AWS Transfer for SFTP for SAP file transfer workloads – part 2

Part 1 of this series demonstrated how to integrate SAP PI/PO systems with AWS Transfer for SFTP (AWS SFTP) and how to use the data that AWS SFTP stores in Amazon S3 for post-processing analytics. This post shows you how to integrate SAP Cloud Platform Integration (SAP CPI) with AWS SFTP and use the AWS analytics solutions shown in part 1 for post-processing analytics.

Architecture overview

SAP CPI is a pay-as-you-go subscription model offered by SAP. With capabilities similar to SAP PI/PO, SAP CPI offers pay-as-you-go exchange infrastructure to integrate processes and data. This includes SAP file workloads between cloud apps, third-party applications, and on-premises solutions with this open, flexible, on-demand integration system running as a core service on the SAP Cloud Platform.

The following diagram shows the high-level architecture of SAP CPI system integration with AWS SFTP. SAP systems are hosted on premises or in the AWS Cloud environment with an SAP CPI connection. You can use AWS SFTP to store the SAP file workloads in S3 by enabling an integration flow connection, and then perform post-processing functions using AWS Glue, Amazon Athena, and Amazon QuickSight.

Figure: High-level architecture of SAP CPI system integration with AWS SFTP.

Authentication options

To establish a connection with AWS SFTP, you must have the following SAP CPI authentication options:

  • SAP CPI key-based authentication – Use key-based authentication in SAP to configure and integrate SAP CPI with AWS SFTP.
  • SAP CPI password-based authentication – Use AWS Secrets Manager to enable username- and password-based authentication. This integrates SAP CPI communication channels with AWS SFTP.

SAP CPI key-based authentication

Configure the SAP CPI tenant known hosts file to store the SFTP key, hostname, key algorithm, and SSH key parameters. As shown in the following workflow diagram, the known hosts file stores the SFTP server's public key, hostname, and public key algorithm. The SSH key pair is stored in the SAP CPI keystore configuration to establish the connection from the SAP CPI tenant to the SFTP server:

Figure: Workflow diagram for SAP CPI key-based authentication.

Known host file

To establish an SSH-based communication, the SAP CPI tenant needs the host key of the SFTP server.

  1. To extract the host key of the SFTP server, run the ssh-keyscan command on the AWS SFTP endpoint you created.
  2. Update the host key in the SAP CPI known hosts file. The following example runs the ssh-keyscan command against the AWS SFTP server domain to retrieve the host key value:

Figure: Using the ssh-keyscan command on the AWS SFTP server endpoint to extract the host key.

Update the server host key in the SAP CPI tenant known_hosts file:

  1. In the CPI tool, choose Monitoring (operations view), and then the Security Material option.
  2. Select the known_hosts entry, and download it to your local machine.
  3. Add the AWS SFTP server host key retrieved in the previous step to the known hosts file.

Figure: Downloading the known hosts file from CPI security material.

To avoid corrupting or deleting existing host keys, which could hamper other SAP CPI integrations, add the host key at the end of the SAP CPI known hosts file.
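The known hosts update described above, as an added shell example that is not part of the original post: it validates a scanned host key line and appends it to the end of the downloaded file only if it is not already present, leaving existing entries untouched. The function names and the rsa default key type are assumptions; because ssh-keyscan does not authenticate the server, the example also prints the key's fingerprint so that it can be compared with a value obtained through a trusted channel before the file is deployed.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.

# Fetch the host key line ("host keytype base64") from the SFTP endpoint.
# The key type defaults to rsa, which is an assumption of this example.
fetch_host_key() {    # $1 = AWS SFTP endpoint hostname, $2 = key type
  ssh-keyscan -p 22 -t "${2:-rsa}" "$1" 2>/dev/null | grep -v '^#'
}

# Print the fingerprint of one key line, for comparison with the fingerprint
# obtained from the server owner through a separate, trusted channel.
fingerprint() {       # $1 = key line
  fp_tmp=$(mktemp) || return 1
  printf '%s\n' "$1" > "$fp_tmp"
  fp_rc=0
  ssh-keygen -l -f "$fp_tmp" || fp_rc=$?
  rm -f "$fp_tmp"
  return "$fp_rc"
}

# Append the key line to the END of the known hosts file without touching
# existing entries. Returns 0 = appended, 1 = already present, 2 = malformed.
append_host_key() {   # $1 = known hosts file, $2 = key line
  # Require a single line with exactly: host, key type, base64 key.
  printf '%s\n' "$2" | awk '
    NF == 3 && $2 ~ "^(ssh-|ecdsa-)" && $3 ~ "^[A-Za-z0-9+/]+=*$" { ok = 1 }
    END { exit !(ok && NR == 1) }' || return 2
  grep -Fxq -- "$2" "$1" 2>/dev/null && return 1
  # If the last existing entry lacks a trailing newline, add one first so
  # the new key is not glued onto (and does not corrupt) that entry.
  if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
    printf '\n' >> "$1"
  fi
  printf '%s\n' "$2" >> "$1"
}

# Usage against a known hosts file downloaded from the CPI tenant:
#   line=$(fetch_host_key "<AWS SFTP endpoint>")
#   fingerprint "$line"          # verify before trusting the scanned key
#   append_host_key ./known_hosts "$line"
```
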

Figure: Adding the SFTP host key to the known_hosts file.

Upload the known hosts file from your local drive to the SAP CPI tenant:

  1. Choose Add feature, Known Hosts (SSH).
  2. Choose Deploy.

Figure: Deploying the known_hosts file.

For key-based authentication, you can generate a key pair using SAP CPI tools.

  1. From the SAP CPI monitoring page, in the tenant keystore, choose Create SSH key.
  2. For Key type, choose RSA.
  3. Define the key-specific values.
  4. Choose Deploy.

Figure: Creating an SSH key in the SAP CPI tenant. Generate a key pair using SAP CPI tools and update the key pair in AWS SFTP.

When the deployment is complete, download the id_rsa public key from the keystore. Upload the downloaded id_rsa public key to the AWS SFTP server SSH public key page.

For information about adding or rotating public keys for your AWS SFTP server, see the rotating SSH keys documentation.

Testing connectivity

You can now test the connectivity between SAP CPI and the AWS SFTP server.

  1. In the SAP CPI monitoring view, choose the Connectivity Tests function.
  2. Choose the SSH option, and enter the following details:
    • For Host, enter (AWS SFTP endpoint). For more information, see Create an SFTP Server.
    • For Port, enter 22.
    • For Proxy Type, select None.
    • For Timeout, enter your desired timeout value.
    • For Authentication, choose public-key based.
    • For User Name, enter kenny (AWS SFTP server user name created earlier).
    • Select the check boxes for Check Host Key and Check Directory access.
    • For Directory, select the S3 directory associated with AWS SFTP server.
    • Choose Send.

This establishes the connection between SAP CPI and AWS SFTP and lists the current objects stored in the AWS SFTP server S3 directory. In the following diagram, SAP CPI lists the SAP material master files stored in the S3 directory using the SFTP connection.

Figure: SAP CPI and AWS SFTP connectivity test, listing the SAP material master files stored in the S3 directory.

You can now use this SSH key pair-based SAP CPI connection to create an integration flow between your SAP systems and the AWS SFTP server for your file-transfer workloads.

SAP CPI password-based authentication

You can now configure SAP CPI integration with the AWS SFTP server using username- and password-based authentication.

If you are using a different AWS SFTP endpoint, follow the same known hosts file configuration process shown earlier for key-based authentication. To create username- and password-based authentication, see AWS Transfer for SFTP for SAP file transfer workloads – part 1.

  1. In the SAP CPI monitoring view, choose the Security Material function.
  2. Choose Add feature, User Credentials.
  3. On the Add User Credentials page, enter the credentials and deploy the following entries:
    • For Name, enter a credential name to retrieve your user name and password credentials in the SAP CPI integration flow.
    • For Type, choose User Credentials.
    • For User, enter the user name created for password-based authentication in part 1 of this series using Secrets Manager.
    • For Password, enter the same password created as part of password-based authentication in part 1 of this series using Secrets Manager.
    • Once deployed, verify the successful deployment of user credentials entry in the SAP CPI security material page.

Figure: Setting up the user credentials. Adding user credentials for username- and password-based authentication.

Testing connectivity

To test the connection, create an integration flow in SAP CPI between your preferred HTTPS tool and AWS SFTP.

  1. In the SAP CPI design view, for Address, enter (AWS SFTP endpoint).
  2. For Authentication, choose User Name/Password.
  3. For Credential Name, enter SFTP_KENNY (the credential name from the previous step).
  4. For Timeout, enter your desired value.
  5. For Maximum Reconnect Attempts, enter your desired value.
  6. For Reconnect Delay, enter your desired value.

Figure: Integration flow setup in SAP CPI between the HTTPS tool and AWS SFTP.

You can retrieve the deployed integration flow URL from the SAP CPI manage integration content page.

This post uses SOAP UI to send the SAP MATMAS document using the HTTPS connection method. To send the file to SAP CPI, upload the SAP material IDoc structure in the HTTPS tool. The integration flow processes the file to the S3 directory using AWS SFTP.

Figure: Processing file workloads using the HTTPS tool. The SAP material file is sent to AWS SFTP using the HTTPS connection tool and SAP CPI integration.

When the processing is complete, you should see the SAP MATMAS file stored in the S3 directory for post-processing activities.

Figure: The SAP MATMAS file stored in the AWS SFTP S3 directory for post-processing activities.

You can migrate your SAP file transfer workloads and SAP export files to S3 seamlessly by using a fully managed AWS SFTP service. You don’t have to worry about managing and maintaining an SFTP server and data resilience for your mission-critical workloads.