cancel
Showing results for 
Search instead for 
Did you mean: 

Using XI as FTP SSL client that puts file on a server

Former Member
0 Kudos

Hi experts,

I have been struggling for weeks now to configure XI to act as an FTP client using SSL.

We have to send a server a file using SSL. The server has requested to use a client certificate, so we have purchased one from SAP and we have installed it in the keystore of XI in Visual Admin as described by SAP.

I have configured a receiver adapter to send the file to the server. I can see that the connection is established properly to the server, but the server certificate is rejected by chain verifier.

So I have installed the server certificate in the Trusted CA view of the keystore. But still, it isn't working. Please note that the server certificate is a self signed certificate as this is just in testing right now. The DN name is good on the certificate (Same as the one in the communication channel).

What am I missing? Does anyone know?

Points will definitely be rewarded as we are stuck right now.

Kind regards,

Paula Rizk

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
0 Kudos

Hi,

I have configured a receiver adapter to send the file to the server. I can see that the connection is established properly to the server, but the server certificate is rejected by chain verifier.

What error message you are getting?

So I have installed the server certificate in the Trusted CA view of the keystore. But still, it isn't working. Please note that the server certificate is a self signed certificate as this is just in testing right now. The DN name is good on the certificate (Same as the one in the communication channel).

What is the Command Order that you have given in your CC? The CN (common name) of the certificate should match the host or IP name of the server and you should use the same in the server details in the File Channel.

The FTPS server name should be understood by PI AE where certificates are loaded. If the certificate contains the DNS details instead of direct IP address, then it can be a problem.

Hope this helps.

Regards,

Neetesh

Former Member
0 Kudos

Hi Neetesh,

Thank you for your reply.

The problem is that the server certificate is a self-signed certificate with a CN host name different than the host name used to connect with in the communication channel.

I contacted our partner and they said it is because this is the front end server in their layered structure.

Is there any way that we can make XI work with this one?

When I use cuteFTP instead of XI, and I try to connect to their site, it prompts me to accept that certificate automatically and it works. How come XI does not work?

Any help is appreciated.

Regards,

Paula

Former Member
0 Kudos

The command order is the default one:

AUTH TLS, USER, PASS, PBSZ, PROT

Thanks,

Paula

Former Member
0 Kudos

Hi,

The problem is that the server certificate is a self-signed certificate with a CN host name different than the host name used to connect with in the communication channel.

As I had mentioned earlier, the CN (common name) of the certificate should match the host or IP name of the server and you should use the same in the server details in the File Channel.

I contacted our partner and they said it is because this is the front end server in their layered structure.

Is there any way that we can make XI work with this one?

So, you mean to say that you will be FTPing to the front end server, which is mapped to another server where you have to actually read/write file? Correct me if I am wrong.

If my understanding is correct, then do something like this -

Example:-

Front end Server - A_Serv

Actual Server to read / write - B_Serv

In you File CC -

Server -> A_Serv

Source Directory -> //B_Serv/<Rest of path>

Your command order sequence is fine. Hope this helps.

Regards,

Neetesh

ravi_raman2
Active Contributor
0 Kudos

Neetesh,

I believe they are FTP`ing it to a Share where it will be picked up from, if that's the case then this design would need to be revisited as the share does not need a cert, unless the share is on the Thirdparty end.

Definitely need more clarification on scenario.

Regards

Ravi Raman

Former Member
0 Kudos

Ravi,

If your understanding is correct, then there is no need of certificates. But my guess is that the front end server and the shared servers are on the 3rd party, for which the certificates will be required.

Let's wait for more clarifications.

Regards,

Neetesh

Former Member
0 Kudos

Thanks guys for your replies.

We are trying to ftp to a third party server using SSL. I believe it is a shared server yes. And that is why the host name is different on the certificate I have imported into the trusted CA view.

Not even sure if this should go to the trusted CA view since this is not a trusted CA...

Isn't there a way to see in more detail what the error is. Server certificate rejected by chain verifier is very generic.

Thanks again!

Paula

Former Member
0 Kudos

Isn't there a way to see in more detail what the error is. Server certificate rejected by chain verifier is very generic.

Check the Audit log (Log Viewer) in NWA.

Regards,

Neetesh