Skip to Content
Technical Articles
Author's profile photo Mandy Krimmel

Cloud Integration – How to Connect to an On-Premise sftp server via Cloud Connector

You may use the SAP Cloud Connector to securely connect to On-Premise systems. SAP Cloud Integration supports this configuration via the connection proxy type ‘On-Premise’ currently in the following receiver adapters:

  • AS2 (enterprise license only)
  • OData
  • HTTP
  • IDOC
  • LDAP
  • SOAP | SAP RM
  • SOAP | SOAP 1.x
  • RFC
  • Mail
  • XI
  • SFTP (with November release)

This includes support for connections to multiple SAP Cloud Connectors. For this use case you specify in your SAP Cloud Connector configuration a Location ID which you refer to in your sender or receiver adapter configuration.

Connect to an On-Premise sftp server via Cloud Connector

With the November 2018 release of SAP Cloud Integration we release a new version of the sftp sender and receiver adapter that supports connecting to On-Premise sftp servers using the SAP Cloud Connector. This configuration utilizes the SOCKS5 proxy supported in SAP Cloud Connector version 2.10 and higher.

You may use it in your sftp sender and receiver adapters to connect via TCP to your On-Premise sftp server. This scenario required so far dedicated ports to be opened in your fire-wall which was often not supported by your security policy. Opening of ports is now obsolete.

I assume you have already installed the SAP Cloud Connector and connected it to your SAP Cloud Platform account in which your subscription to SAP Cloud Integration resides. If not download a SAP Cloud Connector from our tools page and follow it’s installation documentation.

All you need to do now is to

  1. configure a new Cloud to On-Premise system mapping in your Cloud Connector and
  2. configure your sftp sender or receiver adapter accordingly

Let’s go step by step.

Configure a Cloud to On-Premise system mapping in the Cloud Connector

Logon to your Cloud Connector and add a Cloud to On-Premise system mapping. Maintain the parameter in the wizard as follows.

Set the Backend Type to ‘Non-SAP System’.

Select the ‘TCP’ Protocol. The configuration options for TCP are not as specific as for e.g. HTTP, i.e. the SAP Cloud Connector may not restrict potential misuse from your SAP Cloud Platform account. This is referred as security risk.

Maintain your On-Premise sftp server & port you want to connect to.

Define the virtual sftp server & port you want to expose to your SAP Cloud Platform Account (it will be re-used later in the sftp receiver adapter configuration).

Maintain an optional description, tick the ‘Check Internal Host’ checkbox (to have enable the ping test from SAP Cloud Connector to your On-Premise sftp server) and finish.

You may check and maintain your system mapping in the Cloud To On-Premise overview.

Logon to your Cloud Platform account and check the corresponding Cloud Connector status.

If all is fine you may consume your just established TCP connection in the sftp sender or receiver adapter.

Configure the sftp Sender or Receiver Adapter

Log on to the Cloud Integration WebUI and maintain the connection parameter in the sftp adapter properties as follows.

Maintain the virtual sftp server name & port for the proxy type ‘On-Premise’. Maintain the Location ID of the Cloud Connector, if configured in the Cloud Connector. Define the Authentication configuration as required by your On-Premise sftp server.

Important is that the public key of the sftp server must be added to the known host file with the address set in the channel. This correlates to the virtual server name as used in the Cloud Connector, do not use the real server name as defined in the Cloud Connector. This is because only the virtual server name is known by Cloud Integration.

Done, save and deploy the integration flow. Start sending messages from SAP Cloud Integration via your own On-Premise sftp server or start polling files from your On-Premise sftp server.

Troubleshooting

If you run into errors executing your scenario you may find information for error analysis at the following places:

  • Integration Content Monitor in Cloud Integration
  • Message Processing Monitor in Cloud Integration
  • Cloud Connector Connectivity Test
  • SSH Connectivity Test
  • Log File in Cloud Connector

Let’s have a short look at the different tools.

Integration Content Monitor

After deploying the integration flow you should first check in the Integration Content monitor in SAP Cloud Integration if the integration flow is started successfully. As integration flows with sftp sender adapters start polling immediately after the integration flow is started, errors during the poll are shown here. No message processing log is created in this case.

Poll Status (available with the 16-Feb-2020 update)

In the Status Details area you may find the status and the details about the current poll status:

If there is an error when polling messages via the sftp sender adapter the error would be shown here for the respective integration flow. In the Polling Information the status of the consumption is shown as Failed.

In the below sample error, you see that an error is coming back from the SOCKS proxy of the cloud connector. In this case you would have to check the monitor and the log files in the Cloud Connector for more details. Check that the request reaches your Cloud Connector instance at all, maybe the Location ID in Cloud Connector configuration does not fit to the Location ID used in sftp channel?

Message Processing Monitor

The second important monitor to be checked if your scenario does not work is the Message Processing monitor in the Cloud Integration Monitoring. If there is an error sending messages to a specific sftp receiver the error would be shown here.

In the below sample error, you see that the hostkey is rejected. This means that the public key of the sftp server is not maintained in the known hosts file for the configured virtual sftp host. Maybe the public key is maintained with the real sftp server address? If so, this entry needs to be changed in the known hosts file. Details about known hosts file maintenance you find in the blog How to setup secure connection to sftp server. Note that the public key cannot yet be downloaded via the Connectivity Test  when connecting to the sftp server via Clod Connector. The Connectivity Test will be updated soon to support this, the blog will then be updated.

