: 2 Requested key size is not supported.". I've deleted that SSH key and generated a new one, considering that there will be other sftp hosts from different vendors to send files in the future. Note: when testing connectivity, the error "java.lang.IllegalArgumentException: no key found in key store" is not displayed anymore.
2) Indeed, id_rsa had not been created up to the point I sent my questions. But once I tested uploading the ppk from the vendor, created id_rsa, maintained known_hosts, I still got the error message "com.jcraft.jsch.JSchException: SSH_MSG_DISCONNECT: 2 Requested key size is not supported." during connectivity testing.
3) I've generated a sample key with the same characteristics. Key size of 3072 is highlighted below.
"ssh-rsa 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 rsa-key-20200603"
Key Fingerprint: "ssh-rsa 3072 64:a8:71:f9:dd:d0:2a:1a:e5:ce:f2:dd:5a:63:d3:2d"
4) Understood. Thanks for your update.
I am trying to achieve a scenario ECC-HCI-SFTP and back.
I have the public key from the SFTP server; however, rather than the host name it has the IP xx.xx.xxx.xx in the key. I have deployed that in the HCI tenant. Yet I got an error using None, User/Password and Key.
Also I saw the keystore, do I still need to create the SSH key in the keystore to download and share with the SFTP server? PFA
Looks like the server cannot be reached at all. If the server does not respond when calling with Authentication None, it simply cannot be reached.
You need to make sure that the server can be reached over the internet, maybe you have to open ports in the firewall. Or you use the Cloud Connector.
I am facing the below issue while connecting to an on-premise sftp server using user id / password in the connectivity test tab at CPI PI. Can you please suggest how to address the issue.
com.jcraft.jsch.JSchException: ProxySOCKS5: com.jcraft.jsch.JSchException: ProxySOCKS5: server returns 2 Cause: com.jcraft.jsch.JSchException: ProxySOCKS5: server returns 2
Note: connection set-up is completed from Cloud Connector to the on-premise system
This error comes from the Cloud Connector. Please check the logs there. It sounds like something is not setup correctly in the Cloud Connector.
Check setup and troubleshooting in this blog: https://blogs.sap.com/2018/11/16/cloud-integration-how-to-connect-to-an-on-premise-sftp-server-via-cloud-connector/
Make sure the known hosts file is set up correctly and uses the sftp address as specified in the sftp channel.
Thanks for the quick response Mandy. Cloud Connector set-up was done following your blog earlier. However I will get the logs from CC to analyze further.
The known hosts file is not yet maintained in the CPI as I am waiting for the key value from the connectivity test. Is there any way we can externally create the known hosts file by contacting the SFTP server admin (for fingerprints), copying the fingerprints into a .txt file, or are any changes required before placing the txt file into CPI PI? Please confirm.
Currently port 21 is used instead of 22. Does this cause an issue with the SFTP adapter?
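Two questions in this thread come down to inspecting an SSH host key by hand: the key-size question above (what size and fingerprint a given ssh-rsa line really has) and the question of building a known_hosts entry from a host key the server admin sends, including the case where the server does not listen on port 22. The following is an added example, not code from the blog or from SAP; it decodes an OpenSSH public key line with only the Python standard library, reports the RSA modulus size and the MD5 (colon-hex) and SHA256 fingerprints, writes a known_hosts line, and performs the same exact-match lookup a client does before trusting a host. The host name sftp.example.invalid and the RSA modulus are constructed for the demonstration (the modulus is not a real key), and the lookup deliberately supports only plain host patterns, not hashed or wildcard entries.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if top bit set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Decode one SSH string at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def build_rsa_public_key_line(e: int, n: int, comment: str) -> str:
    """Produce an OpenSSH 'ssh-rsa <base64> <comment>' line from (e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def inspect_public_key(line: str) -> dict:
    """Return key type, modulus bits (RSA only) and both common fingerprints."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    inner_type, off = _read_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError("key type prefix does not match encoded blob")
    info = {
        "type": key_type,
        # Legacy MD5 fingerprint, the colon-separated form shown by PuTTY/FileZilla
        "md5": ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest()),
        # Modern OpenSSH fingerprint: unpadded base64 of SHA-256 over the blob
        "sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }
    if key_type == "ssh-rsa":
        _e_bytes, off = _read_string(blob, off)   # public exponent (unused here)
        n_bytes, off = _read_string(blob, off)    # modulus
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
    return info


def known_hosts_line(host: str, key_line: str, port: int = 22) -> str:
    """Build a known_hosts entry; non-default ports use the [host]:port pattern."""
    key_type, b64 = key_line.split()[:2]
    host_pattern = host if port == 22 else f"[{host}]:{port}"
    return f"{host_pattern} {key_type} {b64}"


def host_key_trusted(known_hosts_text: str, host: str, key_line: str, port: int = 22) -> bool:
    """Exact-match check: is this host/port + key present in the known_hosts text?"""
    wanted_pattern = host if port == 22 else f"[{host}]:{port}"
    key_type, b64 = key_line.split()[:2]
    for entry in known_hosts_text.splitlines():
        parts = entry.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        # Simplification: no hashed (|1|...) or wildcard host patterns, no @markers
        if parts[0] == wanted_pattern and parts[1] == key_type and parts[2] == b64:
            return True
    return False


# Constructed sample: a 3072-bit modulus that is NOT a real RSA key, e = 65537
SAMPLE_N = (1 << 3071) | (1 << 100) | 1
SAMPLE_KEY_LINE = build_rsa_public_key_line(65537, SAMPLE_N, "rsa-key-sample")
SAMPLE_HOST = "sftp.example.invalid"   # assumed host name

if __name__ == "__main__":
    print(inspect_public_key(SAMPLE_KEY_LINE))
    entry = known_hosts_line(SAMPLE_HOST, SAMPLE_KEY_LINE, port=2222)
    print(entry)
    print(host_key_trusted(entry, SAMPLE_HOST, SAMPLE_KEY_LINE, port=2222))
```

The MD5 form is what the "Key Fingerprint" string quoted earlier in the thread shows; comparing it against the value the server admin sends out of band is the check that makes the known_hosts entry trustworthy, whereas copying the key straight from a connectivity test only records whatever answered on the wire.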
Thanks for the informative blog.
I have two CPIs that need to connect to the same SFTP server.
The first CPI is connecting correctly via testing and integration; the configuration was made via SSH key and is OK.
On the second CPI the same SSH key configuration was made and the public key was passed to be imported on the SFTP server. When I do the test it returns OK, but when the integration does the polling on the server the authentication fails.
CPI does not have the Private Key Alias option on the adapter.
Did you have any idea what it might be?
If the adapter does not have the option in the adapter configuration it means that it is an old version of the adapter. Please remove the adapter and create the channel anew. This will use the latest version of the adapter, where the field should be available.
Thanks for the reply!
I made the change and now I am informing the 'Private Key Alias' but the error persists.
Did you have any idea what it might be?
We are trying to connect to SAP Concur using SAP PI and CPI/HCI.
We are using the same key for SAP PI and CPI. We are able to connect using SAP PI, but not with CPI.
Any idea? Where it is going wrong?
When we are doing a connectivity test, we are getting a successful message (Could you please let me know, what does 4096 mean here?)
But when we run the interface, we are getting the following error
org.apache.camel.component.file.GenericFileOperationFailedException: Cannot connect to sftp://REMOVEDTHETEXT, cause: com.jcraft.jsch.JSchException: Auth fail
Auth Fail usually means that the authentication configured in the channel is not correct.
Are you really using the same user and private key alias in the sftp channel? Is it sftp sender or receiver?
I remember this problem, it's a false error. In reality, probably (in our case), it was a timeout on auth fail. We changed the timeout from 10000 to 300000 after discussing for a week with SAP support, and this disappeared afterwards.
Thanks for this feedback, I was not aware the Auth Fail could also be a timeout issue.
We are getting this error on the Receiver Side.
We have tried to test by increasing the timeout in our test tenant; the iFlow has now been processing for 1 hour.
If the file is not huge this should not be in processing for so long. Is it really expected to take that long? Do you see something for this call in the sftp server logs?
I would suggest you open a ticket so that the experts could have a look.
Thank you for your suggestions. We were using an old version of the SFTP adapter in our iFlow and it did not have an option for the private key.
As per the suggestion from the SAP expert, we had to recreate the adapter in the iFlow; then we could see the private key option and it is working fine now. (We did not increase the timeout.)
Thanks for the info, good that you got it working.
In the SFTP receiver we have Private Key Alias, for which you mentioned in the blog that an SSH key needs to be uploaded into the keystore (while uploading: File -> select the key). I would like to know who will be providing the SSH key (third party)? Thanks Vanga
Either the provider of the sftp server will provide it, or, what I would recommend, you create the SSH key in the keystore (Create -> SSH key) and provide the public key to the sftp server admin as described in the blog.
Thank you very much Mandy for taking your time to answer my question. We have created and provided the public key to the SFTP server admin. My doubt is that you mentioned the private key alias. So if we provide our public key to the SFTP server admin, is it not required to provide it in the below column in the channel?
Thank you Vanga
The private SSH key is the one that is created in the CPI tenant and this is what usually shall never leave the system for security reasons. The public key of this private key pair has to be shared with the sftp server admin.
In the channel you have to specify the alias of the created SSH private key and this will be used at runtime to connect to the sftp server. The sftp server can then validate this against the public key.
Thank you Mandy. So the private SSH key is created in the CPI tenant and that is being used in the receiver communication channel. Thanks Vanga
Thank you very much Mandy! Nice blog!