Connect File/FTP adapter to external server (FTPS, passive, certificate)

former_member511081
Discoverer
0 Kudos

Greetings experts! Please, help with the following challenge!

I need to connect XI as a client to an external server at a customer site via FTPS and deliver a file. Communication must be passive, establishing control on port 990 and data on a port specified by the external server in the range of 50,000-50,099. Last, there is a public certificate presented by the external server when trying to initially establish the connection.

I have verified that connection is possible by using an FTPS client from my PC. Firewall holes present, etc. The problem is that while I can get my PC to connect, I cannot get XI to connect to the external server via FTPS.

Is an FTPS capable client included in a common XI installation/implementation? If so, is it part of the J2EE stack? I have verified installation of the Java cryptographic libraries with the Basis Team, but have concerns about availability of an FTPS client based on some threads.

I've read in other threads that the file/FTP adapter is not capable of establishing a passive connection. I find this hard to believe, but is it true?

How do I handle the public certificate from the external server? I believe the certificate is part of a chain from the VeriSign CA. I have three public certificates to choose from: external server, VeriSign Intermediate CA, and VeriSign CA. Should any or all of these be loaded into the keystore available through Visual Admin? If so, where specifically? They cannot be referred to by the file/FTP adapter, as it insists on a private certificate and all of these are public.

Please, let me know if I can offer anything that could be useful in debugging this problem. I've been through lots of documents, threads and logs already, but may have missed something. Thanks in advance for any suggestions!
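As an added example (not part of the original post, and not the XI adapter's own code), this sketch uses Python's `ftplib` as a stand-in test client for the setup described above: implicit FTPS on port 990, server-only certificate validation against a CA trust store, and a check that the passive data port falls in 50,000-50,099. The `host`, `user`, `password` and `ca_file` parameters and all function and class names are assumptions chosen for illustration.

```python
import ftplib
import re
import ssl

DATA_PORTS = range(50000, 50100)  # passive data range stated in the post

def one_way_tls_context(ca_file=None):
    """Server-auth-only TLS: trust anchors loaded, no client key or certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True            # server cert must match the host name
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must end at a trusted CA
    return ctx

class ImplicitFTPS(ftplib.FTP_TLS):
    """FTP_TLS speaks explicit FTPS (AUTH TLS); port 990 expects TLS from byte one."""
    _sock = None

    @property
    def sock(self):
        return self._sock

    @sock.setter
    def sock(self, value):
        # Wrap the control socket as soon as ftplib creates it.
        if value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value

def pasv_port(reply):
    """Extract the data port from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a PASV reply: %r" % reply)
    return int(m.group(5)) * 256 + int(m.group(6))

def probe(host, user, password, ca_file=None):
    """Connect, log in, request one passive port, report whether it is in range."""
    ftps = ImplicitFTPS(context=one_way_tls_context(ca_file), timeout=15)
    ftps.connect(host, 990)   # handshake fails here if the chain is not trusted
    ftps.login(user, password)
    ftps.prot_p()             # encrypt the data channel as well
    port = pasv_port(ftps.sendcmd("PASV"))
    ftps.quit()
    return port, port in DATA_PORTS
```

Passing the CA certificate file as `ca_file` limits trust to that chain; leaving it as `None` uses the system trust store.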

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi,

Unfortunately there are some concerns with FTPS connectivity with XI.

As you know SFTP is not yet possible with XI, but somehow you could use FTPS.

Please confirm the things below; this may help you.

1. Please make sure to activate Secure Storage in the File System after deploying the SAP Java Cryptographic Toolkit. Check the thread below for the detailed procedure:

http://help.sap.com/saphelp_nw04/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm

2. You can go for third-party adapters such as the Seeburger adapter (AS2, OFTPS, etc.) for better connectivity with FTPS.

Refer to:

EDI Adapter by SeeBurger

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/206e2b65-2ca8-2a10-edad-f2d13916...

B2B(EDI) Integration using SAP Netweaver XI and Seeburger AS2 Adapter

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/00f9cdf5-d812-2a10-03b4-aff3bbf7...

Integrating XI with SeeBurger

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/6dc02f5d-0601-0010-cd9d-f4ff9a7e...

3. Search the options of your client's software to find where its public and private keys are stored; these are 2 files present on the FTP server. Then put the public key of the XI server on the client FTP server, and likewise the public key of the FTP server on the XI server.

This enables the SSL handshake, i.e. the exchange of certificates.

Thanks

Swarup

former_member511081
Discoverer
0 Kudos

Thank you for the quick suggestions. Unfortunately, they raise more questions. (Numbers refer to those in the response to the original post.)

1. My Basis Team indicates that Secure Storage on the file system wasn't activated. So, they activated it and restarted everything. This had no impact at all on my attempt to connect to an external server via FTPS.

How is activation of Secure Storage on the file system related to FTPS communication to external server?

2. I am not interested in 3rd party offerings. I had considered the SFTP adapter from Seeburger, but it is too costly.

3. When I connect to external server, it presents its own certificate and expects me to accept it, then authenticate by logging in. I do not know whether the FTPS software running on the external server would understand my presenting a certificate in return.

Is the suggestion that the FTPS client in XI cannot accept a certificate in a one-way manner? That the XI FTPS client must also present a certificate so that a handshake can occur?

If this is how it must work in XI, then I will try to arrange a test with my customer. However, when testing from my PC I simply accept the offered certificate, log in and move data.

Assume that the customer is in possession of my public certificate and has placed it in their key store. To attempt a handshake, must I refer to my certificate's private counterpart in the appropriate fields in the file/FTP adapter? If the process is any more detailed than this, please explain fully.

Thanks again.

Former Member
0 Kudos

Hi,

Please find herewith the responses to the questions, corresponding to the serial numbers.

1. How is activation of Secure Storage on the file system related to FTPS communication to external server?

--> Once you have deployed the SAP Java Cryptographic Toolkit, you have to allow the File adapter to be compatible with this Java Cryptographic Toolkit for encryption purposes. This is possible by activating Secure Storage on the file system.

2. The third-party adapter was one of the alternatives that I remembered at that time, so I had suggested it. No problem.

3. Is the suggestion that the FTPS client in XI cannot accept a certificate in a one-way manner? That the XI FTPS client must also present a certificate so that a handshake can occur?

--> Yes, you must have the certificate on both sides; that will authenticate the FTPS client in XI. This is normally a combination of public and private key pairs. In a one-way manner you will be accepting the certificate, but how will it validate if it is not available on the receiver side?

Normally, whenever you select the FTPS option and give the related details in the communication channel, you will find some more new parameters related to these certificates under the sender/receiver agreement. Please fill in those parameters with proper values.

I hope this will clarify most of your doubts.

Thanks

Swarup

Edited by: Swarup Sawant on May 31, 2008 12:46 AM

former_member511081
Discoverer
0 Kudos

We have given up on FTPS in favor of purchasing an SFTP adapter. Much simpler to connect and manage. More common. Does away with certificate headaches.

Thanks for all help and suggestions!