SSH Connection Test

The Connectivity Test is available in Operations View in Web UI, in section Manage Security Material. Selecting the Connectivity Test tile from Overview Page opens the test tool offering tests for different protocols. To test the communication to the SFTP server, the SSH option is to be selected.

With the update on 6th of January you can select the On-Premise Cloud Connector proxy and enter a Location ID also in the SSH test to test the connection to the SFTP server via the Cloud Connector:

More details about the SSH connection test can be found in the blog How to Setup Secure Connection to SFTP Server.

Cloud Connector Connectivity Test (available with 29-September-2019 release)

The Cloud Connector Connectivity Test can be used to test if the Cloud Connector connected to the Cloud Integration tenant can be reached via the Cloud Integration’s runtime with the defined Location ID.

Like the SSH Connection Test, the Cloud Connector Test can be found in the Connectivity Tests tile in the Operations View in Web UI in section Manage Security Material. In the test tool select Cloud Connector. The only input field for the Cloud Connector test is the Location ID. Enter the Location ID you have configured in the Cloud Connector and also use in the adapter channel in the integration flow.

The test pings the Cloud Connector with this Location ID. If no Cloud Connector is connected with this Location ID the test fails:

If the Cloud Connector can be reached with the given Location ID the test executes successfully:

Cloud Connector Log

If you receive errors coming from the SOCKS proxy, you have to check the Cloud Connector log file for more information. Maybe the mapping for the used virtual host does not exist?

Assigned Tags

      101 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Holger Himmelmann
      Holger Himmelmann

      Great, long awaited functionality!

      Author's profile photo Piotr Radzki
      Piotr Radzki

      Nice, looks like improvements in both CPI and Cloud Connectors are coming really fast! Extending patterns for cloud 2 on-prem integrations will be really useful.

      Author's profile photo Rashmi Joshi
      Rashmi Joshi

      Very well and step by step explained... Thank you for sharing it!!!

      Is there anyway to get access to CPI/HCI system?

       

      BR,

      Rashmi

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

       

      Hi Rashmi,

      to get access to a trial tenant you may contact the mail address mentioned in the blog: https://blogs.sap.com/2013/10/22/sap-hana-cloud-integration-test-and-learn-more-about-sap-s-cloud-based-integration-solution/

      Best regards,

      Mandy

      Author's profile photo SAP CPI 3
      SAP CPI 3

      if any document or pdf of sap cpi with success factors scenarios and study material can mailed me on ghadagealpesh@gmail.com

      Author's profile photo Anshul Walia
      Anshul Walia

      It was Indeed ..

      Author's profile photo Masoud AHANCHIAN
      Masoud AHANCHIAN

      Excellent post Mandy and great to see this feature is now enabled.

       

      For the incoming SFTP connection from SCP-I to Cloud Connector, is there a list of IPs that have to be whitelisted on firewall?

       

      Regards,

      Masoud

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

       

      Hello,

      the connection from Cloud Platform Integration to the Cloud Connector is done using a secure tunnel that is established from the Cloud Connector agent running in the On-Premise network.

      the Cloud Connector Setup including setup/configuration/network/security is described in the Cloud Connector Documentation: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e6c7616abb5710148cfcf3e75d96d596.html

      Regards,

      Mandy

       

      Author's profile photo Tom Xing
      Tom Xing

      Hi Mandy,

      Very nice feature, it's great to have it.

      Is "TLS Connectivity Test via SCC" on the roadmap?
      Intuitively it's a very similar feature - but probably less useful than SFTP connectivity though.

      Best regards,
      Tom

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

       

      TLS test is testing the SSL connection setup. In case of Cloud Connector, this is not possible as the connection to the Cloud Connector is done via HTTP and no SSL handshake is taken place. The SSL connection is only established between Cloud Connector and Backend. But yes, we are thinking about options how to offer a connectivity test for HTTP connectivity via Cloud Connector.

      Best regards,

      Mandy

      Author's profile photo Tom Xing
      Tom Xing

      Hi Mandy,

      Thanks for the answer, that's what I'm asking. Sorry for the confusion.

      Best regards,
      Tom

      Author's profile photo Freek den Teuling
      Freek den Teuling

       

      Hi Mandy,

       

      Thank you for the nice blog. I've a slightly different scenario that I can't seem to get working. Hopefully you might be able to provide some insight.

       

      I do want to develop a CPI flow that connects to an on-premise SFTP platform with Basic Authentication, however I want it deployed on SAP PO and not run from the cloud. Since my SAP PO and the SFTP platform are both on-premise I expected to be able to connect via regular SFTP configuration in CPI, but that doesn't seem te work (Cannot connect to sftp://<User>@<Host>:22).

       

      Any suggestions? Do I still need the Cloud Connector although my CPI flow runs on SAP PO?!

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

       

      Hello,

      I don't fully understand your scenario. The CPI flow should connect to the sftp server running on-premise or do you want to run the whole flow on PO via profile IGW in the Integration flow configuration? Meaning the integration flow shall be deployed to the on-premise system?

