FTPs connection failed - error ".. certificate rejected by ChainVerifier"

Former Member
0 Kudos

Hi,

I want to use the XI File/FTP adapter to connect to our FTPS server.

We have to use username/password to connect to the FTPS server (it's an Ipswitch WS_FTP server); using X.509 is not possible (another department administers the FTPS server).

Now I get the error "Error: Message processing failed: iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier".

The Crypto package is installed and working; we tested it by connecting via HTTPS to SAP NetWeaver.

Do we need a certificate if we just use a user/password connection (no X.509)?

Thanks a lot,

bye

Wolfgang

Accepted Solutions (1)

Former Member
0 Kudos

Hi Wolfgang,

You need to make sure that your FTPS client (XI?) trusts your FTPS server certificate (in parallel with your username/password authentication).

This means that you need to import the CA hierarchy of your FTPS server certificate into the list of trusted CAs in XI (either on the J2EE side in the keystore service or on the ABAP side via transaction STRUST, depending on where your client is).

regards

Dirk

Former Member
0 Kudos

Hi Dirk,

thanks a lot, I think that's it.

I called the admin of the FTPS server and asked for the CA hierarchy.

Bye

Wolfgang

Former Member
0 Kudos

Hi Wolfgang

You're welcome.

Please consider assigning points for helpful answers,

rgds

Dirk

dhagigeorgiou
Product and Topic Expert
0 Kudos

Hello Wolfgang,

We are experiencing a similar situation.

Did you manage to solve your connection problem?

If yes, what sort of CA files did you upload in the XI keystore?

Former Member
0 Kudos

We had the same issue with an FTPS connector for control and data security.

The strange situation is that the interfaces had been tested successfully in the QA and UAT systems, but when we got to production they failed:

"Peer certificate rejected by ChainVerifier"

If the host peer does not ask for certificate authentication, then installing the certs in the J2EE keystore is not necessary.

The issue has nothing to do with the certificates of the certification chain. The issue lies in the way the FTPS adapter is implemented for comparing the hostname against the certificate CN parameter.

The FTP protocol does not include a hostname as part of the technical packets; it only uses the IP addresses. Therefore the FTPS implementation has to rely on a reverse DNS lookup procedure.

If the hosting FTPS site has a high-availability or load-balancing setup, or if it has not been set up properly for global reverse DNS to work, then the FTPS adapter will only have the IP address to call the chain verification for the host certificate, and therefore it fails.

SOLUTION:

We solved the issue by adding the DNS entries for all servers in the high-availability setup to the local "hosts" file of the platform.

Adding them to the local DNS servers will also work.

It took us 3 months to figure this out.

But I am still unclear whether the responsibility for the issue lies on the host side, the network setup or the implementation of the FTPS adapter in XI/PI.

Answers (2)

Former Member
0 Kudos

Hi All,

We are having the same issue with FTPS in our SAP PI systems. On the target FTP server side we are using the ProFTPD software for FTPS, installed and configured on port 990, with a certificate generated on the FTP server using the ProFTPD software.

In the SAP PI server communication channel configuration we use the FTP configuration below.

FTP Connection Parameters.

Server : xxxxx

Port :990

Data Connection : Passive

Connection Security : FTPS (FTP Using SSL/TLS) for Control Connection

Command Order : AUTH TLS,USER,PASS,PBSZ,PROT

We are not using any [ ] X.509 Certificate for Client Authentication

The above parameter settings for FTPS work fine without any issues; the CC polling process finishes successfully every 60 seconds as defined.

ISSUE

When we change the Connection Security to "FTPS (FTP Using SSL/TLS) for Control and Data Connection"

and start the CC, it gets the error "........ Certificate rejected by Chain Verifier".

We tried a couple of options in the ProFTPD FTP client configuration file

with TLSRequired <on> <auth+data> but get the same error, although it works fine with the option

TLSRequired ctrl.

Please let us know your suggestions: whether we can continue with the Control Connection option, or any solution if we use Control and Data Connection.

Thanks in advance

Gary.

Former Member
0 Kudos

Hi Gary,

For the Server name, give the hostname instead of the IP address. You can see the hostname in the certificate under "CN". Put the same hostname in the Server field of the file adapter and try to connect.

-Krupakar

Former Member
0 Kudos

Hi Krupakar,

Thanks for quick reply.

We are using the FQDN only as the Server name, not the IP address.

It's working fine when we select Control Connection.

But if we change to Control and Data Connection it's failing with "Certificate Rejected by Chain Verifier".

Is it mandatory to select the [ ] X.509 Certificate for Client Authentication option when we use Control and Data Connection? For the Control Connection above it's working without the certificate exchange.

Please advise.

Thanks in advance

Gary

Former Member
0 Kudos

>> But if we change to Control and Data Connection its failing by giving the Certificate Rejected by Chain Verifier.

I assume they are authenticating only for the control connection. That is the reason it is failing for Control and Data Connection.

>> Is it mandatory to select the [ ] X.509 Certificate for Client Authentication option when we use Control and Data Connection?

No, it's not mandatory to select the X.509 certificate. You can see only private keys in the keystore list when you press "?", but you cannot see the public certificates (which you received from your partner) that you installed in Key Storage in Visual Admin.

As far as I know there is no need to use an X.509 certificate for either Control Connection or Control & Data Connection.

Former Member
0 Kudos

Hello Gary,

We are facing the same issue. When I configure the file/FTP receiver adapter with connection security set to "FTPS (FTP using SSL/TLS) for Control connection", it works, but then the data flow is not encrypted. That is not what we want. But when we set it to "FTPS (FTP using SSL/TLS) for Control and data connection", we found out that the SAP adapter sends the SSL certificate to the FTP server not only as the first part of the control connection, but also as the first part of the data connection. The FTP server is not able to handle this and the adapter runs into the "chain verifier exception". We found that out with detailed FTP command debugging on the FTP server.

  • In fact, when we choose "FTPS (...) for Control connection", the adapter generates the FTP command "PROT C", which causes the data connection to be without encryption.
  • When we choose "FTPS (...) for Control and data connection", the adapter generates the FTP command "PROT P", which causes the data connection to be encrypted, but also sends the SSL certificate as the first part of the data transfer session. This causes the problem, because the FTP server cannot handle this certificate as the first part of the data session.

Now here is my question: Do you (or anybody else) know if this is a misbehavior of the SAP adapter or just a missing feature of the partner's FTP server? Did you solve your issue in the meantime?

BR, Joerg
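An added example (not from this thread, and not SAP's adapter code) covering the two points raised above: the reverse-DNS dependency when the channel's Server value is an IP address rather than a name matching the certificate CN/SAN, and PROT C (control only) versus PROT P (control and data). Python's ftplib stands in for the XI/PI adapter; `cafile`, `host`, `user`, `password` and the injectable `reverse_dns` parameter are assumptions, and the certificate dicts in the test are constructed samples.

```python
import ipaddress
import socket
import ssl
from ftplib import FTP_TLS

def cert_names(peercert):
    # Names a certificate is valid for, from getpeercert()'s dict format.
    dns, ips = set(), set()
    for rdn in peercert.get("subject", ()):
        dns.update(v.lower() for k, v in rdn if k == "commonName")
    for kind, value in peercert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            (dns if kind == "DNS" else ips).add(value.lower())
    return dns, ips

def name_matches(name, pattern):
    # Exact match, or one leftmost wildcard label ("*.cluster.example.com").
    name, pattern = name.lower(), pattern.lower()
    if not pattern.startswith("*."):
        return name == pattern
    return name.count(".") == pattern.count(".") and name.endswith(pattern[1:])

def diagnose(server, peercert, reverse_dns=socket.gethostbyaddr):
    # Predict the hostname check for the channel's Server value; reverse_dns is a
    # hypothetical injectable parameter so the check can run offline.
    dns, ips = cert_names(peercert)
    try:
        ipaddress.ip_address(server)
    except ValueError:  # configured by name: compare directly with CN/SANs
        if any(name_matches(server, p) for p in dns):
            return "ok"
        return "fail: %s is not among the certificate names %s" % (server, sorted(dns))
    if server in ips:
        return "ok: IP SAN present"
    try:  # configured by IP: a name can only come from a reverse lookup
        ptr = reverse_dns(server)[0]
    except OSError:
        return "fail: IP configured, no IP SAN, no reverse DNS; use the FQDN or a hosts entry"
    if any(name_matches(ptr, p) for p in dns):
        return "ok-but-fragile: accepted only via reverse DNS name %s" % ptr
    return "fail: reverse DNS gives %s, which is not in the certificate" % ptr

def connect_ftps(host, user, password, cafile, protect_data=True):
    # Explicit FTPS in the channel's command order AUTH TLS, USER, PASS, PBSZ,
    # PROT; the chain must end at a CA in cafile and the name must match.
    ctx = ssl.create_default_context(cafile=cafile)  # check_hostname stays on
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, 21)
    ftps.auth()                    # AUTH TLS
    ftps.login(user, password)     # USER, PASS over the protected control channel
    ftps.prot_p() if protect_data else ftps.prot_c()  # PBSZ 0 + PROT P, or PROT C
    return ftps
```

Run `diagnose` against the Server value configured in the channel and the dict from `getpeercert()` before blaming the trust store: a "fail" here is a hostname problem, not a missing CA.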
