Monday, March 18, 2019

Create SSH KeyPair in CPI and retrieve SFTP Host Key

When connecting SAP CPI to third-party software, the third party very often asks for SFTP right away. The reasons for going with SFTP are that it is secure, it can carry a large number of files, and setting it up is mostly a matter of key swaps, connectivity and perhaps some IP whitelisting. Hardly any configuration is required, and nobody has to program logic against an API.

For configuring SFTP in CPI, the following points need to be collected while discussing with the third-party software's stakeholders:

1) Type of connection (SFTP)
2) SSH authentication method
3) SFTP host URLs/IPs
4) Username(s)
5) Directories
6) Inform the third-party stakeholders that the IP range of the CPI data centers needs to be whitelisted

When the interface carries payment messages to SFTP, signature verification is recommended. For SFTP, PGP is more or less the default for signatures. The message can be encrypted and signed, or signed only, depending on what the third-party stakeholders want.

Configuration of SFTP Mailboxes over the SAP CPI Tenant

  • To configure the SFTP mailboxes, the SAP CPI team needs to create an SSH key pair in the keystore of the CPI tenant that connects to the SFTP server.
Reason why: SAP CPI acts as a client to the third-party software, so the third party needs SAP CPI's SSH public key. The tenant therefore needs its own key pair, and that key pair has to go into the keystore. When CPI connects to the SFTP server, the server recognizes and authenticates it and lets it send messages.

Previously it was a pain to generate the SSH key pair manually outside the tenant (itspaces) and then upload it. Now the key pair can be created in the keystore itself, which is far easier because there are no format conversions to worry about to get everything in place.
So, the process has become great!

How to:
Navigate to the tenant keystore and "Create" an "SSH Key" pair using the settings shown below. Then "Download Public OpenSSH Key" locally and send it to the third party's technical contact.



It is important to follow these settings, since the defaults are something entirely different. Use exactly the entries shown.


After deployment, id_rsa is displayed in the keystore.


As stated above, "Download Public OpenSSH Key" locally and send it to the third party's technical contact.
  • SAP CPI does not automatically download the host key. In general, when you connect to an SFTP server from a client such as FileZilla, a window pops up saying "you don't have the host key, do you trust it?"; you click "OK" and the host key is added to a known_hosts file on your machine.
But CPI isn't that sophisticated yet. So, to work around this, the SAP CPI team has to retrieve the host key itself.

Reason why: when CPI tries to connect using public key authentication or user credentials and the SFTP server's host key is not in the known_hosts file on the tenant, the connection fails. CPI will not recognize the SFTP server.

How to: the SAP CPI team can retrieve the SFTP host key from the "Connectivity" tile in the Manage Security section of the tenant (itspaces), once the host name and port of the SFTP server the tenant will connect to have been provided. With no authentication selected, click "Send". When the connection succeeds (the CPI tenant IP ranges should have been whitelisted by this time), click "Copy Host Key Link". This copies the host key to the clipboard.
Go back to the "Security Material" tile. Select the known_hosts file and paste the clipboard contents as a new row. Save the known_hosts file (without any extension) and add it back to the Security Material list through the "Add" menu.
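Added example, not part of the post and not SAP code: a small Python check for the row pasted into known_hosts, assuming the copied host key is a standard OpenSSH known_hosts line ("host[,host] keytype base64"). It validates the entry, computes the SHA256 and MD5 fingerprints, and compares them with a fingerprint the third party communicated separately; that comparison is what makes the pinned key meaningful, because the Connectivity test records whatever key the remote side presented. The sample key is constructed, not a real host key.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    # SSH wire-format "string": 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    # SSH "mpint": big-endian magnitude, with a leading 0x00 when the top bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def parse_known_hosts_line(line: str) -> dict:
    # Split one known_hosts row ("host[,host] keytype base64 [comment]") and check the blob decodes
    fields = line.split()
    if fields and fields[0].startswith("@"):   # optional marker such as @cert-authority
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("expected '<host[,host...]> <keytype> <base64>'")
    hosts, keytype, b64 = fields[0].split(","), fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)   # stray characters or line breaks are rejected
    (tlen,) = struct.unpack(">I", blob[:4])
    blob_type = blob[4:4 + tlen].decode("ascii")
    if blob_type != keytype:
        raise ValueError(f"key type field {keytype!r} does not match blob type {blob_type!r}")
    return {"hosts": hosts, "keytype": keytype, "blob": blob}

def known_hosts_line_is_valid(line: str) -> bool:
    try:
        parse_known_hosts_line(line)
        return True
    except (ValueError, struct.error):   # binascii.Error is a ValueError subclass
        return False

def fingerprints(blob: bytes) -> dict:
    # SHA256 form shown by OpenSSH, WinSCP and FileZilla, plus the legacy MD5 colon form
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"SHA256": "SHA256:" + sha,
            "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

def host_key_matches(line: str, announced_fingerprint: str) -> bool:
    # True when the pasted known_hosts row carries the fingerprint the partner announced out of band
    return announced_fingerprint in fingerprints(parse_known_hosts_line(line)["blob"]).values()

# Constructed sample host key (tiny modulus, NOT a real key): blob = "ssh-rsa", e, n
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE0123456789)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_LINE = "sftp.example.com,203.0.113.10 ssh-rsa " + SAMPLE_B64
```

Run `host_key_matches(SAMPLE_LINE, "<fingerprint from the partner>")` on the real copied row before saving the known_hosts file.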

Below are the screenshots for above steps:








And, that is it. You are connected to SFTP mailboxes. 😊


Saturday, May 5, 2018

Generate SSH Key Pair for SFTP Adapters

We can set up a secure and reliable file transfer based on the SSH File Transfer Protocol (SFTP). SFTP is an extension of SSH (Secure Shell), the protocol for secure remote login, and transfers files over that secure channel.

We create an SSH key pair and give the public key to the SFTP server team to configure on the server. This lets the system connect to the SFTP server without entering a password.

So, here we will generate these SSH keys to get into the SFTP server and set up a reliable and secure file transfer.

Pre-requisites

  1. Install the WinSCP tool (you may use other tools, but it is simple and easy to use).
  2. PuTTY (the famous one). It can be combined with WinSCP.
The above prerequisites are enough to generate the keys and have them ready for development. Now, let's start the configuration:

  • Start WinSCP -> click on Tools -> Run PuTTYgen


  • Under Parameters select RSA and enter 2048 as the number of bits. Click Generate.


  • After clicking Generate, the progress bar advances as you move the mouse over the blank area to create randomness. The key is generated in 2-3 minutes.

  • Finally, after generation, save the private key (.ppk) and the public key, and copy the public key text that is to be pasted on the SFTP server.


Note: 

  1. The public key starting with ssh-rsa (shown in the PuTTYgen window) is the one that has to be pasted on the SFTP server.
  2. The public key saved with "Save public key" is in a different format from the public key to be pasted on the SFTP server.
  3. Make sure there is no newline character in the key.
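Added example illustrating Notes 1-3, not from the post and not PuTTY or WinSCP code: Python that converts the file written by "Save public key" (RFC 4716 "SSH2 PUBLIC KEY" format) into the one-line ssh-rsa form the SFTP server expects, and checks that a key about to be pasted is a single line whose base64 blob matches its type. The sample key uses a constructed fake modulus, not a real key.

```python
import base64
import struct

def _ssh_string(b): return struct.pack(">I", len(b)) + b   # SSH "string": length-prefixed bytes
def _mpint(n): return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))  # SSH "mpint"

def _blob_key_type(blob: bytes) -> str:
    # The first SSH string inside a public key blob names its algorithm (e.g. "ssh-rsa")
    (tlen,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + tlen].decode("ascii")

def rfc4716_to_openssh(text: str) -> str:
    # Convert a PuTTYgen "Save public key" file (RFC 4716) to the one-line OpenSSH form
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---- BEGIN SSH2 PUBLIC KEY ----":
        raise ValueError("not an RFC 4716 public key file")
    comment, body = "", []
    for line in lines[1:]:
        if line.strip() == "---- END SSH2 PUBLIC KEY ----":
            break
        if ":" in line:                      # header line; base64 never contains ':'
            name, value = line.split(":", 1)
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
            continue                         # multi-line header continuations are not handled
        body.append(line.strip())
    blob = base64.b64decode("".join(body), validate=True)
    one_line = f"{_blob_key_type(blob)} {base64.b64encode(blob).decode()}"
    return one_line + (f" {comment}" if comment else "")

def is_valid_openssh_line(key: str) -> bool:
    # Notes 1-3 above: exactly one line, "<type> <base64> [comment]", and the blob matches the type
    if "\n" in key.strip() or "\r" in key.strip():
        return False
    fields = key.split()
    if len(fields) not in (2, 3):
        return False
    try:
        return _blob_key_type(base64.b64decode(fields[1], validate=True)) == fields[0]
    except (ValueError, struct.error):       # bad base64, short blob or non-ASCII type name
        return False

# Constructed sample: 512-bit-sized fake modulus (NOT a real key), wrapped at 64 columns like PuTTYgen
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 511) | 0xC0FFEE)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_PUTTY_PUB = "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "rsa-key-20180505"']
                             + [SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64)]
                             + ["---- END SSH2 PUBLIC KEY ----"])
```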
Now we have three files generated: 1. the PPK private key, 2. the SSH public key, and 3. the SSH public key to be pasted on the SFTP server.

They will look like:


Test with WinSCP whether the private key can connect to the SFTP server.

  1. First, ask the SFTP administrator to add the SSH public key to the authorized keys file on the SFTP server, or raise an incident on the SAP Support Launchpad to have the public key added.
  2. Then open WinSCP and fill in the details as shown:



In Advanced > SSH > Authentication, select the .ppk private key.







When we log in for the first time, a warning appears with the server's fingerprint. This is a good sign: it shows that the SFTP server is reachable (the fingerprint shown should be the one the SFTP administrator gave you). Just click Yes.

If we chose a passphrase while generating the key, it asks for the passphrase; otherwise it connects directly.

And, that is it. You are connected to SFTP server. 😊


Note:

Make sure that privateKey_SFTP.ppk is still in the folder from which it was selected for authentication. Otherwise the message below is shown.







Friday, May 4, 2018

Request for SuccessFactors SFTP access

The purpose of SuccessFactors SFTP access is to ensure secure data transfer over a private, protected data stream. Here, SFTP stands for Secure File Transfer Protocol. The main purpose of SFTP access is to transfer data securely, but it also provides general access to the FTP server's file system. SFTP is used for:

  1. Third-party integration, i.e. outbound or inbound data transfer: data flowing to the SFTP server from a system (in particular Employee Central, Onboarding, Learning or Workforce Analytics) is outbound, and data flowing from the SFTP server into Employee Central, Onboarding, Learning or Workforce Analytics is inbound.
  2. Automating data import/export into the system via the scheduler.
  3. Receiving a backup copy of an instance refresh/clone.
SuccessFactors provides a graphical SFTP client by GlobalScape, Inc., which can be accessed via the URLs below, depending on one's hosting.


https://sftp10.successfactors.com/EFTClient/Account/Login.htm

https://sftp4.successfactors.com/EFTClient/Account/Login.htm

https://prodftp2.successfactors.eu/EFTClient/Account/Login.htm


The customer can request SFTP access by raising an incident on the SAP Support Launchpad with the client's S-User ID for the SuccessFactors instance.

The link for SAP Support Launchpad is:



An authorized client administrator needs to create an incident on the SAP Support Launchpad with Medium priority and the following information:

  1. Preview/test instance Company ID
  2. Production instance Company ID
  3. Customer # (installation)
  4. Platform: Bzx/ LMS/ ONB/ WFA

Consequences

  • Getting SFTP access may take 1-3 days.
  • The authorized recipient will receive a separate email from the SFTP Provisioning Support Team with the subject "SFTP Account for XXXXX, Inc" containing:
  1. SFTP username
  2. SFTP password
  3. SFTP URL

Points to be noted:

  • Customers get only one production and one test SFTP instance, irrespective of the number of instances they have.
  • A customer can request a third SFTP instance, but only with a valid justification. Access to the third instance is granted on approval by the SAP Platform Team.