      If the flow is running in IGW runtime, there is no need to configure the Cloud Connector. This should run directly.

      Maybe you could open a ticket for the issue?

      Best regards,

      Mandy

       

      Author's profile photo Freek den Teuling
      Freek den Teuling

       

      Thank you for the quick reply. I indeed want to run the whole flow on PO via profile IGW in the Integration flow configuration. Thank you for confirming that, in that case, I don’t need the Cloud Connector.

      Now that I know my setup should be correct, I’ll open a ticket to ask further assistance with the issue I’m encountering.

       

      Best Regards,

       

      Freek

      Author's profile photo Baskar Singaram
      Baskar Singaram

      Dear Freek,

      Can you help me with the queries in this link regarding hybrid landscape setup.  Thanks for your kind support.

      Regards,

      Baskar

      Author's profile photo Alexis Schaffner
      Alexis Schaffner

      Hi Mandy,

      we are working with the 1811 SCPI release.

      we do not have the "proxy Type" option.

      therefore we cannot select the "on Premise" option as our SFTP is exposed by the cloud connector.

      where or what can we do to have this option?

      BR

      averygoodwalker

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hi,

      you not only need the newest stack version, but also use the latest version of the sftp adapter. Please delete the sftp channel and newly create it. Then the latest version of the adapter is taken, old versions of the sftp adapter will not have the CC option.

      Best regards,

      Mandy

      Author's profile photo Alexis Schaffner
      Alexis Schaffner

      Mandy,

      tks a lot, the option is now available.

      one different question, how to set the FM (into the SCPI) for a RFC call from a SCPI to a on-premise target?

      BR

      averygoodwalker

      averygoodwalker

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

       

      Hello,

      for RFC adapter I'm actually the wrong contact. Here I would refer to the blog: https://blogs.sap.com/2017/07/20/how-to-use-rfc-adapter-to-execute-remote-function-module-on-abap-system/

      Maybe ask your question there?

      Best regards,

      Mandy

      Author's profile photo Alexis Schaffner
      Alexis Schaffner

      Thank you for the support

      Author's profile photo Ramos de Oliveira Sergio Alberto Salomao
      Ramos de Oliveira Sergio Alberto Salomao

      Good morning, Mandt.

      How are you?

      We started the development of proof of concept for a client this week and a I have a doubt about the parameters that must be filled for the soap adapter receiver communication channel in SAP HCI:

      Following is the architecture that was defined for this POC:

      Legacy System Lecom (API) (On Premise) -> SAP Cloud Platform -> SAP API Management -> SAP HCI -> SAP Cloud Connector> Legacy System MXM (WebService XML/SOAP) (On Premise).

      How do I configure the adapter soap recevier to access WebSerivce of the Legacy MXM System via the SAP Cloud Connector?

      For this situation, I imported the WSDL from Legacy System MXM to SAP HCI according to the screen below, however I am in doubt about which value I should fill in the Address field.

      Should I fill the value of the Address field with the content of the Soap Address property contained in the WSDL file? Or with the content of the virtual host configured in the SAP Cloud Connector (screen also below)?

      The configuration made in the SAP Cloud Connector is with the TCP protocol and the address field on the soap adapter receiver (HCI) only accepts value with the nomenclature http: // <host>: <port>

      Could you help me?

      Regards,

      Sérgio Salomão

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

       

      Hello,

      this blog is about connecting to a sftp server via Cloud Connector, not how to connect via SOAP adapter to an on-prem backend.

      But let me give you some hints about the SOAP adapter:

      • the address field in the SOAP channel needs to contain the virtual host values defined in the Cloud Connector configuration
      • the cloud-to-on-premise configuration in the Cloud Connector configuration needs to have type HTTP or HTTPS depending how you want to connect to the backend. The virtual host attributes need to match the values set in the SOAP channel and the real endpoint address (as in the WSDL) has to be configured as internal host. This is the address that will be called from Cloud Connector.
      • The address in the SOAP adapter needs to start with http:// because the connection to the Cloud Connector is via a secure http tunnel, not via http. In the Cloud Connector you can use HTTPS to the on-premise backend.
      • Make sure you use the same Location ID in the SOAP channel and in the Cloud Connector configuration.

      I hope this helps you to set-up your communication.

      Best regards,

      Mandy

      Author's profile photo Ramos de Oliveira Sergio Alberto Salomao
      Ramos de Oliveira Sergio Alberto Salomao

      Thank you very much for the information

      Author's profile photo Vikas Singh Rajpurohit
      Vikas Singh Rajpurohit

      Thanks Mandy for the great blogs!!

      Author's profile photo Holmberg Liv
      Holmberg Liv

      Hi all,

      this sFTP adapter seems to be only for on-premise systems, is this correct?

      I need an sFTP receiver & sender adapter to a 3'rd party cloud system. Is this a go or no-go at this point or is it a similar configuration process? Any other things to consider for a cPI to Cloud connector?

      Thanks in advance for shedding light on this.

      LH

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello,

      no, the sftp adapter can be used to any accessibly sftp server as well. If the adapter is used without proxy On-Premise than you can connect to any sftp server accessible from the internet.

