
FTP/SSL Connection Problem for FTP Receiver Adapter

Former Member
0 Kudos

Hello All,

We are trying to establish an FTPS/SSL connection with one of our customers from our XI (Unix) system, and are receiving the following error:

iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier

Communication Channel Parameters:

Connection Security: FTP (FTP Using SSL/TLS) for Control Connection or FTP (FTP Using SSL/TLS) for Control Connection and Data Connection

Command Order: AUTH TLS, USER, PASS, PBSZ, PROT

Checkbox - Use X.509 Certificate.... checked (certificate was provided by third party (customer issued) and uploaded to the service_ssl certificate store on the J2EE server)

Data Connection: Passive

Port: 10021

Keystore: service_ssl

X.509 Certificate & Private Key: ssl-credentials

Note: Initial handshaking occurs, but the connection is dropped by the third-party FTP server when the SSL certificate credentials are being validated. We also tried connecting to the third-party FTPS server using a standard FTPS client (FileZilla software); this connection gets established successfully with no certificate issues, which means the certificate and the third-party FTP server are functioning correctly.

We therefore think that the problem lies with our XI system being unable to load the certificate information correctly at the point when the FTPS session is being established.

Your help and suggestions will be greatly appreciated.

Thanks and Best Regards

Prashant Rajani

Accepted Solutions (1)

Former Member
0 Kudos

Hi Prashant,

Check these..

Hope it solves your issue :)

cheers,

Prashanth

P.S Please mark helpful answers

Former Member
0 Kudos

Hi Prashanth,

Thanks a bunch for your inputs.

But it seems the CA hierarchy of the FTPS server certificate has already been imported by the BASIS team into the list of trusted CAs in XI on the J2EE side, in the keystore service.

This is why we specified the Keystore as service_ssl and the Private Key as ssl-credentials. service_ssl has the CA hierarchy.

Keystore: service_ssl

X.509 Certificate & Private Key: ssl-credentials

I am not sure if we need to use STRUST on the ABAP side, but as our client is on the J2EE side, I think the service_ssl configuration at J2EE was the appropriate one, which BASIS imported.

Please correct me if I am wrong and provide your suggestions if there is something else you can think of which needs to be done at our end.

I'll be marking helpful answers.

Thanks and Best Regards

Prashant

Former Member
0 Kudos

Hi Prashant,

Ping the FTP server from the XI box and get its hostname. Ask the FTP administrator to generate a certificate on the FTP server with common name = hostname of the FTP server (that you obtained by pinging from the XI box).

This is done because XI does a strict server name check before verifying against the Trusted CAs.

If required, add that certificate to the Trusted CAs in the keystore.

Use the standard (default) FTPS configuration.

First try without client authentication, then proceed with it.

Try this and get back.

Regards,

Sudharshan

Former Member
0 Kudos

Hi Sudarshan,

Thanks for your inputs!

We can successfully resolve the FQDN (Fully Qualified Domain Name) of the remote FTP server, and the certificate has been configured with the FQDN of the remote FTPS server.

Please Note: The file gets created in the target directory but it doesn't contain any data (blank file), and the communication channel has the error:

FTPs connection failed - error ".. certificate rejected by ChainVerifier

Thanks and Regards

Prashant

Former Member
0 Kudos

Hello All,

Further, in order to test the connection set-up and communication channel configuration, we tried simulating the FTP connection locally by configuring an FTP server using FileZilla on a local machine and accessing it from the client's XI server.

This set-up reproduces the problem we encounter with our customer's FTP server.

If the connection security parameter in the communication channel for the Sender FTP Adapter is set to "FTPs (FTP Using SSL/TLS) with Control Connection" only, the file gets successfully created with data at the FTP server, but as soon as we switch the connection security parameter to "FTPs (FTP Using SSL/TLS) with Control and Data Connection", we receive the error "Certificate rejected by Chain Verifier". The initial handshaking happens successfully and the file gets created at the FTP server, but it's empty; the connection fails when an attempt is made to write data into the file, and we end up with the said error, thereby closing the connection.

This is what the FTP server (FileZilla) sees when the XI system attempts to set up a fully encrypted data (FTPS) connection, i.e., connection security parameter value "FTPs (FTP Using SSL/TLS) with Control and Data Connection":

- (not logged in) (10.18.106.34)> Connected, sending welcome message...
- (not logged in) (10.18.106.34)> 220-FileZilla Server version 0.9.18 beta
- (not logged in) (10.18.106.34)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
- (not logged in) (10.18.106.34)> 220 Please visit http://sourceforge.net/projects/filezilla/
- (not logged in) (10.18.106.34)> AUTH TLS
- (not logged in) (10.18.106.34)> 234 Using authentication type TLS
- (not logged in) (10.18.106.34)> SSL connection established
- (not logged in) (10.18.106.34)> USER test
- (not logged in) (10.18.106.34)> 331 Password required for test
- (not logged in) (10.18.106.34)> PASS ***********
- test (10.18.106.34)> 230 Logged on
- test (10.18.106.34)> PBSZ 0
- test (10.18.106.34)> 200 PBSZ=0
- test (10.18.106.34)> PROT P
- test (10.18.106.34)> 200 Protection level set to P
- test (10.18.106.34)> SYST
- test (10.18.106.34)> 215 UNIX emulated by FileZilla
- test (10.18.106.34)> PWD
- test (10.18.106.34)> 257 "/" is current directory.
- test (10.18.106.34)> CWD /payment/
- test (10.18.106.34)> 250 CWD successful. "/payment" is current directory.
- test (10.18.106.34)> TYPE I
- test (10.18.106.34)> 200 Type set to I
- test (10.18.106.34)> PASV
- test (10.18.106.34)> 227 Entering Passive Mode (10,27,7,103,15,63)
- test (10.18.106.34)> STOR BHPDSB20060911-153840-834.txt
- test (10.18.106.34)> 150 Connection accepted
- test (10.18.106.34)> Data connection SSL warning: SSL3 alert read: fatal: bad certificate
- test (10.18.106.34)> Data connection SSL warning: SSL_accept: failed in SSLv3 read client certificate A
- test (10.18.106.34)> Data connection SSL warning: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
- test (10.18.106.34)> Data connection SSL warning: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
- test (10.18.106.34)> 426 Connection closed; transfer aborted.
- test (10.18.106.34)> QUIT
- test (10.18.106.34)> 221 Goodbye
- test (10.18.106.34)> SSL connection established

Please suggest your valuable inputs if we are missing something. Any helpful inputs in this regard are highly appreciated.

Thanks and Best Regards

Prashant
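The server log above is the useful evidence in this thread: AUTH TLS, USER/PASS, PBSZ 0 and PROT P all succeed on the control channel, and the "bad certificate" alert only appears once the PASV data connection is opened. As an added example (not part of the original post and not SAP or FileZilla code), the Python script below runs over a constructed log in the same FileZilla format, extracts the PASV endpoint and the data-channel TLS alerts, and classifies where the handshake failed. The addresses and file name are copied from the sample above purely as constructed input; the `server_addr` parameter is an assumption used to flag a PASV address that differs from the host the channel connected to.

```python
import re

# Constructed sample, same format as the FileZilla server log in this thread:
# control channel upgraded with AUTH TLS, PROT P accepted, data connection failing.
SAMPLE_LOG = """\
- (not logged in) (10.18.106.34)> AUTH TLS
- (not logged in) (10.18.106.34)> 234 Using authentication type TLS
- (not logged in) (10.18.106.34)> SSL connection established
- (not logged in) (10.18.106.34)> USER test
- (not logged in) (10.18.106.34)> 331 Password required for test
- (not logged in) (10.18.106.34)> PASS ***********
- test (10.18.106.34)> 230 Logged on
- test (10.18.106.34)> PBSZ 0
- test (10.18.106.34)> 200 PBSZ=0
- test (10.18.106.34)> PROT P
- test (10.18.106.34)> 200 Protection level set to P
- test (10.18.106.34)> PASV
- test (10.18.106.34)> 227 Entering Passive Mode (10,27,7,103,15,63)
- test (10.18.106.34)> STOR BHPDSB20060911-153840-834.txt
- test (10.18.106.34)> 150 Connection accepted
- test (10.18.106.34)> Data connection SSL warning: SSL3 alert read: fatal: bad certificate
- test (10.18.106.34)> Data connection SSL warning: SSL_accept: failed in SSLv3 read client certificate A
- test (10.18.106.34)> Data connection SSL warning: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
- test (10.18.106.34)> Data connection SSL warning: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
- test (10.18.106.34)> 426 Connection closed; transfer aborted.
- test (10.18.106.34)> QUIT
- test (10.18.106.34)> 221 Goodbye
- test (10.18.106.34)> SSL connection established
"""

# "- <user> (<client ip>)> <command or reply>"
LINE_RE = re.compile(r"^- (?P<user>.+?) \((?P<ip>[\d.]+)\)> (?P<msg>.*)$")
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2 (RFC 959)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_line(line):
    """Split one FileZilla log line into user, client IP and message, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_pasv(msg):
    """Return (ip, port) announced in a 227 reply, or None if it is not one."""
    m = PASV_RE.match(msg)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def diagnose(lines, server_addr=None):
    """Walk the session and report which channel the TLS failure belongs to."""
    report = {"control_tls": False, "prot_level": None, "pasv": None,
              "data_tls_alerts": [], "transfer_aborted": False,
              "rejected_by": None, "pasv_differs": None}
    seen_user = False
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg == "SSL connection established" and not seen_user:
            report["control_tls"] = True          # AUTH TLS handshake completed
        elif msg.startswith("USER "):
            seen_user = True
        elif msg.startswith("200 Protection level set to "):
            report["prot_level"] = msg.rsplit(" ", 1)[1]  # "P" = private data channel
        elif msg.startswith("227 "):
            report["pasv"] = parse_pasv(msg)
        elif msg.startswith("Data connection SSL warning:"):
            report["data_tls_alerts"].append(msg.split(":", 1)[1].strip())
        elif msg.startswith("426 "):
            report["transfer_aborted"] = True
    # OpenSSL logs "alert read" when the *peer* sent the alert: here the client
    # refused the certificate presented on the data connection.
    if any("alert read" in a for a in report["data_tls_alerts"]):
        report["rejected_by"] = "client"
    if server_addr is not None and report["pasv"] is not None:
        report["pasv_differs"] = report["pasv"][0] != server_addr
    if not report["control_tls"]:
        report["verdict"] = "control-channel TLS never established"
    elif report["prot_level"] == "P" and report["data_tls_alerts"]:
        report["verdict"] = "data-channel TLS handshake failed"
    else:
        report["verdict"] = "no TLS failure detected"
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG.splitlines(), "10.27.7.103").items():
        print(f"{key}: {value}")
```

The distinction the script draws is the one to take to the server administrator: a failure after `PROT P` on the data socket with the client as the alert sender points at certificate validation of the data connection, not at AUTH TLS or the login.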

Former Member
0 Kudos

Hi All,

Correction: Please read it as Receiver FTP Adapter instead of Sender FTP Adapter.

Regards

Prashant

Former Member
0 Kudos

Prashant, what was the solution? We have the same issue. We get the control connection encrypted by SSL, but then the data connection fails to negotiate TLS encryption. Any clues?

Andy.

Former Member
0 Kudos

Did anyone resolve this issue?

We were not able to connect using either control or control and data.

Let us know if there is a resolution to this problem. We are running PI 7.0 SP12.

Former Member
0 Kudos

Hi Prashant,

did you solve this problem, it seems like we are having the same issue.

Best Regards,

Erik Hubers

Former Member
0 Kudos

Hello All,

Anyone solved this issue? we got the same issue.

Please share your experience, many thanks!

Jacky

Former Member
0 Kudos

Hello,

I've been dealing with this for quite some time and these are my conclusions.

  • Validate the dates of the certificate.
  • If you have a chain of certificates, import all of them in NWA, Trusted CAs.
  • Use the same server name in the communication channel FTP connection parameters as in the certificate imported in NWA, Trusted CAs. Verify that the "CN" in the certificate corresponds to the server name. If you have a chain of certificates, verify that the CNs on the certificates correspond to each other.
  • The FTPS server has to accept the explicit connection type. The SAP PI 7.1 file adapter CANNOT communicate with a server configured to accept implicit connections.
  • The standard port is 21.
  • Do not change the command order.

If you still have a problem complaining about "iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier", you may need to look into SAP note 1591971. This SAP note tells us to add this parameter in communication channel / Advanced / Advanced Mode:

Parameter name: strictHostnameChecking
Value: false

In passive mode the FTPS server is allowed to give us any IP/port it wishes. This seems to create a conflict with the common name (CN) of the certificates added in Trusted CAs. You need to explicitly agree on a hostname that is not presented in the certificates by adding the above statement.

Hope this helps
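The checklist above and the strictHostnameChecking workaround boil down to two separate checks a TLS client makes: is the server's certificate chain anchored in a trusted CA, and does the name the client connected to match the certificate (SAN dNSNames first, then CN). As an added example (not code from SAP, the PI adapter or anyone in this thread), the Python below implements the name match the third bullet describes, builds an SSL context that keeps chain verification on even when hostname checking is relaxed the way the SAP parameter does, and performs an explicit FTPS upload in the channel's command order with the standard library. `ftp.example.com`, the CA file path and the credentials are placeholders; `dns_name_matches`, `make_context` and `upload_explicit_ftps` are names chosen here.

```python
import ssl
from ftplib import FTP_TLS


def dns_name_matches(hostname, san_dns_names, common_name=None):
    """RFC 6125-style match: SAN dNSNames take precedence over the CN; a wildcard
    is honoured only as the leftmost label and matches exactly one label."""
    names = list(san_dns_names) or ([common_name] if common_name else [])
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                      # ".example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False                                   # an IP literal never matches a DNS name


def make_context(cafile=None, strict_hostname=True):
    """Chain verification against the trusted CAs is always on; strict_hostname=False
    mirrors the strictHostnameChecking=false workaround and only relaxes the name check."""
    ctx = ssl.create_default_context(cafile=cafile)   # cafile=None: platform trust store
    ctx.check_hostname = strict_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def upload_explicit_ftps(host, port, user, password, local_path, remote_name, ctx):
    """Explicit FTPS in the order the channel uses: AUTH TLS, USER, PASS, PBSZ 0, PROT P."""
    ftp = FTP_TLS(context=ctx)
    ftp.connect(host, port)
    ftp.auth()                      # AUTH TLS: control channel upgraded, server chain verified
    ftp.login(user, password)       # USER / PASS over the protected control channel
    ftp.prot_p()                    # PBSZ 0 + PROT P: data channels also under TLS
    ftp.set_pasv(True)              # PASV, as in the channel configuration above
    with open(local_path, "rb") as fh:
        # ftplib wraps the PASV data socket with server_hostname=host, i.e. the name
        # used for the control connection, not the address from the 227 reply.
        reply = ftp.storbinary(f"STOR {remote_name}", fh)
    ftp.quit()
    return reply


if __name__ == "__main__":
    # Placeholder values; replace with the real host, CA bundle and credentials.
    context = make_context(cafile="/path/to/customer-ca-chain.pem", strict_hostname=True)
    print(upload_explicit_ftps("ftp.example.com", 21, "user", "secret",
                               "payment.txt", "payment.txt", context))
```

Note why the relaxed context is the lesser evil compared to trusting the PASV address: the certificate chain is still checked against the imported CA hierarchy, so the only thing given up is the binding between the name and the key, which is exactly the gap the "verify the CN corresponds to the server name" step is meant to close. If the server's certificate carries the proper FQDN and the client connects by that FQDN, leave strict checking on.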

JaySchwendemann
Active Contributor
0 Kudos

Adding to what Arefin said:

You may want to check if the remote FTPS server / host supports reverse DNS. This is needed as SSL needs the hostname to work. If the FTPS server / host does not support this, you might want to consider adding an /etc/hosts entry to your PI system "simulating" this reverse DNS behaviour.

HTH

Cheers

Jens

Former Member
0 Kudos

Hello Arefin,

your hints have been very helpful for me, thanks a lot for posting them!

Especially the 3rd bullet point and the parameter "strictHostnameChecking" of SAP note 1591971 solved my issues after struggling for 2 weeks with this FTPS stuff.

Best Regards,

Joerg

Former Member
0 Kudos

Nice to hear that I could help
