on 05-18-2006 1:17 PM
Hi,
I want to use the XI File/FTP adapter to connect to our FTPS server.
We have to use username/password to connect to the FTPS server (it's an Ipswitch WS_FTP server); using X.509 is not possible (another department administers the FTPS server).
Now I get the error "Error: Message processing failed: iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier".
The Crypto-Package is installed and is working - we tested it by connecting via https to SAP NetWeaver.
Do we need a certificate if we just use USER/PASSWORD-Connection (no X.509)?
Thanx a lot,
bye
Wolfgang
Hi Wolfgang,
You need to make sure that your FTPS client (XI?) trusts your FTPS server certificate (in parallel with your username/password authentication).
This means that you need to import the CA hierarchy of your FTPS server certificate into the list of trusted CAs in XI (either on the J2EE side in the keystore service or on the ABAP side via transaction STRUST, depending on where your client is).
regards
Dirk
We had the same issue with an FTPS connector for control and data security.
The strange situation is that the interfaces had been tested successfully in the QA and UAT systems, but when we got to production they failed:
"Peer certificate rejected by ChainVerifier"
If the peer host does not ask for certificate authentication, then installing the certs in the J2EE keystore is not necessary.
The issue has nothing to do with the certificates of the certification chain. The issue lies in the way the FTPS adapter is implemented for comparing the hostname to the certificate CN parameter.
The FTP protocol does not include a hostname as part of the technical packets; it only uses the IP addresses. Therefore the FTPS implementation has to rely on a reverse DNS lookup procedure.
If the hosting FTPS site has a high-availability or load-balancing setup, or if it has not been set up properly for global reverse DNS to work, then the FTPS adapter will only have the IP address to call the chain verification for the host certificate, and therefore it fails.
SOLUTION:
We solved the issue by adding the DNS entries for all servers in the high-availability setup to the local "hosts" file of the platform.
Adding them to the local DNS servers will also work.
It took us 3 months to figure this out.
But I am still unclear whether the responsibility for the issue lies on the host side, the network setup or the implementation of the FTPS adapter in XI/PI.
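The post above describes the name-matching step of server certificate verification: the client reached the server by IP address, and a name obtained from reverse DNS or a local hosts entry is what gets compared against the certificate. The following Python model, added here and not code from the SAP adapter or from anyone in the thread, shows why an IP address alone fails against a certificate that only carries DNS names, and how a hosts-file entry changes the outcome. PeerCertificate is a constructed stand-in for the identity fields of an X.509 certificate, and the host names and 192.0.2.x addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PeerCertificate:
    """The identity fields of a server certificate that hostname
    verification looks at.  Constructed sample data, not a parsed X.509."""
    subject_cn: str
    dns_sans: List[str] = field(default_factory=list)
    ip_sans: List[str] = field(default_factory=list)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName comparison: case-insensitive, and a single
    '*' may stand in for exactly the left-most label of a name that has
    at least two more labels ('*.example.com' matches 'ftps.example.com'
    but not 'a.b.example.com' or 'example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def identity_matches(cert: PeerCertificate, target: str) -> bool:
    """Does the name the client connected with match the certificate?
    An IP literal is only accepted against an iPAddress SAN; a hostname
    is checked against the dNSName SANs, or against the CN when the
    certificate carries no SAN at all."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        return any(ipaddress.ip_address(s) == addr for s in cert.ip_sans)
    if cert.dns_sans:
        return any(dns_name_matches(p, target) for p in cert.dns_sans)
    return dns_name_matches(cert.subject_cn, target)


def peer_name(peer_ip: str, hosts_table: Dict[str, str]) -> str:
    """The name the client ends up verifying.  hosts_table plays the role of
    the local hosts file; with no entry the client only has the bare IP,
    which is the failure mode the post describes."""
    return hosts_table.get(peer_ip, peer_ip)


def verify_peer(cert: PeerCertificate, peer_ip: str,
                hosts_table: Dict[str, str]) -> Tuple[bool, str]:
    """Chain trust is assumed already established; return
    (name matched?, name that was compared)."""
    name = peer_name(peer_ip, hosts_table)
    return identity_matches(cert, name), name


# Constructed sample: a two-node HA pair behind one service name.  The
# certificate names the service and both nodes but carries no IP SANs.
SAMPLE_CERT = PeerCertificate(
    subject_cn="ftps.example.com",
    dns_sans=["ftps.example.com", "node1.example.com", "node2.example.com"],
)
SAMPLE_HOSTS = {"192.0.2.10": "node1.example.com", "192.0.2.11": "node2.example.com"}

if __name__ == "__main__":
    for ip in SAMPLE_HOSTS:
        print(ip, "with hosts entry ->", verify_peer(SAMPLE_CERT, ip, SAMPLE_HOSTS))
        print(ip, "without          ->", verify_peer(SAMPLE_CERT, ip, {}))
```

Two points for whoever operates such a setup: the name fed into verification should come from something the client itself trusts (a configured FQDN or a local hosts entry), since an unauthenticated PTR record does not bind the name to the peer; and the cleaner fix is a server certificate whose SANs cover every name or address the client actually connects to, so no lookup is needed at all.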
Hi All,
We are having the same issue with FTPS in our SAP PI systems. On the target FTP server side we are using the ProFTPD software for FTPS, installed and configured on port 990, and we generated a certificate on the FTP server using the ProFTPD software.
In the SAP PI server communication channel configuration we use the FTP configuration below.
FTP Connection Parameters.
Server : xxxxx
Port :990
Data Connection : Passive
Connection Security : FTPS (FTP Using SSL/TLS) for Control Connection
Command Order : AUTH TLS,USER,PASS,PBSZ,PROT
We are not using any [ ] X.509 Certificate for Client Authentication.
The above parameter settings for FTPS work fine without any issues; the CC polling process finishes successfully every 60 seconds as defined.
ISSUE
When we change the Connection Security to "FTPS (FTP Using SSL/TLS) for Control and Data Connection" and start the CC, it gets the error "........ Certificate rejected by Chain Verifier".
We tried a couple of options in the ProFTPD FTP client configuration file with TLSRequired <on> <auth+data>, but get the same error; it works fine with the option TLSRequired ctrl.
Please let us know your suggestions on whether we can continue with the Control Connection option, or any solution if we use Control and Data Connection.
Thanks in advance
Gary.
Hi Krupakar,
Thanks for quick reply.
We are using the FQDN only as the server name instead of the IP address.
It's working fine when we select Control Connection.
But if we change to Control and Data Connection it fails with "Certificate Rejected by Chain Verifier".
Is it mandatory to select the [ ] X.509 Certificate for Client Authentication option when we use Control and Data Connection? For the above Control Connection it works without the certificate exchange.
Please advise.
Thanks in advance
Gary
>> But if we change to Control and Data Connection its failing by giving the Certificate Rejected by Chain Verifier.
I assume they are authenticating only for the control connection. That is the reason it is failing for Control and Data Connection.
>> is that mandatory to select the [ ] X.509 Certificate for Client Authentication option when we use control and Data Connection?
No, it's not mandatory to select the X.509 certificate. You can see only private keys in the keystore list when you press "?", but you cannot see the public certificates (which you received from your partner) that you installed in the key storage in Visual Admin.
As far as I know there is no need to use an X.509 certificate for either Control Connection or Control & Data Connection.
Hello Gary,
we are facing the same issue. When I configure the file/FTP receiver adapter with connection security set to "FTPS (FTP using SSL/TLS) for Control connection", it works but then the data flow is not encrypted. That is not what we want. But when we set it to "FTPS (FTP using SSL/TLS) for Control and data connection", we found out that the SAP adapter sends the SSL certificate to the FTP server not only as the first part of the control connection, but also as the first part of the data connection. The FTP server is not able to handle this and the adapter runs into the "chain verifier exception". We found that out with a detailed FTP command debugging on the FTP server.
Now here is my question: Do you (or anybody else) know if this is a misbehavior of the SAP adapter or just a missing feature of the partner's FTP server? Did you solve your issue in the meantime?
BR, Joerg
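Gary's and Joerg's posts turn on the difference between protecting only the control connection and protecting the data connection as well (the PROT P step in the command order Gary lists). The client below is an added example written for this thread in Python's standard ftplib; it is not the SAP adapter's code and not code from anyone in the discussion. It shows the explicit-FTPS sequence (AUTH TLS, USER, PASS, PBSZ, PROT) with chain validation and hostname checking switched on, and makes the control-only versus control-and-data choice explicit. It assumes explicit FTPS (AUTH TLS on a plain socket; ftplib has no implicit-TLS mode for port 990), and the host, account and CA bundle path in the usage section are placeholders.

```python
import ssl
from ftplib import FTP_TLS
from typing import List, Optional


def build_ssl_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that enforces the two checks a chain verifier does:
    the server certificate must chain to a trusted CA (ca_file, or the
    platform trust store when None) and must name the host we connected
    to.  TLS 1.2 is the floor."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when both chain validation and hostname checking are enabled."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def command_order(protect_data: bool) -> List[str]:
    """Explicit-FTPS command sequence as listed in the thread.  PROT P puts
    the data connection under TLS; PROT C (control-only mode) leaves file
    contents and directory listings in the clear."""
    return ["AUTH TLS", "USER", "PASS", "PBSZ 0", "PROT P" if protect_data else "PROT C"]


def list_directory(host: str, port: int, user: str, password: str,
                   ca_file: Optional[str] = None, protect_data: bool = True,
                   directory: str = ".") -> List[str]:
    """Connect with explicit FTPS, authenticate and list a directory.
    Raises ssl.SSLCertVerificationError when the chain or name check fails,
    the same condition the adapter reports as 'rejected by ChainVerifier'."""
    ftps = FTP_TLS(context=build_ssl_context(ca_file))
    ftps.connect(host, port, timeout=30)
    ftps.auth()                  # AUTH TLS: upgrade the control connection
    ftps.login(user, password)   # USER / PASS now travel inside TLS
    if protect_data:
        ftps.prot_p()            # PBSZ 0 + PROT P: data connection under TLS
    else:
        ftps.prot_c()            # PROT C: data connection unencrypted
    try:
        return ftps.nlst(directory)
    finally:
        ftps.quit()


if __name__ == "__main__":
    # Placeholders: substitute your own server, account and partner CA bundle.
    for name in list_directory("ftps.example.invalid", 21, "user", "password",
                               ca_file="/path/to/partner-ca-bundle.pem"):
        print(name)
```

With protect_data=True the data connection is wrapped in TLS using the same context, so the server certificate is verified on that channel too; some servers additionally require the data connection to resume the control connection's TLS session, which ftplib does. Falling back to protect_data=False makes the listing succeed against a server that cannot handle a protected data channel, but, as Joerg notes, the transferred content is then not encrypted.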