Former Member

FTPs connection failed - error ".. certificate rejected by ChainVerifier"

Hi,

I want to use the XI-File/FTP-Adapter to connect to our FTPs-Server.

We have to use Username/Password to connect to the FTPs-Server (it's an Ipswitch WS_FTP-Server) - using X.509 is not possible (it's another department administrating the FTPs-Server).

Now I get the error "Error: Message processing failed: iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier".

The Crypto-Package is installed and is working - we tested it by connecting via https to SAP NetWeaver.

Do we need a certificate if we just use USER/PASSWORD-Connection (no X.509)?

Thanks a lot,

bye

Wolfgang


3 Answers

  • Best Answer
    Former Member
    May 18, 2006 at 12:48 PM

    Hi Wolfgang,

    You need to make sure that your FTPs client (XI?) trusts your FTPs server certificate (in parallel with your authentication username/password).

    This means that you need to import the CA hierarchy of your FTPs server certificate into the list of trusted CAs in XI (either on the J2EE side in the keystore service or on the ABAP side via transaction STRUST, depending on where your client is).

    regards

    Dirk


    • Former Member

      We had the same issue with an FTPS connector for Control and Data security.

      The strange situation is that the interfaces had been tested successfully in the QA and UAT systems, but when we got to production they failed:

      "Peer certificate rejected by ChainVerifier"

      If the host peer does not ask for certificate authentication, then installing the certs in the J2EE keystore is not necessary.

      The issue has nothing to do with the certificates of the certification chain. The issue lies in the way the FTPS adapter is implemented for comparing the hostname against the certificate CN parameter.

      The FTP protocol does not include a hostname as part of the technical packets; it only uses the IP addresses. Therefore the FTPS implementation has to rely on a reverse DNS lookup procedure.

      If the hosting FTPS site has a high-availability or load balancing setup, or if it has not been set up properly for global reverse DNS to work, then the FTPS adapter will only have the IP address to call the chain verification for the host certificate, and therefore it fails.

      SOLUTION:

      We solved the issue by adding the DNS entries for all servers in the high-availability setup in the local "hosts" file of the platform.

      Adding them to the local DNS servers will also work.

      It took us 3 months to figure this out.

      But I am still unclear whether the responsibility for the issue lies on the host side, the network setup or the implementation of the FTPS adapter in XI/PI.
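      The failure mode this comment describes, modelled in Python as an added example (not code from the thread and not SAP's adapter): the client has only the peer IP address, maps it to a name through the local hosts file or reverse DNS, and compares that name with the names in the server certificate. All addresses, host names and hosts-file entries below are constructed.

```python
"""Constructed model of the FTPS peer-name check described in the comment above."""
# Constructed: an HA pool behind the service name ftp.example.com. Global reverse
# DNS returns the individual node names, which do not appear in the certificate.
REVERSE_DNS = {
    "192.0.2.10": "node1.ftp-pool.example.com",
    "192.0.2.11": "node2.ftp-pool.example.com",
    "192.0.2.12": "node3.ftp-pool.example.com",
}
# Constructed names from the server certificate (SAN dNSName entries, or CN).
CERT_NAMES = ["ftp.example.com"]
# Constructed hosts-file fix: pin every pool node to the name the certificate carries.
HOSTS_FIX = """
192.0.2.10  ftp.example.com  node1.ftp-pool.example.com   # hosts file wins over rDNS
192.0.2.11  ftp.example.com
192.0.2.12  ftp.example.com
"""

def parse_hosts(text):
    """Parse hosts-file syntax ('ip name [alias ...]', '#' comments) into ip -> [names]."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            table.setdefault(ip, []).extend(names)
    return table

def resolve_peer_name(peer_ip, hosts_table):
    """Mimic gethostbyaddr(): the local hosts file is consulted first, then reverse DNS."""
    if peer_ip in hosts_table:
        return hosts_table[peer_ip][0]  # canonical name
    return REVERSE_DNS.get(peer_ip)     # None when reverse DNS is not set up

def name_matches(pattern, host):
    """Certificate-name match; a single leading '*.' wildcard covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def verify_peer_name(peer_ip, hosts_table=None):
    """Hostname half of the ChainVerifier decision: returns (accepted, reason)."""
    name = resolve_peer_name(peer_ip, hosts_table or {})   # FTP gives only the address
    if name is None:
        return False, f"{peer_ip}: no reverse DNS name, nothing to compare with the certificate"
    if any(name_matches(p, name) for p in CERT_NAMES):
        return True, f"{peer_ip} -> {name} matches {CERT_NAMES}"
    return False, f"{peer_ip} -> {name} does not match {CERT_NAMES}"
```

      Without the hosts entries every pool node resolves to its own node name and is rejected; with them each address resolves to the service name the certificate carries, which is the change the comment describes.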

  • Former Member
    May 18, 2006 at 12:23 PM

    Hi Wolfgang,

    You need to make sure that your FTPs client (XI?) trusts your FTPs server certificate (in parallel with your authentication username/password).

    This means that you need to import the CA hierarchy of your FTPs server certificate into the list of trusted CAs in XI (either on the J2EE side in the keystore service or on the ABAP side via transaction STRUST, depending on where your client is).

    regards

    Dirk


  • Former Member
    Mar 16, 2009 at 09:51 PM

    Hi All,

    We are having the same issue with FTPS in our SAP PI systems. On the target FTP server side we are using the Proftpd software for FTPS, installed and configured on port 990, and we generated a certificate on the FTP server using the Proftpd software.

    In the SAP PI server Communication Channel configuration we use the FTP configuration below.

    FTP Connection Parameters:

    Server: xxxxx

    Port: 990

    Data Connection: Passive

    Connection Security: FTPS (FTP Using SSL/TLS) for Control Connection

    Command Order: AUTH TLS,USER,PASS,PBSZ,PROT

    We are not using any [ ] X.509 Certificate for Client Authentication.

    The above parameter settings for FTPS work fine without any issues; the CC polling process finishes successfully every 60 seconds as defined.

    ISSUE

    When we change the Connection Security to FTPS (FTP Using SSL/TLS) for Control and Data Connection and start the CC, it gets the error "........ Certificate rejected by Chain Verifier".

    We tried a couple of options in the Proftpd FTP client configuration file with TLSRequired <on> <auth+data>, but we get the same error; it works fine with the option TLSRequired ctrl.

    Please let us know your suggestions: whether we can continue with the Control Connection option, or any solution if we use Control and Data Connection.

    Thanks in advance

    Gary.
