
Applies to:

SAP Netweaver PI based SFTP Adapters

Summary

The following sections briefly describe the steps to create SSH key pairs which can be used as an alternative to password-based authentication. They also include steps to verify key-based authentication and to import the keys into the NWA key storage. The main focus is on creating PKCS12 keys from OpenSSH keys.

Author(s):  

Sivasubramaniam Arunachalam

Company:     SAP Labs
Created on:    30-Dec-2011
Author(s) Bio
Sivasubramaniam Arunachalam is a senior developer at SAP Labs (Technology Innovation Platform). He is currently occupied with PI 7.31 development/maintenance activities. Since Sivasubramaniam joined SAP Labs in July 2010, he has developed new features in several adapters/areas including File, JDBC, IDoc, SOAP/XI, HTTP, JPR, B2B (RNIF 1.1/2.0, CIDX & PIDX) Adapters, XML Validation and Mapping Runtime. Currently, he is the component responsible for File, JDBC, B2B Adapters and XML Validation and takes care of all new development, enhancement and maintenance activities.

Tools Required

  • PuTTY Key Generator
  • PuTTY
  • OpenSSL Utility
  • SSH Key Generator
  • Cygwin(for Windows Users) with the following packages
    • OpenSSL
    • SSH

Keys to be Generated

  • Public Key (OpenSSH Format)
  • Private Key (Putty Format)
  • Private Key (PEM)
  • Public Key (X.509 Certificate)
  • Private Key (PKCS 12)

Use PuTTY Key Generator to Create SSH Public/Private Keys 

  • Click 'Generate' and move the mouse cursor around inside the 'Key' section; the keys are generated from the random mouse movement co-ordinates.

  • After the required mouse movements, the random key is generated

  • Click 'Save public key' and save it as 'public_key'

  • It will look like below
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20111227"
AAAAB3NzaC1yc2EAAAABJQAAAIEAuBmzrU+08qItniOmJ+5ZA6UGiONGeggapkqQ
tOUGTWoO6FwlV2Bryw40YbtyhwTTE9A7IN/AzMz9IcQEBW/r6O9U237YDZYCbxWd
EDVG6Lv3Iddn74rkROb8qjecriYTGX33aEtDFIc5rr3q7XC5b+W1kLkHJ1fS3hYZ
E3U4tqM=
---- END SSH2 PUBLIC KEY ----
  • Click 'Save private key' and save it as 'private_key.ppk'

  • It will look like below
  • Leave the passphrase fields blank and select Conversions -> Export OpenSSH key

  • Ignore the warning by choosing 'Yes'

  • Save it as 'private_key.pem'

  • It will look like below
  • The following keys are created

 

Use OpenSSL to Create X.509 and P12 Certificates

  • If you are on Windows, use Cygwin
  • Navigate to the location where the keys generated above are stored
  • Create the X.509 certificate from the private key
openssl req -new -x509 -days 3650 -key private_key.pem -out x509_certificate.pem

  • It will look like below
  • Create the PKCS type 12 Keystore
openssl pkcs12 -export -in x509_certificate.pem -inkey private_key.pem -out sftp_keystore.p12
  • Provide the password (which will be used in the channel configuration)

  • The created keystore is in encrypted (binary) form
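
The two openssl steps above, run without prompts and followed by a check that the keystore carries the same key as private_key.pem before it is imported into NWA. This is an added example, not part of the original page; the certificate subject, the P12_PASS environment variable and the function names are assumptions, and the demo works on throwaway keys generated on the spot.

```shell
#!/bin/sh
# Added example, not from the original page. File names follow the page;
# the subject, the P12_PASS variable and the function names are assumptions.

# Public key (PEM) derived from the private key file $1.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Public key (PEM) of the certificate stored in keystore $1.
# $2 = name of the environment variable that holds the keystore password.
p12_pubkey() {
    openssl pkcs12 -in "$1" -passin "env:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null
}

# $1 = private key, $2 = certificate (out), $3 = keystore (out), $4 = password variable.
# Runs in a subshell with umask 077 so the new files are readable by the owner only.
build_keystore() (
    umask 077
    openssl req -new -x509 -days 3650 -key "$1" -subj "/CN=sftp-test" -out "$2" &&
        openssl pkcs12 -export -in "$2" -inkey "$1" -passout "env:$4" -out "$3"
)

# True only if the keystore opens with the password and carries the key's public half.
keystore_matches_key() {
    k=$(key_pubkey "$1"); c=$(p12_pubkey "$2" "$3")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    export P12_PASS='constructed-demo-password'      # constructed value
    # Constructed input: two throwaway RSA keys, not the page's sample key.
    openssl genrsa -out "$dir/private_key.pem" 2048 2>/dev/null &&
        openssl genrsa -out "$dir/other_key.pem" 2048 2>/dev/null &&
        build_keystore "$dir/private_key.pem" "$dir/x509_certificate.pem" \
            "$dir/sftp_keystore.p12" P12_PASS &&
        keystore_matches_key "$dir/private_key.pem" "$dir/sftp_keystore.p12" P12_PASS &&
        ! keystore_matches_key "$dir/other_key.pem" "$dir/sftp_keystore.p12" P12_PASS
    rc=$?; rm -rf "$dir"; return $rc
}

demo && echo "sftp_keystore.p12 matches private_key.pem"
```

Passing the password through an environment variable keeps it out of the process list, where a `-passout pass:...` argument would be visible to other local users.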

Import the Private Key into NWA Key Store

  • Open the NWA key store and create a new view called SFTP_TEST

  • Click on 'Import Entry' and select the generated p12 file

  • After import, verify the entries.

Configure the Public Key in SSH Server

  • Copy the public key to the SSH server via SFTP

  • Log in to the SSH server and verify the copied public key

  • Since the copied public key file does not have any permissions set, change its mode to 400 (read-only for the owner)

  • Use the ssh-keygen tool to convert the public key to OpenSSH format

  • Add the created OpenSSH public key to the authorized_keys file

  • Check the access permissions of the .ssh folder and the authorized_keys file
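
The server-side steps above as one script: it converts the public key saved by PuTTYgen to the one-line OpenSSH format, adds it to authorized_keys only once, and checks the permissions. This is an added example, not part of the original page; the function names and the temporary directory standing in for the account's .ssh folder are assumptions, and the demo uses a throwaway key.

```shell
#!/bin/sh
# Added example, not from the original page. The function names and the
# temporary directory used in place of ~/.ssh are assumptions.

# Convert a PuTTYgen "Save public key" file (RFC 4716 / SSH2 format) to the
# one-line OpenSSH format and add it to authorized_keys exactly once.
# $1 = RFC 4716 public key file, $2 = the account's .ssh directory
install_pubkey() {
    line=$(ssh-keygen -i -f "$1") || return 1      # fails on a malformed key
    mkdir -p "$2" && chmod 700 "$2" || return 1
    touch "$2/authorized_keys" && chmod 600 "$2/authorized_keys" || return 1
    grep -qxF "$line" "$2/authorized_keys" ||
        printf '%s\n' "$line" >> "$2/authorized_keys"
}

# Succeeds only if neither the directory nor authorized_keys is writable by
# group or others; sshd with StrictModes (the default) rejects the key otherwise.
modes_ok() {
    [ -z "$(find "$1" "$1/authorized_keys" -prune \( -perm -020 -o -perm -002 \))" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed input: a throwaway key, exported in the format PuTTYgen saves.
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$dir/k" &&
        ssh-keygen -e -f "$dir/k.pub" > "$dir/public_key" &&
        install_pubkey "$dir/public_key" "$dir/.ssh" &&
        install_pubkey "$dir/public_key" "$dir/.ssh" &&   # second run adds nothing
        modes_ok "$dir/.ssh" &&
        [ "$(wc -l < "$dir/.ssh/authorized_keys")" -eq 1 ]
    rc=$?; rm -rf "$dir"; return $rc
}

demo && echo "public key installed once, permissions OK"
```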

Verify the Key Pairs with PuTTY

  • Now, the key based authentication can be verified with PuTTY.
  • Enter the host name and port

  • Select the private key (.ppk)

  • Confirm the Security alert

  • If the configuration is correct, the connection will be established successfully

1 Comment

  1. Former Member

    I would like to add a typical implementation scenario using this wiki.

    Recently, we did a migration of SFTP interfaces from Aedaptive Adapter to SAP PO's very own SFTP Adapter.

    The Aedaptive SFTP Adapter uses the key in .ppk format directly in the sender communication channel. But PO SFTP Adapter can use keys only in formats like .p12 that can be loaded to NWA. Initially, it seemed like we had to create new keys from scratch and share with the partner (which is quite a cumbersome process), but later a simple trick enabled us to use the existing .ppk key with PO Adapter as well.

    The trick is to follow all the steps as per the wiki. In section "Use PuTTY Key Generator to Create SSH Public/Private Keys" - Instead of generating the new key using PuTTYgen, load the existing .ppk file and continue with rest of the steps. This helped us to use the existing keys that have been shared with the partner and avoided generation of new key from scratch and exchanging them with partners.

    Regards,

    Sudharshan N A