on 09-13-2013 9:08 AM
Hi,
I'm getting an error while configuring an FTPS connection to a remote server. Connection to this server using WS_FTP works fine, hence I know that the certificates and login information are correct. The error I'm receiving is:
Channel FTPS_Sender: Error connecting to ftp server 'ftps***.*******.***': com.sap.aii.adapter.file.ftp.FTPEx: 520 Unexpected reply codeControl connection prematurely closed by server
Below is a screenshot from the java log files. Any ideas on how to proceed here are very much appreciated.
The logging on the FTPS server is the following:
HtcNUo/ZggY 20130816 093911 101 FTP I TRACE 0000
55534552 20663030 30333238 39 [USER *********]
HtcNUo/ZggY 20130816 093911 300 SUP E TLS_ERR
$**********(71320106) Site sprof check failed(30)
Code 30 means: The common name of the certificate received does not match the one set in the Subject certificate alias field of the Site
Update: We tested together with SAP for three months. Now we got a test patch from SAP and it works with this test patch. SAP will provide an official patch for PI 7.11 in the next two weeks.
Happy it works now. We were overtaken by events in our business, so we stopped investigating.
Currently moving to 7.31, while the use of the two interfaces impacted will be discontinued.
Can you please mention the number of the official patch when it is published?
Then I can check if there is any work required in 7.31 for this (for future use).
Please check note 1968688.
Hello,
We have exactly the same problem connecting our PI 7.31 to the Dutch server.
We implemented note 1968688 in our system. SAP writes in the note: the issuers inside the certificate chain need to be verified against the list of issuers configured in NWA (under the 'ssl_service' keystore).
My question to you is, what steps need to be made to properly configure that?
Thanks in advance!
Regards,
Daniel Saizev
Update: finally a response from SAP. They asked us to import the root CA (https://www.logius.nl/fileadmin/logius/product/pkioverheid/certificaten/staatdernederlandenrootca-g2... to the Trusted CA keystore. Unfortunately this didn't help at all.
@Christian and @Ronald: any news from your side yet?
Analysis by SAP is still ongoing. We have now downloaded WS_FTP by Ipswitch, a PC FTP(S) client, as a "plan B". With this tool we were able to present our certificate to the server.
Hi, I would like to mention we get the same issue on a 7.10 system, the same "could not retrieve key" in the java log.
Currently SAP has given us a new SCA to produce more output in the java log. This did not yet resolve the issue; we are waiting for analysis of the data by SAP.
I suspect we are trying to access the same Dutch server, which requires X509 client authentication in the File Communication Controller enabled (originally from 1/7 onwards).
Call for help:
Did anybody ever get an FTPS with X509 client authentication working? If so, please react (preferably with PI version/patch level).
Regards,
Ronald van Aalst
Stedin
When using certificates for authentication, why do you configure username/password, too?
So either uncheck the "Use X.509 Certificate..." or don't use username/password for authentication if using certificates for authentication.
At least that's my understanding of the settings.
Doesn't hurt to test it out though.
Best regards,
Peter
Some new information from the XPI trace:
"Could not retrieve key and cert to use for X.509 client authentication. Trying anonymous SSL connection."
Apparently PI can't access the necessary X.509 certificate for authentication. That would explain the error. I've used the keystore "TicketKeystore" to store the X.509 authentication certificate. According to this thread, http://scn.sap.com/thread/599819 it could be that the "XI service user" has insufficient rights. Question is which user that could be...
Have reread the thread again.
To me it looks like the ftp server is expecting client authentication via a client certificate which you don't have, so username/password (i.e. basic authentication) will not work when using ftps with this ftp server.
That means that you have to use Connection Security set to either FTPS for control connection or FTPS for both control and data connection and tick the checkmark for "Use X.509 Certificate for Client Authentication".
Then give the "Keystore" value and the value for "X.509 Certificate for Client Authentication" according to the SAP help and your local keystore and certificate names.
In NWA you can create your own keystore for client authentication and use it in your channel configuration.
So, if you're still having "Connection Security" set to None either ask your FTP server administrators to allow username/password authentication or get the client certificate for authentication from the ftp server team and configure certificate client authentication in your communication channel.
Best regards,
Peter
Hi,
Did you check if the firewall port is open?
Thanks and Regards,
Naveen
Yes, the firewall port is open for sure. An external FTP client (WS_FTP) is able to log on successfully. I retrieved the following information from the PI logging:
ftp server returns reply '220 Welcome'
Detected 'AUTH TLS' command: Preparing TLS/SSL connection upgrade
Sending command 'AUTH TLS'
'AUTH TLS' successful: Upgrading control channel to TLS/SSL
ftp server returns reply '234 AUTH command OK, waiting handshake'
Sending command 'USER ********'
ftp server returns reply '331 Send password please'
Sending command 'PASS ***'
ftp server returns reply '520 Control connection prematurely closed by server'
Channel FTPS_Sender: Error connecting to ftp server 'ftps**.***********.***': com.sap.aii.adapter.file.ftp.FTPEx: 520 Unexpected reply codeControl connection prematurely closed by server
Seems like an error in the SSL handshake to me, but how can I investigate this further? Is there a way to increase the PI logging on SSL even further?
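The two logs quoted in this thread (the server-side TLS_ERR entries in the first post and the PI adapter trace above) can be read side by side to locate where the session dies. The script below is an added example, not code from the thread or from SAP; it reconstructs both logs from the lines posted here as constructed sample input, walks the control-channel trace to find the last command before the server dropped the connection, and pairs that with the site-profile check code from the server log. The meaning of code 30 is the one the original poster gave; the log format and the helper names (`analyse_pi_trace`, `find_tls_error`, `diagnose`) are assumptions of this example.

```python
"""Correlate a PI file-adapter FTPS trace with a server-side TLS_ERR log entry.

Added example (not from the thread or SAP). Both log samples below are
constructed from the lines quoted in the discussion.
"""
import re
from typing import Optional

# Constructed from the client-side (PI) control-channel trace quoted above.
PI_TRACE = """\
ftp server returns reply '220 Welcome'
Detected 'AUTH TLS' command: Preparing TLS/SSL connection upgrade
Sending command 'AUTH TLS'
'AUTH TLS' successful: Upgrading control channel to TLS/SSL
ftp server returns reply '234 AUTH command OK, waiting handshake'
Sending command 'USER ********'
ftp server returns reply '331 Send password please'
Sending command 'PASS ***'
ftp server returns reply '520 Control connection prematurely closed by server'
"""

# Constructed from the server-side log quoted in the first post.
SERVER_LOG = """\
HtcNUo/ZggY 20130816 093911 101 FTP I TRACE 0000
55534552 20663030 30333238 39 [USER *********]
HtcNUo/ZggY 20130816 093911 300 SUP E TLS_ERR
$**********(71320106) Site sprof check failed(30)
"""

# Site-profile check codes. Only 30 is explained in the thread; anything
# else is reported as unknown rather than guessed.
SPROF_CODES = {
    30: "common name of the received certificate does not match the "
        "Subject certificate alias configured for the site",
}

SEND_RE = re.compile(r"Sending command '([A-Z]+)")
REPLY_RE = re.compile(r"returns reply '(\d{3})")


def analyse_pi_trace(trace: str) -> dict:
    """Walk the trace; report whether TLS came up and which command drew an error reply."""
    tls_upgraded = False
    last_cmd = None
    for line in trace.splitlines():
        if "successful: Upgrading control channel" in line:
            tls_upgraded = True
            continue
        sent = SEND_RE.search(line)
        if sent:
            last_cmd = sent.group(1)
            continue
        reply = REPLY_RE.search(line)
        # 4xx/5xx replies are the server refusing or dropping the session.
        if reply and reply.group(1)[0] in "45":
            return {"tls_upgraded": tls_upgraded,
                    "failed_after": last_cmd,
                    "code": int(reply.group(1))}
    return {"tls_upgraded": tls_upgraded, "failed_after": None, "code": None}


def find_tls_error(server_log: str) -> Optional[dict]:
    """Return the site-profile check code that follows a TLS_ERR entry, if present."""
    lines = server_log.splitlines()
    for i, line in enumerate(lines):
        if "TLS_ERR" in line and i + 1 < len(lines):
            m = re.search(r"sprof check failed\((\d+)\)", lines[i + 1])
            if m:
                code = int(m.group(1))
                return {"code": code,
                        "reason": SPROF_CODES.get(code, "unknown code")}
    return None


def diagnose(trace: str, server_log: str) -> str:
    """Combine both views into one sentence a PI administrator can act on."""
    client = analyse_pi_trace(trace)
    server = find_tls_error(server_log)
    if client["code"] is None:
        return "no error reply in the client trace"
    where = f"after {client['failed_after']}" if client["failed_after"] else "before any command"
    tls = "TLS upgrade succeeded" if client["tls_upgraded"] else "TLS upgrade not seen"
    if server is None:
        return f"{tls}; server replied {client['code']} {where}; no TLS_ERR on server side"
    return (f"{tls}; server replied {client['code']} {where}; "
            f"server sprof code {server['code']}: {server['reason']}")


if __name__ == "__main__":
    print(diagnose(PI_TRACE, SERVER_LOG))
```

Because the 520 arrives only after AUTH TLS has already succeeded, the TLS handshake itself is not the failing step; the server accepts the session and then rejects it at its own site-profile check, which in this case is a certificate name check. That points at the certificate the adapter presents (or fails to present, per the "Could not retrieve key and cert" trace line earlier in the thread) rather than at the firewall or the password.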