Tips to setup key authentication for SFTP (based on SSH protocol). SSH can use key based authentication, which consists of a private key and a public key. The private key needs is known to the client and a public key is installed on the server. Each time the ssh or sftp client connects to the server, it sends a public key to the server. The server can verify that the received public key is signed with the same private key as is the one already installed on the server. 

The key pair to be used for SSH/SFTP is actually a PKCS#1 type of key. It can easy be generated using tools like putty of ssh-keygen. For example:

ssh-keygen -t rsa -b 4096 -C "This email address is being protected from spambots. You need JavaScript enabled to view it."

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /tmp/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/id_rsa.
Your public key has been saved in /tmp/id_rsa.pub.
The key fingerprint is:
4e:56:d5:b9:4c:2c:0d:a9:74:91:78:c2:2f:3e:3d:09 This email address is being protected from spambots. You need JavaScript enabled to view it.
The key's randomart image is:
+--[ RSA 4096]----+
|         . .+O . |
|          =.* *  |
|         ..* + . |
|         .E . o  |
|        S. + .   |
|       +  o +    |
|        .  . .   |
|                 |
|                 |
+-----------------+
ls id*
id_rsa  id_rsa.pub

It simply creates a public key (id_rsa.pub) and a private key (id_rsa). However, the keystore from PO does not allow storage of this private key. It only supports the import import of a PKCS#8 key plus certificate, a PKCS#12 key pair or a X509 certificate. Converting a PKCS#1 key into a PKCS#8 is possible by using the openssl command from the openSSH toolkit. Be aware though that on some platforms (e.g. AIX) not all crypto algorithms are included in the compilation of openSSH and therefore this particular conversion fails. Conversion of PKCS#1 into PKCS#12 is not possible. The other way around is possible. Starting with a PKCS#12 key pair allows for generating a PKCS#1 private and public key.

Notice that a certificate:

  • contains a public key.
  • in addition to the public key, contains additional information, such as issuer, what it's supposed to be used for, and any other type of metadata.
  • may be signed with a private key, that verifies its authenticity.

Hence, when working with SAP PO the easiest route is to generate a key from the keystore and exporting this as PKCS#12. Next step is to generate a  public key but this requires the PKCS#12 key pair to be in a readable format for openssl (PEM). So, the PKCS#12 is first converted into a PEM certificate and then ssh-keygen is used to generate a public key from the PEM certificate containing the private key. When this PKCS#1 public key is installed in the SSH/SFTP server, the SFTP adapter using the PKCS#12 key from the keystore can authenticate itself to the SSH/SFTP server.

openssl pkcs12 -in ssh_keystore.p12 -out ssh_keystore.priv.key.pem -nocerts -nodes

openssl rsa -in ssh_keystore.priv.key.pem -out ssh_keystore.key

ssh-keygen -y -f ssh_keystore.priv.key.pem > ssh_keystore.pub.key

The second route is to use ssh-keygen and converting PKCS#1 to PKCS#8 plus certificate for import into the PO keystore. The public key generated can directly be installed on the SSH/SFTP server.

A third route is to use openssl command to generate a private and public certificate and converting this into a PKCS#12 key pair for import into the PO keystore as well as using it to generate a PKCS#1 public key for installation on the SSH/SFTP server

ssh-keygen -y -f priv.key.pem > pub.key