3634300 - SFTP - Update the SSH-RSA host key to ECDSA Key fingerprint – DC55 - SAP SuccessFactors

SAP SuccessFactors will issue a new site host key on Secure File Transfer Protocol(SFTP) server.

• Site: sftp55.sapsf.eu
• Datacenter: DC55
• Cloud Stack: Germany Region/GERMANY/Frankfurt/GCP Frankfurt
• Scheduled on:  Postponed, new date to be declared  

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

SAP SuccessFactors HCM Suite

Why this change?

This change is in alignment with our continuous effort to improve the product security.

What is the change?

The current host key fingerprint of the site.

sftp55.sapsf.eu

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDPqkq2N37J9SWFL3XKWKRmaCYS7Z/Hv5otjSchLof7+uY2y4ApqZlxB0cbvAsZVFLweUplVdbEhPvCqUJ4RAyLUyLWmv0S9UUB8rQyVSrcHaIdXWrkLqck3BZwUENkpLGZQClz2SwnSP61uO4v0K2E+0LfCpcKDoQAkDNJS7ziXroxlASqEnolLgBjSZudmZb1bSy35EBwwlvGZcoyAikHOkvKgDChXqLO8sz1Q2Zv0geN90081kEjDUHrYzlYYtNLpf1c3mnDhKsGjO/9kLkC4d/3nXW1bGonLxaZyDXwGVatdyyktjJ7shjMivUqOJTc6Ss6m0e7vFeAbp70EUVfRShcCIpyGSCWCadc4EnmymXiJRNPgfhbW9XVzGZbyOzq4P0OvsW2UtfFaU9o4lzb3CIc5leicuDK14ra3XpR748NBaVgPrg49CVYGk870kkNsjxwryzBbb8PfOb0geSdpPnQ1071AbCVppjv7/FnkzE8yDo53CJlf9keVOoVSIJfB7GLfrzSZ53s/vUBetd2y9fiNeta1A4VQZsuHVDcxpHTaBB4nEN+7hAeW/9GEQ7Vhk7zdj7LjUVmcKwhZonbEnOCda7HqzGw2SLpaeJ4VG1QA32wPAXY8yv2TYNZVdg6wRfwo+ZIYYDDaSytOyvNdmU8uwxbLm7RPblLCqIaWw==

New host key fingerprint (ECDSA)
Attached the .zip file which contains the .pub key.

Any action needed from the customer end?

The first login of any automated setup with SFTP can require a new key to be accepted from the new SFTP SSH Key pair. Therefore, post the SFTP host key change from our side customers will need to accept the new fingerprint one-time, during the first connection attempt.

Example screenshot -

This will vary depending on the system/application in use that is connecting to our SFTP.

If there is no strict key check configured on the customer side, there is no action needed and connection will happen without any manual intervention.

Note:

• The requirement of this key check is on the external system/application connecting to SuccessFactors SFTP, it is not controlled by SuccessFactors.
• Please find the new site hostkey attached .

Is there any change to customer SFTP user account and URL? Does this impact Username/password based login to SFTP?

There will be no change to SFTP URL, username and password. This change does not impact username/password based HTTP login.

Does this impact scheduled Jobs in Provisioning or Integration Center that are configured with SFTP parameters?

Scheduled Jobs will not be impacted.

Is there any impact to SFTP user login via SSH based authentication?

There is no change or impact to SSH based authentication for customers. The only change is SFTP server host key will be updated to new one.

Is there any impact on CPI connection to SFTP?

Please make sure to update the known_hosts file of your Cloud Integration tenant before proposed scheduled date, see above planned upgrade.

Steps (reference KBA 2448457):

1. Download the new SSH host.The key is available in the Attachments section-> DC55_Key_ECDSA pub key.zip
2. Download the known_hosts file from the Cloud Integration web UI.
3. Add the new ECDSA key to the known_hosts file. Format of the line should look as below: 
   -> sftp55.sapsf.eu ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTIt...
4. Save and upload.

Note: Do not remove the old key from known_hosts file when you add the new key. Remove the old key only after the switch by SuccessFactors is complete and you confirm that the connection continues to work as is.

For any queries on how to add the new host key to CPI:

Documentation on how to update known hosts file: https://help.sap.com/docs/cloud-integration/sap-cloud-integration/update-known-hosts-file#updating-the-known-hosts-file

The new host key fingerprint (ECDSA) can be found in the attached.zip file which contains the .pub key

For any issues or queries related to SFTP connection in CPI, please use the component: LOD-HCI-PI-CON-FTP.

2448457 - Connection to SFTP Server is failing with "reject HostKey" or "HostKey has been changed" error - SAP for Me

SFTP,SSH,RSA,ECDSA,server,fingerprint,DC55,sftp55,key , KBA , LOD-SF-PLT-FTPS , SFTP Account Creation, Reset Password & Install SSH Service , How To