SAP PI SFTP Adapter Authentication
Overview
- In SAP PI, we can access a client’s SFTP server using the SFTP Adapter.
- SAP-PI can use the SFTP Adapter in the following two ways:
- SFTP Sender Adapter: To pull files from the SFTP server’s folder
- SFTP Receiver Adapter: To push files to the SFTP server’s folder
- This blog covers the following aspects:
- Authentication technique for SFTP Server
- SFTP Sender Communication Channel Configuration
- SFTP Receiver Communication Channel Configuration
Authentication technique for SFTP Server:
To access the SFTP server from SAP-PI using the SFTP adapter, the following details are required:
- SFTP Server IP
- SFTP Server Port (default port is 22)
- SFTP Server Fingerprint
- If the SFTP Server Fingerprint is not available, the fingerprint can be ignored by entering * (star) in the SFTP communication channel
- The SFTP Server Fingerprint can be obtained with any standard tool such as ‘FileZilla’: provide the SFTP server details (IP/Port/User-id/Password) and, while connecting, the tool shows the SFTP server’s fingerprint
- An SFTP fingerprint looks like the following:
The SFTP server can support either of the following authentication methods:
- Key Based Authentication
- In ‘Key Based Authentication’, SAP-PI’s ‘Public SSH Key’ needs to be imported into the SFTP server.
- While connecting to the SFTP server, SAP-PI uses the following details for authentication in its SFTP adapter:
- SFTP Server’s IP / Port
- Authentication method ‘Private Key’
- SFTP Server’s user name
- SAP-PI’s ‘Private KEY Store View’ details
- For reference, the following screen of SAP-PI’s SFTP adapter is given
- Password based authentication
- Here the SFTP server is accessible via its user-id/password
- For reference, the following screen of SAP-PI’s SFTP adapter is given
- Password based authentication with ‘keyboard-interactive authentication’ [This information was added to this blog on 13-Sept-2018.]
- Here the SFTP server is accessible via its user-id/password, but it requires keyboard interaction
- “Keyboard Interactive authentication”:
- Sometimes the SFTP server has a property called “Keyboard Interactive authentication” enabled.
- The standard keyboard-interactive authentication uses the ‘password’ as the interactive question.
- Here, instead of asking for “Password”, the SFTP server asks for “Enter Password”; that is, once the SFTP server’s IP details are provided to connect, the server asks for the password to be typed into a ‘Password’ pop-up.
- Such SFTP servers can easily be accessed using any standard tool like ‘FileZilla’ or ‘WinSCP’, because there we always provide input from the keyboard
- But SAP-PI’s SFTP adapter throws the following type of error for SFTP server connections where ‘keyboard-interactive authentication’ is required:
- Exception received: java.lang.UnsupportedOperationException: received authentication request from server which could not be processed: destination=<sftp-UserId>@<sftp-IP>:<sftp-Port>; name=Password authentication; instruction=prompt=<sftp-UserId>’s password
- Reason:
- The current version of SAP-PI’s SFTP adapter does not support keyboard-interactive authentication.
- Solution:
- Install “SFTP SP02 Patch 6” on the SAP-PI server
- Here, there is no need to re-import the metadata of the SFTP adapter in ‘ESB/R’ (Enterprise Service Repository)
SSH Key maintenance in SAP-PI for SFTP’s “Key Based Authentication”:
The summarized steps to maintain the SSH key in SAP-PI are as follows:
- [1] In SAP-PI: Create a ‘KeyStore View’ and ‘Keystore Entry’ and export it in ‘PKCS#12 Key Pair’ file format with extension ‘.p12’ (e.g. PItoSFTP_Key.p12)
- [2] On any ‘Windows’ system, create the ‘Private SSH key’ from the exported SAP-PI ‘.p12’ file
- [2.1] Using the tool ‘OpenSSL’, create a ‘.pem’ key from the ‘.p12’ file
- [2.2] Create the ‘SSH Private Key’ (e.g. PItoSFTP_Key.key) from the ‘.pem’ key
- [3] In SAP-PI: Upload the ‘Private SSH key’ file (PItoSFTP_Key.key) into the directory path ‘/home/<sid>/’
- [4] In SAP-PI: Generate the ‘Public SSH key’ (e.g. PItoSFTP_Key.pub) using ‘ssh-keygen’ from the uploaded key itself
Now, let’s see the detailed steps.
[Step-1] In SAP-PI: Create a ‘KeyStore View’ and ‘Keystore Entry’ and export it in ‘PKCS#12 Key Pair’ file format with extension ‘.p12’
- Go to SAP-PI’s NetWeaver Administrator (nwa) page using the URL below
- http://<host>:<port>/nwa
- Create a new keystore view. To do so:
- Go to nwa url page => ‘Configuration Management’ => ‘Security’ => ‘Certificates and Keys’ => ‘Key Storage’ => ‘Content’ => ‘Keystore Views’
- To create a new keystore view, click the ‘Add view’ button
- Enter ‘View name’ and ‘Description’ and click the ‘Create’ button
- Create a Keystore Entry in the same ‘Keystore View’ that was just created above
- Provide the details: Entry Name, Algorithm RSA, Key length 1024 or 2048, and validity time
- Entry Type ‘Private Key’
- Follow the remaining steps to complete creation of the Keystore Entry
- Export the ‘Keystore View’ and ‘Keystore Entry’ (in ‘PKCS#12 Key Pair’ file format with extension ‘.p12’)
- Select the row of the ‘Keystore view’ and its respective ‘Keystore Entry’
- Click the ‘Export Entry’ button -> export format ‘PKCS#12 Key Pair’ -> enter a password here and note it down
- Click the ‘Download’ link to extract the .p12 file; in this example the file name is ‘PItoSFTP_Key.p12’.
[Step-2] On any ‘Windows’ system, create the ‘Private SSH key’ from the exported SAP-PI ‘.p12’ file
- Using the tool ‘OpenSSL’ (on any local Windows desktop), perform the following activities:
- Extract ‘OpenSSL’ into a directory, e.g. ‘C:/OpenSSL/’
- Copy ‘PItoSFTP_Key.p12’ into ‘C:/OpenSSL/bin/’
- Create the ‘.pem’ key file from the .p12 file using the commands below at the cmd prompt
- cd \OpenSSL\bin
- openssl pkcs12 -in PItoSFTP_Key.p12 -out PItoSFTP_Key.pem
- Enter Import Password: pass1234
- Enter PEM pass phrase: pass1234
- Create ‘Private SSH Key‘ from ‘.pem’ file
- openssl rsa -in PItoSFTP_Key.pem -out PItoSFTP_Key.key
- Enter pass phrase for PItoSFTP_Key.pem: pass1234
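[Step-3] In SAP-PI: Upload the ‘Private SSH key’ file
- Upload the ‘Private SSH key’ file ‘PItoSFTP_Key.key’ into the directory path ‘/home/<sid>/’ of the SAP-PI server. The file is placed there only so that ‘ssh-keygen’ on the PI server can derive the public key from it in Step-4; for the connection itself, the SFTP adapter uses the private key entry in the NWA keystore view.
[Step-4] In SAP-PI: Generate the ‘Public SSH key’
- Generate the ‘Public SSH Key’:
- Using the SSH key generator (ssh-keygen) on the PI server, we can generate the SSH public key from the private key file with the commands below: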
- su <sappi-adm-id>
- chmod 600 PItoSFTP_Key.key
- ssh-keygen -y -f PItoSFTP_Key.key > PItoSFTP_Key.pub
- Thus SAP-PI’s ‘Public SSH Key‘ file ‘PItoSFTP_Key.pub’ has been generated
- Note:
- Share this SAP-PI ‘Public SSH Key’ (PItoSFTP_Key.pub) with the external SFTP server team,
- who need to import it into their SFTP server,
- so that access can be granted when SAP-PI connects using the SFTP adapter, i.e. ‘Key Based Authentication’
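The fingerprint item in the authentication section and the note above about sharing PItoSFTP_Key.pub both come down to comparing OpenSSH public keys, and a channel configured with * makes no such comparison for the server. The following added example (not code from the original blog or from SAP) parses an OpenSSH public key line, such as the server host key supplied by the SFTP server team or the .pub file from Step-4, and reports its fingerprint in the two common notations plus the RSA modulus length. The 2048-bit minimum, the function names and the sample keys are assumptions of this example; the sample keys are built from made-up moduli and are not usable keys.

```python
import base64
import hashlib
import struct


def read_string(blob, offset):
    """Read one SSH wire 'string': 4-byte big-endian length, then the bytes."""
    (length,) = struct.unpack_from(">I", blob, offset)  # struct.error if truncated
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def inspect_public_key(line):
    """Parse '<type> <base64> [comment]' and return type, RSA bits, fingerprints."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, offset = read_string(blob, 0)
    if key_type != parts[0].encode("ascii"):
        raise ValueError("key type inside the blob differs from the line prefix")
    bits = None
    if parts[0] == "ssh-rsa":
        # ssh-rsa blob layout: type, public exponent e, modulus n
        _exponent, offset = read_string(blob, offset)
        modulus, offset = read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    fp_md5 = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    return {"type": parts[0], "rsa_bits": bits,
            "md5": fp_md5, "sha256": "SHA256:" + sha256}


def fingerprint_matches(line, expected):
    """True only if `expected` is this key's MD5 or SHA256 fingerprint."""
    info = inspect_public_key(line)
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return expected.rstrip("=") == info["sha256"]
    if expected.upper().startswith("MD5:"):
        expected = expected[4:]
    return expected.lower() == info["md5"]


def key_findings(line, min_rsa_bits=2048):
    """Return review findings for a client key; min_rsa_bits is an assumed policy."""
    info = inspect_public_key(line)
    findings = []
    if info["rsa_bits"] is not None and info["rsa_bits"] < min_rsa_bits:
        findings.append("RSA modulus is %d bits, below %d" % (info["rsa_bits"], min_rsa_bits))
    return findings


def constructed_rsa_line(bits):
    """Build a well-formed ssh-rsa line from a made-up modulus (not a usable key)."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    # The leading zero byte keeps the mpint positive when the top bit is set.
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(b"\x00" + modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    for sample in (constructed_rsa_line(1024), constructed_rsa_line(2048)):
        info = inspect_public_key(sample)
        print(info["rsa_bits"], info["md5"], info["sha256"], key_findings(sample))
```

For a real key, pass the single line from PItoSFTP_Key.pub, or the host key line supplied by the SFTP server team, to the same functions.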
SFTP Adapter configuration for ‘Key Based Authentication‘:
Example: Receiver communication channel configuration
- Business requirement case: To push/write files into external SFTP-Server’s specific folder
- As shown in the following screen, in the SFTP Receiver Communication channel, provide the SFTP server details (such as server IP/Port/Username/FilePath) and, for authentication, provide the ‘Key View’ details created above
- Fingerprint:
- If the specific SFTP server’s ‘Fingerprint’ string has been provided by the SFTP server team, enter it
- Otherwise the ‘Fingerprint’ can be ignored by entering ‘*’ (star)
- In the SFTP server folder, files are dropped with their original name by enabling ‘Adapter Specific Message-Attributes’ and using %FileName% in the ‘FileName’ input field
- Note:
- The same authentication inputs are required for the ‘Sender Communication Channel Configuration’ too (where the “business requirement case” is ‘to pull/read files from external SFTP-Server’s specific folder’)
SFTP Adapter configuration for ‘Password based authentication‘:
Example: Sender communication channel configuration
- Business requirement case: To pull/read files from external SFTP-Server’s specific folder
- In the Sender Channel, provide the SFTP server’s IP/Port/Fingerprint/Authentication details as shown in the screen below:
- Fingerprint:
- If the specific SFTP server’s ‘Fingerprint’ string has been provided by the SFTP server team, enter it
- Otherwise the ‘Fingerprint’ can be ignored by entering ‘*’ (star)
- Directory references start from the root directory of the SFTP server
- We read all files in that directory by using the Filename input .*
- To archive the files that have been read, we can use the parameters below:
- The given ‘Archive name’ moves the read file to the mentioned Archive path with the prefix ‘ARC_’ added to the original filename
very good posting with screen shots...
Hi Dilip Kumar,
you mentioned after point 4 to "Now upload Private SSH key file ‘PItoSFTP_Key.key’ in to SAP-PI server".
Why should we upload the private key into SAP-PI-Server? It's already done by creating the keystore view in PI NWA (following your script).
If we have to upload anyway, where should it be uploaded?
For generating the public key, could we use puttygen instead of using the commands in the script (which I don't know where to use)?
Thank you very much for help!
Regards
Jürg
Hi Jurg Aebersold,
For more clarity, I have updated the blog with summarized steps, which may help you, please have a look once.
Thanks & Regards
Dilip
I don't think this question has been addressed yet. I think the confusion is that you are using the words "SAP-PI server" for both the viewstore server and the location where you upload the key. Are these the same? If you have already created the key in the viewstore, why would you import it back again?
[Step-3] In SAP-PI: Upload ‘Private SSH key‘ file
Hi Victor,
Let me again summarize for you:
I hope it's clear now...
Thanks & regards,
Dilip
There is no need to maintain the private key in /home/sid/; the key should be present in the NWA Keystore view, and that should be sufficient.
Dear Manoj,
As in blog (i.e. in our case), we had managed creation of SSH keys from different system (windows OS system) using tool ‘OpenSSL’, then we had imported into SAP-PI/PO (AEX) server.
Yes, it's true, if we can manage creation of SSH keys in SAP-PI/PO itself, then there is no need for such import from external source into /home/sid/ of SAP-PI/PO.
Thanks & Regards,
Dilip Pandey
Dilip ,
Keys can be generated in PI/PO or any external tool, but the query is where do we need to maintain those keys in PI/PO for connection? As you have mentioned (step-3) it should be maintained in a PO-level folder, which is really not required, as SFTP checks the Keystore view for the keys during connection and not any OS-level folder. (Irrespective of how the keys have been generated, the keys just need to be present in the Keystore view and not in any folders.)
Thanks,
Manoj
Dear Manoj,
If you see the steps followed by us, it is like:
[1] In SAP-PI: Create ‘KeyStore View’ and ‘Keystore Entry’ and export it with ‘PKCS#12 Key Pair’ file format having extension ‘.p12’ (e.g. PItoSFTP_Key.p12 )
[2] In any ‘Windows’ system, create ‘Private SSH key’ from exported SAP-PI’s ‘.p12’ file
[2.1] Using tool ‘OpenSSL’, create ‘.pem’ key from ‘.p12’ file
[2.2] Create ‘SSH Private Key’ (e.g. PItoSFTP_Key.key ) from ‘.pem’ key
[3] In SAP-PI: Upload ‘Private SSH key’ file (PItoSFTP_Key.key file) ‘ into directory path ‘ /home/<sid>/’
[4] In SAP-PI: Generate ‘Public SSH key’ (e.g. PItoSFTP_Key.pub) using ‘ssh-keygen’ from upload key itself
And, w.r.t. your query, for connection (with SFTP), in NWA, in ‘Certificates and Keys: Key Storage‘, we have private key entry (1st step only). This is a working scenario in our premises, so I do not have any reason to doubt.
Please highlight if any query/part need to be enlighten that may help everyone who refer this blog.
The reason behind, download and upload of the keys was like, we wanted public SSH key from the created Key (in NWA of step 1), and we found that, it can be done using OpenSSL and SSH-KeyGen command lines. OpenSSL requires .p12 format key, so we exported same from NWA and created private key with PItoSFTP_Key.key format which was required by SSH-KeyGen of SAP-PI/PO to generate .pub key (Public SSH Key). Hope this para clarifies the things.
Thanks & Regards,
Dilip
Hi, the confusion is clarified now I think. See comments below.
Hi Dilip,
First and Foremost - Excellent Blog! Nice way to illustrate with pictures.
One question - Does the new SFTP adapter (SP05 Version) have listener services, like any other middleware out there which can get activated only when the third party pushes the data to it?
Hi Nitin,
Thanks for the nice comments about blog!
@Listener Services in SFTP Adapter: Please find below comments if it helps to throw some light in same regard:
Thanks & Regards,
Dilip
Hi Dilip, thanks for your Blog,
I've set up the interface like you have described, but my SFTP adapter (sender CCV) gives the error message "Nullpointerexception" when I try to read the target file with content conversion mode. When I change the adapter and do a SFTP file download and open it in local FTP server with same CCV settings then I can process it.
I've made also some analysis with xpi_inspector and get the warnings like "The string "..." could not localized" or "Could not locate resource bundle entry" and "for resource bundle 'com.sap.aii.af.service.administration.impl.i18n.rb_AAM' and locale de"
and at the result is the mentioned error message.
Do you know what the problem is?
Regards,
Ahmet
Dear Fressnapf GmbH,
Sorry for late reply..please find below input, hope it may help you if issue at your side still persists.
First you try to identify whether this error is related connectivity issue or due to CCV settings, make use of SFTP sender to just pick up files, once its ok, then go for CCV settings. Try to use XPI_Inspector every time to get detail errors.
Please let me know, if this issue is already resolved by you.
Thanks & regards,
Dilip
Hi @Dilip Kumar Krishnadev Pandey
Dear Shawn,
In Blogs (i.e. in our case), we had managed creation of SSH keys in different system (windows OS system) using tool ‘OpenSSL’, then we had imported into SAP-PI/PO (AEX) server.
If you (either basis team) can manage creation of SSH keys in SAP-PI/PO (AEX) system itself, then there is no need for upload from external source into directory path ‘/home/<sid>/’.
Thanks & Regards,
Dilip Pandey
Hi Dilip,
Me and several other comment writers regarding step 3 basically wonder why we need to save the created private SSH Key in a folder on PO. I assume the converted private SSH key is only required to create the public SSH key (both using the command line tools) in order to provide/store the public key to the SFTP server. But the private key eventually used by the SFTP adapter is the one created in the key store of PO (step 1), that’s why it’s configured in the communication channel under “private key view” and “private key entry”. (It wouldn’t make sense if the configured private key in the keystore would not be used and instead it used one that was uploaded to the /home/<sid> folder…)
That’s where the confusion comes from. Maybe you have a possibility to test it and let us know if step 3 is really needed. I will try it out too as soon as I have a chance on a system. Besides that, your blog is very detailed and very helpful!
Thanks,
Philippe
Dear Philippe,
Yes, converted private SSH key was only required to create the public SSH key (.pub file) using command lines, which we had shared with SFTP-Server.
In summary, below files were created to find publicSSHKey:
If you see the steps followed by us, it is like:
[1] In SAP-PI: Create ‘KeyStore View’ and ‘Keystore Entry’ and export it with ‘PKCS#12 Key Pair’ file format having extension ‘.p12’ (e.g. PItoSFTP_Key.p12 )
[2] In any ‘Windows’ system, create ‘Private SSH key’ from exported SAP-PI’s ‘.p12’ file
[2.1] Using tool ‘OpenSSL’, create ‘.pem’ key from ‘.p12’ file
[2.2] Create ‘SSH Private Key’ (e.g. PItoSFTP_Key.key ) from ‘.pem’ key
[3] In SAP-PI: Upload ‘Private SSH key’ file (PItoSFTP_Key.key file) ‘ into directory path ‘ /home/<sid>/’
[4] In SAP-PI: Generate ‘Public SSH key’ (e.g. PItoSFTP_Key.pub) using ‘ssh-keygen’ from upload key itself
Thanks & Regards,
Dilip
Hi Dilip,
Thanks for the feedback. Now I see where the confusion comes from! You write in step 3: “Upload ‘Private SSH key’ file (PItoSFTP_Key.key file) ‘ into directory path ‘ /home/<sid>/’”. I, and other readers probably too, assume that you upload the file to this directory so that PO can use it for the adapter, but that’s not the reason! You upload it there just to use the Linux command line tool “ssh-keygen” to convert that key into the public SSH key. So it’s temporary and has no further usage. That is not so clear in the blog, maybe you could clarify it.
Furthermore, it’s not always necessary to upload it to the PO server, because basically every Linux system, and by the way also Windows 10, can be used to convert the key (I have “ssh-keygen” available on my Windows 10 PC and did it there). (It's also possible that PO runs on a Windows server, then it might not have ssh-keygen.)
Thanks again for the otherwise helpful blog,
Philippe
Dear Philippe,
Yes, the purpose to upload the key was to create public-key using SSH-Key gen tool in SAP-PO.
If it can be done using Windows 10, that's OK, we need public SSH key finally. I will surely check utility of Windows 10, as it's a new and interesting information for me.
Thanks & Regards,
Dilip
Hi, the confusion is clarified now I think. See my other comments. Upload of the private key to PO folder is not necessary except to use the tool ssh-keygen there, if not present anywhere else on an available system.
Dear Philippe,
Yes, you are right, we had ssh-keygen in SAP-PO server only, so we had uploaded the key into respective dir and created public key.
Thanks & Regards,
Dilip
One more hint for readers: step 4 can also be done by the freeware tool puttygen (PuTTY Key Generator). Just load the .key file (private SSH key) from step 2 into the tool by choosing "Conversions - import key". The private SSH string required to put into the SFTP server (into the file "authorized_keys") is then displayed in the text box at the top of the tool (copy it from there, don't use "Save public key" as this generates another format).
thanks for the valuable input Philippe..
Dear Dilip,
In blog showing SSF key assignment. Can you please help me out how to create public key and private key for PI?
Regards,
Nagesh.
Hi Nagesh,
Creation and maintenance of SSH private/public key is given in the blog, please go through it.
There may be many ways for same, blog details are one of the alternative which I had followed.
Thanks & Regards,
Dilip
Hi Dilip,
Thanks provided information. Created SSH private key successfully. with online link.
Regards,
Nagesh.
Hi Dilip,
I want to test an existing interface using FileZilla, for which I need a .ppk file. May I know how I can achieve this?
Thanks
Deb
Hi Philippe,
I would like to test an existing interface working in production using FileZilla. I have the private key entry maintained in NWA as shown below:
certificate store
To access the SFTP box from FileZilla I need a .ppk file.
FileZilla
May I know how I can get the .ppk file?
Regards
Deb
Hi Deb,
sorry for late reply, I hope, by now, you may have already addressed the issue.
However, my comments are as: I think you are adopting "Key based Authentication", and for same, you need public SSH-Key (*.pub) file, which can be imported into SFTP-server. Respective steps are given in blog, plz refer, we have used openssl tool to generate keys.
thanks & Regards.
Dilip
Hi Dilip,
As I am running into a SFTP session being timed out. Is there a setting in adapter that can enable detail log behind the FTP session?
Currently we are tweaking with increasing the timeout and poll interval parameters to see if this timeout error goes away.
Regards,
Ajay
Hi Ajay,
Sorry for very late reply, till now, you may have already addressed the requirement
XPI_Inspector on channels always helps for detailed logs.
Regards,
Dilip
Hi Dilip,
Thanks for the detailed information, can you tell me if there is a way in using the SFTP server SSH key in SAP PO?
For example: When an external SFTP server team provides an SSH-RSA .pub key, is there a way to implement that key in SAP PO?
Thanks & Regards,
Tejas
Hi Tejas,
Sorry for the late response.
Thanks & Regards,
Dilip P.
Thanks for the blog. I read thru the threads and don't think this question has been asked:
When running command "openssl pkcs12 -in PItoSFTP_Key.p12 -out PItoSFTP_Key.pem" on Unix/Linux, I got the error "unable to load private key
140482051856192:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY"
I think the problem is that NWA exports the P12 private key in RSA format.
Hi Jonathan,
Yes we had exported private key in PKCS#12 Key Pair format having extension ‘.p12’.
But same openssl cmd syntax had worked at our side. At your side, just re-try to export the key and run the cmd.
Thanks & Regards,
Dilip
We recently patched our SFTP adapter and we get the following error (keyboard interactive)
Catching java.lang.UnsupportedOperationException: received authentication request from server which could not be processed
name=Password authentication; instruction=prompt=
at com.sap.aii.adapter.sftp.ra.rar.integration.sftp.SSHConnection$MyUserInfo.promptKeyboardInteractive(SSHConnection.java:783)
at com.jcraft.jsch.UserAuthKeyboardInteractive.start(UserAuthKeyboardInteractive.java:141)
at com.jcraft.jsch.Session.connect(Session.java:468)
at com.sap.aii.adapter.sftp.ra.rar.integration.sftp.SSHConnection.<init>(SSHConnection.java:195)
at com.sap.aii.adapter.sftp.ra.rar.jca.SFTP2XI.getConnection(SFTP2XI.java:1559)
at com.sap.aii.adapter.sftp.ra.rar.jca.SFTP2XI.sftpConnection(SFTP2XI.java:326)
at com.sap.aii.adapter.sftp.ra.rar.jca.SFTP2XI.invoke(SFTP2XI.java:250)
at com.sap.aii.af.lib.scheduler.JobBroker$Worker.run(JobBroker.java:529)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:185)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:302)
Our patch level is 1000.1.0.5.43.20210728095300. We were on SP5 previously as well, and it worked.. Only it is broken with the new patch. Do we know if SAP changed something?
Is note 1945020 (the only option)?
Hi Krish Gopalan,
We are facing the same issue. How did the issue get resolved?
How to configure the ESR for SFTP? Or can we go without ESR?