Fiori treasury apps fail to process batch payments via SFTP integration with external banks

We’re experiencing critical failures with batch payment processing through Fiori Treasury apps in our S/4HANA 1809 environment. When treasury users attempt to submit batch payments via SFTP connection, the process fails with AIF error diagnostics showing connection refused messages.

The SFTP host key management appears correct in our Communication Arrangement setup, but payments consistently fail at the transmission stage. We’ve verified the Fiori Communication Arrangement configuration matches our network team’s specifications.

Error from AIF monitor:

    AIF Error: SFTP_CONNECTION_FAILED
    Host key verification failed for treasury.bank.com:22
    Expected: ssh-rsa AAAAB3NzaC1yc2EAAA...
    Received: (connection timeout)

This is blocking our daily payment runs, affecting vendor relationships. Has anyone resolved similar SFTP authentication issues with Fiori treasury integrations?

Let me provide the complete resolution path addressing all three critical areas:

1. SFTP Host Key Management: The root cause is improper host key registration. You must obtain the complete SSH public key from your SFTP server (not just the fingerprint shown in your error). From the SFTP server, run:

    ssh-keyscan -t rsa treasury.bank.com

This outputs the full public key. In SAP, go to transaction STRUST, select the ‘SSL Client (Anonymous)’ node, and import this key as a trusted certificate. The key format must be exactly as captured - any line breaks or formatting changes will cause validation failures.

2. Fiori Communication Arrangement Configuration: Navigate to ‘Communication Arrangements’ in Fiori Launchpad (or use transaction /IWFND/MAINT_SERVICE). Create/edit your treasury payment arrangement:

  • Scenario: SAP_COM_0123 (Treasury Payment Processing)
  • Communication System: Must reference an RFC destination of type ‘T’ (TCP/IP), NOT type ‘G’
  • Host: treasury.bank.com
  • Port: 22
  • Authentication: Public Key (reference the certificate from STRUST)
  • Communication User: Assign user with business role SAP_BR_TREASURY_ACCOUNTANT

The Communication Arrangement must explicitly link to the SFTP destination registered in table SSFTP_DEST. Verify this mapping using SE16 and check field DEST_NAME matches your RFC destination.

3. AIF Error Diagnostics Resolution: Your AIF monitoring is correctly identifying the failure point. To get more detailed diagnostics:

  • Transaction /AIF/ERR for error monitoring
  • Check customizing table /AIF/T_FINF_D for interface-specific settings
  • Enable trace level 3 for the treasury payment interface in /AIF/CUST
  • Review the detailed technical log which will show the exact SSL handshake failure

After importing the correct host key in STRUST, restart the ICM process (transaction SMICM → Administration → ICM → Restart - Hard) to ensure the trust manager reloads the certificate cache.

Test the configuration:

    // In SE37, test function module SFTP_CONNECT
    RFC_DESTINATION = 'TREASURY_SFTP_DEST'
    HOST = 'treasury.bank.com'
    PORT = 22

If this function succeeds, your Fiori treasury batch payment process should work. The key insight is that S/4HANA 1809 requires the complete certificate chain in STRUST, not just fingerprint validation. Many implementations miss this detail because the error message is misleading - it’s not a network timeout, it’s certificate validation failing, which causes the connection to abort.

Also verify SAP Note 2847156 is implemented - it fixes a specific bug in 1809 where SFTP host key validation fails intermittently for Fiori Communication Arrangements even when correctly configured.
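An added example, not part of the reply above and not SAP code: ssh-keyscan does not authenticate what it retrieves, so a scanned key is only worth importing once its fingerprint matches the one the bank supplied out of band. This Python sketch parses one ssh-keyscan output line, rejects a key that was wrapped or truncated in transit, and compares the SHA256 fingerprint; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data):
    """Encode bytes as an SSH length-prefixed string (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample, not a real bank key: ssh-rsa blob with e=65537 and a dummy modulus.
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" + b"\xc3" * 256)
SAMPLE_LINE = "treasury.bank.com ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()


def parse_scanned_key(line):
    """Parse one ssh-keyscan line into (host, key_type, blob), rejecting damaged keys."""
    fields = line.split()
    if len(fields) != 3:
        raise ValueError("expected '<host> <key-type> <base64-key>' on a single line")
    host, key_type, b64 = fields
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key is not intact base64") from exc
    # Walk the length-prefixed fields; together they must consume the blob exactly.
    parts, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("key blob is truncated")
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            raise ValueError("key blob is truncated")
        parts.append(blob[pos:pos + size])
        pos += size
    if not parts or parts[0] != key_type.encode():
        raise ValueError("key blob does not match the declared key type")
    return host, key_type, blob


def sha256_fingerprint(blob):
    """Return the fingerprint in the SHA256:<base64> form printed by ssh-keygen -l."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_scanned_key(line, expected_host, expected_fingerprint):
    """True only if the key is intact and matches the out-of-band fingerprint."""
    host, _, blob = parse_scanned_key(line)
    if host != expected_host:
        return False
    return hmac.compare_digest(sha256_fingerprint(blob), expected_fingerprint)
```
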

I’ve seen this pattern before with SFTP host key mismatches. The error suggests the host key isn’t being properly validated during the handshake. Check if your Communication Arrangement has the correct host key fingerprint stored. In transaction STRUST, verify the SSL client certificate is current and matches what the SFTP server expects. Also review the AIF monitoring interface customizing table to ensure error handling isn’t suppressing detailed diagnostic info.

You’re mixing protocols here, which explains the confusion. RFC destination type ‘G’ is for HTTP/HTTPS connections, not SFTP. For SFTP batch payment processing, you need to configure an RFC destination of type ‘T’ (TCP/IP connection) or use the newer Communication Arrangement framework properly. The Fiori app likely expects a specific destination name. Check table SSFTP_DEST for registered SFTP destinations and verify the host key is stored in the SAP trust manager. In S/4HANA 1809, you might need to apply note 2891234 for proper SFTP host key handling in treasury scenarios. The host key must be imported through transaction STRUST under the SSL Client (Anonymous) node before the Communication Arrangement can validate it successfully.

From a network perspective, connection timeouts usually indicate firewall rules or routing issues rather than authentication failures. Can you confirm the SAP application server has a direct network path to treasury.bank.com on port 22? Run a telnet test from the app server OS level. If that fails, it’s definitely the network layer, not SAP configuration. We had a similar issue where the DMZ firewall was blocking outbound SFTP from the SAP landscape.

Adding to previous responses - the Communication Arrangement for treasury needs very specific configuration. Go to transaction SICF and verify service /sap/bc/srt/scs/sap/treasurypaymentbatch is active. Then in Fiori Launchpad, check the Communication Arrangement maintenance app (F1471) and ensure your arrangement references the correct SFTP destination.

For the host key issue specifically, you need to capture the actual SSH host key from your SFTP server and import it properly into STRUST. Don’t just copy the fingerprint - you need the full public key in OpenSSH format.

Network team confirmed connectivity is fine - telnet to the SFTP host succeeds from the app server. The issue seems specific to how the Fiori Communication Arrangement handles the SFTP handshake. We’re using RFC destination type ‘G’ for HTTP connections but the SFTP connection parameters might need different configuration. The AIF error diagnostics show the connection attempt but then immediate failure on the host key verification step.