Embed Size (px)
Citation preview
Generated by Jive on 2016-05-04+02:001
BI Platform: Fingerprints for SFTPDestinations in SAP BusinessObjects BIPlatform 4.1
Posted by Ted Ueda Jul 23, 2015
SFTP Destination support is one of the more interesting new features introduced with the recently released
SAP BusinessObjects BI Platform 4.1 Support Pack 6.
Quite a lot of customer requests for this one, and it's finally here!
When you send or schedule a document to a SFTP destination, you will be asked to enter a fingerprint value.
• What is a fingerprint?• Why is it important?• How do you determine the fingerprint?
I'll answer these questions in this blog. Additionally, I'll describe how I set up a simple environment that I've
used for internal testing and teaching purposes for the SFTP feature.
SSH File Transfer Protocol (SFTP) Fingerprint
SFTP uses Secure Shell (SSH) to send files securely over the network. It's a full-fledged transfer and file
management system that uses public-private key cryptography to ensure any client may send a file to a server
securely.
Sometimes it's confused with FTP Secure (FTPS) or Simple FTP, but they're not compatible. FTPS is FTP over
SSL and Simple FTP has no security features built in.
Why the need for secure file transfer?
I'll give the most often sited analogy, to snail mail. Say your company needs to send letters to a bank. You put
it in an envelope, address the envelope, and drop it off at your company's mailroom. The clerk hands it over to
the postman for delivery to the bank.
But let's say the clerk happens to be not-above-board. He steams open the envelope and reads the contents,
and uses the information found within for private gain. Your letter is compromised. The clerk puts the letter
back in the envelope, seals it, and sends it on its way, no-one the wiser.
To prevent that, the bank mails you special envelopes. Anyone can put contents into the envelope, but only the
bank can open the envelope without destroying the contents. The shady clerk's now thwarted and would no
longer be able to read the contents and steal the information.
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:002
But say the clerk's pretty crafty. He knows that the bank envelopes are delivered through his mailroom. So
he waylays the package when it comes in. Instead, he has a set of those special envelopes made for himself,
that only he can open, and forwards those envelopes to you. You can't tell the difference between the clerk's
envelope and the bank's and so you put the letter in the clerk's envelope and drop it off at the mailroom. The
clerk opens the envelope, reads the letter, steals the information, then puts the letter in one of the bank's
envelope, and gives to the postman. Neither you nor the bank are aware that the letter has been compromised.
The clerk is called the man-in-the-middle, and the scheme he plays is called the man-in-the-middle attack.
To thwart a man-in-the-middle, what the bank will do is place a very unique symbol on its envelopes. This
symbol would be extremely difficult for others to duplicate. They then publicly publish what this symbol looks
like, allowing you to verify that the special envelopes you have is actually from the bank and not the man-int-
the-middle.
This symbol is a fingerprint.
Fingerprints are extremely difficult to duplicate, since they're computed by hashing the public key, the key used
for cryptography.
Discover the SFTP Fingerprint that BI Platform Expects
Now that you know the importance of a fingerprint, how do you discover the fingerprint needed, when sending/
scheduling a document to SFTP?
If you use a SFTP client tool such as WinSCP or PuTTY, you'll see that they present a fingerprint value for
every SFTP that you connect to. But those fingerprint value won't work with BI Platform. They won't work
because the hashing algorithm used is different.
Typical client tools use a MD5 hash. BI Platform uses the more secure SHA-1 hash. Because of that, you'll
need some other means to get the fingerprint.
One way is to let BI Platform tell you. When it connects to a SFTP server, it retrieves the public key and
computes the SHA-1 fingerprint from it. If that expected fingerprint does not match the fingerprint you've
entered for the SFTP destination parameters, then an error is entered in the trace files. That error line records
both the expected and entered fingerprint values. You can use this to get the expected fingerprint. The steps
are described in SAP Note 2183131, but I'll describe the steps here as well.
Log onto the Central Management Console and enable tracing for the Adaptive Job Server. Log onto BI launch
pad, navigate to the public "Web Intelligence Samples" folder, right-click on a WebI document and select from
the menu Send->SFTP Location:
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:003
Fill out the SFTP Server information, including hostname, port, user name and password. For the fingerprint,
just enter a keyword that'll be easy to remember and search for, say FINDTHEFINGERHERE:
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:004
Click Send. Nothing appears to happen (not even an error dialog box pops up), but the document would not
have been sent to the SFTP server.
Go to the machine where the BI Platform Adaptive Job Server is running, and navigate to the logging folder
for the BI Platform deployment. Find the trace file associated with the Adaptive Job Server Destination Service
child process. Open the glf file associated with that Service, and search for the fingerprint keyword you entered
above:
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:005
Here's the line:
destination_sftp: exception caught while connecting to sftp server [<hostname>]. Details:
[83:89:8c:dd:e8:00:a2:e3:26:63:83:24:47:71:ec:8c:1b:ce:de:25 is admin input.Mis match in fingerprint. i.e
hashing server fingerPrint obtained from serverFINDTHEFINGERHERE]
The long sequence of 20 two-digit hex numbers separated by colons is the SHA-1 hash of the public key as
received by BI Platform. Enter that value into the FingerPrint box of the Send dialog box:
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:006
and you'll see the document be sent successfully to the SFTP server.