      Best regards,

      Mandy

      Author's profile photo Vaishali Rani
      Vaishali Rani

      Hi Mandy,

       

      Thanks for the blog. I have a question, how can I pick files from local directory(NFS). Do I use the same concept. But what will be the address then?

      Regards,

      Vaishali

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello

      this is not supported with the sftp adapter.

      Best regards,

      Mandy

      Author's profile photo Vaishali Rani
      Vaishali Rani

      Hi Mandy,

      Thanks for your reply. Would you know how we can pick files from on prem directory in CPI. In PO 7.5 it is using NFS.

      I assumed we could follow the same approch to connect to system on prem and fetch file using SFTP adapter.

      Regards,

      Vaishali

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello,

      in PO this can be done using the file adapter, the sftp adapter cannot access NFS on-prem file shares. This is not possible with CPI, you need to use an sftp server.

      Best regards,

      Mandy

      Author's profile photo Harsha Gaonkar
      Harsha Gaonkar

      Hi Mandy

       

      SFTP is installed on S4 HANA and Cloud connector is installed on S4 HANA.

      I did Virtual host mapping on cloud connector then I use Virtual host in SFTP Receiver adapter.

      I used Virtual host name-ssh-rsa - <Public key> in KNOWN_HOST file

      My Proxy type is "ON PREMISE" and I am using Authentication as UserName/password ,

      Still I am getting Error

      HostKey has been changed

      Please help

      is issue that SFTP  on S4 HANA?

      Thanks

      Harsha

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello,

      it’s hard to analyze with having only these details. In general the configuration you described should be sufficient. What does the Connectivity Test tell you? Maybe the known hosts file does not really contain the correct host key?

      The error means that there is an entry for this host in the known hosts file, but the host key does not fit to the one provided by the server.

      Please do the connectivity test with the virtual host name you also use in the cloud connector. And add the host key returned in the known host file with virtual host name.

      Maybe someone changed the configuration in the cloud connector and the real host now points to a different host? Or there is another Cloud Connector with another location ID using the same virtual host? The virtual host needs to be unique across location IDs.

      This should work.

      Best regards,

      Mandy

      Author's profile photo Harsha Gaonkar
      Harsha Gaonkar

      Hi

      Thanks a lot Mandy.

      You are incredible.

       

      S4 HANA SFTP team give me public key. I was using that in Known_Host file.

      after you suggestion, I use connectivity test and copy host key from Connectivity test.

      I used that In Known_host file.

      It is working now.

       

      Thanks

      Harsha

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Thank you for the info. I'm happy that it works now 🙂

      Author's profile photo Former Member
      Former Member

      Dear Mandy,

      It seems you're the best person to which to ask the following : is there a way to connect SMB/CIFS  shares, from C/4 Cloud to an on-premises Windows server. I've the feeling the answer will be no, but I keep my fingers crossed 😉 And if not, is such a function in the SCC development pipeline ?

      Thanks in advance for youur precious help

       

      Gilles

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hi,

      sorry, but I do not understand how this is related to CPI? Maybe you could give some more context on the part of CPI in such a scenario? In CPI there is no adapter to connect via SMB/CIFS to Windows servers.

      BR

      Mandy

      Author's profile photo Pavan G
      Pavan G

      Hi Mandy,

      Thanks for the detailed blog.

      I am trying to deploy the known_hosts file to my CPI tenant to establish the connection between SFTP and CPI.

      But I am getting the below error:

      “Deploy artifact failed with error: You are not authorized to perform this operation”

      I am having the admin roles.

      Please let me know if I am missing anything.

      Regards,

      Pavan

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      As the message indicates you have no authorization to deploy security artifacts. You need tenant administrator rights for deploying security artifacts.

      Best regards,

      Mandy

       

      Author's profile photo Pavan G
      Pavan G

      Thanks, Mandy

      I have assigned the roles to my S-User and I am able to deploy the known_hosts file now.

       

      Regards,

      Pavan

      Author's profile photo Pushkar Patel
      Pushkar Patel

      Hi Mandy,

      Thanks for sharing this.

      Is there any option to connect to NFS  from CPI via Cloud Connector ?

      Thanks,
      Pushkar

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      No, this is not possible with the sftp adapter.

      Author's profile photo Pushkar Patel
      Pushkar Patel

      Thanks Mandy for your reply, do you think it can be a possibility with future release ?

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      It's currently not on the roadmap. But if there are multiple customer requests into this direction we will for sure evaluate the request further.

      Best regards,

      Mandy

      Author's profile photo Siva Po
      Siva Po

      Hi Mandy,

      If I need to connect to SFTP Server through Internet (not cloud connector On-Premise), do I need to  Create a OSS note to SAP OPS team to whitelist the SFTP Server IP address ?

      Asking since I am getting "socket is not established" exception while testing the connectivity from CPI.  I have maintained known_host file correctly.

      Thanks.

       

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello,

      you need to open the ports in your firewall to allow connection to your sftp server. The sftp server needs to be accessible from internet. See: https://help.sap.com/viewer/ea72206b834e4ace9cd834feed6c0e09/Cloud/en-US/d722f7cea9ec408b85db4c3dcba07b52.html

      BR,

      Mandy

      Author's profile photo Ameer Khan
      Ameer Khan

      Hi Mandy,

       

      Thanks for the valuable blog.

