Introduction: When working with the SFTP Adapter in SAP Process Orchestration, one critical step during the SSH handshake is the validation of the server fingerprint. This fingerprint ensures that the adapter is connecting to the correct server and not an imposter, thereby guaranteeing the authenticity of the communication channel.
Traditionally, server fingerprints were shared in hexadecimal format (e.g., MD5:9c:b9:de:cc:… or SHA1:3f:17:6c:bb:…). However, many modern servers now provide fingerprints in Base64 format (e.g., SHA256:rmwIF2dwgkeh0m/…).
This difference in representation can lead to problems when setting up or running an SFTP channel, especially if the adapter only expects a hex-formatted fingerprint while the server provides Base64.
Problem / Symptom: The fingerprint mismatch often surfaces as a runtime error during message processing. For example, you might notice the following entry in the channel logs:
Exception received: com.jcraft.jsch.JSchException: Fingerprint invalid. Fingerprint is: SHA256:rmwIF2dwgkeh0m/…
At first glance, the fingerprint looks valid as it is prefixed with SHA256:. But the problem is that the adapter expects a hexadecimal value, whereas the server has sent the fingerprint in Base64 encoding. Because of this mismatch, the adapter cannot validate the server during the SSH handshake, and message processing fails.
Solution: To address this issue, the SFTP Adapter has been enhanced to support Base64-encoded server fingerprints (e.g., SHA256:rmwIF2dwgkeh0m/…).
A new advanced mode parameter has been introduced:
useBase64Fingerprint (default: false)
Default behavior (false)
If the parameter is not set or explicitly set to false, the adapter automatically converts Base64-encoded server fingerprints into the expected hexadecimal format before performing validation.
Example:
Server Fingerprint (Base64): SHA256:rmwIF2dwgkeh0m/…
Channel Fingerprint (configured in Hex): ae:6c:08:17:67:70:82:47:…
Adapter converts Base64 → Hex internally, then compares.
When set to true
The adapter directly reads the server fingerprint in Base64 format. In this case, the channel must also be configured with the fingerprint in Base64 format.
Example:
Server Fingerprint (Base64): SHA256:rmwIF2dwgkeh0m/…
Channel Fingerprint (Base64): SHA256:rmwIF2dwgkeh0m/…
Both are compared as Base64 strings.
This enhancement gives flexibility for both legacy configurations (hex fingerprints) and modern servers (Base64 fingerprints), ensuring compatibility and reducing configuration errors.
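The Base64-to-hex conversion described above can be reproduced offline to prepare or cross-check the value entered in the channel. This is an added Python example, not SAP's or JSch's code; the function names and the sample key blob are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

DIGEST_LEN = {"MD5": 16, "SHA1": 20, "SHA256": 32}
HEX_PAIRS = re.compile(r"(?:[0-9a-fA-F]{2}:)+[0-9a-fA-F]{2}")


def fingerprint_bytes(fp: str) -> bytes:
    """Decode 'ALG:<base64>', 'ALG:<hex pairs>' or bare hex pairs to raw digest bytes."""
    text = fp.strip()
    alg, _, body = text.partition(":")
    if alg.upper() not in DIGEST_LEN:
        alg, body = "", text  # no algorithm prefix, e.g. bare hex pairs
    if HEX_PAIRS.fullmatch(body):
        raw = bytes.fromhex(body.replace(":", ""))
    else:
        # OpenSSH prints Base64 without '=' padding; restore it before decoding.
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
    if alg and len(raw) != DIGEST_LEN[alg.upper()]:
        raise ValueError(f"{alg} fingerprint has {len(raw)} bytes, expected {DIGEST_LEN[alg.upper()]}")
    return raw


def to_hex(raw: bytes) -> str:
    """Colon-separated lowercase hex, the form a hex-configured channel holds."""
    return ":".join(f"{b:02x}" for b in raw)


def to_base64(raw: bytes, alg: str = "SHA256") -> str:
    """'ALG:' plus unpadded Base64, the form modern servers print."""
    return f"{alg}:" + base64.b64encode(raw).decode("ascii").rstrip("=")


def fingerprints_match(server_fp: str, configured_fp: str) -> bool:
    """Compare two fingerprints by digest bytes, whatever their text encoding."""
    return hmac.compare_digest(fingerprint_bytes(server_fp), fingerprint_bytes(configured_fp))


# Constructed sample: these bytes stand in for a host public key blob.
SAMPLE_KEY_BLOB = b"constructed sample bytes standing in for a host public key blob"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_KEY_BLOB).digest()

if __name__ == "__main__":
    server, channel = to_base64(SAMPLE_DIGEST), to_hex(SAMPLE_DIGEST)
    print(server, channel, fingerprints_match(server, channel), sep="\n")
```

Comparing decoded digest bytes rather than strings avoids false mismatches from letter case, padding or surrounding whitespace in the configured value.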
For SP/patch level details, refer to SAP Note 3652688 – Support for Base64-Encoded Fingerprints in SFTP Adapter.