Are we done?
What if I were to ask you whether the fingerprint above is the one for the SFTP server or a man-in-the-middle
between your BI Platform deployment and the SFTP server?
You can't tell by looking at the fingerprint value itself, you need some other independent way to validate it. A
good way is to contact the SFTP server maintainer, and ask them "Would you provide us, securely, the SHA-1
fingerprint for your SFTP server?" That's actually the best way.
But sometimes you encounter Administrators who don't know how to do that. What then?
Given the public key, a public key you've gotten from the SFTP server by secure means, you can compute the
fingerprint yourself. I'll give instructions to do that.
First, let's set up a trial, simple, SFTP server, so we can see things from the SFTP server side of things.
Generating the Cryptographic Public Key and Private Key
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:007
First, generate public and private keys that the SFTP server will use for cryptography. There's various ways to
do this, some SFTP server products have their own ways.
What I'll use is the popular and common PuTTY tools.
Download the PuTTYgen RSA key generation utility from here.
It's a fairly easy tool to use. In the "Parameters" section, specify the type and length of key, and click the
"Generate" button:
You'll see that the public key in "OpenSSH format" will be displayed in the text area titled "Public key for
pasting into OpenSSH authorized_keys file:" So copy and paste the key into a text file using a text editor, such
as Notepad or Notepad++. Save the contents to a file named public_key_openssh.pub. By the way, you see
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:008
the "Key fingerprint:" value in the above screenshot. Ignore it. That's a MD5 hash fingerprint, not the SHA-1
fingerprint we want.
Next go to the menu selection Conversions -> "Export OpenSSH key" to export the private key to a file, that I
name private_key.key
Why OpenSSH key? It's because I'm going to use a SFTP implementation that expects private keys to be in
OpenSSH format. There are other formats, and you'd need to refer to your SFTP server documentation to find
out which one, if you're going to be using something different from I.
Now that we have the keys, let's set up the SFTP server.
Setting up the freeFTPd SFTP Server
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:009
For simplicity, I'll use the open-source freeFTPd implementation of the SFTP server. There are others, but
freeFTPd is the one I find is easiest to set up and use.
Download and run. First go to the SFTP -> Hostkey page, and specify the private_key.key RSA key you
generated previously:
Then go to the Users page and create a test user. Call it testuser:
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:0010
Now go to the SFTP page and start up the SFTP server, making sure you first set where the SFTP is to store
the incoming file in "SFTP root directory" setting:
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:0011
And finally check the Status to ensure the SFTP us running:
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:0012
That's it!
Now connect to this SFTP server using instructions given above, and get the fingerprint value that BI
Platform expects. Now, what we want to do is compute the fingerprint directly from the public key file
public_key_openssh.pub and verify that the value is correct.
Use OpenSSL tools to Compute the SHA-1 Fingerprint
Let's have a look at the public key file contents (in OpenSSH format):
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAnx3a1iYFDX4HY8Ysf2hOE1UJwha
+rLD0iq82gn3+Lgla3ZzPOTuU4R39yQ5cgtzfvQrUq+NIEVEKrw1Vm3CuYVs/
UrCUEhDhYOc4AfzszDGaLPnIIJjrZt9i2TnZ+9OeLakno4bgNntVglr8GbL2tryg+FWTzPGcq9O6O5gnavE=
rsa-key-20150626
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:0013
Now the first line, 'ssh-rsa', specifies that the type of key is RSA, and the last line 'rsa-key-20150626' is merely
an optional comment line (I just had PuTTY denote the type and date when I generated it).
In between, the gibberish, is the Base64 encoded string value for the public key binary value. What we need to
do is extract this value from the file, Base64 decode it to get the binary value back, then generate the SHA-1
Digest for this value (in colon-separated hex 2-digit format).
Now, the last step you can do using OpenSSL command-line tools. But if you'd like to make life much easier,
you can use command-line tools to accomplish the other two pre-steps.
The easiest, if you're not on a Unix machine, is to download Unix tools, the Cygwin toolset. The Cygwin
command-line tools contain the textfile manipulation and base64 tools to automate the other steps. Go to
the Cygwin site, and install the tools (the default install won't include the OpenSSL toolset, so make sure you
manually select those as well during the installation of Cygwin packages).
Now, the way to compute the fingerprint is a single (albeit longish) command-line:
Breaking down the individual commands on the pipe, the command:
cut -d ' ' -f 2 < public_key_openssh.pub
reads the file public_key_openssh.pub, cuts the contents at whitespace, and streams out the second
component. Essentially, it's extracting the Base64 encoded public key from the public key file. The command:
base64 -d
merely reads the input pipe, base64 decode it, and streams out the binary value. And finally, the command:
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:0014
openssl dgst -c -sha1
uses the OpenSSL tool to compute the SHA-1 Digest from the binary value.
