
Steps for File Transfer through FTPS...!!!

Former Member
0 Kudos

Hi ,

Can anyone please tell me the steps for file transfer with FTPS?

Does the PI file adapter have a built-in feature to handle this? Or

do we need to deploy anything to handle this?

Do we need to install any certificates by requesting them from the partner, or will it do the encryption/authentication on its own?

Are there any additional steps we need to mention in the File receiver adapter while we send the file through FTPS?

The file is going through port 1090 (unsecure connection) but it is not going through port 990, which is a secure connection.

Please suggest me.

Thanks

Krupakar

Accepted Solutions (1)


Former Member
0 Kudos

The PI file adapter will handle it, no need to deploy anything else.

You just select SECURE in connection type and put in the required parameters.

venkatanarayana_vagu
Active Participant
0 Kudos

Hi,

First, your XI system must have the SAP Java Cryptographic Toolkit installed.

Enabling SSL and Client Certificates on the SAP J2EE Engine

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/197e6aec-0701-0010-4cbe-ad5ff670...

You need to generate the certificate at XI, get it signed by a Trusted authority and pass the root certificate to the sender.

You may see this at file sender settings. Check "Connection Setting" details.

http://help.sap.com/saphelp_nw04/helpdata/en/e3/94007075cae04f930cc4c034e411e1/frameset.htm

Former Member
0 Kudos

Hi,

Thank you for the reply.

I selected the Connection Security as "FTPS (FTP Using SSL/TLS for Control and Data Connection)"

and enabled "Use X.509 Certificate for Client Authentication" with Keystore as "service_ssl" and Private Key as "ssl-credentials". I got these values when I pressed the '?' button.

Every time I am getting the below error.

Error when getting an FTP connection from connection pool: com.sap.aii.af.service.util.concurrent.ResourcePoolException: Unable to create new pooled resource: iaik.securitye.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Do I need to enable "Use X.509 Certificate for Client Authentication", and are the values I mentioned for Keystore and Private Key correct?

Do I need to get the certificate from the partner and install it in XI?

Please suggest me.

Thanks

Krupakar


Shabarish_Nair
Active Contributor
0 Kudos

Did you load the certificate?

You need to obtain a certificate from the FTPS source (client certificate) and load it in VA to the trusted CAs keystore.

Former Member
0 Kudos

Hi Shabarish,

I asked the partner to provide the certificate. Once I receive it, I need to load it in VA into the trusted CAs keystore, and

I need to provide the same details (same names as in the Keystore) in the File adapter?

Shabarish_Nair
Active Contributor
0 Kudos

No. Nothing is required to be mentioned about the certificate in the file adapter. All you need is to use the option FTPS (FTP Using SSL/TLS for Control and Data Connection).

I don't think you will need to enable the Use X.509 Certificate for Client Authentication option.

Once you get the certificate and load it, try to check the connectivity. In case you still face issues, do get back.

Former Member
0 Kudos

Hi Shabarish,

>> I don't think you will need to enable the Use X.509 Certificate for Client Authentication option.

If I do it without this, I am getting the same error below.

Error when getting an FTP connection from connection pool: com.sap.aii.af.service.util.concurrent.ResourcePoolException: Unable to create new pooled resource: iaik.securitye.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Still waiting for the certificate from the partner. I am just wondering: if the certificate is required, they would have given it already. Anyway, I will let you know once I receive the reply from them.

Shabarish_Nair
Active Contributor
0 Kudos

Wait for the certificate. Load it in trusted CAs as I mentioned and then try the testing.

Former Member
0 Kudos

Hi Shabarish,

We got the certificate from the partner and loaded it into the trusted CAs. I tried running by giving

Connection Security as "FTPS for Control and Data Connection" and Command Order as "AUTH TLS,USER,PASS,PBSZ,PROT"

Ip: XXX.YY.YY.ZZZ

Port: 990

User and password.

and I am getting the same error below:

Message processing failed. Cause: com.sap.aii.af.ra.ms.api.RecoverableException: Error when getting an FTP connection from connection pool: com.sap.aii.af.service.util.concurrent.ResourcePoolException: Unable to create new pooled resource: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

I tried by selecting different options like:

1. Without selecting the X.509 certificate for client authentication.

2. Keystore as TRUSTED\view\entry-cert

X.509 certificate and private key as TRUSTED\view\entry-cert

3. Keystore as TRUSTED\view

X.509 certificate and private key as TRUSTED\entry-cert

4. Keystore as "view"

X.509 certificate and private key as "entry-cert"

Please help me in this.

Thanks

Krupakar

Shabarish_Nair
Active Contributor
0 Kudos

Are you using an IP address or a host name for the FTPS server?

The CN (common name) of the certificate should match the host name or IP of the server, and you should use the same in the server details in the File CC.

Former Member
0 Kudos

Hi Shabarish,

Thanks for the quick reply.

We are using the IP address 203.38.28.200 with port 990.

>> the CN (common name) of the certificate should match the host or ip name of the server

Do I need to check the certificate to verify what exact CN is mentioned in the certificate?

Shabarish_Nair
Active Contributor
0 Kudos

Yes, check the certificate.

I guess the CN name might be the host name. In that case, give the host name instead of the IP in the CC.

prateek
Active Contributor
0 Kudos

1. Make sure that you have imported the entire CA hierarchy of your server certificate into the list of trusted CA's in XI. Check SAP Note 694290.

2. Make sure that the FTPS server name is understood by XI adapter engine where certificates are loaded. For this, check if the certificate contains the DNS details instead of direct IP address.

Regards,

Prateek

Former Member
0 Kudos

The CN (common name) in the certificate has something like "udmyg1sweb1", and they provided the IP address 203.38.28.200 with port 990 to connect to their system.

- Do I need to put "udmyg1sweb1" in the CC?

- It is connecting to the same IP address 203.38.28.200 with a different port, 1090 (which is not a secure connection). It is a direct FTP connection.

- Is there anything to do with the firewall on my side, like opening the port in the firewall?

Thanks

Krupakar

Shabarish_Nair
Active Contributor
0 Kudos

Are you able to ping udmyg1sweb1 and get a response from the IP you mentioned?

Also, you might have to open some ports for FTPS to work with XI. Ask your FTPS provider for the port range for Passive / Active connections and open them from the network at your end.

Former Member
0 Kudos

>> are you able to ping udmyg1sweb1 and get response from the IP u mentioned?

What kind of response will we get when we ping it?

>> Also you might have to open some ports for FTPS to work with XI. Ask your provider of FTPS of the port range for Passive / Active connections and open them from the n/w at your end.

They mentioned something like "Implicit port 990 with either Active/Passive connection". What does this mean? Do we need to open port 990 in our network?

Shabarish_Nair
Active Contributor
0 Kudos

> >> are you able to ping udmyg1sweb1 and get response from the IP u mentioned?
>
> What kind of response we will get when we ping it?
>
> >> Also you might have to open some ports for FTPS to work with XI. Ask your provider of FTPS of the port range for Passive / Active connections and open them from the n/w at your end.
>
> They mentioned like Implicit port 990 with Either Active/Passive connection. What does this mean? Do we need to open port 990 in our network?

Ping from the command prompt and you should see replies.

Ask your network team if that port (990) is opened.

Former Member
0 Kudos

Hi Shabarish,

>> ping from the command prompt and you should see replies. ask your n/w team if that port (990) is opened.

We are able to connect to the given IP through the command prompt. The implicit ports 990 and 989 are already opened in our network. It is connecting to the given IP and asking for a username, and when we enter the username it shows the error "503 Bad command sequence".

We think the file hasn't gone through the SSL/TLS layer. That is the reason it is not even accepting the username.

Also in the File adapter --> FTP Connection Parameters, when we tick Use X.509 for Client Authentication,

we found that the partner certificate details are not displayed in the dropdown list, which we need to provide in the fields Keystore, X.509 certificate and private key.

In the dropdown list, it is showing only two keystore values, "service_ssl" and "TicketKeystore".

I think it is showing only private keys of our system and not showing any public certificates of partners.

How can we provide the details now in the file adapter? Does the partner certificate have to appear in the dropdown list? Or

do we need to mention it manually? In what format do we need to provide it?

Do I need to ask the partner to provide the private key certificate?

Please suggest me.

Thanks

Krupakar

Shabarish_Nair
Active Contributor
0 Kudos

So this is what you can try:

1. The public cert provided by your customer: load it in the trusted CAs keystore.

2. The Secure File Transfer server uses ports 65024 through 65535 for Passive FTP data connections. Check if they are open.

3. Don't use the option X.509 certificate....

4. Provide user and password for authentication.

5. Ref: the reply from Changzheng Zhao.

Former Member
0 Kudos

Thanks a lot, Shabarish. It is working now.

The CN host name did the trick. I needed to mention the hostname "udmyweb1" in the channel instead of the IP number 203.30.20.38 (because the CN name in the certificate is "udmyweb1"),

and I should not tick the option X.509 certificate.... and it worked.

Once again, thanks a lot for your support.

Still it's confusing to me why they have given the option X.509 certificate and what private key we need for it..!!

Shabarish_Nair
Active Contributor
0 Kudos

Good to know.

Former Member
0 Kudos

Hi Shabarish,

I have an FTPS scenario which uses just a user name and X.509 certificates for client authentication. I imported the X.509 certificates provided by the customer into TrustedCAs and am using our client X.509 certificate imported in a custom keystore. I am getting the error 'Peer certificate rejected by ChainVerifier'. I found that the common name (CN) on the certificate is different from the host name. The customer advised that they can't change the CN and asked us to disable the check 'Strict HostName checking' in PI. But I see that by default the value will be false. I am not able to get the path to check this value.

" The optional strict hostname checking feature of the SSL handshake can be selected for the Adapter Framework, using the Boolean Adapter Framework service property messaging.ssl.serverNameCheck . When enabled, the client verifies that the CN (common name) of the public certificate of the server exactly matches the hostname of the server as part of the SSL handshake procedure."

Any other ideas to fix this issue will be highly appreciated. Thank you so much for your time.


Regards,

Jay
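The check that resolved this thread (Krupakar's channel worked only once the server host was the certificate's CN, not its IP) and the strict hostname check Jay quotes are the same rule: the name typed into the channel must be one of the names the server certificate identifies. The following is an added illustration, not code from SAP PI or from anyone in the thread; it implements that match over the dictionary shape Python's `ssl` module returns from `getpeercert()`, with a constructed certificate modelled on the partner's (bare CN, no subjectAltName).

```python
import ipaddress

# Constructed stand-in for ssl.SSLSocket.getpeercert() output for the
# partner's certificate in the thread: CN "udmyg1sweb1", no SAN entries.
PARTNER_CERT = {
    "subject": ((("commonName", "udmyg1sweb1"),),),
    "subjectAltName": (),
}

def _dns_name_matches(pattern, host):
    """Match one DNS name; a leading '*.' matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def cert_names(cert):
    """Return (dns_names, ip_names) the certificate claims to identify."""
    sans = cert.get("subjectAltName", ())
    dns = [v for k, v in sans if k == "DNS"]
    ips = [v for k, v in sans if k == "IP Address"]
    if not dns and not ips:
        # No SAN at all: fall back to the subject CN, which is what the
        # CN-based check described in this thread compares against.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips

def hostname_matches(cert, target):
    """True if the host or IP entered in the channel is a name of this cert."""
    dns, ips = cert_names(cert)
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return any(_dns_name_matches(p, target) for p in dns)
    # An IP target only ever matches an "IP Address" SAN, never the CN text,
    # so 203.38.28.200 fails against a certificate whose only name is a CN.
    return any(ipaddress.ip_address(i) == addr for i in ips)

def diagnose(cert, target):
    """Human-readable verdict for a channel's server address."""
    if hostname_matches(cert, target):
        return "ok: '%s' matches the server certificate" % target
    dns, ips = cert_names(cert)
    return ("rejected: '%s' is not among certificate names DNS=%s IP=%s; "
            "put the certificate's host name in the channel" % (target, dns, ips))

if __name__ == "__main__":
    print(diagnose(PARTNER_CERT, "203.38.28.200"))   # rejected, as in the thread
    print(diagnose(PARTNER_CERT, "udmyg1sweb1"))     # ok, the working setting
```

The same logic explains why a partner who cannot change the CN would need either a subjectAltName carrying the IP, or a DNS entry for the CN that your adapter engine can resolve, rather than a disabled hostname check.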

Answers (1)


former_member227283
Active Contributor
0 Kudos

Hi,

I need your help to configure FTPS for my communication channel for file transfer.

We are using XI 7.0.

What steps should be taken to enable FTPS file transfer through an XI communication channel?

I went through the thread, where I understood that I have to load the certificate in Visual Admin under the trusted CAs.

How should I start doing this?

I need your help to resolve this.

Regards,

Anil

Edited by: Anil Bhandary on Sep 25, 2009 1:08 PM

Edited by: Anil Bhandary on Sep 25, 2009 1:11 PM