I'll answer these questions in this blog. Additionally, I'll describe how I set up a simple environment that I've
used for internal testing and teaching purposes for the SFTP feature.
SSH File Transfer Protocol (SFTP) Fingerprint
SFTP uses Secure Shell (SSH) to send files securely over the network. It's a full-fledged transfer and file
management system that uses public-private key cryptography to ensure any client may send a file to a server
securely.
Sometimes it's confused with FTP Secure (FTPS) or Simple FTP, but they're not compatible. FTPS is FTP over
SSL and Simple FTP has no security features built in.
Why the need for secure file transfer?
I'll give the most often cited analogy, to snail mail. Say your company needs to send letters to a bank. You put
a letter in an envelope, address the envelope, and drop it off at your company's mailroom. The clerk hands it over to
the postman for delivery to the bank.
But let's say the clerk happens to be not-above-board. He steams open the envelope and reads the contents,
and uses the information found within for private gain. Your letter is compromised. The clerk puts the letter
back in the envelope, seals it, and sends it on its way, no-one the wiser.
To prevent that, the bank mails you special envelopes. Anyone can put contents into the envelope, but only the
bank can open the envelope without destroying the contents. The shady clerk's now thwarted and would no
longer be able to read the contents and steal the information.
But say the clerk's pretty crafty. He knows that the bank envelopes are delivered through his mailroom. So
he waylays the package when it comes in. Instead, he has a set of those special envelopes made for himself,
that only he can open, and forwards those envelopes to you. You can't tell the difference between the clerk's
envelope and the bank's and so you put the letter in the clerk's envelope and drop it off at the mailroom. The
clerk opens the envelope, reads the letter, steals the information, then puts the letter in one of the bank's
envelope, and gives to the postman. Neither you nor the bank are aware that the letter has been compromised.
The clerk is called the man-in-the-middle, and the scheme he plays is called the man-in-the-middle attack.
To thwart a man-in-the-middle, what the bank will do is place a very unique symbol on its envelopes. This
symbol would be extremely difficult for others to duplicate. They then publicly publish what this symbol looks
like, allowing you to verify that the special envelopes you have are actually from the bank and not the man-in-the-middle.
This symbol is a fingerprint.
Fingerprints are extremely difficult to duplicate, since they're computed by hashing the public key, the key used
for cryptography.
Discover the SFTP Fingerprint that BI Platform Expects
Now that you know the importance of a fingerprint, how do you discover the fingerprint needed, when sending/
scheduling a document to SFTP?
If you use an SFTP client tool such as WinSCP or PuTTY, you'll see that they present a fingerprint value for
every SFTP server that you connect to. But those fingerprint values won't work with BI Platform. They won't work
because the hashing algorithm used is different.
Typical client tools use an MD5 hash. BI Platform uses the more secure SHA-1 hash. Because of that, you'll
need some other means to get the fingerprint.
One way is to let BI Platform tell you. When it connects to an SFTP server, it retrieves the public key and
computes the SHA-1 fingerprint from it. If that expected fingerprint does not match the fingerprint you've
entered for the SFTP destination parameters, then an error is entered in the trace files. That error line records
both the expected and entered fingerprint values. You can use this to get the expected fingerprint. The steps
are described in SAP Note 2183131, but I'll describe the steps here as well.
Log onto the Central Management Console and enable tracing for the Adaptive Job Server. Log onto BI launch
pad, navigate to the public "Web Intelligence Samples" folder, right-click on a WebI document and select from
the menu Send->SFTP Location:
Fill out the SFTP Server information, including hostname, port, user name and password. For the fingerprint,
just enter a keyword that'll be easy to remember and search for, say FINDTHEFINGERHERE:
Click Send. Nothing appears to happen (not even an error dialog box pops up), but the document would not
have been sent to the SFTP server.
Go to the machine where the BI Platform Adaptive Job Server is running, and navigate to the logging folder
for the BI Platform deployment. Find the trace file associated with the Adaptive Job Server Destination Service
child process. Open the glf file associated with that Service, and search for the fingerprint keyword you entered
above:
and you'll see the document sent successfully to the SFTP server.
Are we done?
What if I were to ask you whether the fingerprint above is the one for the SFTP server or a man-in-the-middle
between your BI Platform deployment and the SFTP server?
You can't tell by looking at the fingerprint value itself, you need some other independent way to validate it. A
good way is to contact the SFTP server maintainer, and ask them "Would you provide us, securely, the SHA-1
fingerprint for your SFTP server?" That's actually the best way.
But sometimes you encounter Administrators who don't know how to do that. What then?
Given the public key, a public key you've gotten from the SFTP server by secure means, you can compute the
fingerprint yourself. I'll give instructions to do that.
First, let's set up a trial, simple, SFTP server, so we can see things from the SFTP server side of things.
First, generate public and private keys that the SFTP server will use for cryptography. There's various ways to
do this, some SFTP server products have their own ways.
What I'll use is the popular and common PuTTY tools.
Download the PuTTYgen RSA key generation utility from here.
It's a fairly easy tool to use. In the "Parameters" section, specify the type and length of key, and click the
"Generate" button:
You'll see that the public key in "OpenSSH format" will be displayed in the text area titled "Public key for
pasting into OpenSSH authorized_keys file:" So copy and paste the key into a text file using a text editor, such
as Notepad or Notepad++. Save the contents to a file named public_key_openssh.pub. By the way, you see
the "Key fingerprint:" value in the above screenshot. Ignore it. That's an MD5 hash fingerprint, not the SHA-1
fingerprint we want.
Next go to the menu selection Conversions -> "Export OpenSSH key" to export the private key to a file, that I
name private_key.key
Why OpenSSH key? It's because I'm going to use an SFTP implementation that expects private keys to be in
OpenSSH format. There are other formats, and you'd need to refer to your SFTP server documentation to find
out which one, if you're going to be using something different from what I use.
Now that we have the keys, let's set up the SFTP server.
For simplicity, I'll use the open-source freeFTPd implementation of the SFTP server. There are others, but
freeFTPd is the one I find is easiest to set up and use.
Download and run. First go to the SFTP -> Hostkey page, and specify the private_key.key RSA key you
generated previously:
Then go to the Users page and create a test user. Call it testuser:
Now go to the SFTP page and start up the SFTP server, making sure you first set where the SFTP is to store
the incoming file in "SFTP root directory" setting:
That's it!
Now connect to this SFTP server using instructions given above, and get the fingerprint value that BI
Platform expects. Now, what we want to do is compute the fingerprint directly from the public key file
public_key_openssh.pub and verify that the value is correct.
Now the first field, 'ssh-rsa', specifies that the type of key is RSA, and the last field, 'rsa-key-20150626', is merely
an optional comment (I just had PuTTY denote the type and date when I generated it).
In between, the gibberish, is the Base64 encoded string value for the public key binary value. What we need to
do is extract this value from the file, Base64 decode it to get the binary value back, then generate the SHA-1
Digest for this value (in colon-separated hex 2-digit format).
Now, the last step you can do using OpenSSL command-line tools. But if you'd like to make life much easier,
you can use command-line tools to accomplish the other two pre-steps.
The easiest, if you're not on a Unix machine, is to download Unix tools, the Cygwin toolset. The Cygwin
command-line tools contain the textfile manipulation and base64 tools to automate the other steps. Go to
the Cygwin site, and install the tools (the default install won't include the OpenSSL toolset, so make sure you
manually select those as well during the installation of Cygwin packages).
Now, the way to compute the fingerprint is a single (albeit longish) command-line:
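The same three steps (extract the Base64 field, decode it, hash the binary blob and print it as colon-separated hex) done in Python rather than the Cygwin/OpenSSL pipeline, as an added example that is not from the original post. The key it fingerprints is constructed inline from placeholder RSA values (not a real key), so the script runs offline; the comment value `rsa-key-20150626` is reused from the post.

```python
import base64
import hashlib
import struct

# Constructed demo values, NOT a real key: a tiny placeholder modulus that would
# never be used in practice, chosen only so the wire encoding is exercised.
DEMO_E = 65537
DEMO_N = 0xC0FFEE1234567890ABCDEF
DEMO_COMMENT = "rsa-key-20150626"


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_openssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Assemble the one-line 'ssh-rsa <base64 blob> comment' format PuTTYgen exports."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_openssh_line(line: str):
    """Split the line into (key type, raw binary blob, comment); the comment may be empty."""
    parts = line.strip().split(None, 2)
    key_type = parts[0]
    blob = base64.b64decode(parts[1])
    comment = parts[2] if len(parts) > 2 else ""
    # The blob's first SSH string repeats the key type; a mismatch means a garbled or edited file.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type inside blob does not match the first field")
    return key_type, blob, comment


def fingerprint(line: str, algo: str = "sha1") -> str:
    """Hash the decoded blob (not the comment) and format it as colon-separated 2-digit hex."""
    _, blob, _ = parse_openssh_line(line)
    digest = hashlib.new(algo, blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    demo_line = build_openssh_rsa_line(DEMO_E, DEMO_N, DEMO_COMMENT)
    print("SHA-1 (BI Platform):", fingerprint(demo_line, "sha1"))
    print("MD5 (WinSCP/PuTTY): ", fingerprint(demo_line, "md5"))
```

To fingerprint a real file, read the single line of public_key_openssh.pub and pass it to `fingerprint()`; the SHA-1 value is the one to compare against the "expected" value in the Adaptive Job Server trace.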
Ted Ueda has supported SAP BusinessObjects BI Platform and its predecessors for almost 10 years. He still
finds fun stuff to play with.
Is the fingerprint generation the same when we have SHA256 enabled at the SFTP server? Does BO support
SHA256?
Regards,
Swetha
Ted Ueda in response to Rakesh Sudhakar
Mar 7, 2016 8:56 PM
That error is a different layer, the TCP/IP Corba layer. So the error message may not be related to your issue.
You do need to specify destination and path. It may be best to open a Support Ticket.
Regards,
Ted Ueda
Rakesh Sudhakar in response to Ted Ueda
Mar 7, 2016 8:42 PM
Hi Ted,
In the trace file I see errors like "false : Out of memory or unknown type to create!".
Is it possible to SFTP a file without a Directory or folder path in the destination ?
At present we just have the sftp login details but do not have a destination directory.
Could that be the cause ?
Thanks,
Rakesh
Ted Ueda in response to Rakesh Sudhakar
Mar 7, 2016 7:47 PM
There should be more details in the traces on connection error. No limits and if a fingerprint error the logs
should state that.
Regards,
Ted Ueda
Rakesh Sudhakar
Mar 7, 2016 5:56 PM
Hi Ted,
I'm trying to add a new SFTP user but I'm getting the below error.
Am I missing anything ?
Please let me know your thoughts.
Thanks,
Rakesh
Kari Soniat
Sep 4, 2015 7:26 PM
This article was perfect! Well written and exactly what I needed!! Thank you.
Ted Ueda in response to Maheshwar Singh
Aug 6, 2015 10:34 PM
Thanks!
Customers are indeed starting to use this feature.
Maheshwar Singh
Jul 26, 2015 3:21 PM
Great job Ted. Very detailed
Andy Yu
Jul 25, 2015 3:24 AM
Thanks, Ted! Learned some tech insight of this new feature.
Shiva Vishnubatla
Jul 24, 2015 9:06 PM
I learned a few things from this. Thanks for sharing with crisp explanation.
Denis Konovalov
Jul 23, 2015 10:42 PM
Ted, as usual - perfect.