
Cloud Integration – How to Connect to an On-Premise sftp server via Cloud Connector

You may use the SAP Cloud Connector to securely connect to On-Premise systems. SAP Cloud Platform Integration supports this configuration via the connection proxy type ‘On-Premise’ currently in the following receiver adapters:

  • AS2 (enterprise license only)
  • OData
  • HTTP
  • IDOC
  • LDAP
  • SOAP | SAP RM
  • SOAP | SOAP 1.x
  • RFC
  • Mail
  • XI
  • SFTP (with November release)

This includes support for connections to multiple SAP Cloud Connectors. For this use case you specify in your SAP Cloud Connector configuration a Location ID which you refer to in your sender or receiver adapter configuration.

Connect to an On-Premise sftp server via Cloud Connector

With the November 2018 release of SAP Cloud Integration we release a new version of the sftp sender and receiver adapter that supports connecting to On-Premise sftp servers using the SAP Cloud Connector. This configuration utilizes the SOCKS5 proxy supported in SAP Cloud Connector version 2.10 and higher.

You may use it in your sftp sender and receiver adapters to connect via TCP to your On-Premise sftp server. Until now this scenario required dedicated ports to be opened in your firewall, which was often not permitted by your security policy. Opening ports is no longer necessary.

I assume you have already installed the SAP Cloud Connector and connected it to your SAP Cloud Platform account in which your subscription to SAP Cloud Platform Integration resides. If not, download the SAP Cloud Connector from our tools page and follow its installation documentation.

All you need to do now is to

  1. configure a new Cloud to On-Premise system mapping in your Cloud Connector and
  2. configure your sftp sender or receiver adapter accordingly

Let’s go step by step.

Configure a Cloud to On-Premise system mapping in the Cloud Connector

Log on to your Cloud Connector and add a Cloud to On-Premise system mapping. Maintain the parameters in the wizard as follows.

Set the Backend Type to ‘Non-SAP System’.

Select the ‘TCP’ protocol. The configuration options for TCP are not as specific as for e.g. HTTP, i.e. the SAP Cloud Connector may not be able to restrict potential misuse from your SAP Cloud Platform account. This is referred to as a security risk.

Maintain your On-Premise sftp server & port you want to connect to.

Define the virtual sftp server & port you want to expose to your SAP Cloud Platform Account (it will be re-used later in the sftp receiver adapter configuration).

Maintain an optional description, tick the ‘Check Internal Host’ checkbox (to enable the ping test from SAP Cloud Connector to your On-Premise sftp server) and finish.

You may check and maintain your system mapping in the Cloud To On-Premise overview.

Log on to your Cloud Platform account and check the corresponding Cloud Connector status.

If all is fine you may consume your just established TCP connection in the sftp sender or receiver adapter.

Configure the sftp Sender or Receiver Adapter

Log on to the Cloud Integration WebUI and maintain the connection parameters in the sftp adapter properties as follows.

Maintain the virtual sftp server name & port for the proxy type ‘On-Premise’. Maintain the Location ID of the Cloud Connector, if configured in the Cloud Connector. Define the Authentication configuration as required by your On-Premise sftp server.

It is important that the public key of the sftp server is added to the known hosts file under the address set in the channel. This is the virtual server name as used in the Cloud Connector; do not use the real server name as defined in the Cloud Connector, because only the virtual server name is known to Cloud Integration.
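The known hosts rule above, as an added example (not part of the original blog and not SAP code): a small Python check that reports whether the server's host key is filed under the virtual host and port or only under the internal one, and prints its fingerprint for out-of-band comparison. It assumes the known hosts file uses the OpenSSH known_hosts line format; the host names and the key blob are constructed.

```python
import base64
import hashlib

def parse_known_hosts(text):
    """Yield (host tokens, key type, key blob) for each plain-text entry."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue                           # malformed, or hashed name that cannot be compared
        try:
            blob = base64.b64decode(fields[2], validate=True)
        except ValueError:
            continue
        yield fields[0].split(","), fields[1], blob

def host_token(host, port):
    """OpenSSH writes non-default ports as [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def check_mapping(known_hosts, virtual, internal):
    """virtual/internal are (host, port). Exact-name match only, no wildcards."""
    found = {"virtual": [], "internal": []}
    tokens = {"virtual": host_token(*virtual), "internal": host_token(*internal)}
    for hosts, ktype, blob in parse_known_hosts(known_hosts):
        for side, tok in tokens.items():
            if tok in hosts:
                found[side].append((ktype, fingerprint(blob)))
    if found["virtual"]:
        return "ok", found["virtual"]
    if found["internal"]:
        return "keyed-by-internal-host", found["internal"]
    return "missing", []

# Constructed sample: hypothetical host names, key blob built from filler bytes.
KEY = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()
WRONG = f"sftp01.internal.example ssh-ed25519 {KEY}\n"
RIGHT = f"[sftp-virtual.example]:2222 ssh-ed25519 {KEY}\n"
VIRTUAL, INTERNAL = ("sftp-virtual.example", 2222), ("sftp01.internal.example", 22)

if __name__ == "__main__":
    print(check_mapping(WRONG, VIRTUAL, INTERNAL), check_mapping(RIGHT, VIRTUAL, INTERNAL))
```

A result of `keyed-by-internal-host` corresponds to the rejected host key case: the key is present, but under a name Cloud Integration never uses.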

Done, save and deploy the integration flow. Start sending messages from SAP Cloud Platform Integration via your own On-Premise sftp server or start polling files from your On-Premise sftp server.

Troubleshooting

If you run into errors executing your scenario you may find information for error analysis at the following places:

  • Integration Content Monitor in Cloud Integration
  • Message Processing Monitor in Cloud Integration
  • Log File in Cloud Connector

Let’s have a short look at the different tools.

Integration Content Monitor

After deploying the integration flow you should first check in the Integration Content monitor in SAP Cloud Platform Integration if the integration flow is started successfully. As integration flows with sftp sender adapters start polling immediately after the integration flow is started, errors during the poll are shown here. No message processing log is created in this case.

In the sample error below, you see that an error is coming back from the SOCKS proxy of the Cloud Connector. In this case you would have to check the monitor and the log files in the Cloud Connector for more details. Check that the request reaches your Cloud Connector instance at all; maybe the Location ID in the Cloud Connector configuration does not match the Location ID used in the sftp channel?

Message Processing Monitor

The second important monitor to be checked if your scenario does not work is the Message Processing monitor in the Cloud Integration Monitoring. If there is an error sending messages to a specific sftp receiver the error would be shown here.

In the sample error below, you see that the host key is rejected. This means that the public key of the sftp server is not maintained in the known hosts file for the configured virtual sftp host. Maybe the public key is maintained with the real sftp server address? If so, this entry needs to be changed in the known hosts file. Details about known hosts file maintenance can be found in the blog How to setup secure connection to sftp server. Note that the public key cannot yet be downloaded via the Connectivity Test when connecting to the sftp server via Cloud Connector. The Connectivity Test will be updated soon to support this; the blog will then be updated.

SSH Connection Test

The Connectivity Test is available in Operations View in Web UI, in section Manage Security Material. Selecting the Connectivity Test tile from Overview Page opens the test tool offering tests for different protocols. To test the communication to the SFTP server, the SSH option is to be selected.

With the update on 6th of January you can select the On-Premise Cloud Connector proxy and enter a Location ID also in the SSH test to test the connection to the SFTP server via the Cloud Connector:

More details about the SSH connection test can be found in the blog How to Setup Secure Connection to SFTP Server.

Cloud Connector Log

If you receive errors coming from the SOCKS proxy, you have to check the Cloud Connector log file for more information. Maybe the mapping for the used virtual host does not exist?

21 Comments
  • Nice, looks like improvements in both CPI and Cloud Connectors are coming really fast! Extending patterns for cloud 2 on-prem integrations will be really useful.

  • Excellent post Mandy and great to see this feature is now enabled.

     

    For the incoming SFTP connection from SCP-I to Cloud Connector, is there a list of IPs that have to be whitelisted on firewall?

     

    Regards,

    Masoud

  • Hi Mandy,

    Very nice feature, it’s great to have it.

    Is “TLS Connectivity Test via SCC” on the roadmap?
    Intuitively it’s a very similar feature – but probably less useful than SFTP connectivity though.

    Best regards,
    Tom

    •  

      TLS test is testing the SSL connection setup. In case of Cloud Connector, this is not possible as the connection to the Cloud Connector is done via HTTP and no SSL handshake takes place. The SSL connection is only established between Cloud Connector and Backend. But yes, we are thinking about options how to offer a connectivity test for HTTP connectivity via Cloud Connector.

      Best regards,

      Mandy

  •  

    Hi Mandy,

     

    Thank you for the nice blog. I’ve a slightly different scenario that I can’t seem to get working. Hopefully you might be able to provide some insight.

     

    I do want to develop a CPI flow that connects to an on-premise SFTP platform with Basic Authentication, however I want it deployed on SAP PO and not run from the cloud. Since my SAP PO and the SFTP platform are both on-premise I expected to be able to connect via regular SFTP configuration in CPI, but that doesn’t seem to work (Cannot connect to sftp://<User>@<Host>:22).

     

    Any suggestions? Do I still need the Cloud Connector although my CPI flow runs on SAP PO?!

    •  

      Hello,

      I don’t fully understand your scenario. The CPI flow should connect to the sftp server running on-premise or do you want to run the whole flow on PO via profile IGW in the Integration flow configuration? Meaning the integration flow shall be deployed to the on-premise system?

      If the flow is running in IGW runtime, there is no need to configure the Cloud Connector. This should run directly.

      Maybe you could open a ticket for the issue?

      Best regards,

      Mandy

       

      •  

        Thank you for the quick reply. I indeed want to run the whole flow on PO via profile IGW in the Integration flow configuration. Thank you for confirming that, in that case, I don’t need the Cloud Connector.

        Now that I know my setup should be correct, I’ll open a ticket to ask further assistance with the issue I’m encountering.

         

        Best Regards,

         

        Freek

  • Hi Mandy,

    we are working with the 1811 SCPI release.

    we do not have the “proxy Type” option.

    therefore we cannot select the “on Premise” option as our SFTP is exposed by the cloud connector.

    where or what can we do to have this option?

    BR

    averygoodwalker

  • Good morning, Mandy.

    How are you?

    We started the development of a proof of concept for a client this week and I have a doubt about the parameters that must be filled for the SOAP adapter receiver communication channel in SAP HCI:

    Following is the architecture that was defined for this POC:

    Legacy System Lecom (API) (On Premise) -> SAP Cloud Platform -> SAP API Management -> SAP HCI -> SAP Cloud Connector> Legacy System MXM (WebService XML/SOAP) (On Premise).

    How do I configure the adapter SOAP receiver to access the WebService of the Legacy MXM System via the SAP Cloud Connector?

    For this situation, I imported the WSDL from Legacy System MXM to SAP HCI according to the screen below, however I am in doubt about which value I should fill in the Address field.

    Should I fill the value of the Address field with the content of the Soap Address property contained in the WSDL file? Or with the content of the virtual host configured in the SAP Cloud Connector (screen also below)?

    The configuration made in the SAP Cloud Connector is with the TCP protocol and the address field on the soap adapter receiver (HCI) only accepts value with the nomenclature http: // <host>: <port>

    Could you help me?

    Regards,

    Sérgio Salomão

    •  

      Hello,

      this blog is about connecting to a sftp server via Cloud Connector, not how to connect via SOAP adapter to an on-prem backend.

      But let me give you some hints about the SOAP adapter:

      • the address field in the SOAP channel needs to contain the virtual host values defined in the Cloud Connector configuration
      • the cloud-to-on-premise configuration in the Cloud Connector configuration needs to have type HTTP or HTTPS depending how you want to connect to the backend. The virtual host attributes need to match the values set in the SOAP channel and the real endpoint address (as in the WSDL) has to be configured as internal host. This is the address that will be called from Cloud Connector.
      • The address in the SOAP adapter needs to start with http:// because the connection to the Cloud Connector is via a secure http tunnel, not via http. In the Cloud Connector you can use HTTPS to the on-premise backend.
      • Make sure you use the same Location ID in the SOAP channel and in the Cloud Connector configuration.

      I hope this helps you to set-up your communication.

      Best regards,

      Mandy