Here, I have how to establish secure SFTP connection using Public Key Authentication for CPI Interfaces which send files to SF SFTP or any third party SFTP.
I have provided the step by step description on what all configurations required from SAP Cloud Platform Integration (CPI)
For secure SSH communication a known host file must be deployed in the cloud integration tenant containing the public host key of the sftp server so that the sftp server will be trusted.
For SSH based communication, the cloud integration tenant needs the host key of the sftp server, which must be added to the known hosts file and deployed on the cloud integration tenant in the next step. To do so you can do the connectivity test available in Manage Security Section in Overview and use Copy Host Key option.
Copy the Host key for the SFTP from above screenshot should be deployed in the existing known_hosts file. Deploy the known_hosts file in the Manage Security Material Upload it by Browsing the known_hosts file and deploy it.
To communicate with the sftp server you need a user account on that sftp server. Cloud integration needs the username to connect to the sftp server and user must have sufficient authorization to create/move/delete files on the sftp server.
To create the SSH Key open the KeyStore available in the Operations View in Web in section Manage Security. Choose Create -> SSH Key to create a key pair for the sftp connectivity.
In the creation dialog select and define the key specific values and define a validity period.
Key Type RSA -> generated alias: id_test_rsa (Alias name can be given on your choice)
Provide CN and Country Region as well.
Create and deploy the SSH Key. Upon Deploy the key pair is generated and the artifact is added to the list of KeyStore artifacts.
For public key authentication at the sftp server the public key of the cloud integration tenants private key is needed in the sftp server. Download Public OpenSSH Key will create an <alias>.pub file in the download directory. The file contains the public key in openSSH format, which can be used to be put to the sftp server.
If everything is setup correctly you will get a success message with Check Host Key using Public Key Authentication. For Username give the username who has authorization for SFTP server. Here in example the username is given usrnme_sftp.
Provide the details in SFTP channel:
SFTP Server address, Username (Username with SFTP server Authorization) and Private key alias name as per the name created in step 3.
After the connectivity is setup, you can connect to sftp server using the sftp sender or receiver adapter. In address field provide the SFTP server address, for username provide the username with SFTP server access (e.g. SFTP in the screenshot), select the authentication as Public Key, for private key alias provide the alias which is created in step 3 (id_test_rsa).
After setting up the SFTP Channel in iflow deploy the iflow. Check the file in SFTP server.
Provide the details in SFTP channel for SFTP Server address, Username (Username with SFTP server Authorization) and Private key alias name as per the name created in step 3.
File in SFTP:
More Information:
Set up SFTP Connection
Summary:
This blog explains how to set up secure SFTP connection between SAP Cloud Platform Integration and SFTP without using user id & password (Basic Authentication), which is more secure to use.
I have provided the step by step description on what all configurations required from SAP Cloud Platform Integration (CPI)
Steps to Use Public Key Authentication:
For secure SSH communication a known host file must be deployed in the cloud integration tenant containing the public host key of the sftp server so that the sftp server will be trusted.
- Step 1: Retrieve User and Public Host Key from sftp Server
For SSH based communication, the cloud integration tenant needs the host key of the sftp server, which must be added to the known hosts file and deployed on the cloud integration tenant in the next step. To do so you can do the connectivity test available in Manage Security Section in Overview and use Copy Host Key option.
Copy the Host key for the SFTP from above screenshot should be deployed in the existing known_hosts file. Deploy the known_hosts file in the Manage Security Material Upload it by Browsing the known_hosts file and deploy it.
- Step 2: User
To communicate with the sftp server you need a user account on that sftp server. Cloud integration needs the username to connect to the sftp server and user must have sufficient authorization to create/move/delete files on the sftp server.
- Step 3: Create SSH in Manage KeyStore
To create the SSH Key open the KeyStore available in the Operations View in Web in section Manage Security. Choose Create -> SSH Key to create a key pair for the sftp connectivity.
In the creation dialog select and define the key specific values and define a validity period.
Key Type RSA -> generated alias: id_test_rsa (Alias name can be given on your choice)
Provide CN and Country Region as well.
Create and deploy the SSH Key. Upon Deploy the key pair is generated and the artifact is added to the list of KeyStore artifacts.
- Step 4: Download Public Key from Keystore Monitor
For public key authentication at the sftp server the public key of the cloud integration tenants private key is needed in the sftp server. Download Public OpenSSH Key will create an <alias>.pub file in the download directory. The file contains the public key in openSSH format, which can be used to be put to the sftp server.
- Step 5: SSH Connectivity Test
If everything is setup correctly you will get a success message with Check Host Key using Public Key Authentication. For Username give the username who has authorization for SFTP server. Here in example the username is given usrnme_sftp.
Provide the details in SFTP channel:
SFTP Server address, Username (Username with SFTP server Authorization) and Private key alias name as per the name created in step 3.
- Step 6: End to End Execution
After the connectivity is setup, you can connect to sftp server using the sftp sender or receiver adapter. In address field provide the SFTP server address, for username provide the username with SFTP server access (e.g. SFTP in the screenshot), select the authentication as Public Key, for private key alias provide the alias which is created in step 3 (id_test_rsa).
After setting up the SFTP Channel in iflow deploy the iflow. Check the file in SFTP server.
Provide the details in SFTP channel for SFTP Server address, Username (Username with SFTP server Authorization) and Private key alias name as per the name created in step 3.
File in SFTP:
More Information:
Set up SFTP Connection
Summary:
This blog explains how to set up secure SFTP connection between SAP Cloud Platform Integration and SFTP without using user id & password (Basic Authentication), which is more secure to use.
- SAP Managed Tags:
3 Comments
