on 11-11-2015 4:08 AM
Hi Experts,
I have the following FTPs server, which I get files from and put files to:
Parameter | Value |
---|---|
Control Port hostname/URL | host1.com |
Control Port | 21 |
Data Port hostname/URL | host2.com |
Data Port | 9900 - 9999 |
Now, my FTPs receiver can successfully put files in the FTPs server. But somehow, the FTPs sender channel cannot poll the directory in the FTPs server; every time it polls the FTPs server, there's always an error message:
'Error occured while connecting to the FTP server "host1.com:21": java.io.EOFException: Connection closed by remote host.'
Here is the configuration of the FTPs sender adapter:
Connection Security: FTPS (FTP using SSL/TLS) for Control and Data Connection
Command Order: AUTH TLS, USER, PASS, PBSZ, PROT
Data Connection: Passive
I wonder why the FTPs receiver channel has no problem connecting, but the FTPs sender channel receives the "Connection closed by remote host" error message. Is there any way to troubleshoot this?
Thank you,
Suwandi C.
Hi Experts,
I've found out from the trace file that if I put a name in the file name, something like: 'Filename*' then the connection is in error at the LIST command. But, if I put just '*' (asterisk) in the file name, then the LIST command is successful and we can continue to retrieve the files.
The problem is by putting asterisk (*) in the file name parameter, then the channel will pick all files, but I may not pick all files.
Has someone experienced this? Is there any other way to limit file picking in the FTP sender channel other than setting it in the filename?
Regards,
Suwandi C.
Hi Experts,
Thank you for the reply.
As I recall, the FTPS receiver channel works fine; the one with the issue is the FTPS sender channel.
If the FTPS server vendor said that the issue is the cipher version mismatch between SAP PI and their FTPS server, then why does the FTPS receiver channel work? I guess there would still be an SSL/TLS handshake and security negotiation going on in the FTPS receiver channel. CMIIW.
Regards,
Suwandi C.
Hi Experts,
I've received a response from the FTPS vendor, they said that PI is trying to connect using the old TLS version and Cipher.
The log message at the FTPS server is:
Ensure that client is using ssl_tlsv2 and any of the following ciphers: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, TLS_RSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, TLS_RSA_WITH_NULL_SHA, TLS_RSA_WITH_NULL_MD5].
How can I check which TLS version and cipher method are used in PI, and how can I change them?
I found out that ssl_tlsv2 means a context protocol which supports: TLSv1.2, TLSv1.1, TLSv1.0 and SSLv3
PI has sent SSL using version 3.1 (I think SSLv3.1 means TLSv1.0), since TLS1.0 is supported in ssl_tlsv2, that means we need to check on the cipher mode?
Regards,
Suwandi C.
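Added example, not part of the original thread: a small Python check that ties the `ssl_debug` trace lines quoted in this thread to the server's cipher message, reporting which channel's handshake was dropped, which protocol version the client offered, and what each suite in the server's list implies by its name. The function names `failed_handshakes` and `audit_suites` are hypothetical, and the inputs are constructed from the lines quoted in the posts.

```python
import re

# Record-layer version numbers as they appear in SSL/TLS handshake traces.
WIRE_VERSIONS = {"3.0": "SSLv3", "3.1": "TLSv1.0", "3.2": "TLSv1.1", "3.3": "TLSv1.2"}
WEAKNESSES = [("_NULL_", "no encryption"), ("_3DES_", "64-bit block cipher"), ("_MD5", "MD5 MAC")]
DATA_PORTS = range(9900, 10000)  # data port range given in the first post

# Constructed sample input: trace lines and server message as quoted in the thread.
TRACE = """\
ssl_debug(245): Starting handshake (iSaSiLk 4.403)...
ssl_debug(245): Sending v3 client_hello message to host2.com:9907, requesting version 3.1...
ssl_debug(245): IOException while handshaking: Connection closed by remote host.
"""
SERVER_MSG = (
    "Ensure that client is using ssl_tlsv2 and any of the following ciphers: ["
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "
    "TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, "
    "TLS_ECDHE_RSA_WITH_NULL_SHA, TLS_RSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, "
    "TLS_RSA_WITH_NULL_SHA, TLS_RSA_WITH_NULL_MD5]."
)

def failed_handshakes(trace):
    """Return (host, port, channel, offered version) for each handshake ended by an IOException."""
    failed, pending = [], None
    for line in trace.splitlines():
        m = re.search(r"client_hello message to ([\w.-]+):(\d+), requesting version (\d\.\d)", line)
        if m:
            port = int(m.group(2))
            channel = "data" if port in DATA_PORTS else "control"
            pending = (m.group(1), port, channel, WIRE_VERSIONS.get(m.group(3), "unknown"))
        elif "IOException while handshaking" in line and pending:
            failed.append(pending)
            pending = None
    return failed

def audit_suites(server_msg):
    """Map each distinct suite in the bracketed list to the weaknesses its name declares."""
    listed = re.search(r"\[(.*?)\]", server_msg).group(1).split(",")
    findings = {}
    for name in dict.fromkeys(s.strip() for s in listed):  # de-duplicate, keep order
        issues = [label for marker, label in WEAKNESSES if marker in name]
        if not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            issues.append("no forward secrecy")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    print(failed_handshakes(TRACE))
    for suite, issues in audit_suites(SERVER_MSG).items():
        print(f"{suite}: {', '.join(issues) or 'no name-level issue'}")
```
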
Hi Suwandi,
Please have a look into the below links,
http://service.sap.com/sap/support/notes/2065806
http://service.sap.com/sap/support/notes/510007
https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/ui_entry/entry.htm?param=69765F6D6F6465...
2092630 - Turning off SSLv3 on SAP NETWEAVER AS ABAP and AS JAVA, and on SAP HANA XS
Hope these help you.
Thanks,
Satanik
Hi All,
Thanks for the advice.
Yes, currently we're in the process of installing the XPI inspector but we're facing a difficulty in installing it.
We've also contacted the third party FTP vendor to check on their log.
Thank you,
Suwandi C.
Hi Raghuraman,
Thanks for the reply. Do you mean at the same server as the PI server? No, the FTPs server is from a third party vendor.
Actually after checking at the trace log file, I've found the following at the log:
ssl_debug(245): Starting handshake (iSaSiLk 4.403)...
ssl_debug(245): Sending v3 client_hello message to host2.com:9907, requesting version 3.1...
ssl_debug(245): IOException while handshaking: Connection closed by remote host.
ssl_debug(245): Sending alert: Alert Fatal: handshake failure
ssl_debug(245): Shutting down SSL layer...
The SSL handshake process is successful at the control port, but then during the SSL handshake with the data port, there's an IOException.
What could possibly be causing an IOException?
Thank you,
Suwandi C.
Hi John,
Thanks for the reply.
Trying to telnet to host1.com port 21 works successfully since it is connecting to the control port and no SSL handshake is in process. That's the furthest that we've ever tested at the OS level.
We haven't been able to simulate the connection at the OS level for the handshake process, I'm still working on that with the basis team.
The firewall seems to have been opened by the network team, but somehow I have no way to test it since the data port will only be opened at the server once there's a control connection connected to the server (CMIIW).
Regards,
Suwandi C.
Hi Suwandi,
According to your log, it seems the handshake is being done on port 9907. Although you are using FTP over SSL, you should consider that, depending on the SSL protocol version and the FTP server, there could be extra messages in the communication.
Talk with your basis team to install the XPI inspector tool, and together figure out the possible issue from the logs.
http://scn.sap.com/community/pi-and-soa-middleware/blog/2013/03/22/xpi-inspector
Hi Suwandi,
Inaki has given you a very good idea about having XPI inspector installed and that should help you in getting further logs of the failures.
Also, please check once more with the partner if the SSL key pair is correct at both ends and if they can accept sslv3 at their end.
As I can see in the log, a v3 client_hello is being sent as part of the initial request.
ssl_debug(245): Sending v3 client_hello message to host2.com:9907, requesting version 3.1...
ssl_debug(245): IOException while handshaking: Connection closed by remote host.
Thanks,
Satanik
Hi All,
Thanks for the replies.
Yes, the folder has read permission. I also have tried both connection modes (permanently or per file transfer) but it still fails.
I wonder if there's a log where I can see in which step/command does this connection actually fails, because the error message is quite general.
Thank you,
Suwandi C.
Hi Suwandi,
After Raghuraman's suggestion, you can change the PI Connect Mode section (Permanently or per file transfer). Also, that error could occur when the FTP channel is hung or the FTP server doesn't close the communication correctly.
Regards.
Hello Suwandi,
Check whether the folder has read permissions in order to pick the file.