Requirement
Some time ago I had to build an IFlow to save e-mails on an SFTP server. In the development phase I had no access to an SFTP server from the customer. I wanted to have an SFTP server for testing purposes on my work PC that I could reuse for several projects. I looked through the blogs section and found solutions for a Linux setup or Google Cloud Services, but nothing for my Windows PC. So I decided to build one myself. I hope that you can reuse this solution if you need to test IFlows with an SFTP connection and do not have access to a dedicated SFTP server.
In this blog I will describe the setup of an OpenSSH server on a Windows 10 PC and the configuration of a portable cloud connector instance. Furthermore I will connect a subaccount to the SFTP server over the cloud connector and test the connectivity from an SAP Integration Suite instance.
Set up an OpenSSH server on the local PC
To set up an SFTP server I followed the documentation on the Microsoft help page Get started with OpenSSH for Windows.
First I open PowerShell as an administrator:
Then I checked the prerequisites as described by Microsoft:
# Windows version (the OpenSSH Server optional feature needs Windows 10 build 1809 or later)
winver.exe
# PowerShell version (5.1 or later)
$PSVersionTable.PSVersion
# Must return True: the shell is running with administrator rights
(New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
The next step is to check/install the OpenSSH Server and configure a firewall rule to enable traffic on port 22:
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.S*'
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
# Start the sshd service
Start-Service sshd
# OPTIONAL but recommended:
Set-Service -Name sshd -StartupType 'Automatic'
# Confirm the Firewall rule is configured. It should be created automatically by setup. Run the following to verify
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
}
Create a local user. You can use your own local user, but I prefer a dedicated user for my tests:
# -PasswordNeverExpires requires a password; Read-Host prompts for it without echoing it to the console
New-LocalUser -Name 'cpisftp' -Description "Cloud Integration SFTP user" -Password (Read-Host -AsSecureString 'Password for cpisftp') -PasswordNeverExpires
Test the connection with the user locally:
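The following PowerShell is an added example and not part of the original post. It checks the result of the steps above (service, listening port, firewall rule, user) and then narrows the inbound firewall rule to the loopback address: the cloud connector runs on the same PC and reaches sshd via localhost, and Windows Defender Firewall does not filter loopback traffic, so the test server stops being reachable from the LAN or the internet without affecting the connector. The user name, rule name and port are taken from the post; if a remote client ever needs to connect, the restriction is lifted again with Set-NetFirewallRule -RemoteAddress Any.

```powershell
# Added example, not from the original post. Assumptions: the SFTP user is
# 'cpisftp', the firewall rule is 'OpenSSH-Server-In-TCP' and sshd listens on 22.
$User     = 'cpisftp'
$RuleName = 'OpenSSH-Server-In-TCP'
$Port     = 22

# Collect the state of everything the setup steps should have produced.
function Test-LocalSftpSetup {
    $svc  = Get-Service -Name sshd -ErrorAction SilentlyContinue
    $rule = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue
    $addr = if ($rule) { ($rule | Get-NetFirewallAddressFilter).RemoteAddress } else { $null }
    [pscustomobject]@{
        ServiceRunning   = [bool]($svc -and $svc.Status -eq 'Running')
        StartupAutomatic = [bool]($svc -and $svc.StartType -eq 'Automatic')
        ListeningOnPort  = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
        FirewallRule     = [bool]$rule
        RuleRemoteAddr   = "$addr"
        UserExists       = [bool](Get-LocalUser -Name $User -ErrorAction SilentlyContinue)
    }
}

$state = Test-LocalSftpSetup
$state | Format-List

# Only the local cloud connector needs to reach sshd. Limiting the rule to the
# loopback address blocks every other source; loopback traffic itself is exempt
# from Windows Defender Firewall, so "localhost" connections keep working.
if ($state.FirewallRule -and $state.RuleRemoteAddr -ne '127.0.0.1') {
    Set-NetFirewallRule -Name $RuleName -RemoteAddress 127.0.0.1
    Write-Host "Rule $RuleName now accepts connections from 127.0.0.1 only."
}

# Interactive local logon test: enter the password of cpisftp, then run
# "ls" and "quit" at the sftp> prompt to confirm the home directory is readable.
if ($state.ServiceRunning -and $state.UserExists) {
    sftp "$User@localhost"
}
```

After narrowing the rule, re-run the reachability check in the cloud connector (shown later in the post) to confirm that the connector still reaches the SFTP server through localhost.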
With this, we have successfully installed and configured our local SFTP server.
Set up a portable cloud connector instance
To set up the cloud connector instance I follow the descriptions from the SAP documentation. The section Installation on Microsoft Windows OS describes the needed steps.
Download the portable variant as ZIP archive for Windows from the SAP Development Tools for Eclipse page:
If you want to use the SAP JVM instead of an Oracle JDK, download it from this page as well. I use an already installed Oracle JDK on my machine. Extract the ZIP archive to a folder of your choice.
Start the Cloud Connector from a command line or PowerShell as administrator:
Open a browser and navigate to the cloud connector instance:
The initial user credentials are Administrator/manage.
After the first login you have to change the current password for the Administrator account.
With this setup I created an initial cloud connector instance for my tests.
Connect an SAP Integration Suite subaccount to the local cloud connector instance
After the cloud connector setup and the password change, the cloud connector needs to be connected to at least one subaccount as described in the Initial Configuration. For this purpose I use a Trial account.
You can use any other subaccount for your purpose. On this subaccount I need one of the following roles to be able to connect to it via a cloud connector: Subaccount Administrator, Cloud Connector Administrator or Connectivity and Destination Administrator.
Enter the information of the Subaccount into the initial configuration:
Attention: For the credentials I use my email address and the corresponding S-User password. It did not work for me with my Universal account password.
After confirming the dialog the subaccount is connected:
Set up the connection between Cloud Integration and the SFTP server
Now that the configuration of the components is ready, I connect SAP Integration Suite - Cloud Integration to our local SFTP server.
Add the SFTP server to the on-premise systems
On the local cloud connector I add the local SFTP server as a new Non-SAP System via TCP, entering localhost with port 22 as the internal host and local-sftp.com with port 22 as the virtual host that is used in Cloud Integration to call the SFTP server. At the end I check the reachability of the system:
After the dialogs the connection is established and reachable.
Check the SFTP Server from the Cloud Integration
After the configuration in the cloud connector, the SFTP server is visible in the subaccount's Connectivity / Cloud Connectors view:
Now I also check the connectivity in SAP Integration Suite via Monitor / Integrations / Test Connectivity. After selecting the SSH page I enter the details of the SFTP server. As host I use the virtual host I defined in the cloud connector.
Now I copy the host key to the clipboard and create a file known.hosts. In this file I add the host key and save it. After that I upload the known.hosts file to SAP Integration Suite in the Monitoring / Integrations / Security Material view.
In the next step I add credentials for the SFTP server user cpisftp.
With these credentials and the host file I redo the connection test to the server and check the file directory to see if the authentication and access to the server work.
With this setup I can now access my local SFTP Server via the portable cloud connector instance and use it in any IFlow to connect to my SFTP server and upload or download files.
(Enhancement) Change from basic authentication to key-based authentication on the OpenSSH server
As we are using an SFTP server that may be accessible from the internet, depending on the configuration of the Windows PC, I strongly recommend switching the authentication method on the OpenSSH server from basic username/password to key-based authentication and disabling basic authentication, to mitigate possible brute-force login attempts on the server.
Create an SSH key in SAP Integration Suite
In the Monitoring / Integrations / Keystore section I create a new SSH key that I use to authenticate on several SFTP servers. This reduces the number of user credentials/keys that I have to manage.
After creating the key, I download the public key.
To use this key for authentication I edit it to contain only the algorithm and key part (for example: ssh-rsa AAAAB3NzaC1yc2EAAAADAQ...) and no comment at the end of the key (SAP adds a comment like "public key for alias cpisftp" at the end that does not work with OpenSSH).
I save this key file (file name authorized_keys) under the user directory of my SFTP user (in my case C:\Users\cpisftp\.ssh).
After that I make sure that the file is only accessible to SYSTEM and the user cpisftp, as otherwise OpenSSH cannot access the file and the authentication will fail.
The next step is to disable the login via password or interactive keyboard by editing the sshd_config file and restarting the OpenSSH server via PowerShell ("Restart-Service sshd").
To test the new configuration I use SAP Integration Suite / Test Connectivity.
The first test shows that username/password authentication now fails:
The second test is the key-based authentication:
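The following PowerShell is an added example, not code from the original post, that performs the key-based authentication change described above in one elevated session: it strips the SAP comment from the downloaded public key, writes authorized_keys into the user's .ssh folder, restricts the file to SYSTEM and the user, disables password and keyboard-interactive logins in sshd_config, restarts sshd and checks locally that a password-only attempt is now refused. It assumes the downloaded key is at the placeholder path in $DownloadedKey, that cpisftp is not a member of the local Administrators group (administrators are served from administrators_authorized_keys by the "Match Group administrators" block instead), and that sshd_config is in its default location C:\ProgramData\ssh\sshd_config.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell.
$User          = 'cpisftp'
$DownloadedKey = "$env:USERPROFILE\Downloads\cpisftp.pub"   # placeholder path, adjust
$SshdConfig    = Join-Path $env:ProgramData 'ssh\sshd_config'
$SshDir        = "C:\Users\$User\.ssh"
$AuthKeys      = Join-Path $SshDir 'authorized_keys'

# 1. Keep only "<algorithm> <base64 key>": the comment SAP appends
#    ("public key for alias ...") contains spaces and breaks the key line.
$fields = (Get-Content -Path $DownloadedKey -Raw).Trim() -split '\s+'
if ($fields.Count -lt 2 -or $fields[0] -notmatch '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp\d+)$') {
    throw "Unexpected public key format in $DownloadedKey"
}
$publicKey = "$($fields[0]) $($fields[1])"

# 2. Write authorized_keys into the user's .ssh folder (ASCII, LF line ending).
#    cpisftp is a normal user; an Administrators member would need
#    C:\ProgramData\ssh\administrators_authorized_keys instead.
New-Item -ItemType Directory -Path $SshDir -Force | Out-Null
[System.IO.File]::WriteAllText($AuthKeys, "$publicKey`n", [System.Text.Encoding]::ASCII)

# 3. Only SYSTEM and the user may access the file; sshd rejects an
#    authorized_keys file that other accounts can modify.
icacls $AuthKeys /inheritance:r /grant 'SYSTEM:F' /grant "${User}:F" | Out-Null

# 4. Turn off password and keyboard-interactive logins in the global part of
#    sshd_config. Anything after the first "Match" line applies to that group
#    only, so a directive simply appended at the end of the file would be ignored.
$directives = [ordered]@{
    'PubkeyAuthentication'            = 'yes'
    'PasswordAuthentication'          = 'no'
    'KbdInteractiveAuthentication'    = 'no'
    'ChallengeResponseAuthentication' = 'no'   # older name of the same option
}
Copy-Item -Path $SshdConfig -Destination "$SshdConfig.bak" -Force
$config     = @(Get-Content -Path $SshdConfig)
$matchIndex = $config.Count
for ($i = 0; $i -lt $config.Count; $i++) {
    if ($config[$i] -match '^\s*Match\s') { $matchIndex = $i; break }
}
$globalPart = if ($matchIndex -gt 0) { @($config[0..($matchIndex - 1)]) } else { @() }
$matchPart  = if ($matchIndex -lt $config.Count) { @($config[$matchIndex..($config.Count - 1)]) } else { @() }
foreach ($name in $directives.Keys) {
    $pattern = "^\s*#?\s*$name\b.*"          # matches the active or commented-out line
    if ($globalPart -match $pattern) {
        $globalPart = $globalPart -replace $pattern, "$name $($directives[$name])"
    } else {
        $globalPart += "$name $($directives[$name])"
    }
}
Set-Content -Path $SshdConfig -Value ($globalPart + $matchPart) -Encoding ASCII

# 5. Apply the new configuration.
Restart-Service -Name sshd

# 6. Local check: sshd now offers publickey only, so a client that insists on
#    password authentication must be refused. The successful key-based test is
#    done from Test Connectivity in SAP Integration Suite as shown above.
$check = & ssh -o BatchMode=yes -o PreferredAuthentications=password `
              -o StrictHostKeyChecking=accept-new "$User@localhost" exit 2>&1 | Out-String
if ($check -match 'Permission denied \(publickey\)') {
    Write-Host 'Password authentication is disabled; sshd offers publickey only.'
} else {
    Write-Warning "Unexpected result from the local check:`n$check"
}
```

sshd_config is backed up to sshd_config.bak before the edit, so the previous behaviour can be restored by copying it back and running Restart-Service sshd again.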
Summary
In this blog entry I showed how to configure OpenSSH and the portable Cloud Connector on a Windows PC and use them for SFTP access from SAP Integration Suite. I also showed you how to secure the OpenSSH server to allow only key-based authentication.
If you are interested in this topic, give me feedback and share your thoughts as a comment below.
If you are interested in the SAP Integration Suite environment, have a look at the SAP Integration Suite topic page, the questions and answers section, or read other posts on the topic.
If you are interested in similar topics or want to exchange views, you can follow me or write to me.
Best Regards
Robert