Skip to Content
Technical Articles

Cloud Integration – How to Connect to an On-Premise sftp server via Cloud Connector

You may use the SAP Cloud Connector to securely connect to On-Premise systems. SAP Cloud Platform Integration supports this configuration via the connection proxy type ‘On-Premise’ currently in the following receiver adapters:

  • AS2 (enterprise license only)
  • OData
  • HTTP
  • IDOC
  • LDAP
  • SOAP | SOAP 1.x
  • RFC
  • Mail
  • XI
  • SFTP (with November release)

This includes support for connections to multiple SAP Cloud Connectors. For this use case you specify in your SAP Cloud Connector configuration a Location ID which you refer to in your sender or receiver adapter configuration.

Connect to an On-Premise sftp server via Cloud Connector

With the November 2018 release of SAP Cloud Integration we release a new version of the sftp sender and receiver adapter that supports connecting to On-Premise sftp servers using the SAP Cloud Connector. This configuration utilizes the SOCKS5 proxy supported in SAP Cloud Connector version 2.10 and higher.

You may use it in your sftp sender and receiver adapters to connect via TCP to your On-Premise sftp server. This scenario required so far dedicated ports to be opened in your fire-wall which was often not supported by your security policy. Opening of ports is now obsolete.

I assume you have already installed the SAP Cloud Connector and connected it to your SAP Cloud Platform account in which your subscription to SAP Cloud Platform Integration resides. If not download a SAP Cloud Connector from our tools page and follow it’s installation documentation.

All you need to do now is to

  1. configure a new Cloud to On-Premise system mapping in your Cloud Connector and
  2. configure your sftp sender or receiver adapter accordingly

Let’s go step by step.

Configure a Cloud to On-Premise system mapping in the Cloud Connector

Logon to your Cloud Connector and add a Cloud to On-Premise system mapping. Maintain the parameter in the wizard as follows.

Set the Backend Type to ‘Non-SAP System’.

Select the ‘TCP’ Protocol. The configuration options for TCP are not as specific as for e.g. HTTP, i.e. the SAP Cloud Connector may not restrict potential misuse from your SAP Cloud Platform account. This is referred as security risk.

Maintain your On-Premise sftp server & port you want to connect to.

Define the virtual sftp server & port you want to expose to your SAP Cloud Platform Account (it will be re-used later in the sftp receiver adapter configuration).

Maintain an optional description, tick the ‘Check Internal Host’ checkbox (to have enable the ping test from SAP Cloud Connector to your On-Premise sftp server) and finish.

You may check and maintain your system mapping in the Cloud To On-Premise overview.

Logon to your Cloud Platform account and check the corresponding Cloud Connector status.

If all is fine you may consume your just established TCP connection in the sftp sender or receiver adapter.

Configure the sftp Sender or Receiver Adapter

Log on to the Cloud Integration WebUI and maintain the connection parameter in the sftp adapter properties as follows.

Maintain the virtual sftp server name & port for the proxy type ‘On-Premise’. Maintain the Location ID of the Cloud Connector, if configured in the Cloud Connector. Define the Authentication configuration as required by your On-Premise sftp server.

Important is that the public key of the sftp server must be added to the known host file with the address set in the channel. This correlates to the virtual server name as used in the Cloud Connector, do not use the real server name as defined in the Cloud Connector. This is because only the virtual server name is known by Cloud Integration.

Done, save and deploy the integration flow. Start sending messages from SAP Cloud Platform Integration via your own On-Premise sftp server or start polling files from your On-Premise sftp server.


If you run into errors executing your scenario you may find information for error analysis at the following places:

  • Integration Content Monitor in Cloud Integration
  • Message Processing Monitor in Cloud Integration
  • Cloud Connector Connectivity Test
  • SSH Connectivity Test
  • Log File in Cloud Connector

Let’s have a short look at the different tools.

