There are a few blogs on how to set up SAP PO SFTP communication channels from a .ppk file, and a few on how the SAP CPI SFTP adapter is configured. However, I could not find a blog that consolidates all the steps from the .ppk file to the final SFTP adapter configuration. Here I try to include all of those steps for the convenience of beginners.
So that anyone with little knowledge of key pairs, fingerprints and similar concepts can follow along, the whole process can be described in these main steps:
| Step | Tool |
|---|---|
| 1. Generate OpenSSH key file from .ppk file | WinSCP |
| 2. Generate X.509 certificate file from OpenSSH key file | Cygwin64 |
| 3. Generate PKCS 12 (.p12) file from X.509 certificate file | Cygwin64 |
| 4. Generate known_hosts file and import to CPI | CPI |
| 5. Import PKCS 12 (.p12) file to CPI | CPI |
| 6. Configure SFTP adapter | CPI |

Install Cygwin64 with the OpenSSH and OpenSSL packages.
Test SFTP Connection in WinSCP
As an SAP CPI developer, you might already know how a private key is configured for accessing an SFTP server via an FTP tool. You can skip this part if you already know how to do it.
When a .ppk file has been provided, we need to check it in WinSCP together with the SFTP host, path, authorization etc.
Let's list the information you will normally have:
- A .ppk file from the SFTP Server admin
- A username to the SFTP server, might be with password
- The SFTP server IP address or hostname. Its default port is 22
- The folder or path
Open WinSCP
→ click New Session
→ fill in the host name, port and credentials if necessary
→ click the Advanced dropdown menu and choose the option Advanced
The Advanced Site Settings dialog will pop up as below. Click SSH → Authentication,
and choose the .ppk file in the field Private key file on the right side. Finally, click the OK button to close the dialog.
You will return to the main view. Just click the Login button. If the connection and authentication are working, you should be able to access the SFTP folder. If you encounter any issue at this step, please contact the network team or the SFTP server team first rather than continuing with the steps below. If the connection is not working via tools like WinSCP, it will most likely not work via SAP CPI either.
If the SFTP server is within the corporate network, it has to be exposed via the cloud connector. Please check this blog for the cloud connector configuration.
Once the connection has been confirmed, we can start our process to make key pairs.
Note: we are going to generate a few files. It is better to create an empty folder first and put all these files into it, which makes everything easy to locate.
Convert .ppk file to OpenSSH key file in WinSCP
Open WinSCP → New Session → Tools → Run PuTTYgen. Note that this step does not need any connection.
Click the Load button to load the .ppk file.
Once the .ppk file has been loaded, in the same window, choose from the menu Conversions → Export OpenSSH key.
Save the file under a name that makes sense. This is my format: SFTP_PrivateKey_<initiative>.pem. Please replace <initiative> with the name of your project, say SFTP_PrivateKey_MemberCard.pem
Check that the file has been created in the folder.
Convert Open SSH Key file to X.509 certificate file
Open Cygwin64 as Administrator from Windows start menu
Inside the console, go to your folder.
Note: all drives are under the folder cygdrive.
Tip: the commands are very similar to MS-DOS. Here are a few commands for using the console.

| Command | Description |
|---|---|
| cd | Go to a folder, e.g. cd / goes to the root folder. Please be aware that folder names are case sensitive. |
| dir or ls | List all of the files and folders in the current folder. |
| Tab key | Auto-complete. This is very handy. Say you want to go to a folder called 97 Test Cloud Service, whose name is a bit long and has spaces in the middle. Just type cd 97 in the console, then press the Tab key. The console will complete the rest of the folder name automatically. |
| clear | Clear the previous commands in the console. |

Go to the folder where the OpenSSH key file has been placed.
Execute the following command to create the X.509 certificate file:
openssl req -new -x509 -days 3650 -key SFTP_PrivateKey_MemberCard.pem -out SFTP_x509cert_MemberCard.pem
Please replace the initiative suffix accordingly.
Tip: the console supports pasting directly. Copy the string, right-click in the console and choose Paste in the context menu. The command will be pasted into the console.
After you enter the command line (as in step 1 below), the console will ask a few questions (as in step 2 below). You do not actually need to answer all of them.
After the questions have been answered, the file will be generated as in step 3 below.
Convert X.509 certificate file to PKCS 12 key(.p12) file
Still in the same place, execute the following command
openssl pkcs12 -export -in SFTP_x509cert_MemberCard.pem -inkey SFTP_PrivateKey_MemberCard.pem -out sftp_keystore_membercard.p12
Note: modify the file names accordingly.
When the command has been entered, the console will ask for the Export Password, as in step 1 below. Please enter one and keep it; we will use it later.
After the password has been entered twice, the file will be generated as in step 2 below.
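The two openssl steps above can also be run without prompts and then checked before anything is imported into CPI. The script below is an added example, not code from the original post; the function names and the P12_PASS environment variable are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# P12_PASS environment variable are assumptions made for this sketch.

# Steps 2 and 3 without prompts: key -> self-signed cert -> .p12
# usage: make_keystore <private-key.pem> <cert-out.pem> <p12-out> <common-name>
make_keystore() (
    umask 077    # new files readable by the current user only
    # -subj answers the certificate questions up front
    openssl req -new -x509 -days 3650 -key "$1" -subj "/CN=$4" -out "$2" &&
    # the export password comes from the environment, so it does not
    # appear in the shell history or the process list
    openssl pkcs12 -export -in "$2" -inkey "$1" -name "$4" \
        -passout env:P12_PASS -out "$3"
)

# True when the certificate carries the public key of the private key.
# usage: cert_matches_key <private-key.pem> <cert.pem>
cert_matches_key() {
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# True when the .p12 opens with the password in P12_PASS, which is
# the password the CPI keystore import will ask for.
# usage: p12_opens <keystore.p12>
p12_opens() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -noout 2>/dev/null
}

# Example run with the file names used in this post:
#   export P12_PASS='choose-your-own'
#   make_keystore SFTP_PrivateKey_MemberCard.pem SFTP_x509cert_MemberCard.pem \
#       sftp_keystore_membercard.p12 MemberCard &&
#   cert_matches_key SFTP_PrivateKey_MemberCard.pem SFTP_x509cert_MemberCard.pem &&
#   p12_opens sftp_keystore_membercard.p12 && echo "keystore OK"
```

The .pem and .p12 files both contain the private key, so keep the working folder private and delete the copies once the import into CPI has been confirmed.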
Generate known_hosts file for SAP CPI
Before creating the file, we need to get the host key of the SFTP server. Here are the steps:
Go to CPI → Test Connectivity → SSH
Fill in the hostname and port configured in the cloud connector if the server is on premise, then click the Send button.
If the connection works, you will get a response. Now click the text 'Copy Host Key'.
Create a blank file named known_hosts in the same folder, as below.
Open the file in Notepad, paste the copied text from the clipboard into the file and save the file.
Now the size of the file is not zero.
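The copied host key is whatever the server presented during that one test, so it is worth comparing its fingerprint with the one the SFTP server team gives you before the file is uploaded. The script below is an added example, not part of the original post; it assumes each entry has the usual OpenSSH layout (host, key type, base64 key), and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes each entry has
# the usual OpenSSH layout: "<host> <key-type> <base64-key> [comment]".

# Print "<host> <key-type> SHA256:<fingerprint>" for every entry.
# usage: known_hosts_fingerprints <known_hosts>
known_hosts_fingerprints() {
    # Notepad saves CRLF line endings and often no final newline:
    # strip the \r and still process an unterminated last line.
    tr -d '\r' < "$1" |
    while read -r host ktype blob rest || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac   # blanks and comments
        # OpenSSH fingerprint = unpadded base64 of SHA-256 over the key blob
        fp=$(printf '%s' "$blob" | openssl base64 -d -A |
             openssl dgst -sha256 -binary | openssl base64 | tr -d '=')
        printf '%s %s SHA256:%s\n' "$host" "$ktype" "$fp"
    done
}

# True when some entry has the fingerprint obtained out of band.
# usage: host_key_matches <known_hosts> <SHA256:...>
host_key_matches() {
    known_hosts_fingerprints "$1" |
        awk -v want="$2" '$3 == want { ok = 1 } END { exit !ok }'
}

# Example:
#   known_hosts_fingerprints known_hosts
#   host_key_matches known_hosts 'SHA256:<fingerprint from the SFTP admin>' \
#       && echo "host key verified"
```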
Import PKCS 12 key(.p12) file into SCPI key store
In SAP CPI, go to Manage Keystore → Add → Key Pair
In the popup screen, enter an alias that makes sense to you. Choose the .p12 file generated in the earlier step and enter the password you kept.
CPI will pop up a confirmation dialog containing the information you entered, as shown in the red rectangle. Just click the Confirm button below.
Now the newly imported key pair can be viewed in the list.
Import known_hosts file to CPI
In CPI → Manage Security Material → Upload → Known Hosts (SSH)
Choose the known_hosts file created in the previous step.
Deploy the file to CPI.
This is the view after the deployment.
Test Connection to SFTP with key pair
Since the known_hosts file and key pair have been imported into SAP CPI, we will conduct a second connectivity test to the SFTP server with the key pair to check both the connection and the authentication.
Go to CPI → Connection Test Tool → SSH
Fill in the information as below with the newly imported private key alias and check the connection.
If the connection is working here, it should be working in the adapter as well.
Configure SFTP Adapters in the iflow
In order to show the sender and receiver SFTP adapters at the same time, I put both of them into one iflow.
The sender adapter will retrieve a data file from the folder test/Export. Once the file has been read, it will be moved into the archive folder test/Export/archive
This is the configuration of the sender SFTP adapter
The scheduler uses the default configuration.
Once the file has been picked up by the iflow, the receiver SFTP adapter will drop the file into the folder test/Import under the new name target, with a timestamp suffix.
This is the configuration of the receiver SFTP adapter
Place a file named data in the source folder test/Export.
After a few seconds, according to the default scheduler configuration, the file will be read by the sender SFTP adapter.
The file has been moved into the archive folder as below
On the other hand, check the import folder test/Import. The target file with the timestamp suffix has been created.
This is the iflow instance captured in trace mode
For the SFTP adapter, the main part is not the adapter configuration itself but the key pair preparation. Follow the steps introduced above to generate the relevant files and import them into CPI, and you will easily get the SFTP adapter working.