
SAP PI SFTP Adapter Authentication

Overview

  • In SAP PI, the SFTP Adapter is used to access a client’s SFTP server.
  • SAP PI can use the SFTP Adapter in the following two ways:
    1. SFTP Sender Adapter:     To pull files from a folder on the SFTP server
    2. SFTP Receiver Adapter:  To push files to a folder on the SFTP server
  • This blog covers the following aspects:
    • Authentication techniques for the SFTP server
    • SFTP Sender Communication Channel Configuration
    • SFTP Receiver Communication Channel Configuration

Authentication technique for SFTP Server:

To access an SFTP server from SAP PI using the SFTP adapter, the following details are required:

  • SFTP Server IP
  • SFTP Server Port             (default port is 22)
  • SFTP Server Fingerprint
    • If the SFTP server’s fingerprint is not available, the check can be skipped by entering * (star) in the SFTP communication channel. With *, the adapter accepts whatever host key the server presents, so the identity of the server is not verified.
    • The fingerprint can be obtained with any standard tool such as ‘FileZilla’: provide the SFTP server details (IP/Port/User-id/Password), and the tool shows the server’s fingerprint while connecting.
    • An SFTP fingerprint looks like the following:

 

The SFTP server can support any of the following authentication methods:

  1. Key Based Authentication
    • In ‘Key Based Authentication’, SAP PI’s ‘Public SSH Key’ needs to be imported into the SFTP server.
    • When connecting to the SFTP server, SAP PI uses the following details for authentication in its SFTP adapter:
      • SFTP server’s IP / Port
      • Authentication method ‘Private Key’
      • SFTP server’s user name
      • SAP PI’s ‘Private Key Store View’ details
    • For reference, the following screen of SAP PI’s SFTP adapter is given
  2. Password based authentication
    • Here the SFTP server is accessed with its user-id/password
    • For reference, the following screen of SAP PI’s SFTP adapter is given
  3. Password based authentication with ‘keyboard-interactive authentication’ [This information was added to this blog on 13-Sept-2018]
    • Here the SFTP server is accessed with its user-id/password, but it requires keyboard interaction
    • “Keyboard Interactive authentication”:
      • Sometimes the SFTP server has a property called “Keyboard Interactive authentication” enabled.
      • The standard keyboard-interactive authentication uses the ‘password’ as the interactive question.
      • Here, rather than asking for “Password”, the SFTP server asks for “Enter Password”, i.e. once the SFTP server’s IP details have been provided to connect, the server asks for the password to be typed into a ‘Password’ pop-up from the keyboard.
    • Such SFTP servers can easily be accessed with any standard tool such as ‘FileZilla’ or ‘WinScp’, because there the input always comes from the keyboard
    • But SAP PI’s SFTP adapter throws the following type of error for SFTP server connections where ‘keyboard-interactive authentication’ is required:
      • Exception received: java.lang.UnsupportedOperationException: received authentication request from server which could not be processed: destination=<sftp-UserId>@<sftp-IP>:<sftp-Port>; name=Password authentication; instruction=prompt=<sftp-UserId>’s password
    • Reason:
      • The current version of SAP PI’s SFTP adapter does not support keyboard-interactive authentication.
    • Solution:
      • Install “SFTP SP02 Patch 6” on the SAP PI server
      • There is no need to re-import the metadata of the SFTP adapter into the ‘ESB/R’ (Enterprise Service Repository)

SSH Key maintenance in SAP-PI for SFTP’s ‘Key Based Authentication’:

The steps to maintain the SSH key in SAP PI are, in summary:

  1. In SAP-PI: Create a ‘KeyStore View’ and a ‘Keystore Entry’ and export the entry in ‘PKCS#12 Key Pair’ file format with extension ‘.p12’ (e.g. PItoSFTP_Key.p12)
  2. On any ‘Windows’ system, create the ‘Private SSH key’ from the ‘.p12’ file exported from SAP PI
    • 2.1 Using the tool ‘OpenSSL’, create a ‘.pem’ key from the ‘.p12’ file
    • 2.2 Create the ‘SSH Private Key’ (e.g. PItoSFTP_Key.key) from the ‘.pem’ key
  3. In SAP-PI: Upload the ‘Private SSH key’ file (PItoSFTP_Key.key) into the directory path ‘/home/<sid>/’
  4. In SAP-PI: Generate the ‘Public SSH key’ (e.g. PItoSFTP_Key.pub) from the uploaded key using ‘ssh-keygen’

Now, let’s see detailed steps….

[Step-1] In SAP-PI: Create ‘KeyStore View’ and ‘Keystore Entry’ and export it with ‘PKCS#12 Key Pair’ file format having extension ‘.p12’

  • Go to SAP PI’s NetWeaver Administrator (nwa) page using the URL below
    • http://<host>:<port>/nwa
  • Create a new Keystore view:
    • On the nwa page, go to ‘Configuration Management’ => ‘Security’ => ‘Certificates and Keys’ => ‘Key Storage’ => ‘Content’ => ‘Keystore Views’
    • To create a new keystore view, click the button ‘Add view’
    • Enter ‘View name’ and ‘Description’ and click the button ‘Create’
  • Create a Keystore Entry in the ‘Keystore View’ that has just been created
    • Provide the details: Entry Name, Algorithm RSA, Key length 1024 or 2048, and validity time
    • Entry Type ‘Private Key’
    • Follow the remaining steps to complete creation of the Keystore Entry
  • Export the ‘Keystore View’ and ‘Keystore Entry’ (in ‘PKCS#12 Key Pair’ file format with extension ‘.p12’)
    • Select the row of the ‘Keystore view’ and its respective ‘Keystore Entry’
    • Click the button ‘Export Entry’ -> export format ‘PKCS#12 Key Pair’ -> enter a password here and note it down
    • Click the link ‘Download’ to extract the .p12 file, for example with file name ‘PItoSFTP_Key.p12’.

[Step-2] In any ‘Windows’ system, create ‘Private SSH key’ from exported SAP-PI’s ‘.p12’ file

  • Now, using the tool ‘OpenSSL’ (on any local Windows desktop), perform the following activities:
    1. Extract ‘OpenSSL’ into a directory, e.g. ‘C:/OpenSSL/’
    2. Copy ‘PItoSFTP_Key.p12’ into ‘C:/OpenSSL/bin/’
    3. Create the ‘.pem’ key file from the ‘.p12’ file using the commands below at the cmd prompt
      • cd \OpenSSL\bin
      • openssl pkcs12 -in PItoSFTP_Key.p12 -out PItoSFTP_Key.pem
      • Enter Import Password: pass1234
      • Enter PEM pass phrase: pass1234
    4. Create the ‘Private SSH Key’ from the ‘.pem’ file
      • openssl rsa -in PItoSFTP_Key.pem -out PItoSFTP_Key.key
      • Enter pass phrase for PItoSFTP_Key.pem: pass1234

[Step-3] In SAP-PI: Upload ‘Private SSH key‘ file

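  • Now upload the ‘Private SSH key’ file ‘PItoSFTP_Key.key’ into the directory path ‘/home/<sid>/’ of the SAP PI server. The file is needed there only as input for ‘ssh-keygen’ in Step-4; for the connection itself, the SFTP adapter uses the private key entry in the NWA keystore view created in Step-1.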

[Step-4] In SAP-PI: Generate ‘Public SSH key‘ 

  • Generate the ‘Public SSH Key’:
    • Using the SSH key generator on the PI server, the SSH public key can be generated from the private key file with the commands below:
      • su <sappi-adm-id>
      • chmod 600 PItoSFTP_Key.key
      • ssh-keygen -y -f PItoSFTP_Key.key > PItoSFTP_Key.pub
    • SAP PI’s ‘Public SSH Key’ file ‘PItoSFTP_Key.pub’ has now been generated
  • Note:
    • Share SAP PI’s ‘Public SSH Key’ (PItoSFTP_Key.pub) with the external SFTP server team,
    • who need to import it into their SFTP server,
    • so that access is granted when SAP PI connects through the SFTP adapter, i.e. ‘Key Based Authentication’
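
The conversion chain of Step-2 and Step-4 (.p12 → .pem → .key → .pub), run in one pass on any machine that has OpenSSL and ssh-keygen, as an added example that is not part of the original post. The sample ‘.p12’ is constructed in place of a real NWA export, and the function names and the P12_PASS variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Needs openssl and ssh-keygen.
# The .p12 password is read from $P12_PASS (assumed variable name) so that it
# does not show up in the process list.

# make_sample_p12 DIR
# Constructed stand-in for the file downloaded via NWA 'Export Entry':
# a throwaway RSA-2048 key with a self-signed certificate, packed into
# DIR/PItoSFTP_Key.p12. DIR/sample.key is kept only for cross-checking.
make_sample_p12() (
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/sample.key" -in "$1/sample.crt" \
        -passout env:P12_PASS -out "$1/PItoSFTP_Key.p12"
)

# p12_to_ssh_pub FILE.p12
# Steps 2.1, 2.2 and 4 in one pass. Prints the OpenSSH public key line.
# 'openssl rsa' writes the private key without a passphrase, so the
# intermediates live in a scratch directory readable by the owner only
# (ssh-keygen refuses key files that others can read) and are deleted
# before the function returns.
p12_to_ssh_pub() (
    umask 077
    work=$(mktemp -d) || exit 1
    if openssl pkcs12 -in "$1" -nocerts -passin env:P12_PASS \
            -passout env:P12_PASS -out "$work/key.pem" 2>/dev/null &&
       openssl rsa -in "$work/key.pem" -passin env:P12_PASS \
            -out "$work/key.key" 2>/dev/null &&
       pub=$(ssh-keygen -y -f "$work/key.key")
    then rc=0; else rc=1; fi
    rm -rf "$work"
    [ "$rc" -eq 0 ] && printf '%s\n' "$pub"
    exit "$rc"
)

# ssh_pub_fingerprint 'PUBLIC KEY LINE'
# Prints key size and fingerprint, e.g. to confirm with the SFTP server team
# that the key they imported is the one derived here.
ssh_pub_fingerprint() (
    tmp=$(mktemp) || exit 1
    printf '%s\n' "$1" > "$tmp"
    if out=$(ssh-keygen -l -f "$tmp"); then rc=0; else rc=1; fi
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && printf '%s\n' "$out"
    exit "$rc"
)

# Usage:
#   export P12_PASS='...'      # password entered at 'Export Entry'
#   p12_to_ssh_pub PItoSFTP_Key.p12 > PItoSFTP_Key.pub
```

Only the ‘.pub’ output has to leave the machine; the private key stays in the NWA keystore view.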

 

SFTP Adapter configuration for ‘Key Based Authentication‘:

Example: Receiver communication channel configuration
  • Business requirement case: To push/write files into a specific folder on an external SFTP server
    • As shown in the following screen, in the SFTP Receiver Communication channel, provide the SFTP server details (such as server IP/Port/Username/FilePath) and, for authentication, the ‘Key View’ details created above
  • Fingerprint:
    • If the SFTP server team has provided the server’s ‘Fingerprint’ string, enter it
    • Otherwise the fingerprint check can be skipped by entering ‘*’ (star)
  • In the SFTP server folder, files are dropped with their original name by enabling ‘Adapter Specific Message-Attributes’ and using %FileName% in the ‘FileName’ input field
  • Note:
    • The same authentication inputs are required for the ‘Sender Communication Channel Configuration’ too (where the “business requirement case” is ‘to pull/read files from a specific folder on an external SFTP server’)

 

SFTP Adapter configuration for ‘Password based authentication‘:

Example: Sender communication channel configuration
  • Business requirement case: To pull/read files from a specific folder on an external SFTP server
  • In the Sender Channel, provide the SFTP server’s IP/Port/Fingerprint/Authentication details as shown in the screen below:
  • Fingerprint:
    • If the SFTP server team has provided the server’s ‘Fingerprint’ string, enter it
    • Otherwise the fingerprint check can be skipped by entering ‘*’ (star)
  • Directory references start from the root directory of the SFTP server
  • All files in that directory are read by using .* as the Filename input
  • To archive the files that have been read, the parameters below can be used:
  • The given ‘Archive name’ moves each read file to the specified archive path, with the prefix ‘ARC_’ added to the original filename
28 Comments
  • Hi Dilip Kumar,

    you mentioned after point 4 to “Now upload Private SSH key file ‘PItoSFTP_Key.key’ in to SAP-PI server”.

    Why should we upload the private key into SAP-PI-Server? It’s already done by creating the keystore view in PI NWA (following your script).

    If we have to upload anyway, where should it be uploaded?

    For generating the public key, could we use puttygen instead of using the commands in the script (which I don’t know where to use)?

    Thank you very much for help!

    Regards

    Jürg

     

     

      • I don’t think this question has been addressed yet. I think the confusion is that you are using the words “SAP-PI server” for both the viewstore server and the location where you upload the key. Are these the same? If you have already created the key in the viewstore, why would you import it back again?

        [Step-3] In SAP-PI: Upload ‘Private SSH key‘ file

        • Now upload ‘Private SSH key‘ file ‘PItoSFTP_Key.key‘ in to SAP-PI server
        • Hi Victor,

          Let me again summarize for you:

          1. In PI: Create a ‘KeyStore View’ and ‘Keystore Entry’ and export it in PKCS#12 ‘.p12’ format
          2. In any Windows system:
            • Using OPENSSL tool -> convert ‘.p12’ file in to ‘.PEM’ file
            • then convert ‘.PEM’ file in to ‘.key’ file (i.e. private SSH Key)
          3. In PI: upload ‘.key’ file in to directory /home/sid/
          4. In PI: Using SSH-key-Generator, create public SSH key (‘.pub’ file) from ‘.key’ file
          5. Share this ‘.pub’ file to SFTP-Server team

          I hope it’s clear now…

          Thanks & regards,

          Dilip

           

          • There is no need to maintain the private key in /home/sid/; the key should be present in the NWA Keystore view, and that should be sufficient.

          • Dear Manoj,

            As in blog (i.e. in our case), we had managed creation of SSH keys from different system (windows OS system) using tool ‘OpenSSL’, then we had imported into SAP-PI/PO (AEX) server.

            Yes, it’s true, if we can manage creation of SSH keys in SAP-PI/PO itself, then there is no need for such import from external source into /home/sid/ of SAP-PI/PO.

            Thanks & Regards,

            Dilip Pandey

          • Dilip,

            Keys can be generated in PI/PO or any external tool, but the query is where do we need to maintain those keys in PI/PO for connection? As you have mentioned (step-3), it should be maintained in a PO-level folder, which is really not required, as SFTP checks the Keystore view for the keys during connection and not any OS-level folder. (Irrespective of how the keys have been generated, the keys just need to be present in the Keystore view and not in any folders.)

            Thanks,

            Manoj

          • Dear Manoj,

            If you see the steps followed by us, it is like:
            [1] In SAP-PI: Create ‘KeyStore View’ and ‘Keystore Entry’ and export it with ‘PKCS#12 Key Pair’ file format having extension ‘.p12’ (e.g. PItoSFTP_Key.p12 )
            [2] In any ‘Windows’ system, create ‘Private SSH key’ from exported SAP-PI’s ‘.p12’ file
            [2.1] Using tool ‘OpenSSL’, create ‘.pem’ key from ‘.p12’ file
            [2.2] Create ‘SSH Private Key’ (e.g. PItoSFTP_Key.key ) from ‘.pem’ key
            [3] In SAP-PI: Upload ‘Private SSH key’ file (PItoSFTP_Key.key file) ‘ into directory path ‘ /home/<sid>/’ 
            [4] In SAP-PI: Generate ‘Public SSH key’ (e.g. PItoSFTP_Key.pub) using ‘ssh-keygen’ from upload key itself

            And, w.r.t. your query, for connection (with SFTP), in NWA, in ‘Certificates and Keys: Key Storage‘, we have private key entry (1st step only). This is a working scenario in our premises, so I do not have any reason to doubt.

            Please highlight if any query/part need to be enlighten that may help everyone who refer this blog.

            The reason behind, download and upload of the keys was like, we wanted public SSH key from the created Key (in NWA of step 1), and we found that, it can be done using OpenSSL and SSH-KeyGen command lines. OpenSSL requires .p12 format key, so we exported same from NWA and created private key with PItoSFTP_Key.key format which was required by SSH-KeyGen of SAP-PI/PO to generate .pub key (Public SSH Key). Hope this para clarifies the things.

             

            Thanks & Regards,

            Dilip

  • Hi Dilip,

    First and Foremost – Excellent Blog! Nice way to illustrate with pictures.

     

    One question – Does the new SFTP adapter (SP05 Version) have listener services, like any other middlewares out there which can get activated only when the third party pushes the data to it?

    • Hi Nitin,

      Thanks for the nice comments about blog!

      @Listener Services in SFTP Adapter: Please find below comments if it helps to throw some light in same regard:

      • To place files in a SFTP-Folder, the Receiver SFTP-Adapter channel gets activated when Sender side pushes data on it.
      • And to read files from a SFTP-folder, the Sender SFTP-Adapter channel works on fixed Poll-Intervals to watch any SFTP-folder.

       

      Thanks & Regards,

      Dilip

  • Hi Dilip, thanks for your Blog,

     

    I’ve set up the interface like you have described, but my SFTP adapter (sender CCV) gives the error message “Nullpointerexception” when I try to read the target file with content conversion mode. When I change the adapter and do a SFTP file download and open it in local FTP server with same CCV settings then I can process it.

    I’ve made also some analysis with xpi_inspector and get the warnings like “The string “…” could not localized” or “Could not locate resource bundle entry” and “for resource bundle ‘com.sap.aii.af.service.administration.impl.i18n.rb_AAM’ and locale de”

    and at the end the result is the mentioned error message.

    Do you know what the problem is?

     

    Regards,

    Ahmet

     

    • Dear Fressnapf GmbH,

      Sorry for late reply. Please find below input, hope it may help you if issue at your side still persists.

      First, try to identify whether this error is related to a connectivity issue or due to the CCV settings: make use of the SFTP sender to just pick up files; once it’s OK, then go for the CCV settings. Try to use XPI_Inspector every time to get detailed errors.

      Please let me know, if this issue is already resolved by you.

       

      Thanks & regards,

      Dilip

    • Dear Shawn,

      In Blogs (i.e. in our case), we had managed creation of SSH keys in different system (windows OS system) using tool ‘OpenSSL’, then we had imported into SAP-PI/PO (AEX) server.

      If you (either basis team) can manage creation of SSH keys in SAP-PI/PO (AEX) system itself, then there is no need for upload from external source into directory path ‘/home/<sid>/’.

      Thanks & Regards,

      Dilip Pandey

      • Hi Dilip,

        Me and several other comment writers regarding step 3 basically wonder why we need to save the created private SSH Key in a folder on PO. I assume the converted private SSH key is only required to create the public SSH key (both using the command line tools) in order to provide/store the public key to the SFTP server. But the private key eventually used by the SFTP adapter is the one created in the key store of PO (step 1), that’s why it’s configured in the communication channel under “private key view” and “private key entry”. (It wouldn’t make sense if the configured private key in the keystore would not be used and instead it used one that was uploaded to the /home/<sid> folder…)

        That’s where the confusion comes from. Maybe you have a possibility to test it and let us know if step 3 is really needed. I will try it out too as soon as I have a chance on a system. Besides that, your blog is very detailed and very helpful!

        Thanks,

        Philippe

        • Dear Philippe,

          Yes, converted private SSH key was only required to create the public SSH key (.pub file) using command lines, which we had shared with SFTP-Server.

          In summary, below files were created to find publicSSHKey:

          1. PItoSFTP_Key.p12 (Downloaded from ‘Keystore-View/Entry’ of SAPPI/PO)
          2. PItoSFTP_Key.pem (In Windows using openssl from above file-1)
          3. PItoSFTP_Key.key (In Windows using openssl from above file-2)
          4. PItoSFTP_Key.pub (In SAP-PO using ssh-keygen from above file-3)

          If you see the steps followed by us, it is like:
          [1] In SAP-PI: Create ‘KeyStore View’ and ‘Keystore Entry’ and export it with ‘PKCS#12 Key Pair’ file format having extension ‘.p12’ (e.g. PItoSFTP_Key.p12 )
          [2] In any ‘Windows’ system, create ‘Private SSH key’ from exported SAP-PI’s ‘.p12’ file
          [2.1] Using tool ‘OpenSSL’, create ‘.pem’ key from ‘.p12’ file
          [2.2] Create ‘SSH Private Key’ (e.g. PItoSFTP_Key.key ) from ‘.pem’ key
          [3] In SAP-PI: Upload ‘Private SSH key’ file (PItoSFTP_Key.key file) ‘ into directory path ‘ /home/<sid>/’ 
          [4] In SAP-PI: Generate ‘Public SSH key’ (e.g. PItoSFTP_Key.pub) using ‘ssh-keygen’ from upload key itself

          Thanks & Regards,

          Dilip

          • Hi Dilip,

            Thanks for the feedback. Now I see where the confusion comes from! You write in step 3: “Upload ‘Private SSH key’ file (PItoSFTP_Key.key file) ‘ into directory path ‘ /home/<sid>/’”. I, and other readers probably too, assume that you upload the file to this directory so that PO can use it for the adapter, but that’s not the reason! You upload it there just to use the Linux command line tool “ssh-keygen” to convert that key into the public SSH key. So it’s temporary and has no further usage. That is not so clear in the blog, maybe you could clarify it.

            Furthermore, it’s not always necessary to upload it to the PO server, because basically every Linux, and by the way also Windows 10, system can be used to convert the key (I have “ssh-keygen” available on my Windows 10 PC and did it there). (It’s also possible that PO runs on a Windows server, then it might not have ssh-keygen.)

            Thanks again for the otherwise helpful blog,

            Philippe

          • Dear Philippe,

            Yes, the purpose to upload the key was to create public-key using SSH-Key gen tool in SAP-PO.

            If it can be done using Windows 10, that’s OK, we need the public SSH key finally. I will surely check the utility of Windows 10, as it’s a new and interesting information for me.

            Thanks & Regards,

            Dilip

    • Hi, the confusion is clarified now I think.  See my other comments. Upload of the private key to PO folder is not necessary except to use the tool ssh-keygen there, if not present anywhere else on an available system.

  • One more hint for readers: step 4 can also be done by the freeware tool puttygen (PuTTY Key Generator). Just load the .key file (private SSH key) from step 2 into the tool by choosing “Conversions – import key”. The private SSH string required to put into the SFTP server (into the file “authorized_keys”) is then displayed in the text box at the top of the tool (copy it from there, don’t use “Save public key” as this generates another format).

  • Hi Dilip,

    As I am running into a SFTP session being timed out. Is there a setting in adapter that can enable detail log behind the FTP session?

     

    Currently we are tweaking with increasing the timeout and poll interval parameters to see if this timeout error goes away.

     

    Regards,

    Ajay