
FTPS communication error - Peer certificate rejected by ChainVerifier

Former Member
0 Kudos

Hello gurus,

I have a JDBC to FTPS scenario in PI 7.31. I need to use SSL in my FTP Receiver.


I have read posts:

http://scn.sap.com/people/rajasekhar.reddy14/blog/2010/04/13/how-to-configure-ftps-in-file-adapter
http://scn.sap.com/thread/2047687
http://help.sap.com/saphelp_nwpi71/helpdata/EN/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm


Here is some information:

FTP

I was sent a certificate named "root_cert" by e-mail. I imported the certificate "root_cert" and set up the FTP receiver channel as in the pictures:

But I have an error:

"Error when getting an FTP connection from connection pool: com.sap.aii.af.lib.util.concurrent.ResourcePoolException: Unable to create new pooled resource: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier"

FTP server and PI are on the same server.

FTP Receiver works fine without connection security.

I restarted the channel after every change.

Please help to solve the question.

Accepted Solutions (1)


gagandeep_batra
Active Contributor
0 Kudos

Hi VLaDimir,

Did you check the following thread?

http://scn.sap.com/thread/1396047

Regards

Gagan

Former Member
0 Kudos

Hello Gagandeep,

I found the solution in the thread at http://scn.sap.com/message/6973343

"For the Server name, give the hostname instead of the IP address. The hostname you can see in the certificate under "CN". Put the same hostname in the server field of the file adapter and try to connect."

I have changed the channel field "Server" to use the hostname instead of the IP - and it works!!! With X509 and without it!

Regards,

Vladimir

Answers (1)


Former Member
0 Kudos

Hi Vladimir,

Are you using SSL for client authentication also?

Have you exchanged your certificates in that case with the FTP provider?

If you are not using a certificate for client authentication then there is no need to tick the checkbox X.509 client authentication.

Also, the root certificate needs to be imported in the trustedCAs keystore only.

Regards,

Beena.

Former Member
0 Kudos

Hello Beena,

I tried to use the channel without the X.509 checkbox and the result is negative.

I tried your advice and deleted "root_cert" from all other places except trustedCA.

Negative.

You are right: it is enough to import the certificate in only one place - trustedCA.

Regards,

Vladimir

Former Member
0 Kudos

Hi Vladimir,

Is there any certificate chain? In that case, you need to import all the certificates in that chain.

Also, following are the steps if you are not using client authentication:

1. Ensure Root certificate is stored in trustedCAs keystore
2. Certificate is valid, check the expiry date
3. Firewall issue - but in your case FTP is already working
4. Port is correct, I am not sure if same port 21 will be used for FTPS also
5. Provide username password for client authentication

http://help.sap.com/saphelp_nwpi711/helpdata/en/44/6830e67f2a6d12e10000000a1553f6/frameset.htm

Prerequisites

To use FTPS (File Transfer Protocol using SSL/TLS), the following prerequisites must be met:

The CA certificate used to sign the server certificate must be added to the TrustedCAs keystore view.

Regards,

Beena.

Former Member
0 Kudos

Hi Beena,

There is no certificate chain: only one root certificate.

1. Yes

2. Ok

3. Ok

4. Port 21. Ok

5. Ok.

I found the solution in the thread at http://scn.sap.com/message/6973343

"For the Server name, give the hostname instead of the IP address. The hostname you can see in the certificate under "CN". Put the same hostname in the server field of the file adapter and try to connect."

I have changed the channel field "Server" to use the hostname instead of the IP - and it works!!! With X509 and without it!

Regards,

Vladimir.
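
The fix reported in this thread (hostname in the "Server" field instead of the IP address) is what a TLS name check would require. The following is an added example, not SAP or IAIK code and not part of the original posts: a small pre-check that compares the value typed into the Server field with the names in the server certificate. It assumes the rejection was a name mismatch, as the accepted fix suggests; the function names, hostnames and IP address are constructed.

```python
import ipaddress

def _dns_match(pattern, host):
    """Match a DNS name against a certificate name; '*' covers only the left-most label."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_server_field(server, cert):
    """Return (ok, reason) for the value typed into the channel's Server field.

    cert uses the dict layout of Python's ssl.SSLSocket.getpeercert().
    """
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an IP entry; it never matches a hostname in CN.
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return True, "IP listed in subjectAltName"
        return False, "connect by name instead: " + ", ".join(dns_names or cns)
    # DNS SAN entries take precedence; CN is the fallback when there are none.
    candidates = dns_names or cns
    if any(_dns_match(c, server) for c in candidates):
        return True, "hostname matches certificate"
    return False, "certificate is issued to: " + ", ".join(candidates)

# Constructed sample: a server certificate issued to a hostname, no SAN entries.
SAMPLE_CERT = {"subject": ((("countryName", "DE"),), (("commonName", "ftps01.example.com"),))}

if __name__ == "__main__":
    for value in ("10.0.0.15", "ftps01.example.com", "FTPS01.example.com", "ftps02.example.com"):
        print(value, check_server_field(value, SAMPLE_CERT))
```

Running the check before saving the channel shows which name to enter when the certificate does not list the address being used.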