on 03-05-2009 4:36 AM
Hi,
Can anyone please tell me the steps for file transfer with FTPS?
Does the PI file adapter have a built-in feature to handle this, or
do we need to deploy anything to handle this?
Do we need to install any certificates by requesting them from the partner, or will it do the encryption/authentication on its own?
Are there any additional steps we need to mention in the File receiver adapter while we send the file through FTPS?
The file is going through port 1090 (unsecure connection) but it is not going through port 990, which is a secure connection.
Please suggest.
Thanks
Krupakar
The PI file adapter will handle it, no need to deploy anything else;
you just select SECURE in connection type and put in the required parameters.
Hi,
First, your XI system should be installed with the SAP Java Cryptographic Toolkit.
Enabling SSL and Client Certificates on the SAP J2EE Engine
You need to generate the certificate at XI, get it signed by a trusted authority and pass the root certificate to the sender.
You may see this at file sender settings. Check "Connection Setting" details.
http://help.sap.com/saphelp_nw04/helpdata/en/e3/94007075cae04f930cc4c034e411e1/frameset.htm
Hi,
Thank you for the reply.
I selected the Connection Security as "FTPS (FTP Using SSL/TLS for Control and Data Connection)"
and enabled "Use X.509 Certificate for Client Authentication" with Keystore as "service_ssl" and Private Key as "ssl-credentials". These values I got when I pressed the '?' button.
Every time I am getting the below error.
Error when getting an FTP connection from connection pool: com.sap.aii.af.service.util.concurrent.ResourcePoolException: Unable to create new pooled resource: iaik.securitye.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Do I need to enable "Use X.509 Certificate for Client Authentication", and are the values which I mentioned correct for Keystore and private key?
Do I need to get the certificate from the partner and install it in XI?
Please suggest.
Thanks
Krupakar
No. Nothing is required to be mentioned about the certificate in the file adapter. All you need is to use the option FTPS (FTP Using SSL/TLS for Control and Data Connection).
I don't think you will need to enable the "Use X.509 Certificate for Client Authentication" option.
Once you get the certificate and load it, try to check the connectivity. In case you still face issues, do get back.
Hi Shabharish,
>> I don't think you will need to enable the "Use X.509 Certificate for Client Authentication" option.
If I am doing it without this, I am getting the same error below.
Error when getting an FTP connection from connection pool: com.sap.aii.af.service.util.concurrent.ResourcePoolException: Unable to create new pooled resource: iaik.securitye.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Still waiting for the certificate from the partner. I am just wondering, if the certificate is required then they would have given it already. Anyway, I will let you know once I receive the reply from them.
Hi Shabarish,
We got the certificate from the partner and loaded it into the trusted CAs. I tried running by giving
Connection Security as "FTPS for Control and Data Connection" and Command Order as "AUTH TLS,USER,PASS,PBSZ,PROT"
IP: XXX.YY.YY.ZZZ
Port: 990
User and pwd.
and I am getting the same error below
Message processing failed. Cause: com.sap.aii.af.ra.ms.api.RecoverableException: Error when getting an FTP connection from connection pool: com.sap.aii.af.service.util.concurrent.ResourcePoolException: Unable to create new pooled resource: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
I tried by selecting different options like
1. Without selecting the X509 certificate for client authentication.
2. Keystore as TRUSTED\view\entry-cert
   X509 certificate and private key as TRUSTED\view\entry-cert
3. Keystore as TRUSTED\view
   X509 certificate and private key as TRUSTED\entry-cert
4. Keystore as "view"
   X509 certificate and private key as "entry-cert"
Please help me with this.
Thanks
Krupakar
1. Make sure that you have imported the entire CA hierarchy of your server certificate into the list of trusted CAs in XI. Check SAP Note 694290.
2. Make sure that the FTPS server name is understood by the XI adapter engine where certificates are loaded. For this, check if the certificate contains the DNS details instead of a direct IP address.
Regards,
Prateek
The CN (common name) in the certificate has something like "udmyg1sweb1" and they provided the IP address 203.38.28.200 with port 990 to connect to their system.
- Do I need to put "udmyg1sweb1" in the CC?
- It is connecting to the same IP address 203.38.28.200 with a different port, 1090 (which is not a secure connection). It is a direct FTP connection.
- Is there anything to do with the firewall from my side, like opening the port in the firewall?
Thanks
Krupakar
>> Are you able to ping udmyg1sweb1 and get a response from the IP you mentioned?
What kind of response will we get when we ping it?
>> Also you might have to open some ports for FTPS to work with XI. Ask your provider of FTPS for the port range for Passive / Active connections and open them from the n/w at your end.
They mentioned something like "Implicit port 990 with Either Active/Passive connection". What does this mean? Do we need to open port 990 in our network?
Ping from the command prompt and you should see replies.
Ask your n/w team if that port (990) is opened.
Hi Shabharish,
>> Ping from the command prompt and you should see replies. Ask your n/w team if that port (990) is opened.
We are able to connect to the given IP through the command prompt. The implicit ports 990 and 989 are already opened in our network. It is connecting to the given IP and it is asking for a username, and when we enter the username it is showing the error "503 Bad command sequence".
We are thinking the file hasn't gone through the SSL/TLS layer. That is the reason it is not even accepting the username.
Also in the File adapter --> FTP Connection Parameters, when we tick "Use X.509 for Client authentication",
we found that in the dropdown list, the partner certificate details are not displayed, which we need to provide for the fields Keystore, X.509 certificate and private key.
In the dropdown list it is showing only two keystore values, "service_ssl" and "TicketKeystore".
I think it is showing only private keys of our system and it is not showing any public certificates of partners.
How can we provide the details now in the file adapter? Does the partner certificate have to appear in the dropdown list? Or
do we need to mention it manually? In what format do we need to provide it?
Do I need to ask the partner to provide the private key certificate?
Please suggest.
Thanks
Krupakar
So this is what you can try:
1. The public cert provided by your customer: load it in the trusted CAs keystore.
2. The Secure File Transfer server uses ports 65024 through 65535 for Passive FTP data connections. Check if they are open.
3. Don't use the option X509 certificate....
4. Provide user and pwd for authentication.
Thanks a lot Shabharish. It is working now.
The CN host name did the trick. I need to mention the hostname in the channel as "udmyweb1" instead of the IP number 203.30.20.38 (because the CN name in the certificate is "udmyweb1"),
and I should not tick the option X509 certificate.... and it worked.
Once again, thanks a lot for your support.
Still it's confusing for me why they have given the option X509 certificate and what private key we need for it..!!
Hi Shabarish,
I have an FTPS scenario which uses just a user name and X509 certificates as client authentication. I imported the X509 certificates provided by the customer in TrustedCAs and am using our client X509 certificate imported in a custom keystore. I am getting the error 'Peer Certificate Rejected by Chain Verifier'. I found that the common name (CN) on the certificate is different from the host name. The customer advised that they can't change the CN and asked us to disable the check 'Strict HostName checking' in PI. But I see that by default the value will be false. Not able to get the path to check this value.
"The optional strict hostname checking feature of the SSL handshake can be selected for the Adapter Framework, using the Boolean Adapter Framework service property messaging.ssl.serverNameCheck. When enabled, the client verifies that the CN (common name) of the public certificate of the server exactly matches the hostname of the server as part of the SSL handshake procedure."
Any other ideas to fix this issue will be highly appreciated. Thank you so much for your time.
Regards,
Jay
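The two failures in this thread (the ChainVerifier rejection when the channel is configured with an IP address while the certificate's CN is a host name, and the "503 Bad command sequence" when plain FTP commands reach the implicit-TLS port 990) can be reproduced and diagnosed outside PI. The following is an added example, not part of the thread or SAP's code: `hostname_matches` replays the server-name check against a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns (the sample certificates below are constructed), and `probe_implicit_ftps` opens a TLS session first, as implicit FTPS requires, validating the chain against a CA file that stands in for the trusted-CAs keystore.

```python
import socket
import ssl

# Constructed sample, shaped like ssl.getpeercert(): a CN-only certificate,
# as the partner in the thread issued (no subjectAltName).
CN_ONLY_CERT = {"subject": ((("commonName", "udmyg1sweb1"),),), "subjectAltName": ()}
# Constructed sample with a wildcard SAN, to show the SAN-first rule.
SAN_CERT = {"subject": ((("commonName", "ignored"),),),
            "subjectAltName": (("DNS", "*.example.net"),)}


def hostname_matches(peercert, configured_host):
    """Strict server-name check: the host configured in the channel must match a
    SAN dNSName; the subject CN is consulted only when there is no SAN."""
    names = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in peercert.get("subject", ())
                 for key, v in rdn if key == "commonName"]
    host = configured_host.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        # A wildcard covers exactly one label: *.example.net matches ftp.example.net
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    # An IP address never matches a DNS name or CN, which is what the thread hit.
    return False


def diagnose(peercert, configured_host):
    """Human-readable verdict for the channel configuration."""
    if hostname_matches(peercert, configured_host):
        return "ok: configured host matches the certificate"
    return ("mismatch: configure the channel with the certificate's name, "
            "not the IP, rather than disabling serverNameCheck")


def probe_implicit_ftps(host, port=990, cafile=None, timeout=10):
    """Implicit FTPS (port 990): TLS handshake first, then read the FTP 220 banner.
    Sending USER before the handshake is what produces '503 Bad command sequence'.
    cafile plays the role of the trusted-CAs keystore; chain errors surface here
    as ssl.SSLCertVerificationError, the equivalent of the ChainVerifier rejection."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.recv(1024).decode("latin-1", "replace").strip()
```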
Hi,
I need your help to configure FTPS for my communication channel for file transfer.
We are using XI 7.0.
What steps should be taken to enable FTPS file transfer through an XI communication channel?
I went through the thread, where I understood that I have to load the certificate in Visual Admin under the CAs.
How should I start doing this?
I need your help to resolve this.
Regards,
Anil
Edited by: Anil Bhandary on Sep 25, 2009 1:08 PM
Edited by: Anil Bhandary on Sep 25, 2009 1:11 PM