      I have a scenario where the requirement is to place a file in a local folder in S4 HANA via CPI.

      I understand we cannot do it by using ftp/nfs in CPI.

      Can you suggest if there is an option to place a file in S4 HANA folder by using CPI.

       

      Thanks in advance.

       

      Best Regards,
      Ameer

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello,

      in CPI there is no file/nfs adapter. You need a sftp or after the T5 upgrade a ftp adapter that can put files to sftp or ftp servers. From there you may have some file move tool running that puts the file to the S/4 local folder.

      BR

      Mandy

      Author's profile photo Shoukat Ali
      Shoukat Ali

      Mandy Krimmel we get the following error when try to connect to on premise sftp from cloud connector:

      com.jcraft.jsch.JSchException: ProxySOCKS5: java.net.SocketTimeoutException.
      in the cloud connector, mapping virtual to internal host is present. is there any firewall or port to be opened?
      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello,

      this error comes from the Cloud Connector. Please re-check the configuration in the sftp channel and the virtual host mapping in the Cloud Connector. And check that the known host entry for the key is maintained with the server configured in the sftp channel.

      Furthermore please check in the Cloud Connector logs.

      Best regards

      Mandy

      Author's profile photo Shoukat Ali
      Shoukat Ali

      in the cloud connector, at mapping level check it is not reachable. in the cloud connector log there is timeout exception.

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello,

      then the sftp server seems not reachable from where the Cloud Connector is installed?

      BR

      mandy

      Author's profile photo Shoukat Ali
      Shoukat Ali

      Yes, it's not reachable from cloud connector. Is it firewall or white listing issue?

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      As this is all installed in the on-prem landscape you should know if there is a firewall between the CC and the sftp server and what to configure that the connection can be established. Maybe you consult with your network administrator?

      BR

      Mandy

      Author's profile photo Naresh Dasika
      Naresh Dasika

      Hello Mandy,

      AS-IS Interface on SAP PO is:

      Concur SFTP --> (SFTP Sender channel) --> SAP PO -> (File/NFS channel) SAP ECC directory (AL11)

      As part of SAP PO to SAP CPI migration, we have to move this Integration from SAP PO to CPI.

      Hence looking to establish a connection from SAP CPI to SAP SCC to SAP ECC (AL11).

      Since there is no NFS/File adapter available in CPI adapters list, how can we move forward here? Moving the file to SFTP and setting up another job to move the file from SFTP to ECC AL11 doesn't look good here as it has many hops. File/NFS adapter is pretty much required for the customers who migrate their interfaces from SAP PO to SAP CPI. It would be really helpful If SAP can get this adapter at the earliest.

       

      Regards,

      Naresh Dasika

       

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello,

      in Cloud Integration there is no File Adapter planned at the moment. The adapters for file transfer are sftp and ftp, because the file adapter is nothing that works in the cloud.

      If you want to move such scenarios using file transfer you need to adjust the scenario.

      Best regards

      Mandy

      Author's profile photo Naresh Dasika
      Naresh Dasika

      Submitted an Improvement Idea for File adapter in SAP CPI.

      https://influence.sap.com/sap/ino/#/idea/262010/?section=sectionVotes

       

      Author's profile photo Toni Cunill
      Toni Cunill

      Very good link

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hi

      this error sounds like the hostname in your channel does not match the virtual host in the cloud connector configuration.

      Best regards

      Mandy

      Author's profile photo Yeswanth Posam
      Yeswanth Posam

      Hi Mandy,

      I am unable to add known host file in security material. I have copied the Host key for Host and port configured in cloud connector but unable to add key in known host file.

      Please find the screenshots below.

      Virtual Host and port as configured in CC

      Connectivity%20Test

      Copied the key and pasted it in Notepad and uploaded it in Security Material --> known hosts

      known_hosts

      known_hosts

      Error when uploaded in Security Material

      Connectivity Test

      Is it validating host used as Virtual Host in Cloud connector? If so, what should be configured in known_hosts file.

       

      Regards,

      Yeswanth

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Looks like the format of the known hosts file is wrong, please check that it really is having following format:

      ld2345.wdf.sap.corp ssh-rsa AAAAB3NzaC1yc2EAAAo………2pOx2ADnZ1WwtjW48=

      Whereas the server name needs to be the virtual host name entered in the sftp channel.

      BR

      Mandy

      Author's profile photo Yeswanth Posam
      Yeswanth Posam

      Hi Mandy,

      I have configured below details in SFTP sender channel.

      Address = Hostname:Port (virtual_sftp:450)

      SFTP%20channel%20Configuration

      SFTP channel Configuration

      I tried uploading known hosts files in below 2 formats.

      Hostname:Port as configured in Sender channel (copied and pasted the host key from Connectivity Test tab)

      Modified file with only Hostname(i.e. server name) as per host key file structure

      but I am getting same error as below for 2 files

      and I assume Iflow could not be deployed because of known hosts file issue as per below issue while deployment

      deployment%20issue

      deployment issue

      Regards,

      Yeswanth

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Could you please change your virtual host name to something without underscore. The underscore is the problematic character. See:

      https://en.wikipedia.org/wiki/Hostname#Syntax

      Note that you will then also have to change it in Cloud Connector and in sftp channel.

