Introdocution

There are few blogs on how to setup SAP PO SFTP communication channels from .ppk file. On the other hand, there are few blogs on how SAP CPI SFTP adapter has been configured. However I cannot find a blog consolidating steps all the way from .ppk file to the SFTP adapter final configuration. Here I am trying to include all the steps below for the convenience of beginners.

Main Steps

To let anyone has little key-pair, finger print etc concept understand the whole process, the whole procoss can be descripted in these main steps:

Software needed

Test SFTP Connection in WinSCP

As a SAP CPI developer, you might be aware of how private key has been configured for accessing a SFTP server via any FTP tools. You can choose skip this part if you already know how to do it.

When a .ppk has been provided, we need to check it in WinSCP together with the SFTP Host, path, authority etc.

let’s list all of the information you will have normally

• A .ppk file from the SFTP Server admin
• A username to the SFTP server, might be with password
• The SFTP server ip address or hostname. its default port is 22
• The folder or path

Open the WinSCP

→ click New Session

→ fill in the Host name, port and credential if necessary

→ click the Advanced dropdown menu and choose option Advanced

The Advanced Site Settings diaglog will popup as blow. click SSH–>Authentication,

and choose the .ppk file into the field Private key file on the right side. and click the OK button at last to close the dialog.

you will go to the main view. just click button login. If the connection and authentication are working, you should be able to access the SFTP folder. on the other hand, if you encountered any issue at this step, please contact the network team or the SFTP server team at first rather than go down to the bellowing steps. If the connection isnot working via tools like WinSCP, for large possibility it will not work via SAP CPI.

If the SFTP server is within the corperate network, it has not be exposed via the cloud connector. Please check this blog for the cloud connector configuration.

Once the connection has been confirmed, we can start our process to make key pairs.

Note: Please be noticed that we are going to generate few files. It is better to create an empty folder and first and put all these files into this newly created folder , which makes everything easy to locate. 

Convert .PPK file to Open SSH Key file in WINSCP

Open WinSCP → New Session → Tools → Run PuTTYgen. Pay attechtion, it doesn’t need any connection for this step.

choose button load to load the .PPK file

once the .ppk file has been loaded, in the same window, choose from menu Conversions → Export OpenSSH key

save the file as a name making sense. This is my format: SFTP_PrivateKey_<initiative>.pem . Please replace the <initiative> by using any of your projects. say SFTP_PrivateKey_MemberCard.pem

check the file created in the folder.

Convert Open SSH Key file to X.509 certificate file

Open Cygwin64 as Administrator from Windows start menu

Inside the console, access to your folder.

Note: all drivers are under the folder cygdrive.

Tips: The command is very similar to MS DOS. Here are few commands for using the console.

Please access to the folder where the open SSH key file has placed.

Execute the following command to create the X.509 certificate file

openssl req -new -x509 -days 3650 -key SFTP_PrivateKey_MemberCard.pem -out  SFTP_x509cert_MemberCard.pem

Please replace the initiative surfix accordingly.

Tips: The console supports directly paste. Copy the string and click the console by using mouse and right click mouse. Choose paste in the context menu. The command will be pasted to the console. 

By entering the command line( as in bellowing step 1), the console will ask a few questions (as in bellowing step 2). Actually you do not need to fill all of them.

Afterthe questions have been filled, the file will be generated as in bellowing step 3.

Convert X.509 certificate file to PKCS 12 key(.p12) file

Still in the same place, execute the following command

openssl pkcs12 -export -in SFTP_x509cert_MemberCard.pem -inkey SFTP_PrivateKey_MemberCard.pem -out sftp_keystore_membercard.p12

Note: modify the file name accordingly

When the command has been entered, console will ask for the Export Password,as step 1 below. Please input one and keep it. we will use it later.

After the the password has been input twice, the file will be generate as in step 2 below.

Generate known_hosts file for SAP CPI

Before creating the file, we need to get the Host Key of the SFTP server. here are the steps

Go to CPI → Test Connectivity → SSH

Fill in the hostname and port configured in the cloud connector if it is on premise. then click Send button

if the connection works, it will get a response. now click the text ‘Copy Host Key’

Create a blank file with name known_hosts as below in the same folder

Open the file in notepad and paste the text from momery into the file and save the file

Now the size of the file is not zero.

Import PKCS 12 key(.p12) file into SCPI key store

In SAP CPI, Go to Manage Keystore → Add → Key Pair

In the popup screen, input an Alias which make sense to you. Choose the .p12 file generated in the last step and input the password you keep.

CPI will popup a confirm dialog in which contains the information you input just as shown in the red rectangle. Just click the button Confirm below

Now the newly imported key pair can be viewed in the list

Import known_hosts file to CPI

In CPI → manage Security Material → upload → Know Hosts(SSH)

choose the known_hosts file created in the previous step

Deploy the file to CPI

This is the view after the deployment.

Test Connection to SFPT with key pair

Since the known_host file and key pair have been imported into SAP CPI, we will conduct a second connectivity test with key pair to the SFPT server to check both the connection and the authentication.

Go to CPI → Connection Test Tool → SSH

Fill in the info as below with the newly imported Private key Alias and check the connection

if the connection is working here, it should be working in the adapter as well.

Configure SFTP Adatpers in the iflow

In order to elaborate the sender and receiver SFTP adapter at the same time, I put both of them into one iflow.

The Sender Adapter will retrieve a data file from folder test/Export. Once read it, the file will be moved into archive folder test/Export/archive

This is the configuration of Sender SFTP Adapter

Scheduler uses the defualt configuration.

Once the file has been picked by the iFlow, the receiver SFTP adapter will drop off the file to the folder test/Import, with a new name target, with timestamp suffix.

This is the configuration of Receiver SFTP Adapter

Unit Test

Place file in the source folder test/Export, with name data.

After few seconds, according the default scheduler configruation, the file will be read by the sender SFTP adapter.

The file has been moved into the archive folder as bleow

On the other hand, check the import folder: test/Import. The target file with timestamp suffix has been created.

This is the iflow instance captured in the trace mode

Conclusion

For SFTP adapter configruation, the main part is not the adapter configuration, but the key pair preparation. Follow the steps introduced above to generate relevant files and import it into CPI, you will easily make SFTP adapter working.