Integration Content Monitor

After deploying the integration flow you should first check in the Integration Content monitor in SAP Cloud Platform Integration if the integration flow is started successfully. As integration flows with sftp sender adapters start polling immediately after the integration flow is started, errors during the poll are shown here. No message processing log is created in this case.

Poll Status (available with the 16-Feb-2020 update)

In the Status Details area you may find the status and the details about the current poll status:

If there is an error when polling messages via the sftp sender adapter the error would be shown here for the respective integration flow. In the Polling Information the status of the consumption is shown as Failed.

In the below sample error, you see that an error is coming back from the SOCKS proxy of the cloud connector. In this case you would have to check the monitor and the log files in the Cloud Connector for more details. Check that the request reaches your Cloud Connector instance at all, maybe the Location ID in Cloud Connector configuration does not fit to the Location ID used in sftp channel?

Message Processing Monitor

The second important monitor to be checked if your scenario does not work is the Message Processing monitor in the Cloud Integration Monitoring. If there is an error sending messages to a specific sftp receiver the error would be shown here.

In the below sample error, you see that the hostkey is rejected. This means that the public key of the sftp server is not maintained in the known hosts file for the configured virtual sftp host. Maybe the public key is maintained with the real sftp server address? If so, this entry needs to be changed in the known hosts file. Details about known hosts file maintenance you find in the blog How to setup secure connection to sftp server. Note that the public key cannot yet be downloaded via the Connectivity Test  when connecting to the sftp server via Clod Connector. The Connectivity Test will be updated soon to support this, the blog will then be updated.

SSH Connection Test

The Connectivity Test is available in Operations View in Web UI, in section Manage Security Material. Selecting the Connectivity Test tile from Overview Page opens the test tool offering tests for different protocols. To test the communication to the SFTP server, the SSH option is to be selected.

With the update on 6th of January you can select the On-Premise Cloud Connector proxy and enter a Location ID also in the SSH test to test the connection to the SFTP server via the Cloud Connector:

More details about the SSH connection test can be found in the blog How to Setup Secure Connection to SFTP Server.

Cloud Connector Connectivity Test (available with 29-September-2019 release)

The Cloud Connector Connectivity Test can be used to test if the Cloud Connector connected to the Cloud Integration tenant can be reached via the Cloud Integration’s runtime with the defined Location ID.

Like the SSH Connection Test, the Cloud Connector Test can be found in the Connectivity Tests tile in the Operations View in Web UI in section Manage Security Material. In the test tool select Cloud Connector. The only input field for the Cloud Connector test is the Location ID. Enter the Location ID you have configured in the Cloud Connector and also use in the adapter channel in the integration flow.

The test pings the Cloud Connector with this Location ID. If no Cloud Connector is connected with this Location ID the test fails:

If the Cloud Connector can be reached with the given Location ID the test executes successfully:

Cloud Connector Log

If you receive errors coming from the SOCKS proxy, you have to check the Cloud Connector log file for more information. Maybe the mapping for the used virtual host does not exist?

You must be Logged on to comment or reply to a post.
  • Nice, looks like improvements in both CPI and Cloud Connectors are coming really fast! Extending patterns for cloud 2 on-prem integrations will be really useful.

  • Excellent post Mandy and great to see this feature is now enabled.


    For the incoming SFTP connection from SCP-I to Cloud Connector, is there a list of IPs that have to be whitelisted on firewall?




  • Hi Mandy,

    Very nice feature, it’s great to have it.

    Is “TLS Connectivity Test via SCC” on the roadmap?
    Intuitively it’s a very similar feature – but probably less useful than SFTP connectivity though.

    Best regards,


      TLS test is testing the SSL connection setup. In case of Cloud Connector, this is not possible as the connection to the Cloud Connector is done via HTTP and no SSL handshake is taken place. The SSL connection is only established between Cloud Connector and Backend. But yes, we are thinking about options how to offer a connectivity test for HTTP connectivity via Cloud Connector.

      Best regards,



    Hi Mandy,


    Thank you for the nice blog. I’ve a slightly different scenario that I can’t seem to get working. Hopefully you might be able to provide some insight.