      Best regards

      Mandy

      Author's profile photo Shiveta Pandita
      Shiveta Pandita

      Hi Yeswanth,

       

      Your scenario seems pretty much like mine, I just have a query, I am getting the below error after creating the cloud-on premise system mapping and hence the connectivity test ping from CPI is also not successful.

      Any help would be appreciated.

       

      Regards,

      Shiveta

      Author's profile photo Yeswanth Posam
      Yeswanth Posam

      Hi Shiveta,

      I tried by removing "_" in Virtual host as Mandy stated above but at Cloud connector level "_" does not matter. Please check by removing "_" and also try deleting mapping and create again as status is "Not Reachable".

       

      Regards,

      Yeswanth

      Author's profile photo Yeswanth Posam
      Yeswanth Posam

      Thanks Mandy,

      I am able to pick file from on-premise sftp server now after removing "_".

       

      Regards,

      Yeswanth

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Thanks for confirming 🙂

      Author's profile photo Shiveta Pandita
      Shiveta Pandita

      Hi Mandy,

       

      I have the exact scenario(S4 on premise -> CPI -> cloud application) in my project, but we are struggling at the "Connectivity Test" step in CPI. I have done all the configurations in CPI & cloud connector but still not able to generate the "known_hosts" file in CPI, getting the below error.

      Any idea what might be the issue? also is there any other way to generate the known_hosts file?

       

      Thanks in advance.

       

      Shiveta

      Author's profile photo Yeswanth Posam
      Yeswanth Posam

      Hi Shiveta,

      I think Cloud connector is not required for S4 on-prem --> CPI(required only for CPI --> S4 on-prem) connectivity and known hosts file is only for integrating CPI with SFTP server.

      If SFTP adapter with on-prem server is on sender or receiver side is used, then Cloud connector is mandatory(as CPI needs to pick/drop file in SFTP server folder).

       

      Regards,

      Yeswanth

      Author's profile photo Shiveta Pandita
      Shiveta Pandita

      Hi Yaswanth,

       

      That's absolutely true, and we won't be using the cloud connector for any outbound SFTP interface from S4 to CPI. The issue we have is the generation of "known_hosts" file which we are not able to generate.

      We have tried pinging S4 SFTP host and as well as cloud connector (virtual host) from CPI's test connectivity tab  but neither of these connections have been yet successful.

      Regards,

      Shiveta

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello,

      still struggling to understand the problem. you are trying to connect to a sftp server from CPI?

      What do you mean by generate known_hosts file? This file is not generated, this file is usually created by the admin and contains all connected sftp hosts with their public keys.

      Known Hosts File - SAP Help Portal

      Did you create the known hosts file and deploy it in the cloud integration tenant?

      BR

      Mandy

      Author's profile photo Barath Vivekanandan
      Barath Vivekanandan

      Hi Mandy,

      I'm trying to connect single On-Premise system as both sender and receiver to test the transmission of file using SFTP adapter.

      1. Cloud connector is reachable and deployed perfectly.
      2. Connectivity test has been done successfully.
      3. Directories test has been done successfully, that we can able to access the directories we need.

      I deployed the iFlow perfectly and the status is started. But the file didn't move to the target path which was configured in the receiver point.

      Is there anything that needs to be setup?

       

      Thanks,

      Barath V

       

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello,

      what is the error you see in the message processing log?

      BR

      Mandy

      Author's profile photo Dinesh M
      Dinesh M

      Hi Mandy,

      I exposed one of my folder in system , The root directory is as below

      G:\SFTP\data

      Root Folder: data

      When I mention the root path exactly( as given above) in CPI, it throws error as invalid so I changed backward slash to forward slash. Now, flow is deployed but the data transfer is not happening

      Any idea what could be the issue?

      (I tried by giving only root folder path as well instead of full path but even in that case data transfer is not happening )

      Thanks,

      Dinesh

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hi Dinesh,

      please note that this is an SFTP Adapter, not a file adapter. It picks files from sftp servers, not from your local system. You need to offer the files on an sftp server that can be connected via SSH. Please use the SSH connectivity test to test this connectivity.

      Best regards

      Mandy

      Author's profile photo Dinesh M
      Dinesh M

      Hi Mandy,

      I used an external app to expose my folders. I fixed the issue

      Directory path I haven't provided properly.

      Thanks,

      Dinesh

      Author's profile photo Vijayraj Pediredla
      Vijayraj Pediredla

      Hi Mandy,

      Its absolutely a great article but still finding it difficult to connect the dots for various business use cases.

      We have a scenario, where S4HANA is the source and want the customer requisitions to be captured in a downstream application. We recently purchased HCI PI for different API solutions and also since CPI-DS was not able to give the results as the destination is only IBP. or SFTP or FTP

      We would like to pull the data either by using ODATA or IDOC or extractors and then convert it into CSV file and upload to SharePoint/SFTP/FTP anyone should be fine.

      Can you please let us know if there is any such use case built or details that can help us to build this solution. Definitely from the beginning.

      We do not have a cloud connector. We have our own proxies.

      Really Appreciate your help.

