Skip to Content

SAP PI SFTP Adapter Authentication


  • In SAP PI, we can access SFTP server of client using SFTP Adapter.
  • SAP-PI can use SFTP Adapter in below two manners:
    1. SFTP Sender Adapter:     To pull files from SFTP server’s folder
    2. SFTP Receiver Adapter:  To push files to SFTP server’s folder
  • In this blog we conclude below aspects:
    • Authentication technique for SFTP Server
    • SFTP Sender Communication Channel Configuration
    • SFTP Receiver Communication Channel Configuration

Authentication technique for SFTP Server:

To access SFTP server from SAP-PI using SFTP adapter, below details are required:

  • SFTP Server IP
  • SFTP Server Port             (default port is 22)
  • SFTP Server Fingerprint
    • If SFTP Server Fingerprint details are not available then we can ignore it by providing input as * (star) in SFTP Communication channel
    • SFTP Server Fingerprint can be generated using any standard tool like ‘FileZilla’, where we need to provide SFTP server details (IP/Port/User-id/Password) and while connecting, tool will show SFTP’s fingerprint
    • SFTP Fingerprint looks like as below:


Authentication methods supported by SFTP server can be of either following types:

  1. Key Based Authentication
    • In ‘Key Based Authentication‘, SAP-PI’s ‘Public SSH Key‘ need to be imported in SFTP server.
    • While connecting SFTP- Server, SAP-PI uses following details for authentication in its SFTP-Adapter
      • SFTP Sever’s IP / Port
      • Authentication method ‘Private Key’
      • SFTP Server’s user name
      • SAP -PI’s ‘Private KEY Store View‘ details
    • For reference, following screen of SAP-PI’s SFTP-Adapter is been given
  2. Password based authentication
    • Here SFTP server is accessible via its user-id/password
    • For reference, following screen of SAP-PI’s SFTP-Adapter is been given
  3. Password based authentication with case of ‘keyboard-interactive authentication‘ [This info is been added on 13-Sept2018 into this blog…….]
    • Here SFTP server is accessible via its user-id/password but it requires keyboard interactions
    • “Keyboard Interactive authentication”:
      • Sometimes, sFTP server has enabled one property called  “Keyboard Interactive authentication”.
      • The standard keyboard-interactive authentication uses the ‘password’ as interactive question.
      • Here, rather than the SFTP server ask for “Password”, it asks for “Enter Password” i.e. once SFTP server IP details provided to connect, SFTP server asks to enter password in ‘Password’ pop-up using keyboards.
    • Such sFTP servers can easily be accessed using any standard tool like ‘FileZilla’ or ‘WinScp’, here we always provide input from keyboard
    • But SAP-PI’s SFTP adapter throws following type of error for such sFTP-server connections where ‘keyboard-interactive authentication’ is required
      • Exception received: java.lang.UnsupportedOperationException: received authentication request from server which could not be processed: destination=<sftp-UserId>@<sftp-IP>:<sftp-Port>; name=Password authentication; instruction=prompt=<sftp-UserId>’s password
    • Reason:
      • The current version of SAP-PI’s SFTP adapter does not support Keyboard-interactive authentication .
    • Solution:
      • Install “SFTP SP02 Patch 6” in SAP-PI server
      • here, there is no need to re-import metadata of SFTP-Adapter in ‘ESB/R’ (Enterprise Service Repository)

SSH Key maintenance in SAP-PI for SFTP’s Key Based Authentication” :

Summarized steps to maintain SSH key in SAP-PI, are as follows:

  1. In SAP-PI: Create ‘KeyStore View’ and ‘Keystore Entry’ and export it with ‘PKCS#12 Key Pair’ file format having extension ‘.p12’ (e.g. PItoSFTP_Key.p12 )
  2. In any ‘Windows’ system, create ‘Private SSH key’ from exported SAP-PI’s ‘.p12’ file
    • 2.1 Using tool ‘OpenSSL’, create ‘.pem’ key from ‘.p12’ file
    • 2.2 Create ‘SSH Private Key’ (e.g. PItoSFTP_Key.key ) from ‘.pem’ key
  3. In SAP-PI: Upload ‘Private SSH key’ file
  4. In SAP-PI: Generate ‘Public SSH key’ (e.g.

