Applies to:

SAP NetWeaver PI-based SFTP Adapters

Summary

The following sections briefly describe the steps to create SSH key pairs that can be used as an alternative to password-based authentication. They also cover creating keys from the NWA Key Storage and verifying key-based authentication. The focus is on creating SSH keys from a PKCS12 key; PuTTY utilities are not used.

Author(s):

Sivasubramaniam Arunachalam

Company: SAP Labs
Created on: 30-Dec-2011
Author(s) Bio
Sivasubramaniam Arunachalam is a senior developer at SAP Labs (Technology Innovation Platform). He is currently occupied with PI 7.31 development/maintenance activities. Since Sivasubramaniam joined SAP Labs in July 2010, he has developed new features in several adapters/areas including File, JDBC, IDoc, SOAP/XI, HTTP, JPR, B2B (RNIF 1.1/2.0, CIDX & PIDX) Adapters, XML Validation and Mapping Runtime. Currently, he is the component responsible for File, JDBC, B2B Adapters and XML Validation and takes care of all new development, enhancement and maintenance activities.

Tools Required

  • OpenSSL Utility
  • SSH Key Generator

Keys to be Generated

  • Private Key (PKCS 12)
  • Private Key (PEM)
  • Public Key (OpenSSH Format)

Use NWA Key Storage to Create PKCS12 Key

  • Open NWA Key Storage and Add a View "SFTP_TEST"

  • Click on 'Create' button under 'Key Storage View Details' Section -> 'Entries' Tab

  • Provide Entry Name as 'sftp_key'

  • Fill the 'Subject Properties' and click on 'Finish'

  • Verify the key properties and Click on 'Export Entry'

  • Select 'PKCS#12 Key Pair' as the export format, enter the password, then click on 'Generate'

  • Save it as 'sftp_key.p12'

Use OpenSSL to generate PEM Key

  • Generate PEM Key using OpenSSL

  • Generate SSH Private Key using OpenSSL

Use SSH Key Generator to generate SSH Public Key

  • ssh-keygen can be used to generate SSH Public Key instead of PuTTY Key Generator

Verification

  • Copy the private key to the client system's home directory

  • Transfer the public key to SSH server via SFTP

  • Log in to the SSH server and verify the permissions of the transferred file

  • Change the permission to 400

  • Add the public key to authorized_keys and verify the access permissions

  • Log in to the SSH server. It should connect without prompting for a password
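
The conversion and verification steps above as one script, added here as an example and not taken from the original page. It assumes OpenSSL and OpenSSH's ssh-keygen are installed; the function names `p12_to_ssh` and `authorize_key` and the `P12_PASS` environment variable are illustrative choices, and `user@host` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page). sftp_key.p12 is the page's file
# name; p12_to_ssh, authorize_key and P12_PASS are names assumed here.

# p12_to_ssh <file.p12> <out-base>    (run on the client / conversion host)
# Writes <out-base> (private key, mode 400) and <out-base>.pub (OpenSSH format).
# The PKCS#12 password is read from the exported variable P12_PASS, so it is
# not passed on the openssl command line.
p12_to_ssh() {
    p12=$1
    out=$2
    (
        umask 077    # key material is owner-only from the moment it is created
        # 1. Pull only the private key out of the PKCS#12 container, unencrypted.
        openssl pkcs12 -in "$p12" -nocerts -nodes -passin env:P12_PASS -out "$out.pem" &&
        # 2. Re-encode it; this drops the "Bag Attributes" text pkcs12 prepends.
        openssl rsa -in "$out.pem" -out "$out" &&
        # 3. Derive the one-line OpenSSH public key from the private key.
        ssh-keygen -y -f "$out" > "$out.pub"
        rc=$?
        rm -f "$out.pem"                  # do not leave the intermediate key behind
        [ "$rc" -eq 0 ] && chmod 400 "$out"
    )
}

# authorize_key <key.pub> <path/to/authorized_keys>    (run on the SSH server)
# Appends the key once and sets modes that satisfy sshd's StrictModes check.
authorize_key() {
    pub=$1
    auth=$2
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # -x -F: whole-line, literal match, so a re-run does not add a duplicate.
    grep -qxF -f "$pub" "$auth" || cat "$pub" >> "$auth"
}

# Usage (client, P12_PASS exported):  p12_to_ssh sftp_key.p12 "$HOME/.ssh/sftp_key"
# Usage (server):  authorize_key sftp_key.pub "$HOME/.ssh/authorized_keys"
# Check (client):  ssh -i "$HOME/.ssh/sftp_key" -o PasswordAuthentication=no user@host
```

With `PasswordAuthentication=no` on the check, a broken key setup fails outright instead of silently falling back to a password prompt.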

  1. The NWA supports the X509 format for private keys.

    The keys have to be converted into the Secure Shell public key format: http://www.ietf.org/rfc/rfc4716.txt

    The OpenSSL tooling shows how this can be done.

    The converted keys can then be updated in the SSH server for client authentication.

  2. We need to use the RSA keys for the authentication purpose to establish the SSH connection with Bank SFTP server from PI.

    This will be inbound interface ---> Bank SFTP server ---> PI ---> SAP - ECC

    Can PI Team create the keys and share the public key with Bank SFTP server or is that something Bank server has to create the keys and share it with PI team?