Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP PI SFTP Adapter Authentication

dilipkkp2412
Contributor
‎11-03-2017 11:33 AM

Overview



  • In SAP PI, we can access SFTP server of client using SFTP Adapter.

  • SAP-PI can use SFTP Adapter in below two manners:

    1. SFTP Sender Adapter:     To pull files from SFTP server's folder

    2. SFTP Receiver Adapter:  To push files to SFTP server's folder



  • In this blog we conclude below aspects:

    • Authentication technique for SFTP Server

    • SFTP Sender Communication Channel Configuration

    • SFTP Receiver Communication Channel Configuration




Authentication technique for SFTP Server:


To access SFTP server from SAP-PI using SFTP adapter, below details are required:

  • SFTP Server IP

  • SFTP Server Port             (default port is 22)

  • SFTP Server Fingerprint

    • If SFTP Server Fingerprint details are not available then we can ignore it by providing input as * (star) in SFTP Communication channel

    • SFTP Server Fingerprint can be generated using any standard tool like 'FileZilla', where we need to provide SFTP server details (IP/Port/User-id/Password) and while connecting, tool will show SFTP's fingerprint


    • SFTP Fingerprint looks like as below:





 

Authentication methods supported by SFTP server can be of either following types:

  1. Key Based Authentication

    • In 'Key Based Authentication', SAP-PI's 'Public SSH Key' need to be imported in SFTP server.

    • While connecting SFTP- Server, SAP-PI uses following details for authentication in its SFTP-Adapter

      • SFTP Sever's IP / Port

      • Authentication method 'Private Key'

      • SFTP Server's user name

      • SAP -PI's 'Private KEY Store View' details



    • For reference, following screen of SAP-PI's SFTP-Adapter is been given




  2. Password based authentication

    • Here SFTP server is accessible via its user-id/password

    • For reference, following screen of SAP-PI's SFTP-Adapter is been given




  3. Password based authentication with case of 'keyboard-interactive authentication' [This info is been added on 13-Sept2018 into this blog.......]

    • Here SFTP server is accessible via its user-id/password but it requires keyboard interactions

    • "Keyboard Interactive authentication":

      • Sometimes, sFTP server has enabled one property called  "Keyboard Interactive authentication".

      • The standard keyboard-interactive authentication uses the 'password' as interactive question.

      • Here, rather than the SFTP server ask for "Password", it asks for "Enter Password" i.e. once SFTP server IP details provided to connect, SFTP server asks to enter password in 'Password' pop-up using keyboards.



    • Such sFTP servers can easily be accessed using any standard tool like 'FileZilla' or 'WinScp', here we always provide input from keyboard

    • But SAP-PI's SFTP adapter throws following type of error for such sFTP-server connections where 'keyboard-interactive authentication' is required

      • Exception received: java.lang.UnsupportedOperationException: received authentication request from server which could not be processed: destination=<sftp-UserId>@<sftp-IP>:<sftp-Port>; name=Password authentication; instruction=prompt=<sftp-UserId>'s password



    • Reason:

      • The current version of SAP-PI's SFTP adapter does not support Keyboard-interactive authentication .



    • Solution:

      • Install "SFTP SP02 Patch 6" in SAP-PI server

      • here, there is no need to re-import metadata of SFTP-Adapter in 'ESB/R' (Enterprise Service Repository)







SSH Key maintenance in SAP-PI for SFTP's "Key Based Authentication" :


Summarized steps to maintain SSH key in SAP-PI, are as follows:

  1. In SAP-PI: Create 'KeyStore View' and 'Keystore Entry' and export it with 'PKCS#12 Key Pair' file format having extension '.p12' (e.g. PItoSFTP_Key.p12 )

  2. In any 'Windows' system, create 'Private SSH key' from exported SAP-PI's '.p12' file

    • 2.1 Using tool 'OpenSSL', create '.pem' key from '.p12' file

    • 2.2 Create 'SSH Private Key' (e.g. PItoSFTP_Key.key ) from '.pem' key



  3. In SAP-PI: Upload ‘Private SSH key’ file (PItoSFTP_Key.key file) ‘ into directory path ‘ /home/<sid>/’

  4. In SAP-PI: Generate ‘Public SSH key’ (e.g. PItoSFTP_Key.pub) using ‘ssh-keygen’ from upload key itself


Now, let's see detailed steps....