Now, let’s see detailed steps….

[Step-1] In SAP-PI: Create ‘KeyStore View’ and ‘Keystore Entry’ and export it with ‘PKCS#12 Key Pair’ file format having extension ‘.p12’

  • Go to SAP-PI’s netweaver (nwa) page using below url
    • http://<host>:<port>/nwa
  • Create a new Keystore view, for same,
    • Go to nwa url page => ‘Configuration Management’ => ‘Security’ => ‘Certificates and Keys’ => ‘Key Storage’ => ‘Content’ => ‘Keystore Views’
    • To create a new keystore view, click on button ‘Add view’
    • Enter ‘View name’, ‘Description’ and click button ‘Create’
  • Create a  Keystore Entry in same ‘KeystoreVview’ which just has created above
    • Provide details as Entry Name, Algorithm as RSA and Key length 1024 or 2048, validity time
    • Entry Type ‘Private Key’
    • Follow the rest step to complete creation of Keystore Entry
  • Export ‘Keystore View’ and ‘Keystore Entry’ (with ‘PKCS#12 Key Pair’ file format having extension ‘.p12’)
    • Select row of  ‘Keystore view’ and its respective ‘Keystore Entry’
    • Click on button ‘Export Entry’ -> export format ‘PKCS#12 Key Pair’ -> enter a password here and note it down
    • Click on link ‘Download’ to extract .p12 file for example file name is ‘PItoSFTP_Key.p12‘.

[Step-2] In any ‘Windows’ system, create ‘Private SSH key’ from exported SAP-PI’s ‘.p12’ file

  • Now using tool ‘OpenSSL’ (in any windows local desktop) perform below activities:
    1. Extract ‘OpenSSL’ in to a directory  for e.g. ‘C:/OpenSSL/’
    2. Copy ‘PItoSFTP_Key.p12‘ into ‘C:/OpenSSL/bin/’
    3. Create ‘.pem’ key file from .p12 file using below command  in cmd prompt
      • cd \OpenSSL\bin
      • openssl pkcs12 -in PItoSFTP_Key.p12 -out PItoSFTP_Key.pem
      • Enter Import Password: pass1234
      • Enter PEM pass phrase: pass1234
    4. Create ‘Private SSH Key‘ from ‘.pem’ file
      • openssl rsa -in PItoSFTP_Key.pem -out PItoSFTP_Key.key
      • Enter pass phrase for PItoSFTP_Key.pem: pass1234

[Step-3] In SAP-PI: Upload ‘Private SSH key‘ file

  • Now upload ‘Private SSH key‘ file ‘PItoSFTP_Key.key‘ in to directory path ‘ /home/<sid>/’ of SAP-PI server

[Step-4] In SAP-PI: Generate ‘Public SSH key‘ 

  • Generate ‘Public SSH Key‘:
    • Using SSH Key Generator in PI-server, we can generate SSH public key from private key file, with below commands:
      • su <sappi-adm-id>
      • chmod 600 PItoSFTP_Key.key
      • ssh-keygen -y -f PItoSFTP_Key.key >
    • Thus SAP-PI’s ‘Public SSH Key‘ file ‘’ has been generated
  • Note: 
    • Share this SAP-PI’s ‘Public SSH Key‘ ( to external sFTP-Server-Team,
    • which they need to import in their sFTP server,
    • so that, while connecting from SAP-PI using SFTP-Adapter, access can be granted i.e. ‘Key Based Authentication’


SFTP Adapter configuration for ‘Key Based Authentication‘:

Example: Receiver communication channel configuration
  • Business requirement case: To push/write files into external SFTP-Server’s specific folder
    • As shown in following screen, in SFTP Receiver Communication channel, provide sFTP-server details (like server-IP/Port/Username/FilePath) and for authentication provide ‘Key View’ details as created above
  • Fingerprint:
    • if specific sFTP-Server’s ‘Fingerprint’ string is been given from ‘sFTP-Server-Team‘ then provide same
    • else it can also be ignored ‘Finger’ by giving input as ‘*‘ (star)
  • In SFTP server folder, files will be dropped with same original name by enabling ‘Adapter Specific Message-Attributes‘ and using %FileName% in ‘FileName’ input field
  • Note:
    • Same authentication inputs will be required in case of ‘Sender Communication Channel Configuration’ too (where “business requirement case” is ‘to pull/read files from external SFTP-Server’s specific folder‘)


