Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP NetWeaver PI\PO SFTP Fingerprint Scenarios with Global Parameter

vamsikrishna_chintharlapa
Product and Topic Expert
Product and Topic Expert
‎02-13-2024 11:53 AM
0 Kudos

SFTP Adapter is being used in the business scenario for message processing. While message processing with finger print following error has been observed in the channel logs :

Exception received: java.lang.UnsupportedOperationException: promptYesNo(String str) is not implemented yet!

The issue occurs after upgrading the component SAP_XIAF to 7.50 SP028 patch level 0.

The issue has been resolved by code changes in Note : 3397655 - SFTP Adapter fails with java.lang.UnsupportedOperationException: promptYesNo(String str) i...

After implementation of above Note , Below steps will help to solve the issue and follow steps to setup SFTP Finger Print Scenarios with Global Parameter.

Note: Below steps explain creating scenarios from end to end, In your case If you already have a setup, you can directly follow steps from Setting Parameter.

Prerequisites:

  1. Create SFTP Sender channel
  2. Create SFTP Receiver Channel
  3. Create ICO
  4. SSH Keys for SFTP Adapters ( Ref:

Generating SSH Keys for SFTP Adapters - Type 1 | SAP Help Portal

Generating SSH Keys for SFTP Adapters - Type 2 | SAP Help Portal

With this fix, two new  parameters 'preferredKeyType' and 'fingerprintHash' are introduced and the default value for these parameters are as follows:

preferredKeyType = ssh-rsa
fingerprintHash = SHA256

Setting Parameter:

Options available to configure fingerprintHash and preferredKeyType:

  1. Channel level only via advanced mode parameters
  2. Application level only via global parameters
  3. Both Channel level and Application level (priority will be given to corresponding channel level value)

1)Channel level only via advanced mode parameters

In the SFTP Adapter channel configuration, the Server fingerprint has to be set to SHA-256 fingerprint hash value. MD5 hash value is disabled in SP28 by default as it is outdated and insecure for cryptographic purposes, while SHA-256 is a more secure and widely used cryptographic hash function with a longer hash length. MD5 generates a 128-bit (16-byte) hash value whereas SHA-256 generates a 256-bit (32-byte) hash value.

Fingerprint format before SP28 (MD5 hash value) : b0:67:bb:26:aa:65:0f:32:a1:0d:35:ae:26:85:a2:98
Fingerprint format SP28 onwards (SHA-256 hash value): 88:7a:ce:65:b4:a1:3f:c5:f6:38:ce:a5:70:32:ee:38:b6:9d:50:4f:ae:01:0d:ed:e7:26:52:b3:b6:81:10:1f

The channels with old fingerprint setting (MD5 hash value) will fail and the correct/sha-256 fingerprint value will be suggested in the channel logs.

NOTE: If needed, the old behaviour (i.e., old fingerprint -MD5 hash value) can be enabled again by setting advanced mode parameter fingerprintHash = MD5

The following points has to be followed:

The correct fingerprint can be verified/collected from the channel log.

The fingerprint can also be taken from the xpi inspector traces. For this, xpi traces can be collected for Example 100 by selecting the location: com.sap.aii.adapter.sftp. From the logs, the value for fingerprint can be copied by searching the text 'Server Fingerprint'.

The collected fingerprint should be set in the SFTP channel to resolve the issue.

To enable the old behaviour (i.e., old fingerprint -MD5 hash value), the following advanced mode channel parameter should be set in each channel: fingerprintHash = MD5

To prioritise ECDSA key usage over RSA key, the following advanced mode channel parameter should be set in each channel: preferredKeyType = sha2 or ecdsa or ecdsa-sha2 or ecdsa-sha2-nistp256

It is possible to retrieve in advance of the system update the new SHA256 server fingerprint for internal SFTP servers with the command below (for remote servers, request this to their administrators to ensure authenticity):

 

For ECDSA key type:

# ssh-keyscan -t ecdsa -p <myport> <myhost> 2>/dev/null | sed "s/^[^ ]* //" | awk '{print $2}' | base64 -d | sha256sum | awk '{print $1}' |  fold -w2 | paste -sd':' -

88:7a:ce:65:b4:a1:3f:c5:f6:38:ce:a5:70:32:ee:38:b6:9d:50:4f:ae:01:0d:ed:e7:26:52:b3:b6:81:10:1f

For SSH-RSA key type:

# ssh-keyscan -t rsa -p <myport> <myhost> 2>/dev/null | sed "s/^[^ ]* //" | awk '{print $2}' | base64 -d | sha256sum | awk '{print $1}' |  fold -w2 | paste -sd':' -

This command is only valid for Linux based systems. For other OS we have currently no similar command.

If multiple SFTP channels are connecting to same SFTP server, then the fingerprint for all those SFTP channels can be updated together using Migration Tool. To run the Integration Directory Migration Tool, please use the following link in target system:

Open a browser and go to http://[host]:[port]/pimon to access the Process Integration tools.

Then choose Start of the navigation path 'Configuration and Administration' and from there, open 'Migration Tool.

Set the correct fingerprint by replacing the value/*.

 Example:

Screenshot 2024-02-08 at 11.15.07 AM.png

 Screenshot 2024-02-08 at 11.14.41 AM.png

 

2) Introduction of global parameters for fingerprintHash and preferredKeyType:

It is now possible to configure the properties fingerprintHash and preferredKeyType at the application level. The values of these global parameters will then reflect in ALL sftp channels (other than those channels where this value is overridden by corresponding advanced mode parameter)

To do so please navigate to NWA -> Configuration ->Infrastructure> Application Resources. Search for com.sap.aii.adapter.sftp.ra under "Resource Name", from the search results click on the row where "Resource Type" is JCA Connection Factory and click on Configuration Properties below. Here you can see the rows fingerprintHash and preferredKeyType - to edit them click on the value column and edit the cell and click on "Save" once you are done editing. (Kindly refer the attachments in this note for a snippet of the same)

Please note that the default values and the set of values which can be configured for these parameters are the same as the respective channel level advanced parameters mentioned earlier in this note.

In the case that a channel has the same parameter configured in the advanced mode, this value will take precedence over the value configured for the parameter at the application level. For example, if fingerprintHash is set to SHA256 in application level, but configured as MD5 in a particular channel (via advanced mode params), then this particular channel will use MD5 as it's fingerprintHash.

Screenshot 2024-02-08 at 10.56.21 AM.png

3).Both Channel level and Application level (priority will be given to corresponding channel level value)

You can set Parameter according to your requirement in global\channel level as mentioned above.

 

 

With the above detailed steps you can setup SFTP Finger Print Scenarios with Global Parameter.

 

 

Labels:
Labels in this area
Popular Blog Posts