on 05-27-2011 9:09 AM
Hello SAP experts
We must activate an FTPS adapter to a vendor. The vendor has sent us a self-signed certificate.
We have loaded the certificate in TrustedCAs
We have entered into the adapter:
Server: CN - found in the certificate
Port: 9990
Connection Security: FTPS (FTP Using SSL / TLS Control and Data Connection)
Command Order: AUTH TLS, USER, PASS, PBSZ, PROT
No X.509 selected
User and password from the vendor
Connect mode: Per File Transfer
Transfer Mode: Binary
From the supplier, we have received:
URLs: ftp://<IP>:9990 (AUTH SSL)
ftps://<IP>:9989 (Implied)
Port Range: 20995 to 21014
USER / PASSWORD
We can telnet from our side to the mentioned ports
We have not received a root or intermediate certificate.
The vendor stated that they have other customers that use this setup. However, we don't know if these are PI customers.
We have tested the SSL on our side with HTTPs.
We get the following error: Peer certificate rejected by ChainVerifier
Has anyone had the same problem?
Best Regards
Erik
As far as I know and have experienced, self-signed certificates without a root certificate are not supported by PI.
We always ask our external integration partners to use certificates from a proper CA.
Regards,
Steven
Hi Erik,
I've spent some days struggling with the same issue. For testing purposes we installed a FileZilla server in FTPS mode and it worked with a certificate generated by FileZilla itself (self-signed). We did the same for the external FTPS server and failed because of a certificate error. Finally we discovered that if we used FTPS only for the control connection it worked fine; it seems that the second time it tries to do the handshake, for encrypting the file, it fails. We suppose that this happens because the second handshake is done using the IP address instead of the server name.
To summarize:
In Local network ->
Installed FileZilla server on a computer with a server name, enabled SSL, allowed explicit mode, forced PROT P. Generated a certificate with the server name instead of the IP address using FileZilla. Removed the private key from the generated certificate. Imported the certificate in Visual Administrator as TrustedCAs (7.0).
CC - server name, port 21, passive, FTPS control and data connection. Auth TLS, user, pass, pbsz, prot. OK
With external server->
Imported the certificate in VA. CC - server name, passive, FTPS control and data connection. Auth TLS, user, pass, pbsz, prot.
NOT OK, second handshake error
Don't force PROT P in the FTPS server. CC - server name, port 21, passive, FTPS control connection. Auth TLS, user, pass, pbsz, prot. OK
To allow control and data connection encryption, it may be necessary to set the external name for the FTPS server in the server settings.
Hope this helps.
Iván.
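The chain and name checks discussed in this thread can be reproduced outside PI with the openssl CLI before a certificate is imported. The script below is an added example for this thread, not code from SAP, FileZilla or any of the posters. It builds two throwaway self-signed certificates (the hostname ftps.vendor.example and the address 10.0.0.5 are placeholders, not the vendor's real values) and runs openssl verify with and without a trust anchor, then by DNS name and by IP address. PI's ChainVerifier is a different implementation (IAIK), so this only shows what a standard chain and subject check does with a CN-only certificate: the "no anchor" case corresponds to Erik's ChainVerifier rejection, and the IP-versus-CN case is Iván's hypothesis about the second (data-connection) handshake.

```shell
#!/bin/sh
# Added example, not from the original thread. Requires openssl >= 1.1.1 on PATH
# (for "req -addext"). Hostname and IP below are placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CN=ftps.vendor.example
IP=10.0.0.5

# 1. A self-signed certificate carrying only a CN, as vendors often send them.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=$CN" \
  -keyout "$WORK/cn.key" -out "$WORK/cn.crt" >/dev/null 2>&1

# 2. Same subject, plus a SAN listing both the DNS name and the IP address.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=$CN" \
  -addext "subjectAltName=DNS:$CN,IP:$IP" \
  -keyout "$WORK/san.key" -out "$WORK/san.crt" >/dev/null 2>&1

# Run "openssl verify" and report ok/fail instead of aborting under set -e.
check() {
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# No trust anchor: what the adapter sees before the cert is in TrustedCAs.
verify_no_anchor()   { check "$WORK/cn.crt"; }
# Once imported, a self-signed cert is its own anchor and the chain verifies.
verify_with_anchor() { check -CAfile "$WORK/cn.crt" "$WORK/cn.crt"; }
# Control connection opened by name: the name matches the CN.
verify_by_name()     { check -CAfile "$WORK/cn.crt" -verify_hostname "$CN" "$WORK/cn.crt"; }
# Data connection opened by IP: a CN-only cert has no IP entry to match.
verify_by_ip_cn()    { check -CAfile "$WORK/cn.crt" -verify_ip "$IP" "$WORK/cn.crt"; }
# Same IP check against a cert whose SAN lists the address.
verify_by_ip_san()   { check -CAfile "$WORK/san.crt" -verify_ip "$IP" "$WORK/san.crt"; }

for f in verify_no_anchor verify_with_anchor verify_by_name verify_by_ip_cn verify_by_ip_san; do
  printf '%-20s %s\n' "$f" "$($f)"
done
```

Run it with sh; the expected pattern is fail, ok, ok, fail, ok. The last two cases are the practical takeaway if Iván's explanation holds: a certificate whose SAN contains the address the data connection is opened to would pass the same check that a CN-only certificate fails, which is something to request from the vendor alongside the root certificate.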
Hello
Use the tracing tool attached to note #1514898 (Diagtool for troubleshooting XI). This should give you a very good idea of the exact cause of the problem.
Regards
Mark
Error from diagtool:
Error during disconnect from ftp server as2.progrator.com, ignored: com.sap.aii.adapter.file.ftp.FTPEx: 550 Unexpected reply code
iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: bad certificate
10:40:42:154 J2EE_GUEST ~l_sender/FTPS_TEST/VANS]_54305 ~rverTrusted(X509Certificate[]) Failed to verify server certificate chain: no trust anchor found
Have you restarted the R3 instance after importing the certificate?
Hi Erik,
I think this error occurs during the SSL session handshake setup. This happens if the IS is not able to verify the signature of the 3rd party vendor's certificate. Please check the root certificates again; they might not have been installed correctly.
One solution is to ask the 3rd party FTP vendor to resend copies of the appropriate root certificates. Also, if you can obtain their public key certificate, you can try to extract the root certs from that.
A system restart is a must after the import.
Cheers,
Souvik
Edited by: Souvik Chatterjee on May 27, 2011 2:51 PM