SFTP adapter module parameters
B2B SFTP Adapter 1.0 Add-on
N.B. These adapter parameters are available and work correctly depending on the version, SP and PL of the system components. Please do not blame the authors if your component versions are lower than required.
N.B. The minimum SP is given below for each NetWeaver version. The value shown is the lowest SP that contains the given functionality. The functionality may only be available from a certain PL within the given or a subsequent SP. For details on applicability, see the relevant notes.
The parameters described below are maintained in the table configuration hidden behind the Advanced Mode option.
Parameter | Default | Note | Direction | PIB2BSFTP 1.0 | NWA 7.50
---|---|---|---|---|---
addDefaultFileExtension | false | 2666925 | Sender | SP000 | SP022 |
add.default.file.extension | false | 2666925 | Sender | SP003 | SP022 |
skipRemoteDirCheck | false | 1737547 | Receiver | SP000 | SP022 |
receiveBufferSize | 65535 | 1738500 | Sender | SP000 | SP022 |
oscomamnd.trace | false | ? | ? | ? | SP022 |
duplicateCheckPersist | 20160 | 1744700 | Sender | SP000 | SP022 |
usePathForLs | false | 1850220 | Sender | SP001 | SP022 |
ignore.error.cd | false | 1859563 | Sender/Receiver | SP001 | SP022 |
ignore.error.ls | false | 1859563 | Sender/Receiver | SP001 | SP022 |
ignore.error.pwd | false | 1859563 | Sender/Receiver | SP001 | SP022 |
file.encoding | UTF-8 | 1906648 | Sender/Receiver | SP001 | SP022 |
retain.attachment.name | false | 2735578 | Sender | SP000 | SP022 |
connection.mode.permanent | false | 2069078 | Receiver | SP003 | SP022 |
auth.method.privatekey | false | 2028233 | Sender/Receiver | SP002 | SP022 |
privatekey.view | (null) | 2028233 | Sender/Receiver | SP002 | SP022 |
privatekey.entry | (null) | 2028233 | Sender/Receiver | SP002 | SP022 |
temp.file.name | (null) | 2374607 | Receiver | SP003 | SP022 |
temp.file.msgid | false | 2374607 | Receiver | SP003 | SP022 |
temp.file.timestamp | false | 2374607 | Receiver | SP003 | SP022 |
temp.asma | false | 2770607 | Receiver | SP005 | SP022 |
skip.path.separator | false | 2130389 | Receiver | SP003 | SP022 |
skip.directory.check | false | 2238416 | Sender | SP000 | SP022 |
bulkrequest.count | 16 | 2228483 2251462 | Sender | SP000 | SP022 |
check.resource.int | false | 2401292 | Receiver | SP004 | SP022 |
removeProcessedFiles | false | 2424450 | Sender | SP004 | SP022 |
targetFileValidationTimeout | 300000 | 2435101 | Receiver | SP004 | SP022 |
enableXMLParserSecurity | true | 2473349 | Receiver | SP004 | SP022 |
encodingFormat | UTF-8 | 2544233 | Sender | SP004 | SP022 |
changeFileEncoding | false | --- | Sender | SP004 | SP022 |
enableZlibCompression | false | 2638660 | Sender/Receiver | SP004 | SP022 |
customPreferredAuthentication | gssapi-with-mic,publickey,keyboard-interactive,password | 2655648 | Sender/Receiver | SP005 | SP022 |
enableFCCImprovised | false | 2663129 | Sender | SP005 | SP022 |
encodingScheme | UTF-8 | 2719363 | Receiver | SP005 | SP022 |
attachmentName.overwrite | false | 2735578 | Sender | SP004 | SP022 |
retain.unzip.name | false | 2735578 | Sender | SP004 | SP022 |
checkChunkInterrupted | false | 2742386 | Receiver | SP004 | SP022 |
triggerFileOption | false | 2889362 | Sender | SP005 | SP022 |
maxFilesPerPolling | -1 | 3091399 | Sender | ※ | SP023 |
archiveXMLContent | false | 3199519 | Sender | SP005 | SP022 |
preferredKeyType | ssh-rsa | 3397655 | Sender | ※ | SP028 |
fingerprintHash | SHA256 | 3397655 | Sender | ※ | SP028 |
resolveDirPath | true | --- | Sender/Receiver | ? | ? |
enableMoveOnArchive | false | --- | Sender | ? | ? |
performDirectoryCheck | false | --- | Sender | ? | ? |
- You are using the B2B SFTP Adapter 1.0 Add-on
- You want to set the additional parameter for the default file extension to control the extension of archived files
- You are not sure which one to use.
The parameter addDefaultFileExtension was delivered in SAP note 1815655 "Default extension added while archiving files on SFTP server" for PIB2BSFTP 1.0 SP000 Patch Level 10, SP001 Patch Level 8 and onwards. When set to true, an additional check is performed while archiving files on the SFTP server to see whether the file has a .txt extension; if not, the extension is appended to the file name. If set to false, no check is done. This feature was delivered to avoid the file being archived with an undesired extension.
The parameter add.default.file.extension was delivered in SAP note 2104739 "Skip Appending .txt to Archive Filename" for PIB2BSFTP 1.0 SP003 Patch Level 12, SP004 Patch Level 6 and onwards. It should be set to true. This feature was delivered for the case where the archive filename was appended with .txt at the end; that suffix had been added as a precaution against a plausible security breach.
File Write Operation Always Fails in the SFTP Receiver Channel
A few SFTP server implementations (for example GXS) deviate from the RFC, and their responses to some operations differ from those of regular SFTP servers. In some cases, when the PI SFTP Adapter issues a request to check the existence of a given file, the server replies positively but the returned attributes carry a directory flag. The PI SFTP Adapter performs this check before writing the file, and the write fails because of the unexpected behaviour.
An Advanced Mode table is available in both Sender and Receiver channels. If the directory check needs to be skipped before writing the file, the parameter skipRemoteDirCheck can be configured with any non-null value.
The SFTP Adapter is being used in a business scenario for message processing. During message processing, it is noticed that the file retrieve operation fails with the following error: "Inputstream is closed".
For some SFTP server implementations, the response time for a file get request is slow. Since the SAP PI SFTP Adapter uses a large buffer size by default (65535), the get request fails with an error.
This issue can be solved by using a smaller custom buffer size. The buffer size is configured with the advanced mode parameter receiveBufferSize: select the Advanced Mode option in the Advanced tab of the SFTP channel and enter a valid value in the advanced mode table. The legal range of values for the custom buffer size is 1 to 65535.
In certain SFTP servers the following errors are observed: SSH commands like pwd, cd or ls fail with an error.
The error with the pwd/cd/ls commands occurs due to incompatibility with certain servers.
It can be solved by using the following advanced parameters in the SFTP channel configuration in the Integration Directory:
ignore.error.ls = true
ignore.error.cd = true
ignore.error.pwd = true
The SFTP Adapter is being used in a business scenario for message processing. The option "Use temporary file" is configured in the SFTP receiver channel to create a temporary file on the server before writing the original file. During message processing, it has been noticed that the message fails with the error com.sap.engine.interfaces.messaging.api.exception.MessagingException: javax.resource.ResourceException: 4: Moving /dir/filename.xml.tmp to /dir/filename.xml failed.
Program error.
In the SFTP receiver channel, the "Use temporary file" option is configured under "Write modus" to create a temporary file in the specified target directory, which has to be renamed to the original target filename later. The temporary file is created by appending the system's date-time along with the extension "tmp" to the filename scheme. For example, the filename scheme "filename.txt" results in the file name <system date and time>filename.txt.tmp. In some scenarios, renaming the temporary file to the target file fails with the error Moving /<dir>/<filename>.tmp to /<dir>/<filename> failed.
This issue has been resolved by code changes.
Now, if the option "Use temporary file" is selected in the SFTP receiver channel, the temp filename scheme can be configured as per the user's choice. The following advanced mode parameters have been introduced:
- temp.file.name
- temp.file.timestamp
- temp.file.msgid
temp.file.name : If the parameter temp.file.name is set to some value, the temporary filename is created according to the configured filename scheme. The default value of temp.file.name is tempfile.tmp, which means that if this parameter is configured in the advanced mode table without any value, the temporary filename will be tempfile.tmp.
temp.file.timestamp: If the parameter temp.file.timestamp is set to true along with the parameter temp.file.name, the temp file is created by appending the timestamp to the configured filename scheme.
temp.file.msgid: If the parameter temp.file.msgid is set to true along with the parameter temp.file.name, the temp file is created by appending the message id to the configured filename scheme.
The duplicate check option is valid for files processed in the past 14 days. There is no option to define a custom value.
In order to provide the flexibility to define the duplicate check validity, a configuration option needs to be provided.
The duplicateCheckPersist parameter can be configured in the advanced section of the sender channel. The value should be in minutes; for example, 10 days should be given as 14400 (10 * 24 * 60). Any incorrect value falls back to 20160 (14 days).
Certain SFTP servers require users to provide two-factor authentication. The two-factor authentication was achieved on the server by sequentially requesting the username/password and public key authentication methods, or vice versa.
When executing OS commands using %f or %F, users noticed that the replaced values were incorrect.
The two-factor authentication method was not supported by the SFTP Adapter. When run OS commands are used with variable substitution values like %f or %F, they are incorrectly updated at runtime. Due to this, an unexpected result is provided in the output/audit logs.
Apply the patch provided in the note to solve the OS commands variable substitution issue.
Two-factor authentication in the SFTP Adapter can be achieved by setting the authentication method to password and then providing the following values in the advanced mode:
- auth.method.privatekey - A boolean, which enables two factor authentication
- privatekey.view - The view name of the Private key
- privatekey.entry - The private key name
A new connection is made for every incoming file in the SFTP Adapter.
The permanent connection mode was not previously implemented in the SFTP adapter.
Deploy the latest SFTP adapter patch from the Service Marketplace. Go to the Advanced tab of the channel configuration, select the Advanced Mode checkbox, and in the Additional parameters table enter connection.mode.permanent as the parameter name and true as the corresponding value.
When the SFTP server uses zlib compression, the SFTP adapter is not able to connect to the server and throws the error JSchException: Algorithm negotiation fail.
The SFTP adapter uses the JSch library, which does not support zlib compression by default. So when the SFTP adapter tries to connect to an SFTP server which has compression enabled, the connection fails.
A new additional parameter is introduced at both sender and receiver channels: enableZlibCompression. The default value of this parameter is false. When the parameter's value is false, compression will not be enabled. When the parameter value is set to true, ZLIB compression will be enabled from the adapter.
When there is a large number of files in the source directory, reading all the files in a single polling interval might cause high overhead on the server node.
In the existing design, it is not possible to restrict the maximum number of files to be read per polling cycle.
A new additional parameter is introduced at the SFTP sender channel: maxFilesPerPolling. The default value of the parameter is -1. By default, all files from the source directory are read in a single polling interval. To limit the maximum number of files polled in a single polling interval, set the parameter to the desired positive integer value (1, 2, and so on).
NOTE: If the value of this parameter is set to 0, all files present in the source directory are picked up in a single polling interval.
You are using an SFTP sender channel with Message Protocol: File Content Conversion, and you have enabled archive mode to archive the file. With some SFTP servers you get an error while fetching the original file content (CSV), such as 2: cd to */ failed. Maybe the directory does not exist. With some SFTP servers you can get an error while parsing, such as: ParserException during File content conversion com.sap.aii.adapter.sftp.ra.rar.conversion.exception.ParserException: Error while reading record: java.io.IOException: error
Providing option to archive XML or CSV content as per customer's requirement.
Code changes have been made to resolve the issue.
A new additional parameter is also introduced at SFTP sender channel: archiveXMLContent. Default value of the parameter is false. By default, CSV file content will be archived to the mentioned archive directory. Set the value to true to archive XML content after content conversion.
The SFTP Adapter sender channel does not support non-UTF-8 content and special characters like German umlauts, as a result of which the output text is corrupted. This is commonly observed when content conversion is used on special characters.
The default implementation uses UTF-8 encoding, and there is no support for other encodings (such as ISO-8859-1) or their special characters.
Source-level fix to support non-UTF-8 encodings and special characters. To enable this feature, the additional parameter encodingFormat has to be set to the specific encoding in the sender channel. The default encoding is UTF-8.
encodingFormat = ISO-8859-1
Author's addition to the note
If the parameter changeFileEncoding is false (the default), the result of the CSV->XML conversion is passed on in UTF-8. If it is set to true, the result is passed on in the encoding specified in the parameter encodingFormat.
Files on the receiver/target side get overwritten in a cluster node environment in the SFTP Adapter. This happens when the file name schema is in the format <filename>_<timestamp>.<extension>.
Files get overwritten when the filename schema is in the format <filename>_<timestamp>.<extension>. This is because multiple application servers process these files independently, and there is a chance that two server nodes create the file and append the same timestamp, resulting in a name conflict.
Source code change to synchronize file creation among the multiple server nodes. The SFTP adapter tries to create a new file in case a file with the same name was already created at the target directory. If the file creation still fails after the timeout duration, a duplicate file exists error message is thrown.
To override the default timeout value, the additional parameter targetFileValidationTimeout (in milliseconds) can be set at the receiver channel (under Advanced Tab).
Certain SFTP servers support only a particular type of authentication, while others support a few more. If one of the preferred authentication methods from the list of possible authentication mechanisms is not supported, the logs get spammed with error messages, which results in a false positive error scenario.
With the existing design, the preferred authentication value is set at the JCraft library level and does not allow users to configure other preferred authentications.
Source code change to allow a custom "PreferredAuthentication". Users can use the advanced parameter customPreferredAuthentication and set it to the preferred authentication methods. This parameter can be set at Sender and Receiver channels depending on the requirement.
If the authentication is not supported, or if there is a typo in the value, the exception Exception received: com.jcraft.jsch.JSchException: Auth fail is observed.
customPreferredAuthentication = gssapi-with-mic,publickey,keyboard-interactive,password
The above value is the default provided as part of the JCraft library.
Note: Use extreme caution when configuring this parameter, as it alters the default authentication mechanism.
If the Target accepts the data in encoding other than that supported by the platform's default encoding, the file received is either:
- corrupted or garbled
- not in encoding format as supported by the target
In the current implementation of the PI SFTP receiver adapter, the platform's default encoding is used for converting characters to bytes.
Example: for double-byte characters, if the platform does not support them, the received file is garbled/corrupted. However, if the additional VM parameter -Dfile.encoding is set to UTF-8, the received file is not garbled but is always UTF-8 encoded. Moreover, setting this VM parameter applies to all file-specific interfaces.
Code changes have been made in the receiver-side processing to support encoding at the channel level for File Content Conversion.
Set the receiver channel advanced mode parameter encodingScheme to the desired encoding format as supported by the target SFTP server and restart the channel for the change to take effect.
Default value is UTF-8.
Example: encodingScheme = MS932 for Japanese Encoding
Support of Umlaut characters with File names
If the code pages of the operating systems of the PI system and the SFTP server point to different encodings, the SFTP adapter may not recognize file names with umlaut characters.
A new parameter file.encoding can be added in the advanced mode table section of the SFTP Adapter. The required encoding can be assigned to this parameter.
Eg: file.encoding = ISO-8859-1
Applicable for both Sender and Receiver Side of SFTP Channel Processing.
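The three encoding parameters above (encodingFormat on the sender, encodingScheme on the receiver, file.encoding for file names) all address the same failure: bytes produced in one code page are interpreted in another. The following Python snippet is an added illustration of that failure and of the fix at the content-conversion level; it is not SAP's adapter code. The CSV bytes are constructed here as an ISO-8859-1 file (umlaut and sharp s are single bytes), the decoding step plays the role of encodingFormat, and the serialisation step plays the role of encodingScheme / changeFileEncoding.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the raw bytes an SFTP server would deliver, encoded in ISO-8859-1,
# so "ü" is the single byte 0xFC and "ß" is 0xDF (not the UTF-8 sequences C3 BC / C3 9F).
SAMPLE_CSV_ISO_8859_1 = b"name;street\nM\xfcller;Hauptstra\xdfe 5\n"


def decode_csv(data: bytes, encoding_format: str) -> list:
    """Decode the raw file with the declared source encoding (what encodingFormat selects)
    and split it into rows. errors='replace' models a lossy decode: with the wrong
    declaration every non-matching byte becomes U+FFFD instead of raising."""
    text = data.decode(encoding_format, errors="replace")
    return [line.split(";") for line in text.splitlines() if line]


def csv_rows_to_xml(rows: list, output_encoding: str) -> bytes:
    """Build FCC-style XML (first row = field names) and serialise it in the requested
    encoding, which is the role encodingScheme / changeFileEncoding play on the channel."""
    header, *records = rows
    root = ET.Element("Records")
    for rec in records:
        row = ET.SubElement(root, "Row")
        for field, value in zip(header, rec):
            ET.SubElement(row, field).text = value
    return ET.tostring(root, encoding=output_encoding, xml_declaration=True)


def convert(data: bytes, encoding_format: str, output_encoding: str) -> bytes:
    """Whole pipeline: bytes in the source code page -> XML bytes in the target code page."""
    return csv_rows_to_xml(decode_csv(data, encoding_format), output_encoding)


if __name__ == "__main__":
    # Wrong declaration (UTF-8 for Latin-1 bytes) corrupts the text exactly as described above.
    print(decode_csv(SAMPLE_CSV_ISO_8859_1, "UTF-8")[1])
    # Correct declaration, emitted in the code page the target expects.
    print(convert(SAMPLE_CSV_ISO_8859_1, "ISO-8859-1", "ISO-8859-1").decode("ISO-8859-1"))
```

Reading the file with the wrong code page cannot be repaired downstream: once a byte has become U+FFFD the original character is gone, which is why the declared encoding must be fixed on the channel rather than by post-processing the output.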
- In certain SFTP servers the listing of files fails and no files are picked up. The channel always shows 'No new file' and 'Found 0 files' even though there are files in the directory of the SFTP server.
- Inconsistent behavior of the SFTP Adapter when the Additional file(s) option is selected and some files are set as optional.
In the SFTP adapter the listing of files was performed by using the ls command on the current directory, i.e. ".". However, the listing succeeds if the complete path is provided. Log on to the SFTP server via a terminal client like ssh and then check whether you can execute the command:
ls
If the above command fails, apply the patch.
- When you have additional files that need to be processed, the channel reports errors on files that are set as optional.
This option is now configurable. Navigate to the Advanced tab of the sender channel and select the advanced mode option. Add the additional parameter usePathForLs with the value true.
The SFTP receiver can store attachments in the target directory with the "store attachments" option. To configure the filename of the attachment, the SFTP adapter provides several parameters.
Explanation of the different parameters for storing an attachment in the SFTP adapter.
- retain.attachment.name : The default value of the parameter is false. When the value is false, the attachment name will be <MainPayloadName>_<attachmentName>. Set the value to true if you want to retain the attachment name as the original file name (i.e. <attachmentName>).
- attachmentName.overwrite : The default value of the parameter is false. If the parameter value is false and an attachment name is already present in the target directory, a dynamic counter ("_counter") is appended to the filename of the attachment. Set the parameter value to true to overwrite the attachment name in the target directory. This parameter is available from SP04PL55 and SP05PL23 onwards. Refer to note #2733705 - Overwrite the attachment name in SFTP adapter for more information.
- retain.unzip.name : The default value of the parameter is false. When PayloadZipBean is used to unzip the file and "retain.attachment.name" is set to true, by default one of the attachment file names gets replaced by the main file name and the remaining attachments retain the filenames from the zip file. This is the default behavior (i.e. when the parameter value is false). When PayloadZipBean is used to unzip the file, the first entry in the zip file is set as the main payload of the XI message and its filename is overwritten with the receiver-side configuration. To retain the filename of the main payload with the attachment name, set this parameter to true. This parameter is available from SP04PL55 and SP05PL23 onwards.
In order to evaluate the temporary name scheme from the message header, choose the write mode "temporary mode" in the receiver channel. Define the Temporary Name Scheme in the message header (technical name: TargetTempFileName). To set the temp file name from the message header, follow the resolution.
This is a missing functionality in SFTP adapter.
A new additional parameter is introduced at receiver channel: temp.asma. The default value of this parameter is false. When the parameter's value is false, temp file name will not be defined from the message header of the PI message. When the parameter is true, temp file name will be defined from the message header of the PI message and this schema name takes precedence over parameter temp.file.name.
SFTP Adapter failed to create directory while create directory option in the receiver channel is checked
The reason for the error as evident from testing was extra added path separator prefixed by the code.
Note: This problem is system specific and the fix would not solve the problem if the problem is that of permission denial.
Set parameter with name as skip.path.separator and corresponding value as true in the Advanced Mode table.
Polling directory not properly specified. The directory path name is case sensitive.
A check was introduced to ensure that the files polled/picked up by the SFTP sender belong only to the input directory specified in the channel. The check restricts the SFTP sender channel from polling files from directories other than the one specified in the channel. In some cases the remote path of the directory and the one specified in the channel may differ depending on the server, in which case the user will have to skip the check. One such case is when the server returns the remote path as a relative path such as </directory/> whereas the channel-specific path returns </home/user/directory>.
Enter the skip.directory.check parameter in the advanced parameter table with the corresponding value true.
SFTP Adapter is being used in the business scenario for message processing. The advanced mode parameter connection.mode.permanent is set to true to establish a permanent connection with the SFTP server. During message processing, it has been noticed that the messages fail with "directory doesn't exist" error intermittently.
SFTP Adapter uses Jcraft library to check the existence of configured target directory. When the advanced mode parameter connection.mode.permanent is set to true and some problem occurs with the existing connection, the check for configured directory fails with error "directory doesn't exist" even if the directory exists.
This issue has been resolved by code changes.
An advanced mode parameter check.resource.int has been introduced. After setting the parameter check.resource.int with value true, an additional check will be performed to ensure the existence of directory. The default value for the parameter check.resource.int is false. The parameter check.resource.int should only be set in the receiver channel which is processing batch files or huge number of files. Also, before setting this parameter, it should be ensured that the target directory configured in the channel is correct and found during runtime.
In SFTP Adapter, the same file at the Sender channel is processed multiple times. This can be due to the following reasons.
- The fact that the source file was not deleted after processing the first time due to some run time issues (like file locks, network faults, etc).
- In cluster node environment where multiple server nodes try to process the same file simultaneously.
As a result, the same transaction gets executed twice, which is erroneous.
The issue occurs as there is no check at start of processing to validate if a file has already been processed once. In case the file is already processed once, it has to be skipped and should not be processed a second time.
The solution involves a source code fix. At the start of processing, we validate whether the file has already been processed (i.e. the file has been sent from the Sender Channel to the Module processor successfully). If the file has already been processed once, we skip the processing of the current file and move it to a secondary folder named DuplicateMessageContent, which is located within the Source Directory mentioned in the Sender Channel configuration.
To enable this new feature, the additional parameter removeProcessedFiles has to be set to true.
Note: Ensure that necessary write permission is provided for the PI SFTP Adapter to create a new Directory named DuplicateMessageContent within the Source Directory. If sufficient permissions are not provided, it will result in a run time exception.
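The duplicate check above and the duplicateCheckPersist window described earlier on this page are two halves of one mechanism: a record of what was already handed to the module processor, kept for a configurable number of minutes. The following Python model is an added example (not the adapter's own code) of that behaviour: parsing the advanced-mode value with the documented fallback to 20160, expiring entries after the window, and routing a repeat to the DuplicateMessageContent folder when removeProcessedFiles is true. How the real adapter identifies "the same file" is not stated on this page; this model keys on the file name only, which is an assumption.

```python
DEFAULT_PERSIST_MINUTES = 20160  # 14 days: the documented fallback for an invalid duplicateCheckPersist


def parse_persist_minutes(raw) -> int:
    """Parse the advanced-mode value of duplicateCheckPersist (minutes).
    Anything that is not a positive integer falls back to 20160, as the page describes."""
    try:
        minutes = int(str(raw).strip())
    except (TypeError, ValueError):
        return DEFAULT_PERSIST_MINUTES
    return minutes if minutes > 0 else DEFAULT_PERSIST_MINUTES


class ProcessedFileRegistry:
    """In-memory model of the sender-side duplicate check (constructed, not the adapter's code).
    A file name is remembered for `persist_minutes` after it was first processed; seeing it
    again inside that window marks it a duplicate. Keying on the name alone is an assumption."""

    def __init__(self, persist_minutes: int):
        self.persist_seconds = persist_minutes * 60
        self._seen = {}  # file name -> epoch seconds when it was first processed

    def _expire(self, now: int) -> None:
        for name, ts in list(self._seen.items()):
            if now - ts >= self.persist_seconds:
                del self._seen[name]

    def is_duplicate(self, name: str, now: int) -> bool:
        """Check and record in one step; True if the file was already processed in the window."""
        self._expire(now)
        if name in self._seen:
            return True
        self._seen[name] = now
        return False


def dispatch(name: str, now: int, registry: ProcessedFileRegistry, source_dir: str = "/in"):
    """removeProcessedFiles=true behaviour: a repeat is moved to <source dir>/DuplicateMessageContent
    instead of being sent to the module processor a second time. Returns (action, path)."""
    if registry.is_duplicate(name, now):
        return ("skip", f"{source_dir}/DuplicateMessageContent/{name}")
    return ("process", f"{source_dir}/{name}")


if __name__ == "__main__":
    registry = ProcessedFileRegistry(parse_persist_minutes("10"))  # 10-minute window
    for t in (1000, 1300, 1600):  # the second poll is a duplicate, the third is past the window
        print(t, dispatch("orders.csv", t, registry))
```

The expiry is what makes duplicateCheckPersist a trade-off: a short window keeps the registry small but lets a resurfacing file (a lock released late, a second cluster node) through again, while a long window catches those repeats at the cost of treating a legitimately re-sent file with the same name as a duplicate.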
At present, the XML parser in SFTP adapter only allows up to 2 levels for content conversion at the receiver end. If there are more than 2 levels, the following error message is encountered. Message processing failed. Cause: javax.resource.ResourceException: org.xml.sax.SAXException: XML upto 2 level is accepted for conversion.
Eg:

```xml
<doc>
  <Header>
    <Record>
      <col1>L1</col1>
      <col2>L2</col2>
      <col3>L3</col3>
    </Record>
  </Header>
</doc>
```

In the above example,
Level1 - `<doc>`
Level2 - `<Header>`
Level3 - `<Record>`
The error occurs due to a limitation of the XML parser library currently used by the adapter.
Source level changes to support improved XML parsing. In addition to improving the parsing, the patch also provides additional XML parsing security, which is enabled by default. In case the user wants to disable security while parsing the XML (due to some business requirement), they can set the additional parameter enableXMLParserSecurity to false in the receiver channel configuration.
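What "XML parsing security" means in practice is that the parser must not act on a DOCTYPE it finds in an incoming file, in particular it must not fetch external entities. The following Python example is added here to show both halves of this section with the Python standard library's SAX parser: it measures the record nesting depth of the page's three-level document (the old parser stopped at 2), and it disables external general and parameter entities before parsing, the stdlib counterpart of what enableXMLParserSecurity=true stands for. This is not SAP's adapter code and does not show what the adapter does internally; the external-entity document is constructed for the test and points at a path that does not exist.

```python
import io
import xml.sax
from xml.sax import SAXNotSupportedException
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Copy of the page's example (three levels above the leaf columns) and a two-level variant.
THREE_LEVEL_DOC = b"<doc><Header><Record><col1>L1</col1><col2>L2</col2><col3>L3</col3></Record></Header></doc>"
TWO_LEVEL_DOC = b"<doc><Record><col1>L1</col1></Record></doc>"
# Constructed document whose DOCTYPE declares an external entity; a hardened parser must not fetch it.
EXT_ENTITY_DOC = (b'<!DOCTYPE doc [<!ENTITY ext SYSTEM "file:///nonexistent-constructed-path">]>'
                  b"<doc>&ext;</doc>")


class DepthHandler(ContentHandler):
    """Tracks the deepest element nesting and collects character data."""

    def __init__(self):
        super().__init__()
        self.depth = 0
        self.max_depth = 0
        self.text = []

    def startElement(self, name, attrs):
        self.depth += 1
        self.max_depth = max(self.max_depth, self.depth)

    def endElement(self, name):
        self.depth -= 1

    def characters(self, content):
        self.text.append(content)


def hardened_parser():
    """SAX parser with external general and parameter entities switched off, so a DOCTYPE
    pointing at a file or URL is ignored instead of being resolved."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    try:
        parser.setFeature(feature_external_pes, False)
    except SAXNotSupportedException:
        pass  # expat never reads external parameter entities; nothing to switch off
    return parser


def parse(doc: bytes) -> DepthHandler:
    handler = DepthHandler()
    parser = hardened_parser()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return handler


def record_depth(doc: bytes) -> int:
    """Depth of the record structure excluding the leaf columns, i.e. what the 2-level limit counted."""
    return parse(doc).max_depth - 1


def text_content(doc: bytes) -> str:
    """All character data; an unresolved external entity contributes nothing."""
    return "".join(parse(doc).text)


if __name__ == "__main__":
    print("page example depth:", record_depth(THREE_LEVEL_DOC))   # 3: beyond the old limit
    print("external entity text:", repr(text_content(EXT_ENTITY_DOC)))  # '' : not fetched
```

Keeping external entity resolution off is the safe default for a receiver that parses files written by arbitrary partners; turning enableXMLParserSecurity off for a business requirement should be paired with a review of where the incoming XML actually originates.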
During conversion of CSV to XML in SFTP sender channel (FCC mode) processing of large files causes OutOfMemoryException even if "Recordsets per Message" is set (Recordsets per Message specifies the number of recordsets to be grouped together in a message).
During FCC mode complete payload is read from the source even if "Recordsets per Message" parameter is set after which conversion to xml is carried out. This increases the memory consumption during file processing which will eventually lead to OutOfMemoryException.
A new additional parameter is introduced at sender channel: enableFCCImprovised. The default value of this parameter is false. When the parameter's value is false, SFTP adapter will have existing behavior i.e. file is read completely from the source directory and then the conversion is carried out. When the parameter value is set to true, input file is read partially based on the "Recordsets per Message" parameter resulting in less load to the memory.
You have configured Chunk Mode in sender channel. In SFTP receiver channel, if there is some network issue while writing the chunk to target directory, you observe file is getting corrupted.
As per the current design, if transfer of chunk to the target directory is interrupted, it will transfer the complete chunk again and as a result file is getting corrupted.
A new additional parameter is introduced at receiver channel: checkChunkInterrupted. The default value of this parameter is false. When the parameter value is set to true and transfer of chunk to the target directory is interrupted, it will try to resume the chunk transfer instead of transferring the complete chunk again.
When an application writes a batch of files to the source directory, the SFTP Adapter should not process the files until the entire batch is written.
As per the current design, as soon as the connection is established between the SFTP Server and the SFTP Adapter, the file(s) are picked up from the source directory and the processing starts. The completion of the batch is indicated by writing a file with an extension .trigger in the source directory.
Code changes have been made to provide the new functionality. Kindly set the advance mode parameter triggerFileOption to true in the SFTP Sender Channel.
In the source directory, the files will not be processed by the SFTP Adapter until the trigger file (a file with .trigger extension) is written. The file name and the content of the trigger file does not matter. Once the trigger file is written, all the source files written before the trigger file, are processed. If there are multiple trigger files in the source directory, source files written before the latest trigger file are processed. Once the source files are processed, the trigger file(s) is (or are) deleted.
If the user does not have the permissions to delete the trigger file, an error saying "deleting of file <<.*.trigger>> failed..." is displayed in the channel monitoring page. However, source files with the timestamp less than that of trigger file will be processed.
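The trigger-file rules above and the maxFilesPerPolling rules earlier on this page decide together which files one polling cycle takes. The following Python function is an added model of those selection rules as the page states them; it is not the adapter's code, and the directory listing is constructed. Ordering files oldest first so that a capped cycle leaves the newest for the next poll is an assumption, not something the page specifies.

```python
# Constructed directory listing: (file name, modification time as epoch seconds).
# Two batches, each closed by a .trigger file, plus one file written after the latest trigger.
SAMPLE_LISTING = [
    ("orders_001.csv", 100),
    ("orders_002.csv", 101),
    ("batch1.trigger", 102),
    ("orders_003.csv", 110),
    ("batch2.trigger", 111),
    ("orders_004.csv", 120),  # written after the latest trigger file: must wait for the next one
]


def select_files(listing, trigger_file_option: bool = False, max_files_per_polling: int = -1):
    """Model of the sender-side selection rules described on this page (not the adapter's code):
    - triggerFileOption=true: nothing is processed until a *.trigger file exists; only source
      files whose timestamp is older than the latest trigger file are eligible, and trigger
      files themselves are never source files.
    - maxFilesPerPolling: -1 (the default) and 0 both mean 'all eligible files'; a positive n
      caps the cycle at n files.
    Files are returned oldest first (an assumption) so a capped cycle leaves the newest for later."""
    files = sorted(listing, key=lambda entry: entry[1])
    triggers = [entry for entry in files if entry[0].endswith(".trigger")]
    candidates = [entry for entry in files if not entry[0].endswith(".trigger")]
    if trigger_file_option:
        if not triggers:
            return []
        latest_trigger_mtime = max(mtime for _, mtime in triggers)
        candidates = [entry for entry in candidates if entry[1] < latest_trigger_mtime]
    if max_files_per_polling > 0:
        candidates = candidates[:max_files_per_polling]
    return [name for name, _ in candidates]


if __name__ == "__main__":
    print(select_files(SAMPLE_LISTING))                                            # everything
    print(select_files(SAMPLE_LISTING, trigger_file_option=True))                  # batches 1 and 2
    print(select_files(SAMPLE_LISTING, trigger_file_option=True, max_files_per_polling=2))
```

Because the trigger file is compared by timestamp rather than by name, a writer must create the trigger file strictly after the last data file of its batch; a clock skew between two writers, or a data file whose mtime is preserved from an older copy, changes which batch a file lands in.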
SFTP Adapter is being used in the business scenario for message processing. While message processing, the following error has been observed in the channel logs : Exception received: java.lang.UnsupportedOperationException: promptYesNo(String str) is not implemented yet!
The issue occurs after upgrading the component SAP_XIAF to 7.50 SP028 patch level 0.
In SP28, the jcraft library has been replaced with an upgraded Jsch library as the older one was not supporting a few important algorithms/ciphers needed by the SFTP Adapter/SFTP Servers. In the new Jsch library, MD5 fingerprint option is not supported which caused the UnsupportedOperationException when fingerprint option is used.
The issue has been resolved by code changes.
With this fix, two new advanced mode parameters preferredKeyType and fingerprintHash are introduced; the default values of these parameters are as follows:
preferredKeyType = ssh-rsa
fingerprintHash = SHA256
In the SFTP Adapter channel configuration, the Server fingerprint has to be set to SHA-256 fingerprint hash value. MD5 hash value is disabled in SP28 by default as it is outdated and insecure for cryptographic purposes, while SHA-256 is a more secure and widely used cryptographic hash function with a longer hash length. MD5 generates a 128-bit (16-byte) hash value whereas SHA-256 generates a 256-bit (32-byte) hash value.
Fingerprint format before SP28 (MD5 hash value) : b0:67:bb:26:aa:65:0f:32:a1:0d:35:ae:26:85:a2:98
Fingerprint format SP28 onwards (SHA-256 hash value): 88:7a:ce:65:b4:a1:3f:c5:f6:38:ce:a5:70:32:ee:38:b6:9d:50:4f:ae:01:0d:ed:e7:26:52:b3:b6:81:10:1f
The channels with old fingerprint setting (MD5 hash value) will fail and the correct/sha-256 fingerprint value will be suggested in the channel logs.
NOTE: If needed, the old behavior (i.e., old fingerprint -MD5 hash value) can be enabled again by setting advanced mode parameter fingerprintHash = MD5
The following points have to be followed:
- The correct fingerprint can be verified/collected from the channel log.
- The fingerprint can also be taken from the xpi inspector traces. For this, xpi traces can be collected for Example 100 by selecting the location: com.sap.aii.adapter.sftp. From the logs, the value for fingerprint can be copied by searching the text Server Fingerprint.
- The collected fingerprint should be set in the SFTP channel to resolve the issue.
- To enable the old behavior (i.e., old fingerprint -MD5 hash value), the following advanced mode channel parameter should be set in each channel: fingerprintHash = MD5
- To prioritise ECDSA key usage over RSA key, the following advanced mode channel parameter should be set in each channel: preferredKeyType = sha2 or ecdsa or ecdsa-sha2 or ecdsa-sha2-nistp256
- It is possible to retrieve in advance of the system update the new SHA256 server fingerprint for internal SFTP servers with the command below:
For remote servers, request this to their administrators to ensure authenticity:
```sh
ssh-keyscan -t ecdsa -p <myport> <myhost> 2>/dev/null | sed "s/^[^ ]* //" | awk '{print $2}' | base64 -d | sha256sum | awk '{print $1}' | fold -w2 | paste -sd':' -
```
which prints the fingerprint in the channel format, e.g.:
88:7a:ce:65:b4:a1:3f:c5:f6:38:ce:a5:70:32:ee:38:b6:9d:50:4f:ae:01:0d:ed:e7:26:52:b3:b6:81:10:1f
This command is only valid for Linux based systems. For other OS we have currently no similar command.
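The shell pipeline above does one thing: hash the raw host-key bytes and print the digest as colon-separated hex. The same computation in Python, added here as a portable alternative and not part of the original page, covers the three forms of the fingerprint a practitioner meets while migrating channels: the pre-SP28 MD5 colon format, the SP28 SHA-256 colon format, and the SHA256:base64 form that ssh-keygen -l prints, so a value taken from channel logs or from a server administrator can be compared regardless of which tool produced it. The ssh-keyscan line is constructed; its key blob is arbitrary bytes, not a real key.

```python
import base64
import hashlib

# Constructed line in ssh-keyscan output format: "host keytype base64-key-blob".
# The blob is NOT a real key, just bytes so the example runs offline.
SAMPLE_KEYSCAN_LINE = "sftp.example.internal ecdsa-sha2-nistp256 " + base64.b64encode(
    b"constructed-example-host-key-blob-not-a-real-key"
).decode("ascii")


def colon_hex(digest: bytes) -> str:
    """Render a digest as colon-separated lowercase hex pairs (the channel's fingerprint format)."""
    return ":".join(f"{b:02x}" for b in digest)


def parse_keyscan_line(line: str):
    """Split 'host keytype base64blob' into (host, keytype, raw key bytes)."""
    host, key_type, blob = line.split()[:3]
    return host, key_type, base64.b64decode(blob)


def fingerprints(key_blob: bytes) -> dict:
    """All fingerprint forms of one host key:
    - 'md5'            pre-SP28 channel format, 16 colon-separated bytes
    - 'sha256'         SP28+ channel format, 32 colon-separated bytes
    - 'sha256_openssh' the SHA256:<unpadded base64> form printed by ssh-keygen -l"""
    md5 = hashlib.md5(key_blob).digest()
    sha = hashlib.sha256(key_blob).digest()
    return {
        "md5": colon_hex(md5),
        "sha256": colon_hex(sha),
        "sha256_openssh": "SHA256:" + base64.b64encode(sha).decode("ascii").rstrip("="),
    }


def normalise(fp: str) -> str:
    """Accept MD5/SHA-256 colon-hex, bare hex, or SHA256:base64 and return lowercase bare hex."""
    fp = fp.strip()
    if fp.upper().startswith("SHA256:"):
        b64 = fp[len("SHA256:"):]
        b64 += "=" * (-len(b64) % 4)  # ssh-keygen strips the base64 padding; restore it
        return base64.b64decode(b64).hex()
    if fp.upper().startswith("MD5:"):
        fp = fp[len("MD5:"):]
    return fp.replace(":", "").lower()


def fingerprint_matches(keyscan_line: str, expected: str) -> bool:
    """True when `expected`, in any of the forms above, equals the key's MD5 or SHA-256
    fingerprint. Use it to compare a value from the channel log or xpi inspector trace
    against the one the server administrator supplied out of band."""
    _, _, blob = parse_keyscan_line(keyscan_line)
    wanted = normalise(expected)
    fps = fingerprints(blob)
    return wanted in (normalise(fps["md5"]), normalise(fps["sha256"]))


if __name__ == "__main__":
    for form, value in fingerprints(parse_keyscan_line(SAMPLE_KEYSCAN_LINE)[2]).items():
        print(f"{form:15} {value}")
```

A fingerprint proves only that the key blob hashes to the expected value; the trust comes from where the expected value was obtained. A value copied from the channel log of the very connection being verified confirms nothing, which is why the page asks for the fingerprint from the server's administrators for remote hosts.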
If multiple SFTP channels are connecting to same SFTP server, then the fingerprint for all those SFTP channels can be updated together using Migration Tool. To run the Integration Directory Migration Tool, please use the following link in target system:
- Open a browser and go to http://[host]:[port]/pimon to access the Process Integration tools.
- Then choose 'Configuration and Administration' and from there open 'Migration Tool'.
- Set the correct fingerprint by replacing the value *.