[Step-1] In SAP-PI: Create 'KeyStore View' and 'Keystore Entry' and export it with 'PKCS#12 Key Pair' file format having extension '.p12'

  • Go to SAP-PI's netweaver (nwa) page using below url


  • Create a new Keystore view, for same,

    • Go to nwa url page => 'Configuration Management' => 'Security' => 'Certificates and Keys' => 'Key Storage' => 'Content' => 'Keystore Views'


    • To create a new keystore view, click on button 'Add view'


    • Enter 'View name', 'Description' and click button 'Create'



  • Create a  Keystore Entry in same 'KeystoreVview' which just has created above

    • Provide details as Entry Name, Algorithm as RSA and Key length 1024 or 2048, validity time


    • Entry Type 'Private Key'

    • Follow the rest step to complete creation of Keystore Entry



  • Export 'Keystore View' and 'Keystore Entry' (with 'PKCS#12 Key Pair' file format having extension '.p12')

    • Select row of  'Keystore view' and its respective 'Keystore Entry'


    • Click on button 'Export Entry' -> export format 'PKCS#12 Key Pair' -> enter a password here and note it down


    • Click on link 'Download' to extract .p12 file for example file name is 'PItoSFTP_Key.p12'.




[Step-2] In any 'Windows' system, create 'Private SSH key' from exported SAP-PI's '.p12' file

  • Now using tool 'OpenSSL' (in any windows local desktop) perform below activities:

    1. Extract 'OpenSSL' in to a directory  for e.g. 'C:/OpenSSL/'

    2. Copy 'PItoSFTP_Key.p12' into 'C:/OpenSSL/bin/'

    3. Create '.pem' key file from .p12 file using below command  in cmd prompt

      • cd \OpenSSL\bin

      • openssl pkcs12 -in PItoSFTP_Key.p12 -out PItoSFTP_Key.pem

      • Enter Import Password: pass1234

      • Enter PEM pass phrase: pass1234




    4. Create 'Private SSH Key' from '.pem' file

      • openssl rsa -in PItoSFTP_Key.pem -out PItoSFTP_Key.key

      • Enter pass phrase for PItoSFTP_Key.pem: pass1234







[Step-3] In SAP-PI: Upload 'Private SSH key' file

  • Now upload 'Private SSH key' file 'PItoSFTP_Key.key' in to directory path ' /home/<sid>/' of SAP-PI server


[Step-4] In SAP-PI: Generate 'Public SSH key

  • Generate 'Public SSH Key':

    • Using SSH Key Generator in PI-server, we can generate SSH public key from private key file, with below commands:

      • su <sappi-adm-id>

      • chmod 600 PItoSFTP_Key.key

      • ssh-keygen -y -f PItoSFTP_Key.key > PItoSFTP_Key.pub



    • Thus SAP-PI's 'Public SSH Key' file 'PItoSFTP_Key.pub' has been generated



  • Note: 

    • Share this SAP-PI's 'Public SSH Key' (PItoSFTP_Key.pub) to external sFTP-Server-Team,

    • which they need to import in their sFTP server,

    • so that, while connecting from SAP-PI using SFTP-Adapter, access can be granted i.e. 'Key Based Authentication'




 

SFTP Adapter configuration for 'Key Based Authentication':


Example: Receiver communication channel configuration


  • Business requirement case: To push/write files into external SFTP-Server's specific folder

    • As shown in following screen, in SFTP Receiver Communication channel, provide sFTP-server details (like server-IP/Port/Username/FilePath) and for authentication provide 'Key View' details as created above



  • Fingerprint:

    • if specific sFTP-Server's 'Fingerprint' string is been given from 'sFTP-Server-Team' then provide same

    • else it can also be ignored 'Finger' by giving input as '*' (star)



  • In SFTP server folder, files will be dropped with same original name by enabling 'Adapter Specific Message-Attributes' and using %FileName% in 'FileName' input field




  • Note:

    • Same authentication inputs will be required in case of 'Sender Communication Channel Configuration' too (where "business requirement case" is 'to pull/read files from external SFTP-Server's specific folder')




 

SFTP Adapter configuration for 'Password based authentication':


Example: Sender communication channel configuration


  • Business requirement case: To pull/read files from external SFTP-Server's specific folder

  • In Sender Channel, provide input for SFTP server's IP/Port/Fingerprint/Authentication details as shown in below screen:






  • Fingerprint:

    • if specific sFTP-Server's 'Fingerprint' string is been given from 'sFTP-Server-Team' then provide same

    • else it can also be ignored 'Finger' by giving input as '*' (star)



  • Directory references starts from root directory of SFTP server

  • And we are reading all files of that direcrtoy using Filename input .*

  • To archive read files, we can use below parameters:

  • Given 'Archive name' will move same read file to mentioned Archive path with prefix 'ARC_' in original filename




39 Comments
Labels in this area
Popular Blog Posts