
SFTP Certificate Handling

- How To Guide -

SEEBURGER AG

Platform: PI
Release: 7.1x/7.3x


Contents

SFTP CERTIFICATE HANDLING
  Creating Keystore Views
  Creating a new private key and certificate
  Importing an SFTP server's public key
  Granting Keystore View access to the adapter user

CONFIGURATION ERRORS
  Errors in the Runtime-Workbench
    SFTP client was not able to connect
    USER\SFTP\* repository locations seems to be not available
    Unable to establish a connection to SSH server, the authentication has failed
    Could not create a new certificate for host
    Incoming packet length violates SSH protocol

APPENDIX
  Further Information


26.02.2013


Icons

Symbol descriptions: Caution, Warning, Note, Recommendation, Requirements, Information, Example, Code


SFTP Certificate Handling


Note:
The following instructions do not replace the official SEEBURGER documentation. Please
follow the documents outlined in Further Information.

Creating Keystore Views


All certificates and private keys for signed and encrypted communication have to be stored in the SAP
Key Storage. For this purpose the SFTP adapter requires at least two Keystore Views, which need
to be created.
Go to http://<servername>:<port>/nwa and open the SAP NetWeaver Administrator. From the start
page switch to Configuration Management > Security > Certificates and Keys.

In the Keystorage Content tab click Add View.

Fill in View Name and Description for the new view. Click Create.

The result should look like this.

Recommendation:
In addition to these two required Keystore Views it is recommended to create a third Keystore
View to store the certificates imported from the SSH (SFTP) servers. This keystore should be
used as the Known Hosts Store in your communication channel settings.

Creating a new private key and certificate


The SFTP adapter requires internal service keys in order to sign and store the SSH (SFTP) servers'
public keys.
Select the Keystore View SSH_CA and click Create in the Key Storage View Details pane.

Fill in the Entry Name rsa_ca and check Store Certificate to create a certificate (otherwise only a
private key will be created). Make sure you selected Algorithm RSA. Click Next.

Fill in the Subject Properties. If required, properties can be added or removed by clicking the Add or
Remove button. Click Next.


Skip steps 3 and 4 by clicking the Finish button.


Repeat the above mentioned steps with Entry Name dsa_ca and Algorithm DSA.

The result should look like this.


Importing an SFTP server's public key


To be able to connect to an SFTP server, the server's public key must be available in the keystore
configured as the Known Hosts Store in the communication channel settings.
The SFTP adapter will download the server's public key automatically when the first connection
attempt is made. The certificate holding the public key will be imported to the SSH_hosts keystore.

From there you have to copy the certificate to your Known Hosts keystore.

Caution:

Importing the SSH (SFTP) public key manually will not work as the SFTP adapter performs a
transformation on the key and wraps it into a certificate in order to use the PI keystorage
functionalities.

Granting Keystore View access to the adapter user


To be able to use the certificates and keys stored in a Keystore View within the SEEBURGER
communications adapters, the adapter users need access to the view.
Go to Configuration Management > Security > Identity Management.

Search for see* to get a list of adapter users.


Note:
The adapter users must have been created beforehand.

Select the user seesftp and switch to the Assigned Roles tab in the Details of User pane. Click
Modify.


Search for the Role view-creator*. Select the roles of the Keystore Views

view-creator.SSH_CA

view-creator.SSH_hosts

view-creator.<your Known Hosts store>

and Add them to the user. Save the changes.

The result should look like this.



Configuration Errors
Errors in the Runtime-Workbench
SFTP client was not able to connect
Error:

Solution:
Check the host name and port specified in your communication channel configuration. Also check your
firewall settings.

Error:

Solution:
Check if the SFTP adapter user (default: seesftp) has the permissions to access the required Keystore
Views. If not, add the necessary roles (see Granting Keystore View access to the adapter user).


USER\SFTP\* repository locations seems to be not available


Error:

Solution:
1. Check if the Known Hosts Store configured in your communication channel settings exists in
the NWA Certificates and Keys: Key Storage and if the names match.


2. Check if the keystore contains the SFTP server's public key certificate.

Note:
By default the SFTP adapter imports the SFTP server's public key into the SSH_hosts
keystore when the first connection attempt is made. You have to copy the certificate
containing the server's public key to the keystore configured as the Known Hosts Store in
your communication channel settings.

Unable to establish a connection to SSH server, the authentication has failed

Error:

Solution:
Make sure you use the correct Authentication method to connect to the SFTP server.
1. When Password authentication is used, check the user and password specified in your
communication channel configuration.

2. When Private Key Authentication is used, check the private key specified in your
communication channel configuration.
a. Make sure the private key is present in the keystore configured in the Private key
field in the channel settings.


b. Make sure the certificate with the public key is imported on the SFTP server.
Note:
If the SFTP server is hosted by an external party you have to provide your public key
certificate to this party.

Could not create a new certificate for host


Error:

Solution:

The SFTP adapter is trying to import a new SFTP server public key into the SSH_hosts keystore but
fails to do so because of an already existing entry with the same name. Delete the existing entry and
wait for the adapter to connect again (or force a new connect by stopping and starting the
corresponding communication channel).

Check if the certificate was imported to the SSH_hosts keystore, then switch to your Known Hosts
keystore and copy the newly imported certificate.


Incoming packet length violates SSH protocol


Error:

Solution:
See SEEBURGER Self Help Document 13369 and follow the steps described.

- Open the affected Communication Channel through Integration Builder.
- Click on Show Extended Settings.
- Configure in the Extended Settings:

    Preferred Cipher        blowfish-cbc
    Preferred MAC           hmac-sha1
    Preferred keyexchange   diffie-hellman-group-exchange-sha1
    Packet Length (bytes)   35000

- Save the changed Communication Channel.
- Activate the changed Communication Channel.
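
The Extended Settings above only take effect if the SFTP server offers the same algorithms. The following added example (not part of the SEEBURGER guide or adapter) parses a server's unencrypted SSH_MSG_KEXINIT packet as defined in RFC 4253, enforces the 35000-byte packet limit, and reports which preferred values the server does not offer; the function names and sample packets are constructed for illustration.

```python
import struct

# Values from the Extended Settings above; MAX_PACKET is also the total packet
# size every SSH implementation must accept (RFC 4253, section 6.1).
PREFERRED = {"kex": "diffie-hellman-group-exchange-sha1",
             "cipher": "blowfish-cbc", "mac": "hmac-sha1"}
MAX_PACKET = 35000
SSH_MSG_KEXINIT = 20

def name_list(names):
    """Encode an RFC 4251 name-list: uint32 length, then comma-separated names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body

def build_kexinit_packet(kex, ciphers, macs):
    """Build an unencrypted KEXINIT packet (constructed sample input)."""
    lists = [kex, ["ssh-rsa"], ciphers, ciphers, macs, macs, ["none"], ["none"], [], []]
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16) + b"".join(map(name_list, lists))
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    pad = 8 - (len(payload) + 5) % 8           # align total size to 8 bytes
    pad += 8 if pad < 4 else 0                 # at least 4 bytes of padding
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

def parse_kexinit(packet):
    """Return the algorithms offered in a KEXINIT packet; raise on a bad frame."""
    (length,) = struct.unpack(">I", packet[:4])
    if not 12 <= length <= MAX_PACKET - 4:
        raise ValueError(f"packet length {length} violates SSH protocol")
    payload = packet[5:4 + length - packet[4]]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, []                        # skip message type and cookie
    for _ in range(10):
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists.append(raw.split(",") if raw else [])
        pos += 4 + n
    # Indexes 2 and 4 are the client-to-server cipher and MAC lists.
    return {"kex": lists[0], "cipher": lists[2], "mac": lists[4]}

def missing_preferences(offered):
    """Names of preferred settings that the server does not offer."""
    return sorted(k for k, v in PREFERRED.items() if v not in offered[k])

# Constructed sample servers: one offering the legacy algorithms, one not.
LEGACY = build_kexinit_packet(["diffie-hellman-group-exchange-sha1"],
                              ["blowfish-cbc", "aes128-ctr"], ["hmac-sha1"])
MODERN = build_kexinit_packet(["curve25519-sha256"], ["aes128-ctr"], ["hmac-sha2-256"])
print(missing_preferences(parse_kexinit(LEGACY)))
print(missing_preferences(parse_kexinit(MODERN)))
```

Bytes that are not an SSH packet fail the length check: the first four bytes of `b"HTTP/1.1 ..."` decode to a packet length of 1213486160.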


Appendix
Further Information
Information:
For further information refer to the SEEBURGER Master Configuration Guide and the Adapter
manuals coming with the solution release.