       

      With Regards

      Vj

       

       

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello Vj,

      cloud integration is providing a wide range of adapters, not only sftp and ftp. It is also providing OData and SOAP and IDoc adapters for connectivity towards different backends. It provides a CSV converter to convert data to csv format.

      Best is to first check in the API business hub (SAP API Business Hub) if integration examples for your kind of scenario already exist. This would be the easiest solution. Else you can still build your custom integration with cloud integration.

      Please refer to this getting started documentation:

      Learn the Basics - SAP Help Portal

      Integration Flow Design Guidelines - SAP Help Portal

      Best regards

      Mandy

       

      Author's profile photo Vijay Pediredla
      Vijay Pediredla

      Hi Mandy,

       

      These links are quiet helpful to start with.

      Appreciate your help for supporting us.

       

      With Regards

      Vj

       

       

      Author's profile photo Sanjeeb Sarkar
      Sanjeeb Sarkar

      Hi Mandy,

      Thank you so much for this blog, and also thank you for keep coming here to solve each and everyone's query.

       

      That being said, I have an ftp to sftp scenario. I know it is not the same as yours but I am a little  stuck here, so it wud be great if you can help me out.

      I have setup the cloud connector and added an entry in the ACL for the FTP server, and the server is reachable.

      connectivity%20test

      connectivity test

       

      Now in the above image, If perform the test without the "Check Directory Access" option, the test is coming successfull.

       

      Can you please tell me what mistake I am making ? If i browse the ftp url in the local system browser with the folder path, I am able to see the files getting listed.

       

      Any help will be appreciated.

      Thank you.

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello

      this error comes from the Cloud connector, probably you have only maintained port 21 for the control connection but not the other ports for the data connections.

      For the setup of the connection to ftp server please refer to this blog: Cloud Integration – Connecting to FTP(S)-servers using the FTP Adapter | SAP Blogs

      Check especially the chapter about Cloud Connector configuration.

      Bes regards

      Mandy

      Author's profile photo Sanjeeb Sarkar
      Sanjeeb Sarkar

      Hi Mandy,

      Thank you so much for coming to the rescue. Yes you are correct, we have only made a single entry of port 21 in the Cloud Connector.

      ftp%3A21%20entry%20in%20SAP%20CC

      ftp:21 entry in SAP CC

      So the way I see it, these are the following additional steps I need to have :

      1. Enable passive mode in FTP server,
      2. Get the list of data ports from the Ftp server admin,
      3. create a json structure according to ur blog and add all the ports there in each json object and import it in the CC .

      list will be like :

      <virtualhost:dataport1>,

      <virtualhost:dataport2>,

      <virtualhost:dataport3>,

      etc.. 

      These sound correct right ?

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Please follow the description from the ftp blog and the linked Cloud Connector documentation.

      Best regards,

      Mandy

      Author's profile photo Sanjeeb Sarkar
      Sanjeeb Sarkar

      Hi Mandy,

      Yeah, I am doing it right now.

      Thank you so much for the inputs, it put me on the right path.

       

      Author's profile photo Saurabh Kumar
      Saurabh Kumar

      Hi Mandy,

       

      Thanks for the blog.

      SFTP server set up at Cloud connector is reachable ,But it is not getting reflected in CPI BTP Cloud connector in any instance.
      Due to which while doing connectivity test I am getting Error : ProxySOCKS5 server returns2.

      Please suggest .

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      This sounds like a misconfiguration of the settings in the cloud connector. Maybe the location ID does not fit or the settings in the configuration of the instance are not correct? It is hard to analyze without details and logs. I would propose you open a ticket on LOD-HCI-PI-CON-SOAP so that the colleagues can have a look.

      Best regards

      Mandy

      Author's profile photo Deepika B
      Deepika B

      Hi Mandy,

       

      Recently I had a requirement to connect on premise system to IAS cloud. For that I have defined the destinations in SAP BTP and given a technical user( communications type) to connect to backend.

      Suddenlly it removed the roles from J2ee_admin * SAPJSF user and all other roles related to java are deleted from the ABAP side. Is there any specific reason it would have happened. Kindly let me know what per cautions do we need to take while setting the destinations in SAP BTP.

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      I can not imagine that the roles were deleted because there was a BTP destination pointing to the PO system. I would suggest you open a ticket on PO for this to find the root cause.

      Best regards

      Mandy

      Author's profile photo Christian Sperlich
      Christian Sperlich

      Hi Mandy,

       

      awesome blogs and information on your blog posts. Thanks a lot for sharing those with us.

      We are on our way from SAP PO --> Integration Suite and have successfully installed the Cloud Connector and also configured it to our tenant. In the Subaccount I see the CloudConnector successful connected as well as the exposed backend systems as available.

       

      Anyhow, when I try the mentioned Connectivity Test within the Integration Suite I'm getting a "Could not connect to Cloud Connector"

      Any help will be appreciated.

      Christian

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello Christian,

      its hard to analyze this from remote. I would first suggest to test the Cloud Connector connectivity test, afterwards try SSH connectivity test with Cloud connector option. Select authentication None for the beginning to check the basic connectivity.

      Please make sure you fill the correct location ID as used in the cloud connector, check for correct typing, also for capital and small letters.