As you can see, the fingerprint we compute directly from the public key corresponds to the one BI Platform
says it got from the SFTP server. The public key the BI Platform is using is the one from the SFTP server, and
not from the man-in-the-middle.
Summary
If you require ways to send or schedule BI Platform documents across the network securely, the recommended
solution is to upgrade your deployment to BI 4.1 SP6 or higher, and use the new SFTP destination
functionality.
One quirk is the fingerprint value. This blog describes how to determine the fingerprint value to use, and how to
validate the fingerprint for correctness.
Hope you find this information useful, and you're able to integrate this new functionality into your BI
architecture!
Ted Ueda has supported SAP BusinessObjects BI Platform and its predecessors for almost 10 years. He still
finds fun stuff to play with.3961 Views Tags: bisupporttool
Ted Ueda in response to Swetha Bandaru on page 14May 4, 2016 4:43 PM
Hello Swetha,
One thing to emphasize is that the fingerprint is not the encryption being used between the SFTP server and
SAP BI Platform.
It's there to compare the public key being sent by the SFTP server to one that's already known and assured on
the BI Platform side.
For the encryption itself, the SFTP client library on SAP BI Platform uses libssh2.
Regards,
Ted Ueda
Swetha BandaruMay 4, 2016 4:39 PM
HI Ted,
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:0015
Is the fingerprint generation same when we have SHA256 enabled at the SFTP server? Does BO support
SHA256?
Regards,
Swetha
Ted Ueda in response to Rakesh Sudhakar on page 15Mar 7, 2016 8:56 PM
That error is a different layer, the TCP/IP Corba layer. So the error message may not be related to your issue.
You do need to specify destination and path. It may be best top open a Support Ticket.
Regards,
Ted Ueda
Rakesh Sudhakar in response to Ted Ueda on page 15Mar 7, 2016 8:42 PM
Hi Ted,
In the trace file I see errors like "false : Out of memory or unknown type to create!".
Is it possible to SFTP a file without a Directory or folder path in the destination ?
At present we just have the sftp login details but do not have a destination directory.
Could that be the cause ?
Thanks,
Rakesh
Ted Ueda in response to Rakesh Sudhakar on page 15Mar 7, 2016 7:47 PM
There should be more details in the traces on connection error. No limits and if a fingerprint error the logs
should state that.
Regards,
Ted Ueda
Rakesh SudhakarMar 7, 2016 5:56 PM
Hi Ted,
Am trying to add a new SFTP user but am getting the below error
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:0016
connection error. []: [CrystalEnterprise.Sftp]
1. Is there any limit on the number of SFTP connections
2. Do we have different finger print for different SFTP connections
Thanks,
Rakesh
Rakesh Sudhakar in response to Ted Ueda on page 16Sep 24, 2015 5:59 PM
Thanks for the quick response Ted.
Got the fingerprint value .The fix was weird though , I sent a report by sftp without specifying the port
number and when I looked at the trace file the actual fingerprint was there ..
Regards,
Rakesh
Ted Ueda in response to Rakesh Sudhakar on page 16Sep 23, 2015 9:01 PM
It's not connecting to the SFTP server. You can try deploying a SFTP client on the macine where the Adaptive
Job Server is running to see if you can connect to the SFTP server.
It may be blocked ports or network.
Regards,
Ted Ueda
Rakesh SudhakarSep 23, 2015 5:10 PM
Hi Ted thanks a ton for sharing BI SFTP procedure in detail :-)
We recently upgraded from BI SP5 to BI SP6 and see the SFTP option.
I tried to do an SFTP using the BI platform fingerprint option but am not getting the 20digit finger print key.
This is what I did1. After upgrading to SP6 configured the SFTP in the Adaptive Job server with the host , username ,
password & port details2. The SFTp option got enabled in BO launchpad3. Tried to get the fingerprint by sending a web intelligence report by SFTP using a dummy fingerprint
value (specified all the host,user details)4. When I looked at the trace I get the following error
destination_sftp: exception caught while connecting to sftp server [ourhostname]. Details: [unknown
error!].
BI Platform: Fingerprints for SFTP Destinations in SAP BusinessObjects BI Platform 4.1
Generated by Jive on 2016-05-04+02:0017
Am I missing anything ?
Please let me know your thoughts.
Thanks,
Rakesh
Kari SoniatSep 4, 2015 7:26 PM
This article was perfect! Well written and exactly what I needed!! Thank you.
Ted Ueda in response to Maheshwar Singh on page 17Aug 6, 2015 10:34 PM
Thanks!
Customers are indeed starting to use this feature.
Maheshwar SinghJul 26, 2015 3:21 PM
Great job Ted. Very detailed
Andy YuJul 25, 2015 3:24 AM
Thanks, Ted! Learned some tech insight of this new feature.
Shiva VishnubatlaJul 24, 2015 9:06 PM
I learned a few things from this. Thanks for sharing with crisp explanation.
Denis KonovalovJul 23, 2015 10:42 PM
Ted, as usual - perfect.