    I do want to develop a CPI flow that connects to an on-premise SFTP platform with Basic Authentication, however I want it deployed on SAP PO and not run from the cloud. Since my SAP PO and the SFTP platform are both on-premise I expected to be able to connect via regular SFTP configuration in CPI, but that doesn’t seem te work (Cannot connect to sftp://<User>@<Host>:22).


    Any suggestions? Do I still need the Cloud Connector although my CPI flow runs on SAP PO?!



      I don’t fully understand your scenario. The CPI flow should connect to the sftp server running on-premise or do you want to run the whole flow on PO via profile IGW in the Integration flow configuration? Meaning the integration flow shall be deployed to the on-premise system?

      If the flow is running in IGW runtime, there is no need to configure the Cloud Connector. This should run directly.

      Maybe you could open a ticket for the issue?

      Best regards,




        Thank you for the quick reply. I indeed want to run the whole flow on PO via profile IGW in the Integration flow configuration. Thank you for confirming that, in that case, I don’t need the Cloud Connector.

        Now that I know my setup should be correct, I’ll open a ticket to ask further assistance with the issue I’m encountering.


        Best Regards,



  • Hi Mandy,

    we are working with the 1811 SCPI release.

    we do not have the “proxy Type” option.

    therefore we cannot select the “on Premise” option as our SFTP is exposed by the cloud connector.

    where or what can we do to have this option?



  • Good morning, Mandt.

    How are you?

    We started the development of proof of concept for a client this week and a I have a doubt about the parameters that must be filled for the soap adapter receiver communication channel in SAP HCI:

    Following is the architecture that was defined for this POC:

    Legacy System Lecom (API) (On Premise) -> SAP Cloud Platform -> SAP API Management -> SAP HCI -> SAP Cloud Connector> Legacy System MXM (WebService XML/SOAP) (On Premise).

    How do I configure the adapter soap recevier to access WebSerivce of the Legacy MXM System via the SAP Cloud Connector?

    For this situation, I imported the WSDL from Legacy System MXM to SAP HCI according to the screen below, however I am in doubt about which value I should fill in the Address field.

    Should I fill the value of the Address field with the content of the Soap Address property contained in the WSDL file? Or with the content of the virtual host configured in the SAP Cloud Connector (screen also below)?

    The configuration made in the SAP Cloud Connector is with the TCP protocol and the address field on the soap adapter receiver (HCI) only accepts value with the nomenclature http: // <host>: <port>

    Could you help me?


    Sérgio Salomão



      this blog is about connecting to a sftp server via Cloud Connector, not how to connect via SOAP adapter to an on-prem backend.

      But let me give you some hints about the SOAP adapter:

      • the address field in the SOAP channel needs to contain the virtual host values defined in the Cloud Connector configuration
      • the cloud-to-on-premise configuration in the Cloud Connector configuration needs to have type HTTP or HTTPS depending how you want to connect to the backend. The virtual host attributes need to match the values set in the SOAP channel and the real endpoint address (as in the WSDL) has to be configured as internal host. This is the address that will be called from Cloud Connector.
      • The address in the SOAP adapter needs to start with http:// because the connection to the Cloud Connector is via a secure http tunnel, not via http. In the Cloud Connector you can use HTTPS to the on-premise backend.
      • Make sure you use the same Location ID in the SOAP channel and in the Cloud Connector configuration.

      I hope this helps you to set-up your communication.

      Best regards,


  • Hi all,

    this sFTP adapter seems to be only for on-premise systems, is this correct?

    I need an sFTP receiver & sender adapter to a 3’rd party cloud system. Is this a go or no-go at this point or is it a similar configuration process? Any other things to consider for a cPI to Cloud connector?

    Thanks in advance for shedding light on this.


    • Hello,

      no, the sftp adapter can be used to any accessibly sftp server as well. If the adapter is used without proxy On-Premise than you can connect to any sftp server accessible from the internet.