      Best regards

      Mandy

      Author's profile photo Christian Sperlich
      Christian Sperlich

      Hi Mandy,

      thanks for your answer - of course it is VERY(!) difficult via remote 😉

      Here is a screenshot from the Subaccount

      As you can see the Instance with the destination ID CC1 is connected

       

      When I now try the connectivity test in the integration suite it didn't work:

       

      I also has changed the Location ID to nothing (default) also to small letters also to only characters without numbers.

      The same behavior is true for my trail account also.

      Thanks again for your help

      Christian

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello Christian,

      that looks indeed strange. Is the subaccount were the cloud connector configuration screenshot is taken from really the same one you execute the connectivity test?

      Did you check the logs in the cloud connector and the logs in Cloud Integration? Can you see some error there?

      Best regards

      Mandy

      Author's profile photo Christian Sperlich
      Christian Sperlich

      Hi Mandy,

      we only have one subaccount, so this should be ok 😉

      I see SSL-Handshake Errors in the logs of the CC

      An exceptioni was thrown by com.sap.core.connectivity.spi.ssl.SSLHandshakeValidator.operationComplete()

      handshake timed out after 10000ms

      Did I miss a configuration step? But why is everything green? I'm also able to disconnect from Cloud Cockpit and reconnect via CloudConnector  - all this works as expected.

      Thanks for your reply

       

      Christian

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello Christian,

      valid points, which I cannot answer. I would suggest to open a ticket on Cloud Connector component: BC-MID-SCC. Please add the configuration details and the error details from the log.

      Would be great if you could update here after the error is resolved.

      Thank you,

      Mandy

      Author's profile photo Christian Sperlich
      Christian Sperlich

      Hi Mandy,

      we've circumscribed the error regarding to the firewall. Despite we have all configured as mentioned at https://help.sap.com/docs/CP_CONNECTIVITY/cca91383641e40ffbe03bdc78f00f681/e23f776e4d594fdbaeeb1196d47bbcc0.html?locale=en-US something is very dynamicly handled from AWS when upgrading to websocket communication (this can be found in the logs of the CloudConnector).

      Our security team told me that handling this behavior is very hardware/firewall specific and depends also on the security guidelines of the company.

      For others, facing this error, it may be helpfull to look on the ssl logs in CloudConnector and find entries like "upgrading to Websocket" / "Will use connection upgrade protocol websocket". In the next lines you'll find some proxy-URLs from AWS and also IPs that are not mentioned in the SAP Doku.

      Best regards

      Christian

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      thank you for sharing those details.

      Author's profile photo Archana Vijay
      Archana Vijay

      Hi Mandy,

       

      Thank you for the detailed steps. the exact configuration is working when we give one of the application servers (its working with ci hostname or additional application server hostname but with the web dispatcher - we are trying with web dispatcher to dispatch requests to the backend servers).

       

      SAP CPI ->Cloud Connector -> Backend systems (works)

      SAP CPI ->Cloud Connector -> Web Dispatcher -> Backend systems (Not working)

      Can the web dispatcher dispatch request from CPI to backend requests? is this scenario supported with CPI? Could you please confirm?

       

      Thanks in advance.

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello,

      I dont fully understand your question. Are you trying to connect to an sftp server via web dispatcher? This does not work, web dispatcher is used for HTTP requests, sftp is using SSH protocol (SOCKS proxy in the cloud connector/TCP connection).

      Or are your trying to connect to ABAP, which has nothing to do with the description in this blog as this is for sftp using the SOCKS proxy in the cloud connector.

      If connecting via HTTP the configuration is different and should be via the HTTP connection in the cloud connector. Please refer to Cloud Connector | SAP Help Portal. If something is not working in this configuration I would suggest you open a ticket on BC-MID-SCC.

      Best regards

      Mandy

      Author's profile photo Anand Gopinath
      Anand Gopinath

      Hi Mandy,

      Are the steps listed, also applicable for connecting to sFTP servers that are outside the intranet in which the SAP BTP Integration platform resides?

      As an example, connecting to on-premise sFTP servers of external partners(logistic partners, banks etc.) that reside outside the organization intranet.

       

      Thanks,

      Anand

      Author's profile photo Mandy Krimmel
      Mandy Krimmel
      Blog Post Author

      Hello Anand,

      in general there are three different configurations:

      1. The sftp server can be reached from internet. In this case you can directly connect from Cloud Integration to the sftp server. In this case the sftp server provider needs to allow-list the IP Addresses from Cloud Integration.
      2. The sftp server cannot be reached from internet, but can be reached from customer intranet, e.g. via VPN. In this case the connection via cloud connector could work, but you need to discuss this setup with the network experts and the contacts from the sftp server provider as this may be rated as a backdoor in a secure network.
      3. The sftp server cannot be reached from internet and only via a specific proxy. Such setups may be supported in future when SAP offers the Edge Integration Cell which can be installed in on-prem/private cloud networks.

      Best regards

      Mandy

      Author's profile photo Anand Gopinath
      Anand Gopinath

      Thank you, Mandy for the detailed response. It has made things a lot clearer now.

      Thanks,

      Anand

      Author's profile photo maxx currey
      maxx currey

      Remember no such thing as "On-premise" in real English.  The term should be "on premises".  A "premise" is not a location, but a proposition.