
520 Unexpected reply codeControl connection prematurely closed by server

Former Member
0 Kudos

Hi,

I'm getting an error while configuring an FTPS connection to a remote server. Connection to this server using WS_FTP works fine, hence I know that the certificates and login information are correct. The error I'm receiving is:

Channel FTPS_Sender: Error connecting to ftp server 'ftps***.*******.***': com.sap.aii.adapter.file.ftp.FTPEx: 520 Unexpected reply codeControl connection prematurely closed by server

Below is a screenshot from the java log files. Any ideas on how to proceed here are very much appreciated.

The logging on the FTPS server is the following:

HtcNUo/ZggY            20130816 093911 101 FTP   I TRACE       0000

55534552 20663030 30333238 39       [USER *********]

HtcNUo/ZggY            20130816 093911 300 SUP   E TLS_ERR

$**********(71320106) Site sprof check failed(30)

Code 30 means: The common name of the certificate received does not match the one set in the Subject certificate alias field of the Site

Accepted Solutions (1)


0 Kudos

Update: We tested together with SAP for three months. Now we have got a test patch from SAP and it works with this test patch. SAP will provide an official patch for PI 7.11 in the next two weeks.

Former Member
0 Kudos

We received the same update, and now we can indeed log on to the FTPS server.

Former Member
0 Kudos

Happy it works now. We were overtaken by events in our business, so we stopped investigating.

We are currently moving to 7.31, while the use of the two interfaces impacted will be discontinued.

Can you please mention the number of the official patch when it is published?

Then I can check if there is any work required in 7.31 for this (for future use).


Former Member
0 Kudos

Of course I will.

Answers (7)


0 Kudos

Please check note 1968688.

Former Member
0 Kudos

Thx. From the text in the note it's still fairly hazy what the issue was.

0 Kudos

Yes, I have the same opinion.

Also, it is exhausting that for every SP level a different patch is necessary.

Former Member
0 Kudos

Hello,

We have exactly the same problem connecting our PI 7.31 to the Dutch server.

We implemented note 1968688 in our system. SAP writes in the note: the issuers inside the certificate chain needs to be verified with the list of issuers configured in NWA (under 'ssl_service' keystore).

My question to you is, what steps need to be made to properly configure that?

Thanks in advance!

Regards,

Daniel Saizev

iddorijsdijk
Explorer
0 Kudos

I believe we re-created the certificate we used to log on to the server. We extended it with the CA certificates in the correct order.

Former Member
0 Kudos

Hi I. Rijsdijk,


Do you use the keystore Trusted CAs to store the certificates? What do you mean by the CA certificates in the correct order? Which order is correct?


Regards,

Daniel

Former Member
0 Kudos

The used keystore doesn't matter that much. The correct order is bottom-up: so start with the client certificate and work your way down to the root CA.

Former Member
0 Kudos

Update: finally a response from SAP. They asked us to import the root CA (https://www.logius.nl/fileadmin/logius/product/pkioverheid/certificaten/staatdernederlandenrootca-g2... to the Trusted CA keystore. Unfortunately this didn't help at all.

@Christian and @Ronald: any news from your side yet?

0 Kudos

We got a new SDA file (com.sap.aii.adapter.file.svc.sda) from SAP for testing. With this patch the File Adapter does not start correctly. It seems that we will have to wait for a long, long time to get a solution.

Former Member
0 Kudos

Analysis by SAP is still ongoing. We have now downloaded WS_FTP by Ipswitch, a PC FTP(S) client, as a "plan B". With this tool we were able to present our certificate to the server.

0 Kudos

We also have exactly the same problem connecting our PI system (release 7.11) to the Dutch server.

For one week now they have required double authentication: user/password plus client certificate.

Is there any news from SAP?

Former Member
0 Kudos

No news yet. We're getting the impression that SAP isn't working very hard to solve this. But perhaps I'm wrong here (I certainly hope so...)

Former Member
0 Kudos

Hi, I would like to mention we get the same issue on a 7.10 system, same "could not retrieve key" in the Java log.

Currently SAP has given us a new SCA to produce more output in the Java log. This did not yet resolve the issue; we are waiting for analysis of the data by SAP.