      Best regards,


  • Hi Mandy,


    Thanks for the blog. I have a question, how can I pick files from local directory(NFS). Do I use the same concept. But what will be the address then?



  • Hi Mandy,

    Thanks for your reply. Would you know how we can pick files from on prem directory in CPI. In PO 7.5 it is using NFS.

    I assumed we could follow the same approch to connect to system on prem and fetch file using SFTP adapter.



    • Hello,

      in PO this can be done using the file adapter, the sftp adapter cannot access NFS on-prem file shares. This is not possible with CPI, you need to use an sftp server.

      Best regards,


  • Hi Mandy


    SFTP is installed on S4 HANA and Cloud connector is installed on S4 HANA.

    I did Virtual host mapping on cloud connector then I use Virtual host in SFTP Receiver adapter.

    I used Virtual host name-ssh-rsa – <Public key> in KNOWN_HOST file

    My Proxy type is “ON PREMISE” and I am using Authentication as UserName/password ,

    Still I am getting Error

    HostKey has been changed

    Please help

    is issue that SFTP  on S4 HANA?



    • Hello,

      it’s hard to analyze with having only these details. In general the configuration you described should be sufficient. What does the Connectivity Test tell you? Maybe the known hosts file does not really contain the correct host key?

      The error means that there is an entry for this host in the known hosts file, but the host key does not fit to the one provided by the server.

      Please do the connectivity test with the virtual host name you also use in the cloud connector. And add the host key returned in the known host file with virtual host name.

      Maybe someone changed the configuration in the cloud connector and the real host now points to a different host? Or there is another Cloud Connector with another location ID using the same virtual host? The virtual host needs to be unique across location IDs.

      This should work.

      Best regards,


      • Hi

        Thanks a lot Mandy.

        You are incredible.


        S4 HANA SFTP team give me public key. I was using that in Known_Host file.

        after you suggestion, I use connectivity test and copy host key from Connectivity test.

        I used that In Known_host file.

        It is working now.




  • Dear Mandy,

    It seems you’re the best person to which to ask the following : is there a way to connect SMB/CIFS  shares, from C/4 Cloud to an on-premises Windows server. I’ve the feeling the answer will be no, but I keep my fingers crossed 😉 And if not, is such a function in the SCC development pipeline ?

    Thanks in advance for youur precious help



    • Hi,

      sorry, but I do not understand how this is related to CPI? Maybe you could give some more context on the part of CPI in such a scenario? In CPI there is no adapter to connect via SMB/CIFS to Windows servers.



  • Hi Mandy,

    Thanks for the detailed blog.

    I am trying to deploy the known_hosts file to my CPI tenant to establish the connection between SFTP and CPI.

    But I am getting the below error:

    “Deploy artifact failed with error: You are not authorized to perform this operation”

    I am having the admin roles.

    Please let me know if I am missing anything.



    • As the message indicates you have no authorization to deploy security artifacts. You need tenant administrator rights for deploying security artifacts.

      Best regards,



      • Thanks, Mandy

        I have assigned the roles to my S-User and I am able to deploy the known_hosts file now.




  • Hi Mandy,

    If I need to connect to SFTP Server through Internet (not cloud connector On-Premise), do I need to  Create a OSS note to SAP OPS team to whitelist the SFTP Server IP address ?

    Asking since I am getting “socket is not established” exception while testing the connectivity from CPI.  I have maintained known_host file correctly.



  • Hi Mandy,


    Thanks for the valuable blog.

    I have a scenario where the requirement is to place a file in a local folder in S4 HANA via CPI.

    I understand we cannot do it by using ftp/nfs in CPI.

    Can you suggest if there is an option to place a file in S4 HANA folder by using CPI.


    Thanks in advance.


    Best Regards,

    • Hello,

      in CPI there is no file/nfs adapter. You need a sftp or after the T5 upgrade a ftp adapter that can put files to sftp or ftp servers. From there you may have some file move tool running that puts the file to the S/4 local folder.