Cloud Integration – How to Connect to an On-Premise sftp server via Cloud Connector
You may use the SAP Cloud Connector to securely connect to On-Premise systems. SAP Cloud Integration currently supports this configuration, via the connection proxy type ‘On-Premise’, in the following receiver adapters:
- AS2 (enterprise license only)
- SOAP | SAP RM
- SOAP | SOAP 1.x
- SFTP (with November release)
This includes support for connections to multiple SAP Cloud Connectors. For this use case you specify in your SAP Cloud Connector configuration a Location ID which you refer to in your sender or receiver adapter configuration.
Connect to an On-Premise sftp server via Cloud Connector
With the November 2018 release of SAP Cloud Integration we release a new version of the sftp sender and receiver adapter that supports connecting to On-Premise sftp servers using the SAP Cloud Connector. This configuration utilizes the SOCKS5 proxy supported in SAP Cloud Connector version 2.10 and higher.
You may use it in your sftp sender and receiver adapters to connect via TCP to your On-Premise sftp server. Until now, this scenario required dedicated ports to be opened in your firewall, which was often not supported by your security policy. Opening ports is now obsolete.
I assume you have already installed the SAP Cloud Connector and connected it to your SAP Cloud Platform account in which your subscription to SAP Cloud Integration resides. If not, download the SAP Cloud Connector from our tools page and follow its installation documentation.
All you need to do now is to
- configure a new Cloud to On-Premise system mapping in your Cloud Connector and
- configure your sftp sender or receiver adapter accordingly
Let’s go step by step.
Configure a Cloud to On-Premise system mapping in the Cloud Connector
Log on to your Cloud Connector and add a Cloud to On-Premise system mapping. Maintain the parameters in the wizard as follows.
Set the Backend Type to ‘Non-SAP System’.
Select the ‘TCP’ Protocol. The configuration options for TCP are not as specific as for, e.g., HTTP; that is, the SAP Cloud Connector may not restrict potential misuse from your SAP Cloud Platform account. This is referred to as a security risk.
Maintain the On-Premise sftp server and port you want to connect to.
Define the virtual sftp server & port you want to expose to your SAP Cloud Platform Account (it will be re-used later in the sftp receiver adapter configuration).
Maintain an optional description, tick the ‘Check Internal Host’ checkbox (to enable the ping test from SAP Cloud Connector to your On-Premise sftp server) and finish.
You may check and maintain your system mapping in the Cloud To On-Premise overview.
Log on to your Cloud Platform account and check the corresponding Cloud Connector status.
If all is fine, you may use the TCP connection you just established in the sftp sender or receiver adapter.
Configure the sftp Sender or Receiver Adapter
Log on to the Cloud Integration WebUI and maintain the connection parameters in the sftp adapter properties as follows.
Maintain the virtual sftp server name & port for the proxy type ‘On-Premise’. Maintain the Location ID of the Cloud Connector, if configured in the Cloud Connector. Define the Authentication configuration as required by your On-Premise sftp server.
It is important that the public key of the sftp server is added to the known hosts file under the address set in the channel. This address is the virtual server name as used in the Cloud Connector; do not use the real server name as defined in the Cloud Connector, because only the virtual server name is known to Cloud Integration.
Done. Save and deploy the integration flow. Start sending messages from SAP Cloud Integration via your own On-Premise sftp server or start polling files from your On-Premise sftp server.
If you run into errors executing your scenario you may find information for error analysis at the following places:
- Integration Content Monitor in Cloud Integration
- Message Processing Monitor in Cloud Integration
- Cloud Connector Connectivity Test
- SSH Connectivity Test
- Log File in Cloud Connector
Let’s have a short look at the different tools.
Integration Content Monitor
After deploying the integration flow you should first check in the Integration Content monitor in SAP Cloud Integration if the integration flow is started successfully. As integration flows with sftp sender adapters start polling immediately after the integration flow is started, errors during the poll are shown here. No message processing log is created in this case.
Poll Status (available with the 16-Feb-2020 update)
In the Status Details area you may find the status and the details about the current poll status:
If there is an error when polling messages via the sftp sender adapter, the error is shown here for the respective integration flow. In the Polling Information, the status of the consumption is shown as Failed.
In the below sample error, you see that an error is coming back from the SOCKS proxy of the Cloud Connector. In this case you would have to check the monitor and the log files in the Cloud Connector for more details. Check that the request reaches your Cloud Connector instance at all; maybe the Location ID in the Cloud Connector configuration does not match the Location ID used in the sftp channel?
Message Processing Monitor
The second important monitor to be checked if your scenario does not work is the Message Processing monitor in the Cloud Integration Monitoring. If there is an error sending messages to a specific sftp receiver the error would be shown here.
In the below sample error, you see that the host key is rejected. This means that the public key of the sftp server is not maintained in the known hosts file for the configured virtual sftp host. Maybe the public key is maintained with the real sftp server address? If so, this entry needs to be changed in the known hosts file. You find details about known hosts file maintenance in the blog How to setup secure connection to sftp server. Note that the public key cannot yet be downloaded via the Connectivity Test when connecting to the sftp server via Cloud Connector. The Connectivity Test will be updated soon to support this; the blog will then be updated.
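The following is an added example, not part of the original blog and not SAP tooling: an offline check of a known hosts file for the two situations described above, namely the key filed under the virtual host name (required) versus under the real server name (leads to the rejected host key). It assumes the file uses the OpenSSH text format with unhashed host names and the `[host]:port` notation for non-default ports; the host names, ports and key are constructed sample values.

```python
import base64, hashlib, struct

def fingerprint(b64_key):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_pattern(host, port=22):
    """Assumption: OpenSSH convention, non-default ports are written [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"

def parse_known_hosts(text):
    """Yield (host_patterns, key_type, b64_key); skip comments, @markers, hashed names."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue
        yield fields[0].split(","), fields[1], fields[2]

def check_mapping(text, virtual, real):
    """Classify the file for the channel address; virtual and real are (host, port)."""
    v, r = host_pattern(*virtual), host_pattern(*real)
    entries = list(parse_known_hosts(text))
    v_keys = {key for hosts, _, key in entries if v in hosts}
    r_keys = {key for hosts, _, key in entries if r in hosts}
    if v_keys:
        return "ok", sorted(fingerprint(k) for k in v_keys)
    if r_keys:  # key filed under the real name, which Cloud Integration never sees
        return "key-under-real-host", sorted(fingerprint(k) for k in r_keys)
    return "missing", []

# Constructed sample data (hypothetical hosts, dummy ed25519 key blob).
VIRTUAL = ("virtual-sftp", 2222)
REAL = ("sftp.internal.example", 22)
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = base64.b64encode(_blob).decode()
WRONG = f"# constructed\nsftp.internal.example ssh-ed25519 {SAMPLE_KEY}\n"
RIGHT = f"[virtual-sftp]:2222 ssh-ed25519 {SAMPLE_KEY}\n"

if __name__ == "__main__":
    for name, content in (("wrong", WRONG), ("right", RIGHT)):
        print(name, check_mapping(content, VIRTUAL, REAL))
```

Comparing the printed fingerprint with the one the sftp server administrator reports confirms that the entry moved to the virtual name still carries the expected key.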
SSH Connection Test
The Connectivity Test is available in Operations View in Web UI, in section Manage Security Material. Selecting the Connectivity Test tile from Overview Page opens the test tool offering tests for different protocols. To test the communication to the SFTP server, the SSH option is to be selected.
With the update on 6th of January you can select the On-Premise Cloud Connector proxy and enter a Location ID also in the SSH test to test the connection to the SFTP server via the Cloud Connector:
More details about the SSH connection test can be found in the blog How to Setup Secure Connection to SFTP Server.
Cloud Connector Connectivity Test (available with 29-September-2019 release)
The Cloud Connector Connectivity Test can be used to test if the Cloud Connector connected to the Cloud Integration tenant can be reached via the Cloud Integration’s runtime with the defined Location ID.
Like the SSH Connection Test, the Cloud Connector Test can be found in the Connectivity Tests tile in the Operations View in Web UI in section Manage Security Material. In the test tool select Cloud Connector. The only input field for the Cloud Connector test is the Location ID. Enter the Location ID you have configured in the Cloud Connector and also use in the adapter channel in the integration flow.
The test pings the Cloud Connector with this Location ID. If no Cloud Connector is connected with this Location ID the test fails:
If the Cloud Connector can be reached with the given Location ID the test executes successfully:
Cloud Connector Log
If you receive errors coming from the SOCKS proxy, you have to check the Cloud Connector log file for more information. Maybe the mapping for the used virtual host does not exist?