SFTP Adapter configuration for ‘Password based authentication‘:

Example: Sender communication channel configuration
  • Business requirement case: To pull/read files from external SFTP-Server’s specific folder
  • In Sender Channel, provide input for SFTP server’s IP/Port/Fingerprint/Authentication details as shown in below screen:
  • Fingerprint:
    • if specific sFTP-Server’s ‘Fingerprint’ string is been given from ‘sFTP-Server-Team‘ then provide same
    • else it can also be ignored ‘Finger’ by giving input as ‘*‘ (star)
  • Directory references starts from root directory of SFTP server
  • And we are reading all files of that direcrtoy using Filename input .*
  • To archive read files, we can use below parameters:
  • Given ‘Archive name’ will move same read file to mentioned Archive path with prefix ‘ARC_’ in original filename
You must be Logged on to comment or reply to a post.
  • Hi Dilip Kumar,

    you mentioned after point 4 to “Now upload Private SSH key file ‘PItoSFTP_Key.key’ in to SAP-PI server”.

    Why should we upload the private key into SAP-PI-Server? It’s already done by creating the keystore view in PI NWA (following your script).

    If we have to upload anyway, where should it be uploaded?

    For generating the public key, could we use puttygen instead of using the commands in the script (which I don’t know where to use)?

    Thank you very much for help!





      • I don’t think this question has been addressed yet.  I think the confusion is that you are using the words “SAP-PI server” for both the viewstore server and the location where you upload the key.  Are these the same?  if you have already created the key in the viewstore, why would you import it back again?

        [Step-3] In SAP-PI: Upload ‘Private SSH key‘ file

        • Now upload ‘Private SSH key‘ file ‘PItoSFTP_Key.key‘ in to SAP-PI server
        • Hi Victor,

          Let me again summarize for you:

          1. In PI: Create a ‘KeyStore View’ and ‘Keystore Entry’ and export it in PKCS#12 ‘.p12’ format
          2. In any Windows system:
            • Using OPENSSL tool -> convert ‘.p12’ file in to ‘.PEM’ file
            • then convert ‘.PEM’ file in to ‘.key’ file (i.e. private SSH Key)
          3. In PI: upload ‘.key’ file in to directory /home/sid/
          4. In PI: Using SSH-key-Generator, create public SSH key (‘.pub’ file) from ‘.key’ file
          5. Share this ‘.pub’ file to SFTP-Server team

          I hope its clear now…

          Thanks & regards,



  • Hi Dilip,

    First and Foremost – Excellent Blog! Nice way to illustrate with pictures.


    One question – Does the new SFTP adapter (SP05 Version) has listener services. Like any other middlewares out there which can get activated only when the third party pushes the data to it ?

    • Hi Nitin,

      Thanks for the nice comments about blog!

      @Listener Services in SFTP Adapater: Please find below comments if it helps to throw some light in same regard:

      • To place files in a SFTP-Folder, the Receiver SFTP-Adapter channel gets activated when Sender side pushes data on it.
      • And to read files from a SFTP-folder, the Sender SFTP-Adapter channels works on fix Poll-Intervals to watch any SFTP-folder.


      Thanks & Regards,


  • Hi Dilip, thanks for your Blog,


    I’ve set up the interface like you have described, but my SFTp adapter (sender CCV) gives the error message “Nullpointerexception” when I try to read the target file with content conversion mode. When I change the adapter and do a SFTP file download and open it in lokal FTP server with same CCV settings than I can process it.

    I’ve made also some analysis with xpi_inspector and get the warnings like “The string “…” could not localized” or “Could not locate resource bundle entry” and “for resource bundle ‘’ and locale de”

    and at the the result is the mentioned error message.

    Do you know what the problem is?





    • Dear Fressnapf GmbH,

      Sorry for late reply..please find below input, hope it may help you if issue at your side still persists.

      First you try to identify whether this error is related connectivity issue or due to CCV settings, make use of SFTP sender to just pick up files, once its ok, then go for CCV settings. Try to use XPI_Inspector every time to get detail errors.

      Please let me know, if this issue is already resolved by you.


      Thanks & regards,