I suspect we are trying to access the same Dutch server, which requires X509 client authentication in the File Communication Controller enabled (originally from 1/7 onwards).

Call for help:

Did anybody ever get FTPS with X509 client authentication working? If so, please react (preferably with PI version/patch level).

Regards,

Ronald van Aalst

Stedin

Former Member
0 Kudos

Hi Ronald,

Yes, that's the same issue indeed. I will update this thread as soon as I have a solution available. Can you please do the same?

Iddo

Former Member
0 Kudos

Testing with new SAP software did not succeed in connecting.

XPI traces have been handed to SAP and we await their analysis.

Former Member
0 Kudos

When using certificates for authentication, why do you configure username/password, too?

So either uncheck the "Use X.509 Certificate..." or don't use username/password for authentication if using certificates for authentication.

At least that's my understanding of the settings.

Doesn't hurt to test it out though.

Best regards,

Peter

Former Member
0 Kudos

Some new information from the XPI trace:

"Could not retrieve key and cert to use for X.509 client authentication. Trying anonymous SSL connection."

Apparently PI can't access the necessary X.509 certificate for authentication. That would explain the error. I've used the keystore "TicketKeystore" to store the X.509 authentication certificate. According to this thread, http://scn.sap.com/thread/599819, it could be that the "XI service user" has insufficient rights. The question is which user that could be...

Former Member
0 Kudos

Hi,

Put the X.509 cert into the Trusted CA keystore and rerun the scenario.

TicketKeystore should only be used for LogonTickets for Portal systems et al.

Best regards,

Peter

Former Member
0 Kudos

Hi Peter,

I did that, but I still got the same error.

Iddo

Former Member
0 Kudos

Have reread the thread again.

To me it looks like the ftp server is expecting client authentication via a client certificate which you don't have, so username/password (i.e. basic authentication) will not work when using ftps with this ftp server.

That means that you have to use Connection Security set to either FTPS for control connection or FTPS for both control and data connection and tick the checkmark for "Use X.509 Certificate for Client Authentication".

Then give the "Keystore" value and the value for "X.509 Certificate for Client Authentication" according to the SAP help and your local keystore and certificate names.

In NWA you can create your own keystore for client authentication and use it in your channel configuration.

So, if you're still having "Connection Security" set to None either ask your FTP server administrators to allow username/password authentication or get the client certificate for authentication from the ftp server team and configure certificate client authentication in your communication channel.

Best regards,

Peter

Former Member
0 Kudos

Here are the settings I created in the communication channel. The certificate for authentication is present (I can even select it using the 'Browse' button).

naveen_chichili
Active Contributor
0 Kudos

Hi,

Did you check if the firewall port is open?

Thanks and Regards,

Naveen

Former Member
0 Kudos

Yes, the firewall port is open for sure. An external FTP client (WS_FTP) is able to log on successfully. I retrieved the following information from the PI logging:

ftp server returns reply '220 Welcome'

Detected 'AUTH TLS' command: Preparing TLS/SSL connection upgrade

Sending command 'AUTH TLS'

'AUTH TLS' successful: Upgrading control channel to TLS/SSL

ftp server returns reply '234 AUTH command OK, waiting handshake'

Sending command 'USER ********'

ftp server returns reply '331 Send password please'

Sending command 'PASS ***'

ftp server returns reply '520 Control connection prematurely closed by server'

Channel FTPS_Sender: Error connecting to ftp server 'ftps**.***********.***': com.sap.aii.adapter.file.ftp.FTPEx: 520 Unexpected reply codeControl connection prematurely closed by server

Seems like an error in the SSL handshake to me, but how can I investigate this further? Is there a way to increase the PI logging on SSL even further?

aashish_sinha
Active Contributor
0 Kudos

Hi,

I don't know if it is going to fit in your case.

Can you please try mode Active instead of using Passive in the channel?

Regards

Aashish Sinha

Former Member
0 Kudos

Hi,

No, setting the mode to active gives exactly the same result on PI. Using active mode on WS_FTP works fine, just as the passive mode.

Iddo