
ChainVerifier error with SSL: XI FTPS connecting via proxy server

Former Member

Hi

We are setting up the XI file adapter for FTPS to connect via a proxy server to a mainframe server. Our XI server is on an AIX 5.3 machine.

We have installed cryptography and placed the certificate of the mainframe host server in the keystore under trusted CAs.

The XI file adapter connects to the proxy server host name, not the mainframe, and the proxy FTP server does not have the capability to use an SSL certificate with secure FTP.

The problem in part is that the common name, the CN on the SSL certificate, does not match the DNS name being used. So we are receiving "Chain Verifier: a Certificate name mismatch error".

The common name on the certificate is that of the mainframe, while the XI adapter is connecting via the proxy server name.

Is there a way of relaxing the conditions whereby the certificate host name does not have to match the host being contacted?

Or is there some other way for the XI adapter to connect via the proxy server when the certificate being trusted is for the mainframe server?

Please help

Thanks

Edited by: Eswar Devarakonda on Aug 19, 2009 10:21 PM

Edited by: Eswar Devarakonda on Aug 20, 2009 1:11 AM

Accepted Solutions (0)

Answers (1)

JaySchwendemann
Active Contributor

This current problem is probably already solved but just my 2¢:

> Is there a way for relaxing the conditions whereby the certificate host name does not have to match the host being contacted?

You may have a look at note 1591971

> Or is there some other way for XI adapter to connect via proxy server with certificate been trusted is for the mainframe server.

Proxy shouldn't be a problem here. If your mainframe uses a signed certificate from a CA (like Verisign or Thawte or ...) then you just have to put the root (and intermediate) certificate of that CA in your TrustedCAs keystore view (in NWA or Visual Administrator depending on your PI release). If the mainframe holds a self-signed certificate, you'll probably have to establish trust in a slightly different manner. Unfortunately I don't have exact information on where to put the self-signed certificate then.

However, the important part is that PI needs to trust that the mainframe is indeed the host it keeps telling you it is. That is done by either trusting the CA that signed the mainframe's certificate or by importing its very own self-signed certificate.

A few side tips here:

  1. We had a problem that the FTPS server's IP address couldn't be matched to its DNS name. We worked around this by having an /etc/hosts entry for the FTPS server's DNS name and its IP address. Reverse DNS would probably be a better idea, though.
  2. Have a look at XPI Inspector (Note 1514898). It gives you very detailed information on what is going on when the error occurs. You'll have to deploy it on your PI server and are then able to start tracing, perform your process that is failing and inspect the logs. Very, very valuable tool.

Hope this helps somebody that stumbles upon this thread

Kind regards

Jens
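The name check behind the "Certificate name mismatch" error discussed in this thread, as an added example that is not part of the original posts and is not SAP's ChainVerifier code. It follows the general TLS client rule (RFC 6125 style) and assumes a certificate already decoded into the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host names and the sample certificate are constructed.

```python
# Name verification is separate from chain trust: a certificate can chain to a
# trusted CA and still fail because the host dialled is not a name it lists.

def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with the host the client connected to.
    A wildcard is honoured only as the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, rest = h.partition(".")
    return bool(head) and rest == p[2:]

def presented_names(cert: dict) -> list:
    """DNS subjectAltName entries; the subject CN is used only as a fallback
    when the certificate carries no DNS SAN at all."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def check_endpoint(cert: dict, connect_host: str) -> dict:
    """Report which names the certificate offers and whether the host that
    was actually contacted is one of them."""
    names = presented_names(cert)
    return {
        "connect_host": connect_host,
        "certificate_names": names,
        "name_matches": any(name_matches(n, connect_host) for n in names),
    }

# Constructed sample: certificate issued to the mainframe, CN only, no SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "mainframe.example.internal"),),),
    "subjectAltName": (),
}

if __name__ == "__main__":
    # Connecting through the proxy's name reproduces the mismatch; the same
    # certificate passes when the client uses the mainframe's own name.
    for host in ("ftpproxy.example.internal", "mainframe.example.internal"):
        print(check_endpoint(SAMPLE_CERT, host))
```

Running it shows the certificate failing only for the proxy name, which is why placing the certificate under trusted CAs alone does not clear the error.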