Monday, March 18, 2019

Create SSH KeyPair in CPI and retrieve SFTP Host Key

When connecting SAP CPI with third-party software, the third party will more often than not ask to use SFTP right away. The reasons usually given are: it is secure, it handles large volumes of files, and setting it up is mostly a matter of key swaps, connectivity and perhaps some IP whitelisting. No configuration beyond that is required, and nobody has to be asked to program logic against an API.

To configure SFTP in CPI, the following points need to be collected while working out the details with the third party's stakeholders:

1) Type of Connection (SFTP)
2) SSH authentication
3) Get SFTP Host URLs/IPs
4) Get Username(s)
5) Get directories
6) Inform third party stakeholders of the need to whitelist the IP range of the CPI data centers

When the interface carries payment messages to SFTP, signature verification is recommended. For SFTP, PGP is the de facto default for signing. Messages can be encrypted and signed, or signed only, depending on what the third party's stakeholders want.

Configuration of SFTP Mailboxes over the SAP CPI Tenant

  • To configure the SFTP mailboxes, the SAP CPI team needs to create an SSH key pair in the keystore of the CPI tenant that connects to the SFTP server.
Reason why: SAP CPI acts as a client to the third-party software, so the third party needs SAP CPI's SSH public key. The CPI tenant therefore needs its own key pair, and that key pair has to live in the Keystore. When you connect to the SFTP server, it recognizes and authenticates you and lets you send messages.

Previously it was a pain to generate the SSH key pair manually outside the itspaces and then upload it to the tenant. Now the key pair can be created directly in the Keystore, which is far easier since we don't have to bother with any format conversions to get everything in place.
So, the process has become great!

How to:
Navigate to the tenant Keystore and "Create" an "SSH Key" pair using the settings shown below. Then "Download Public OpenSSH Key" locally and send it to the third party's technical stakeholder.



It is important to use these settings, since the defaults are something entirely different. Enter the values exactly as shown.


After deployment, id_rsa is displayed in the Keystore.


As stated in the point above, "Download Public OpenSSH Key" locally and send it to the third party's technical stakeholder.
  • SAP CPI doesn't automatically download the host key. In general, when you connect to an SFTP server from a client such as FileZilla, a window pops up saying "you don't have the host key. Do you trust it?" You hit "OK" and the client adds the host key to a "known_hosts" file locally on your machine.
CPI isn't that sophisticated yet, so the SAP CPI team has to retrieve the host key themselves.

Reason why: when you try to connect using public key authentication or user credentials and SAP CPI doesn't have the SFTP server's host key in the "known_hosts" file on the tenant, the connection fails: the tenant won't recognize the SFTP server.

How to: the SAP CPI team can retrieve the SFTP host key from the "Connectivity" tile in the Manage Security section of the tenant itspaces, once they have been given the host name and port of the SFTP server the tenant will connect to. With no authentication, click "Send". When the connection is successful (the CPI tenant IP ranges should have been whitelisted by this time), click "Copy Host Key". This copies the host key to the clipboard.
Go back to the "Security Material" tile. Select the "known_hosts" file and paste the contents of the clipboard into a new row. Save the "known_hosts" file (without any extension) and add it back to the Security Material list through the "Add" menu.

Below are the screenshots for the above steps:

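The "Copy Host Key" step above hands you a line in OpenSSH known_hosts format. As an added example that is not part of the original post or of SAP CPI, the Python below parses such a line, checks that the declared key type matches the key blob, and computes the SHA256 fingerprint so the entry can be compared with the fingerprint the third party sent out of band before it is pasted into the tenant's known_hosts. The host name, port and key are constructed sample values.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: big-endian uint32 length followed by the bytes
    return struct.pack(">I", len(data)) + data

def read_ssh_string(blob: bytes, offset: int = 0):
    # Decode one wire-format string at offset; returns (value, next_offset)
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if len(blob) < end:
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def parse_known_hosts_line(line: str):
    # Split "<host[,host...]> <keytype> <base64 key>" and verify that the key type
    # named on the line matches the type embedded in the blob (catches mixed-up entries)
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("known_hosts line needs '<host> <keytype> <base64 key>'")
    hosts, key_type, b64 = parts[0].split(","), parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    embedded, _ = read_ssh_string(blob)
    if embedded.decode() != key_type:
        raise ValueError(f"line says {key_type} but blob holds {embedded.decode()}")
    return hosts, key_type, blob

def sha256_fingerprint(blob: bytes) -> str:
    # Same "SHA256:<unpadded base64>" form that `ssh-keygen -lf` prints
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def check_host_key(line: str, hostname: str, port: int, expected_fp: str) -> bool:
    # True only if the entry names hostname:port (non-22 ports use "[host]:port")
    # and its fingerprint equals the one the partner communicated out of band
    hosts, _, blob = parse_known_hosts_line(line)
    wanted = hostname if port == 22 else f"[{hostname}]:{port}"
    return wanted in hosts and sha256_fingerprint(blob) == expected_fp

# Constructed sample: hypothetical partner host on port 2222 with a made-up
# ed25519 key (32 zero bytes); not a real server's host key
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_LINE = "[sftp.partner.example]:2222 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
```
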
And, that is it. You are connected to SFTP mailboxes. 😊