
PUBLIC

Configuring the SFTP Integration Process with SAP CONCUR
How to set up the SFTP integration process with SAP CONCUR using a batch process

SCOPE
INTRODUCTION
    Key Benefits
DETERMINE THE METHOD OF DATA EXCHANGE
    Protocol Connection Details
    SSH Cipher Support
AUTHENTICATION AND FILE TRANSFER DETAILS
    File Transfer DNS Endpoints/IPs
    Account Credentials
    Time Out
    Polling
    Account Locking
    SSH Key Authentication (SFTP)
SAP CONCUR SFTP DIRECTORY STRUCTURE
    “/”
    “/in”
    “/out”
FILE FORMAT SPECIFICATIONS
    Text Encoding
    File Size
    File Naming
    Import File Naming Samples
    Extract File Naming Samples
PGP KEYS
    Creating your PGP Key
    Guidelines and Tips when generating your PGP Key
    To upload your PGP key
    To use the SAP CONCUR PGP key
SENDING FILES TO SAP CONCUR
RETRIEVING FILES FROM SAP CONCUR
CREATING YOUR PGP KEY USING GPG4WIN (KLEOPATRA)
    Generating your PGP Key – at a Microsoft Windows environment
    Importing the SAP Concur public PGP key – at a Microsoft Windows environment
    Exporting the Company Public PGP key (only if an exported file from SAP Concur is generated)
USING WINSCP TO SEND FILES VIA SFTP PROCESS
STEP 1: GENERATE A BRAND NEW SSH KEY.
STEP 2: TESTING THE SFTP CONNECTION
AUTOMATING THE PROCESS

Proprietary Statement

This document contains proprietary information and data that is the exclusive property of Concur Technologies,
Inc., Redmond, Washington. No part of this document may be reproduced, transmitted, stored in a retrieval
system, translated into any language, or otherwise used in any form or by any means, electronic or mechanical,
for any purpose, without the prior consent of Concur Technologies, Inc.

The information contained in this document is subject to change without notice. Accordingly, Concur
Technologies, Inc. disclaims any warranties, express or implied, with respect to the information contained in
this document, and assumes no liability for damages incurred directly or indirectly from any error, omission, or
discrepancy between any Concur Technologies, Inc. product or service and the information contained in this
document.

This document is provided “as-is”. Information and views expressed in this document, including URL and other
Internet Web site references, may change without notice. You bear the risk of using it.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or
connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any SAP product or
CONCUR product. You may copy and use this document for your internal, reference purposes.
This document is intended to help you or your company and to guide you through the execution of
the configuration. This is not an official SAP CONCUR document. It is just a guide / example of how
the configuration could be done. Therefore, we are not responsible for actions and results referring
to the actions presented in it.

SCOPE
The points described below are intended to act as a general guide to setting up the SFTP connection
that is required for integration by text files between customer environments and SAP Concur. The tools and
processes are general, and it is the Client's responsibility to execute them correctly and to select the software
that the Client prefers to set up said SFTP connection. For more information on the integration, consult the File
Transfer User Guide.

INTRODUCTION
Welcome to the integration scenario of your environment with SAP Concur SFTP using a batch process.
This straightforward and time-efficient integration is designed to exchange data between your company and
SAP Concur. This integration can be used to insert data into SAP Concur, such as:
• Lists
• Employee master data
• Data related to employees
• Payment confirmation
• Validation tables
• Etc.

Or this integration could be used to retrieve data from SAP Concur, like:
• SAE – Standard Accounting Extract
o Expenses & Cash Advance
o Attendees
• Travel & Request Extract
• Etc.

If you're responsible for the admin tasks at your company and will carry out all installation and integration
steps, then this guide is for you. With its information about software components, access rights, and system
prerequisites on the customer side, this guide will assist you in the integration process.

Key Benefits
The integration offers numerous advantages for all involved stakeholders:
• For IT
o Five (5) layers of security are involved in the integration process:
▪ Use of the SFTP protocol (encrypted by default);
▪ Dedicated infrastructure for each customer on the SAP Concur side;
▪ Authentication via SSH key;
▪ File encryption using a PGP key;
▪ No inbound connection.
o The connection has only one flow: CUSTOMER → SAP Concur;
o No SFTP server infrastructure is required on the customer side, only an SFTP client;
o Credentials and data are transmitted over an encrypted channel;
o All communication is over a single TCP port, simplifying firewall configuration;
o Well suited to automated processing and to transferring multiple files.

• For your company:
o Automates the process of creating/updating employee-related information.

• For the employee:
o An updated profile at SAP Concur.

DETERMINE THE METHOD OF DATA EXCHANGE
You must determine your preferred method for sending/retrieving files to/from SAP Concur and the software
used to carry out the exchange of files. When making this decision, consider the types of software that our
managed file transfer gateway supports.

This guide shows an example using the following software:
• WinSCP (SFTP client)
o Used to send/retrieve files to/from SAP Concur;
o Used to generate the SSH key that will be used in the SFTP authentication process.

• GPG 4 Win (Kleopatra)
o Used to generate the company encryption key;
o Used to import the SAP Concur public encryption key;
o Used to encrypt files before sending them to SAP Concur.

Protocol Connection Details


NOTE: All accounts must use SFTP (Secure File Transfer Protocol) with SSH (Secure Shell) Key
Authentication.

SSH Cipher Support


IMPORTANT: SAP Concur recommends choosing the very strongest cipher supported both by SAP
Concur and the client site to maintain a strong security posture.

AUTHENTICATION AND FILE TRANSFER DETAILS

File Transfer DNS Endpoints/IPs


The following file transfer DNS endpoints are used by SAP Concur:
• US: mft-us.concursolutions.com (12.129.29.138)
• EMEA: mft-eu.concursolutions.com (46.243.56.21)

NOTE: SAP Concur recommends connecting to the DNS endpoint since IP addresses are
subject to change.

Account Credentials
The SAP Concur data exchange is secured using username/key authentication. Your
username is your Concur Entity ID.

SSH Key Authentication using SFTP is required for all accounts.

Time Out
After you transfer your files to/from SAP Concur, please disconnect your connection.
Connections that are idle for an extended period will time out.

Polling
Do not authenticate repeatedly to SAP Concur, as this can trigger a Denial of Service (DOS)
and adversely impact file transfer performance. SAP Concur recommends connecting no more
than twice in an hour.

IMPORTANT: An account will be disabled if its behavior jeopardizes overall file transfer activity
and performance. This may include disabling IP addresses which would affect other accounts
attempting to connect with the same IPs.

Account Locking
User accounts will be locked after five (5) consecutive failed authentication attempts. The
customer will not receive an account locked message; it will appear as if they are entering an
incorrect password even after the account is locked. Customers who have locked themselves
out of their accounts should contact SAP Concur support to have their account unlocked.
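
The Polling and Account Locking limits above matter most for scheduled jobs, so here is a small guard a job can call before each connection. It is an added example, not SAP Concur code: the function names, the JSON state layout and the choice to halt three failures short of the lockout are assumptions.

```python
import json
import os

WINDOW_SECONDS = 3600
MAX_CONNECTIONS_PER_WINDOW = 2   # page: connect no more than twice in an hour
LOCKOUT_THRESHOLD = 5            # page: locked after 5 consecutive failures
STOP_AFTER_FAILURES = LOCKOUT_THRESHOLD - 3   # assumption: keep headroom


def load_state(path):
    """Read the guard state left by the previous run, or start fresh."""
    if not os.path.exists(path):
        return {"connections": [], "auth_failures": 0}
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def save_state(path, state):
    """Write the state atomically so an interrupted run cannot corrupt it."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def may_connect(state, now):
    """Return (allowed, reason) for a connection attempt at epoch time `now`."""
    if state["auth_failures"] >= STOP_AFTER_FAILURES:
        # A locked account looks exactly like a rejected key, so blind
        # retries only use up the remaining attempts. Wait for an operator.
        return False, "halted after repeated authentication failures"
    recent = [t for t in state["connections"] if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_CONNECTIONS_PER_WINDOW:
        wait = int(WINDOW_SECONDS - (now - min(recent)))
        return False, f"rate limit reached, retry in {wait}s"
    return True, "ok"


def record_attempt(state, now, authenticated):
    """Record one connection attempt and whether authentication succeeded."""
    kept = [t for t in state["connections"] if now - t < WINDOW_SECONDS]
    state["connections"] = kept + [now]
    state["auth_failures"] = 0 if authenticated else state["auth_failures"] + 1
    return state


def reset_failures(state):
    """Operator action once the key or account problem has been resolved."""
    state["auth_failures"] = 0
    return state
```

A scheduled job would call load_state, check may_connect, run the transfer, then call record_attempt and save_state.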

SSH Key Authentication (SFTP)


o Keys must be RSA format (2048-4096 bit, 2048 recommended).
o For existing accounts, open a case on the SAP Concur support portal to request SSH key
authentication and attach your SSH public key file to the case.

SAP CONCUR SFTP DIRECTORY STRUCTURE


Each customer and vendor is set up with their own directory structure. They do not have the ability to
traverse to other directories.

NOTE: All files are deleted from client/vendor file transfer directories after 14 days.

“/”
Download the SAP Concur PGP public key, concursolutionsrotate.asc. All files uploaded to
SAP Concur for processing must be encrypted with this key.

“ /in ”
• Upload ONLY properly named encrypted files you want processed.

• The SAP Concur file handling process is triggered at the end of a successful upload. As such,
renaming files and repeated uploads are not allowed and will have unexpected results.

“ /out ”
• Files created by SAP Concur (extracts, etc.) will be encrypted with your PGP key and placed
here for you to download.

FILE FORMAT SPECIFICATIONS

Text Encoding
Any files uploaded as text must be encoded as ASCII or UTF-8 with a byte order mark (0xef
0xbb 0xbf).

File Size
Uploaded files cannot exceed a size of 1GB uncompressed maximum.

File Naming
• File Type

• Entity ID

• Unique visual identifier


o NOTE: The unique visual identifier is not evaluated by the system but can be helpful
when identifying files, it is not required.

• Date and time stamp


o NOTE: The preferred format is YYYYMMDDHHMMSS

• Only alphanumeric characters, minus sign (-), underscore (_) and dot (.) should be used in
file names

• Spaces are not allowed in file names
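
Because processing starts as soon as an upload completes and files cannot be renamed or re-sent, it pays to check the name and the plaintext before encrypting. The following pre-upload check is an added example, not SAP Concur code. It assumes the underscore-separated layout used by the batch script later in this guide (file type, entity ID, optional identifier, timestamp), reads "1GB" as 1 GiB, and uses a constructed entity ID in its usage.

```python
import codecs
import re
from datetime import datetime

BOM = b"\xef\xbb\xbf"
MAX_BYTES = 1024 ** 3   # assumption: the page's "1GB" read as 1 GiB
ALLOWED_NAME = re.compile(r"[A-Za-z0-9._-]+")


def check_name(name, entity_id):
    """Return problems with an upload file name (empty list = acceptable).

    Assumed layout: <filetype>_<entityID>[_<identifier>]_<YYYYMMDDHHMMSS>.<ext>
    """
    problems = []
    if not ALLOWED_NAME.fullmatch(name):
        problems.append("name has characters other than A-Z a-z 0-9 - _ .")
    parts = name.split(".", 1)[0].split("_")
    if len(parts) < 3:
        return problems + ["name lacks type, entity ID or timestamp"]
    if parts[1] != entity_id:
        problems.append("second component is not the entity ID")
    stamp = parts[-1]
    try:
        # strptime alone accepts short fields, so require 14 digits first.
        if not re.fullmatch(r"\d{14}", stamp):
            raise ValueError(stamp)
        datetime.strptime(stamp, "%Y%m%d%H%M%S")
    except ValueError:
        problems.append("timestamp is not a valid YYYYMMDDHHMMSS")
    return problems


def check_text(stream, max_bytes=MAX_BYTES, chunk_size=1 << 16):
    """Stream the plaintext (before encryption) and return problems."""
    problems = []
    decoder = codecs.getincrementaldecoder("utf-8")("strict")
    data = stream.read(3)
    has_bom = data == BOM
    total, ascii_only, valid_utf8 = 0, True, True
    while data:
        total += len(data)
        ascii_only = ascii_only and data.isascii()
        if valid_utf8:
            try:
                decoder.decode(data)
            except UnicodeDecodeError:
                valid_utf8 = False
        data = stream.read(chunk_size)
    if valid_utf8:
        try:
            decoder.decode(b"", final=True)   # catches a truncated sequence
        except UnicodeDecodeError:
            valid_utf8 = False
    if total > max_bytes:
        problems.append("file is larger than the size limit")
    if has_bom and not valid_utf8:
        problems.append("BOM present but content is not valid UTF-8")
    elif not has_bom and not ascii_only:
        problems.append("non-ASCII content without a UTF-8 BOM")
    return problems
```

Open the source file in binary mode ("rb") and pass it to check_text, so the bytes checked are the bytes that will be encrypted.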

Import File Naming Samples


If there is a file type not listed below and you need further help for naming your files, please
contact SAP Concur support. All the file names below are an example.

Extract File Naming Samples


If there is a file type not listed below and you need further help understanding your extract
files, please contact SAP Concur support. All the file names below are an example

PGP KEYS
All files must be PGP encrypted. SAP Concur can only support a single key from a customer at
a time.

Any files delivered from SAP Concur to your /out directory will be OpenPGP.

See the section CREATING YOUR PGP KEY USING GPG4WIN (KLEOPATRA) in this guide for
the steps to create your PGP key.

Creating your PGP Key


• Use OpenPGP compliant software

• PGP public key must be formatted as OpenPGP (version 4)

• Keys should be RSA (sign and encrypt, 2048 to 4096bit, 2048 recommended). This is the
default GnuPG option when generating keys.

• You will need to have a public signing key and an encryption sub-key

Guidelines and Tips when generating your PGP Key


Customers may rotate keys at any time by following these instructions but must restrict this action
to a single supported key as stated above. Be sure to create your new PGP key in advance of the
expiration of the current key to ensure your file transfers are not interrupted. Additionally,
specifying an expiration date supports a best practice policy of regular rotation. However, this is
optional and SAP Concur supports customer keys with no specified expiration date.

• SAP Concur strongly recommends rotating keys every 2 years at minimum, or at any time you
believe the key might be compromised, to maintain a strong security posture.

• If you require a list of the encryption, hashing, and compression algorithms currently supported
by SAP Concur, open a case on the SAP Concur Support Portal. You must use preferences
found in the SAP Concur PGP key when you encrypt files to be uploaded to SAP Concur.

• SAP Concur recommends choosing the very strongest cipher supported both by SAP Concur
and the client site to maintain a strong security posture.

To upload your PGP key


• Clients: Open a case on the SAP Concur support portal to request PGP key import, attaching
your PGP public key file to your case. Or if you are working during a project implementation,
send your public PGP key to the implementation team.

To use the SAP CONCUR PGP key


Files uploaded to SAP Concur must be encrypted with the SAP Concur public PGP key
(concursolutionsrotate.asc):
• concursolutionsrotate.asc
o Key file is available in the client’s/vendor’s root folder
o RSA 4096-bit signing and encryption subkey
o Key expires every two years
o Client/vendor is responsible for replacing the key before it expires
▪ Next expiry date: September 4, 2022
▪ SAP Concur plans to replace the current rotating public PGP key in the
client’s/vendor’s root folder 90 days before the expiration date

You can choose to sign the OpenPGP files you send to SAP Concur, but SAP Concur must
already have your PGP key.

IMPORTANT: The SAP Concur legacy PGP key is still supported for existing accounts but will
be deprecated in the future. SAP Concur recommends all accounts use the more secure
rotating public key, (concursolutionsrotate.asc).
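
The key requirements under "Creating your PGP Key" and the expiry handling under "To use the SAP CONCUR PGP key" can both be checked from GnuPG's machine-readable listing (gpg --with-colons --list-keys <key>). The following audit is an added example, not SAP Concur code: the function names are hypothetical, the sample listing is constructed and is not a real key, and the 90-day warning reuses the replacement window stated above.

```python
RSA = 1        # OpenPGP public-key algorithm ID for RSA
DAY = 86400

# Constructed sample listing (not a real key); timestamps are epoch seconds.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1700000000:1763072000::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:-::::1700000000::0000000000000000000000000000000000000000::Example Key <key@example.invalid>::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1700000000:1763072000:::::e::::::23:
"""


def parse_key_listing(colons):
    """Parse the pub/sub records of the first key in a --with-colons listing."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        if f[0] == "pub" and keys:
            break                           # a second key starts here
        keys.append({
            "type": f[0],
            "validity": f[1],               # e = expired, r = revoked
            "bits": int(f[2]),
            "algo": int(f[3]),
            "keyid": f[4],
            "expires": int(f[6]) if f[6] else None,
            "caps": f[11],                  # s = sign, e = encrypt, ...
        })
    return keys


def audit_key(colons, now, warn_days=90):
    """Return findings for one key against the requirements on this page."""
    keys = parse_key_listing(colons)
    if not keys or keys[0]["type"] != "pub":
        return ["no primary key in listing"]
    primary, findings = keys[0], []
    for k in keys:
        if k["algo"] != RSA:
            findings.append(f"{k['keyid']}: not an RSA key")
        elif not 2048 <= k["bits"] <= 4096:
            findings.append(f"{k['keyid']}: {k['bits']}-bit RSA is out of range")
        if k["expires"] is not None:
            days_left = (k["expires"] - now) // DAY
            if days_left < 0:
                findings.append(f"{k['keyid']}: expired")
            elif days_left < warn_days:
                findings.append(f"{k['keyid']}: expires in {days_left} days")
    if "s" not in primary["caps"]:
        findings.append("primary key cannot sign")
    usable = [k for k in keys
              if k["type"] == "sub" and "e" in k["caps"]
              and k["validity"] not in ("e", "r")
              and (k["expires"] is None or k["expires"] > now)]
    if not usable:
        findings.append("no usable encryption subkey")
    return findings
```

Run it against both your own key and the imported SAP Concur key, passing the current epoch time as now.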

SENDING FILES TO SAP CONCUR

1. You need a “machine/software bridge” to generate this file and encrypt it with the PGP key. This is a
customer responsibility. This software could be SAP PI/PO, SAP Cloud Platform Integration (CPI),
SAP Hana Cloud Integration (HCI) or any other SFTP client software.

2. The file needs to be encrypted only and exclusively with the SAP Concur PGP key.

3. The file needs to follow a naming convention.

4. SAP Concur is a UNICODE solution but accepts NON-UNICODE characters. To send special
characters to SAP Concur, send files using BINARY mode without alteration and in UTF-8 with BOM.

5. Using the SFTP file transfer, files are processed during the overnight processing window, from 06:00 PM – 05:00
AM (PST timezone) // 10:00 PM – 09:00 AM (Brazilian Time) // 07:00 PM – 06:00 AM (Mexico time).

RETRIEVING FILES FROM SAP CONCUR

1. If you are exporting (retrieving) data from SAP CONCUR, you need a “machine/software bridge” to
consume this file and decrypt it with your own PGP key. This is a customer responsibility. The software
could be SAP PI/PO, SAP Cloud Platform Integration (CPI/HCI) or any other SFTP client software
and any decryption software that you want.

2. The file generated by SAP Concur will be encrypted with the customer PGP key (see section
Creating your PGP Key).

3. The file will need to follow a naming convention.

4. SAP Concur is a UNICODE solution but accepts NON-UNICODE characters. The file will be generated
using BINARY mode without alteration and in UTF-8 with BOM.

5. Using the SFTP file transfer, files are processed during the overnight processing window, from 06:00 PM – 05:00
AM (PST timezone) // 10:00 PM – 09:00 AM (Brazilian Time) // 07:00 PM – 06:00 AM (Mexico time).

CREATING YOUR PGP KEY USING GPG4WIN (KLEOPATRA)
First, you need software for file encryption. This example uses Gpg4win (GNU Privacy
Guard for Windows), which is Free Software and can be installed with just a few mouse clicks. You can obtain it at
https://www.gpg4win.org/

After the installation let’s use the following command line sequence to generate your PGP key (public and
private) and import the SAP Concur public PGP key.

• PGP public key must be formatted as OpenPGP (version 4);

• ASCII-armored keys are supported.

• You will need to have a public signing key, and an encryption sub-key (this is the default generated by
GnuPG, for example);

• Keys should be either DSS/ElGamal (1024-3072 bit, 2048 recommended) or RSA type 1 (sign and
encrypt, 1024-4096 bit, 2048 recommended);

• Set key to never expire.

Generating your PGP Key – at a Microsoft Windows environment

Importing the SAP Concur public PGP key – at a Microsoft Windows environment

Exporting the Company Public PGP key (only if an exported file from SAP Concur is generated)

USING WINSCP TO SEND FILES VIA SFTP PROCESS


We will show you how to use WinSCP to send files via the SFTP adapter. WinSCP can be obtained at
https://winscp.net/eng/index.php

This process requires that you generate an SSH key (public and private part). SSH keys are used as an
alternative to password-based authentication. They are effective in simplifying and accelerating the login
process when a user tries to access an SFTP server.

Below, we have provided a step-by-step guide to generating the SSH keys through WinSCP and using them
from a command line. But you can use any tool you prefer.

STEP 1: GENERATE A BRAND NEW SSH KEY.

• Open WinSCP, click on the TOOLS button and select RUN PUTTY GEN

• After PuTTYgen launches, select the following options:
o RSA or SSH-2 RSA
o Type 2048
o Click on the “Generate” button and move your mouse to create your SSH key faster.

• This is how the generated key will look. Change the KEY COMMENT field and insert something
like what is shown in the image below

• Save the public key (no extension) and the private key (ppk file format) on your system by clicking on the buttons
SAVE PUBLIC KEY and SAVE PRIVATE KEY respectively

• Send the generated public key to the SAP Concur implementation team. This public SSH key file will be
imported into the SAP Concur library.

STEP 2: TESTING THE SFTP CONNECTION
Before testing the connection, wait until the SAP Concur implementation team lets you know that the SSH
public key was imported successfully.

• Open WinSCP

• Insert the data provided by the SAP Concur implementation team

• Change the configuration to use the private SSH key generated. Click on the ADVANCED button and
on the ADVANCED… option

• In the new "Advanced Site Settings" window:


o go to the "SSH" section and select the "Authentication" option.
o in the right part of the window, section "Authentication Parameters" indicate the path where
the SSH private key is located and finally click on Ok.

• Click on the LOGIN button.

• If you see the structure like the image highlighted below, you are connected to SAP Concur SFTP.

AUTOMATING THE PROCESS
Now you have the prerequisites to automate the process of sending files to SAP Concur SFTP.

The first action is to prepare the file: encrypt it and, after the encryption, send it to SAP Concur SFTP. The batch
file below is an example of how to do it using GPG4Win and WinSCP.

A CMD file could be created and scheduled on the operating system to run every x time.
SCRIPT

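echo ===========================
echo WinSCP ^& GnuPG config
echo ===========================

REM -- Build a YYYYMMDDHHMMSS timestamp. The offsets below assume %date% is shown as
REM -- DD/MM/YYYY and %time% as HH:MM:SS; adjust them for other regional settings.
set year=%date:~6,4%
set month=%date:~3,2%
set day=%date:~0,2%
set hora=%time:~0,2%
set minute=%time:~3,2%
set second=%time:~6,2%

set filename=%year%%month%%day%%hora%%minute%%second%

REM -- replacing blank spaces with zero (hours before 10 start with a space)
set filename=%filename: =0%

REM -- EntityID = user to connect at SAP Concur SFTP Server. Replace xxxxxxxx with the SFTP user
REM -- provided by the SAP Concur Team.
set entityID=xxxxxxxx

REM removing blank spaces
REM set filename=%filename: =%

echo %filename%

REM -- encrypting file
REM -- remember to set the path where you want to generate the encrypted file and remember where the
REM -- original file will be located. Here c:\temp was used.
REM -- -r selects the recipient key; it must identify the imported SAP Concur public PGP key.
cd /d "C:\Program Files (x86)\GnuPG\bin"

gpg --yes --batch -e -r 40AC5D35 -o C:\temp\employee_%entityID%_%filename%.pgp c:\temp\test.txt

TIMEOUT /T 10

REM -- sending file through SFTP
REM -- remember to set the path where you saved the SSH private key. Here c:\temp was used.
REM -- Keep the .ppk file readable only by the account that runs this script.
REM -- "option batch abort" and "option confirm off" are WinSCP script commands, so they are
REM -- passed to winscp.com. In batch mode WinSCP aborts on an unknown server host key: accept it
REM -- once for the account that runs this script (as in STEP 2) or pass it to "open" with -hostkey.
cd /d "C:\Program Files (x86)\WinSCP"

winscp.com /command ^
  "option batch abort" ^
  "option confirm off" ^
  "open sftp://%entityID%@mft-us.concursolutions.com -privatekey=""c:\temp\company_private.ppk""" ^
  "put -nopreservetime ""C:\temp\employee_%entityID%_%filename%.pgp"" ""/in/employee_%entityID%_%filename%.pgp""" ^
  "exit"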

www.sap.com/contactsap

© 2020 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable
for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality
mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are
all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation
to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are
cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. See www.sap.com/copyright for additional trademark information and notices.
