on 05-30-2008 6:13 PM
Greetings experts! Please, help with the following challenge!
I need to connect XI as a client to an external server at a customer site via FTPS and deliver a file. Communication must be passive, establishing control on port 990 and data on a port specified by the external server in the range of 50,000-50,099. Last, there is a public certificate presented by the external server when trying to initially establish the connection.
I have verified that connection is possible by using an FTPS client from my PC. Firewall holes present, etc. The problem is that while I can get my PC to connect, I cannot get XI to connect to the external server via FTPS.
Is an FTPS capable client included in a common XI installation/implementation? If so, is it part of the J2EE stack? I have verified installation of the Java cryptographic libraries with the Basis Team, but have concerns about availability of an FTPS client based on some threads.
I've read in other threads that the file/FTP adapter is not capable of establishing a passive connection. I find this hard to believe, but is it true?
How do I handle the public certificate from the external server? I believe the certificate is part of a chain from the VeriSign CA. I have three public certificates to choose from: external server, VeriSign Intermediate CA, and VeriSign CA. Should any or all of these be loaded into the keystore available through Visual Admin? If so, where specifically? They cannot be referred to by the file/FTP adapter, as it insists on a private certificate and all of these are public.
Please, let me know if I can offer anything that could be useful in debugging this problem. I've been through lots of documents, threads and logs already, but may have missed something. Thanks in advance for any suggestions!
Hi,
Unfortunately there are some concerns with FTPS connectivity with XI.
As you know SFTP is not yet possible with XI, but somehow you could use FTPS.
Please confirm the things below; this may help you.
1. Please make sure to activate Secure Storage in the File System after deploying the SAP Java Cryptographic Toolkit. Check the thread below for the detailed procedure:
http://help.sap.com/saphelp_nw04/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm
2. You can go for third-party adapters such as the Seeburger AS2 adapter, OFTPS, etc. for better connectivity with FTPS.
Refer to:
EDI Adapter by SeeBurger
B2B(EDI) Integration using SAP Netweaver XI and Seeburger AS2 Adapter
Integrating XI with SeeBurger
3. Search the options of your client's software to find where its public and private keys are stored (these are 2 files present on the FTP server), then put the public key of the XI server on the client FTP server and likewise the public key of the FTP server on the XI server.
This enables the SSL handshake, i.e. the exchange of certificates.
Thanks
Swarup
Thank you for the quick suggestions. Unfortunately, they raise more questions. (Numbers refer to those in the response to the original post.)
1. My Basis Team indicates that Secure Storage on the file system wasn't activated. So, they activated it and restarted everything. This had no impact at all on my attempt to connect to an external server via FTPS.
How is activation of Secure Storage on the file system related to FTPS communication to external server?
2. I am not interested in 3rd party offerings. I had considered the SFTP adapter from Seeburger, but it is too costly.
3. When I connect to external server, it presents its own certificate and expects me to accept it, then authenticate by logging in. I do not know whether the FTPS software running on the external server would understand my presenting a certificate in return.
Is the suggestion that the FTPS client in XI cannot accept a certificate in a one-way manner? That the XI FTPS client must also present a certificate so that a handshake can occur?
If this is how it must work in XI, then I will try to arrange a test with my customer. However, when testing from my PC I simply accept the offered certificate, log in and move data.
Assume that the customer is in possession of my public certificate and has placed it in their key store. To attempt a handshake, must I refer to my certificate's private counterpart in the appropriate fields in the file/FTP adapter? If the process is any more detailed than this, please explain fully.
Thanks again.
Hi,
Please find herewith the responses to the questions, corresponding to the serial nos.
1. How is activation of Secure Storage on the file system related to FTPS communication to external server?
--> Once you have deployed the SAP Java Cryptographic Toolkit, you have to allow the File adapter to be compatible with this Java Cryptographic Toolkit for encryption purposes. This is made possible by activating the Secure Storage in the file system.
2. A third-party adapter was one of the alternatives that I remembered at that time, so I had suggested it. No probs.
3. Is the suggestion that the FTPS client in XI cannot accept a certificate in a one-way manner? That the XI FTPS client must also present a certificate so that a handshake can occur?
---> Yes, you must have the certificate on both sides; that will authenticate the FTPS client in XI. This is normally a combination of public and private key pairs. In a one-way manner you will be accepting the certificate, but how will it validate if it's not available on the receiver side?
Normally, whenever you select the FTPS option and give the related details in the communication channel, you will find some more new parameters related to these certificates under the sender/receiver agreement. Please fill up those parameters with proper values.
I hope this will clarify most of your doubts.
Thanks
Swarup
Edited by: Swarup Sawant on May 31, 2008 12:46 AM
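As an added example (not from the thread and not SAP XI's file/FTP adapter), here is the connection described in the original post and the certificate handling discussed afterwards, written as a stand-alone Python client: implicit FTPS with control on port 990, passive mode restricted to the announced 50000-50099 data range, and one-way TLS that validates the server against the VeriSign CA chain, with a client certificate only as an option. The host name, credentials, file name and CA bundle path are placeholders.

```python
import re
import socket
import ssl
from ftplib import FTP_TLS, error_proto

PASV_PORT_RANGE = range(50000, 50100)  # data ports the server announces (from the thread)
# Placeholder path: PEM bundle with the VeriSign root/intermediate CA certs, i.e. the
# trust anchor, not the external server's own certificate.
CA_BUNDLE = "verisign_chain.pem"

def parse_pasv(resp):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", resp)
    if not resp.startswith("227") or not m:
        raise error_proto(resp)
    return ".".join(m.groups()[:4]), int(m.group(5)) * 256 + int(m.group(6))

def make_context(ca_bundle=CA_BUNDLE, client_cert=None):
    """One-way TLS: verify the server's chain and hostname against the CA bundle.
    A client certificate (PEM with key) is loaded only if the server demands one."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname, ctx.verify_mode = True, ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert)
    return ctx

class ImplicitFTPS(FTP_TLS):
    """FTP_TLS speaks explicit FTPS (AUTH TLS on 21); implicit FTPS on 990 wraps
    the control socket in TLS before the banner, so connect() is overridden."""
    def connect(self, host, port=990, timeout=30, source_address=None):
        self.host, self.port, self.timeout = host, port, timeout
        raw = socket.create_connection((host, port), timeout, source_address)
        self.sock = self.context.wrap_socket(raw, server_hostname=host)
        self.af = self.sock.family
        self.file = self.sock.makefile("r", encoding=self.encoding)
        self.welcome = self.getresp()  # consume the 220 banner

    def makepasv(self):
        _, port = parse_pasv(self.sendcmd("PASV"))
        if port not in PASV_PORT_RANGE:  # firewall is only open for this range
            raise error_proto("PASV data port %d outside allowed range" % port)
        # Use the control connection's peer address, not the announced one, so a
        # bogus PASV reply cannot redirect the data channel to another host.
        return self.sock.getpeername()[0], port

if __name__ == "__main__":  # placeholder host, credentials and file name
    ftps = ImplicitFTPS(context=make_context())
    ftps.connect("ftps.customer.example")
    ftps.login("xi_user", "secret")
    ftps.prot_p()  # PROT P: the data channel is TLS-protected as well
    ftps.storbinary("STOR payload.xml", open("payload.xml", "rb"))
    ftps.quit()
```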