2/4/2020 Cloud Integration – How to Setup Secure Connection to sftp Server

Cloud Integration – How to Setup Secure Connection to sftp Server

SAP Cloud Platform Integration for process services

This blog describes how to set up secure connections to sftp servers in the cloud integration system. It gives a step-by-step description of what needs to be configured where. Furthermore, test options for checking sftp connectivity are described.

Setup Secure Connection to sftp Server

A typical task in an integration project is to connect sftp servers to the SAP Cloud Integration tenant, either for sending messages to or for polling messages from the sftp server. Before going into the detailed configuration of the communication, let's first have a short look at the basics.

Basics of Secure sftp Communication

The sftp server can act either as a sender or as a receiver of messages. The setup and the detailed configuration procedure differ according to the communication direction that is being set up: whether the sftp server is supposed to provide messages to the integration platform or the other way round.

For more detailed information about sftp communication in CPI refer to SAP Documentation chapter ‘How sftp works’.

The polling sftp scenario and the security artifacts involved are described in SAP Documentation chapter ‘Inbound sftp with Public Key Authentication’.

For secure SSH communication a known hosts file has to be deployed in the cloud integration tenant containing the public host key of the sftp server, so that the sftp server can be verified and trusted. Without this entry the tenant has no way to tell the genuine server from an impostor that terminates the connection, so the host key check is not optional for a secure setup.

www.learntips.net/cloud-integration-how-to-setup-secure-connection-to-sftp-server/ 1/7
Furthermore, for public key authentication with the sftp server, a private key has to be maintained in the cloud integration tenant keystore. Alternatively, user/password authentication can be used; in this case the user credentials have to be deployed in the cloud integration tenant. The recommended configuration option for secure communication is public key authentication: the private key never leaves the tenant, whereas a password is sent to whichever server answers the connection and is therefore only as safe as the host key check.

Configure Connection in sftp Server and Cloud Integration Tenant

Retrieve User and Public Host Key from sftp Server

For SSH based communication, the cloud integration tenant needs the host key of the sftp server, which has to be added to the known hosts file and deployed on the cloud integration tenant in the next step.

The host key can either be downloaded from the sftp server or has to be provided by the administrator of the sftp server. Note that the host key is not the same as a user's key pair: on an OpenSSH server the host public keys are stored under /etc/ssh (for example ssh_host_rsa_key.pub), whereas a file named id_rsa.pub in a user's .ssh directory is that user's own public key. The administrator can also produce the host key directly in known_hosts format by running ssh-keyscan -t rsa <hostname> against the server. Whichever way you receive it, verify its fingerprint (for example with ssh-keygen -lf <file>) against a value the administrator communicates through a separate channel before you trust it.

To communicate with the sftp server a user account needs to exist on the sftp server. The user name is needed in CPI to connect to the sftp server and has to be provided by the administrator of the sftp server.

Configurations in Cloud Integration Tenant

For SSH based communication in the cloud integration tenant, the public host key of the sftp server provided in the previous step is needed in the cloud integration tenant. Furthermore, for using public key authentication towards the sftp server, a private key pair with the alias id_rsa or id_dsa is required in the cloud integration tenant's keystore.

Maintain and Deploy Known Hosts File

You need to add the sftp host key you received in the previous step to the known hosts file deployed in your cloud integration tenant. For this, download the file from the Manage Security Material view available in the Operations View in Web in section Manage Security. If no known_hosts file is deployed yet on the tenant you have to create it as described below.

Open the file with Notepad or some other text editor and add the host key of the sftp server. If no known_hosts file was deployed, create it.

The file needs to have the name known_hosts and shall contain the host keys for all connected sftp servers in a list. Each line contains the hostname (exactly as you will enter it in the sftp channel), the applicable public key algorithm (“ssh-rsa” for RSA key pairs or “ssh-dss” for DSA key pairs) and the public host key encoded using base64. See the following example:

ld2345.wdf.sap.corp ssh-rsa AAAAB3NzaC1yc2EAAAo………2pOx2ADnZ1WwtjW48=

Prefer RSA host keys: DSA (“ssh-dss”) is limited to 1024-bit keys and is disabled by default in current OpenSSH server releases, so a “ssh-dss” entry will typically not match what the server actually offers. Make sure the algorithm token in the line is the one of the key you received; a mismatch between the token and the key blob causes the host key check to fail.

Deploy the known_hosts file in the Manage Security Material view available in the Operations View in Web via the Add -> Known Hosts (SSH) action. Browse the known_hosts file and deploy it.

Maintain id_dsa/id_rsa Alias in Keystore


As explained above, for public key authentication a private key pair needs to be maintained in the cloud integration tenant keystore.

Check for id_rsa/id_dsa in Keystore

In the Keystore Monitor available in the Operations View in Web in section Manage Security, check if there is already an entry with the alias id_rsa or id_dsa available. If so, you may use it and skip the next two steps; continue with the download of the public key.

Maintain id_rsa/id_dsa in Keystore Explorer

As the first version of the Keystore Monitor is not able to import single keys or certificates, the private key pair for sftp communication has to be maintained in an external keystore maintenance tool, for example the Keystore Explorer.

You create the private key pair for sftp communication for the cloud integration tenant as described in detail in SAP Cloud Platform Integration Documentation in chapter ‘Creating X.509 keys’. Use the id_rsa or id_dsa alias depending on the algorithm used.

Save the keystore with a password as a .jks file. Remember the password as this will be needed during import in the Keystore Monitor. The file contains the tenant's private key: keep it only on a trusted machine and delete it once the import is done.

Import Keystore in Keystore Monitor

To import the entries of the created keystore file, open the Keystore Monitor available in the Operations View in Web in section Manage Security. All certificates and private key pairs contained in the tenant keystore are shown.

Upload the keystore via the Add button on the top of the monitor. Browse the *.jks file and enter the password you gave in the previous step. The id_rsa/id_dsa key pair contained in the keystore file will be added to the existing entries for owner Tenant Administrator with the alias used in Keystore Explorer. If there is already an entry for the same alias you may get an error. If you want to overwrite it, select the Overwrite option in the Add Keystore action. But be sure the already existing entry is not used in any productive scenario: overwriting it invalidates the public key that other sftp servers already have in their authorized keys.


More information about maintaining keys and certificates in the Keystore Monitor, about migration of existing keystores into the new monitor and about existing naming conventions can be found in blog ‘How to use Keystore Monitor to maintain your keys and certificates’.

Authorization

To maintain keys and certificates in the Keystore Monitor your user needs the Group Role AuthGroup.Admin or the Single Roles IntegrationOperationServer.read, NodeManager.read and NodeManager.deploysecuritycontent.

Download Public Key from Keystore Monitor

For public key authentication at the sftp server, the public key of the cloud integration tenant's private key (id_rsa or id_dsa) is needed in the sftp server. For this, export the public key of the private id_rsa/id_dsa key pair in the Keystore Monitor. You can export either the X.509 certificate or the public key in OpenSSH format; choose the format your sftp server supports. Only the public part is exported; the private key stays in the tenant keystore.

This option is available as a single line option: select Download Certificate or Download Public OpenSSH Key from the actions button in the line of the id_rsa/id_dsa private key pair.

Download Public OpenSSH Key will create an <alias>.pub file in the download directory. The file contains the public key in OpenSSH format, which can be put on the sftp server.

Download Certificate will create a file with the name <alias>.cer in the download directory. This X.509 certificate file can be imported to the sftp server, if the sftp server supports the format. Most sftp servers, including OpenSSH, expect a bare public key rather than a certificate, so the OpenSSH key is usually the right choice.

If the sftp server needs the SSH2 format according to RFC 4716 you need to download the OpenSSH key and transform it to an SSH2 public key with the ssh-keygen tool, which can for example be installed using Cygwin on Windows machines. Use the following command for the transformation:

$ ssh-keygen -e -f id_rsa.pub -m RFC4716 > id_rsa.pub_ssh2

Authorization

To download entries from the Keystore Monitor your user needs the Group Role AuthGroup.IntegrationDeveloper or the Single Roles IntegrationOperationServer.read and NodeManager.read.

Import Public Key to sftp Server


For public key authentication, the public key of the cloud integration tenant's private key needs to be imported in the sftp server. Provide the downloaded public key to the administrator of the sftp server, so that they can add it there. On an OpenSSH server this is done by adding it as a line to the authorized_keys file in the .ssh directory of the user the tenant will log in as. Note that OpenSSH ignores an authorized_keys file, a .ssh directory or a home directory that is writable by anyone other than that user; such a permission problem shows up on the tenant side only as a failed authentication.
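The following added example (Python, standard library only; not code from the original article or from SAP) covers two steps of this procedure: it performs the OpenSSH to RFC 4716 conversion that the ssh-keygen command in the 'Download Public Key from Keystore Monitor' section does, including the reverse direction, and it builds the authorized_keys line for an OpenSSH server with options that confine the tenant's account to the sftp subsystem. The key blob, the comment id_rsa and the option set are constructed assumptions, not values taken from the article.

```python
"""Convert the tenant's OpenSSH public key to RFC 4716 (SSH2) format and back,
and build a restricted authorized_keys entry for an OpenSSH server.

Added example, stand-alone Python (standard library only); not the article's
or SAP's code. The key material is a constructed dummy, not a real tenant key.
"""
from __future__ import annotations

import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
MAX_LINE = 72  # RFC 4716 section 3: no line may be longer than 72 characters


def split_openssh_line(line: str) -> tuple[str, bytes, str]:
    """'keytype base64 [comment]' -> (keytype, blob, comment), checking the blob."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected: keytype base64-key [comment]")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    (n,) = struct.unpack(">I", blob[:4])
    # Every OpenSSH blob starts with an SSH string naming its own key type.
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type field does not match the key blob")
    return key_type, blob, fields[2] if len(fields) == 3 else ""


def openssh_to_rfc4716(line: str) -> str:
    """Same structure as `ssh-keygen -e -m RFC4716`: markers, Comment header, wrapped base64."""
    key_type, blob, comment = split_openssh_line(line)
    label = comment or f"{key_type} key from OpenSSH"
    header = f'Comment: "{label}"'
    out = [BEGIN]
    # Header lines longer than 72 chars continue on the next line with a trailing '\'.
    while len(header) > MAX_LINE:
        out.append(header[:MAX_LINE - 1] + "\\")
        header = header[MAX_LINE - 1:]
    out.append(header)
    body = base64.b64encode(blob).decode()
    out.extend(body[i:i + 70] for i in range(0, len(body), 70))
    out.append(END)
    return "\n".join(out) + "\n"


def rfc4716_to_openssh(text: str) -> str:
    """Reverse direction (what `ssh-keygen -i -m RFC4716` does)."""
    lines = text.strip().splitlines()
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    headers, i = {}, 1
    # Header lines contain ':' (base64 body lines never do); join continuations.
    while i < len(lines) - 1 and ":" in lines[i]:
        header = lines[i]
        while header.endswith("\\"):
            i += 1
            header = header[:-1] + lines[i]
        tag, _, value = header.partition(":")
        headers[tag.strip().lower()] = value.strip()
        i += 1
    blob = base64.b64decode("".join(lines[i:-1]), validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + n].decode("ascii")
    comment = headers.get("comment", "").strip('"')
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


# Options that keep an sftp-only account away from shells and forwarding;
# `restrict` (OpenSSH 7.2+) would cover the same, the no-* form works on older servers.
SFTP_ONLY = "no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding"


def authorized_keys_entry(line: str, options: str = SFTP_ONLY) -> str:
    """Prefix the tenant's public key with authorized_keys options."""
    key_type, blob, comment = split_openssh_line(line)
    return f"{options} {key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


# Constructed dummy blob: the wire layout is right, the modulus is not a real key.
DUMMY_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" + b"\xc3" * 64)
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(DUMMY_BLOB).decode() + " id_rsa"

if __name__ == "__main__":
    ssh2 = openssh_to_rfc4716(SAMPLE_PUB)
    print(ssh2)
    print(rfc4716_to_openssh(ssh2))
    print(authorized_keys_entry(SAMPLE_PUB))
```

Feed the downloaded <alias>.pub line to openssh_to_rfc4716 when the server wants SSH2 format, and to authorized_keys_entry when the administrator runs OpenSSH; the options prefix is a hardening choice for an account that should only ever do sftp and can be dropped if the account legitimately needs more.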

With this last step the configuration of the communication to the sftp server using public key authentication is completed. You can now use public key authentication in sftp sender and receiver channels.

To test the connectivity, continue as described below.

Connectivity Test

After setting up the connection toward the sftp server, the connectivity test feature can be used to test the communication or even to download public keys.

SSH Connectivity Test

The Connectivity Test is available in the Operations View in Web, in section Manage Security Material. Selecting the Connectivity Test tile from the Overview Page will open the test tool offering tests for different protocols. To test the communication to the sftp server, the SSH option is to be selected.

To test the connection with host key and public key check, select the Authentication option Public Key, enter the address of your sftp server and the user name available in the sftp server, and execute the test. The test will give a success message or an error with detailed error information.


If there is an error with the SSH connectivity (e.g. reject HostKey) it is possible to execute the test without the option Check Host Key. In this case the sftp host key is not checked, but it can be copied via the Copy Host Key button and added to the known hosts file as described in the chapter above. A key obtained this way is whatever the other end of the connection presented, so before deploying it compare its fingerprint with the one the administrator of the sftp server gives you through a separate channel; deploying an unverified key would permanently trust a man-in-the-middle if one was present during the test.
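As an added example (Python, standard library only; not code from the original article or from SAP), the following checks a known_hosts line before it is deployed. It serves both the file format described in 'Maintain and Deploy Known Hosts File' and the fingerprint check recommended here: it parses the line, verifies that the algorithm token matches the key blob, refuses ssh-dss, matches plain or hashed host names, and compares the SHA256 fingerprint (the form printed by ssh-keygen -lf) with the one the sftp administrator gave you. The host name is the article's own placeholder; the key blob is a constructed dummy with a tiny modulus.

```python
"""Check a known_hosts entry before deploying it to the tenant.

Added example, stand-alone Python (standard library only); not code from the
original article or from SAP. The host key below is a constructed dummy with
a tiny modulus, not a real sftp server's key.
"""
import base64
import binascii
import hashlib
import hmac
import struct
from dataclasses import dataclass

# ssh-dss is disabled by default in current OpenSSH releases; refuse it.
WEAK_TYPES = {"ssh-dss"}
KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a non-negative integer (leading 0x00 if the high bit is set)."""
    return ssh_string(b"" if n == 0 else n.to_bytes(n.bit_length() // 8 + 1, "big"))


def rsa_public_blob(e: int, n: int) -> bytes:
    """OpenSSH public-key blob for RSA: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def wire_key_type(blob: bytes) -> str:
    """Key type string embedded at the start of every OpenSSH public key blob."""
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("key blob is truncated")
    return blob[4:4 + length].decode("ascii")


def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint as printed by `ssh-keygen -lf`: SHA256: + unpadded base64."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


@dataclass
class KnownHost:
    hosts: str      # host field: plain name, comma-separated list, or |1|salt|hash
    key_type: str
    blob: bytes


def parse_known_hosts_line(line: str) -> KnownHost:
    """Parse 'host keytype base64 [comment]' and cross-check the type against the blob."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected: hostname keytype base64-key")
    hosts, key_type, b64 = parts[0], parts[1], parts[2]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"key is not valid base64: {exc}") from None
    if wire_key_type(blob) != key_type:
        raise ValueError(f"type field {key_type!r} does not match the key blob")
    if key_type in WEAK_TYPES:
        raise ValueError(f"{key_type} is deprecated; ask for an RSA or Ed25519 host key")
    if key_type not in KNOWN_TYPES:
        raise ValueError(f"unknown key type {key_type!r}")
    return KnownHost(hosts, key_type, blob)


def hashed_host_pattern(hostname: str, salt: bytes) -> str:
    """The |1|salt|hash form written by `ssh-keyscan -H` (HMAC-SHA1 keyed with the salt)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def matches_host(entry: KnownHost, hostname: str) -> bool:
    """True if the entry's host field names `hostname`, plain or hashed."""
    for pattern in entry.hosts.split(","):
        if pattern.startswith("|1|"):
            salt = base64.b64decode(pattern.split("|")[2])
            if hmac.compare_digest(pattern, hashed_host_pattern(hostname, salt)):
                return True
        elif pattern == hostname:
            return True
    return False


def entry_is_trusted(line: str, hostname: str, admin_fingerprint: str) -> bool:
    """Accept the line only if it is well formed, names the host you will configure in
    the channel, and its fingerprint equals the one the sftp administrator gave you."""
    entry = parse_known_hosts_line(line)
    return matches_host(entry, hostname) and hmac.compare_digest(
        fingerprint_sha256(entry.blob), admin_fingerprint)


# Constructed dummy key (tiny modulus!) standing in for the server's host key.
DUMMY_BLOB = rsa_public_blob(65537, 0xC0FFEE_0BADF00D_DEADBEEF_01234567)
SAMPLE_LINE = "ld2345.wdf.sap.corp ssh-rsa " + base64.b64encode(DUMMY_BLOB).decode()

if __name__ == "__main__":
    entry = parse_known_hosts_line(SAMPLE_LINE)
    print(entry.hosts, entry.key_type, fingerprint_sha256(entry.blob))
```

Run entry_is_trusted on the line copied from the connectivity test (or received from the administrator) with the host name you will configure in the channel and the fingerprint the administrator sent you; only a line that passes belongs in the deployed known_hosts file.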

The public key authentication is checked via the authentication option Public Key. The authentication is done with the id_rsa/id_dsa key for the user entered in User Name. If there is an authentication error you get an Auth fail error. In this case either the id_rsa/id_dsa alias is not available in the keystore, the public key was not added to the sftp server's authorized keys correctly (or the file's permissions make the server ignore it), or the user is not valid.


If everything is setup correctly you will get a success message with Check Host Key using Public Key
Authentication.
