FTPs connection failed - error ".. certificate rejected by ChainVerifier"

Former Member
0 Kudos

Hi,

I wanna use the XI-File/FTP-Adapter to connect to our FTPs-Server.

We have to use Username/Password to connect to the FTPs-Server (it's an Ipswitch WS_FTP-Server) - using X.509 is not possible (it's another department administrating the FTPs-Server).

Now I get the error "Error: Message processing failed: iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier".

The Crypto-Package is installed and is working - we tested it by connecting via https to SAP NetWeaver.

Do we need a certificate if we just use USER/PASSWORD-Connection (no X.509)?

Thanx a lot,

bye

Wolfgang

Former Member
0 Kudos

Hi Wolfgang,

You need to make sure that your FTPs client (XI?) trusts your FTPs server certificate (in parallel with your authentication username/password).

This means that you need to import the CA hierarchy of your FTPs server certificate into the list of trusted CAs in XI (either on the J2EE side in the keystore service or on the ABAP side via transaction STRUST, depending on where your client is).

regards

Dirk

Former Member
0 Kudos

Hi Dirk,

thanx a lot - I think that's it.

I called the admin of the FTPs-server to send me the CA hierarchy.

Bye

Wolfgang

Former Member
0 Kudos

Hi Wolfgang

You're welcome.

Please consider assigning points for helpful answers,

rgds

Dirk

dhagigeorgiou
Product and Topic Expert
0 Kudos

Hello Wolfgang,

We are experiencing a similar situation.

Did you manage to solve your connection problem?

If yes, what sort of CA files did you upload in the XI keystore?

Former Member
0 Kudos

We had the same issue with a FTPS connector for Control and Data security.

The strange situation is that the interfaces had been tested successfully in the QA and UAT systems, but when we got to production they failed.

"Peer certificate rejected by ChainVerifier"

If the host peer does not ask for certificate authentication, then installing the certs in the J2EE keystore is not necessary.

The issue has nothing to do with the certificates of the certification chain. The issue lies in the way that the FTPS adapter is implemented for comparing the hostname against the certificate CN parameter.

The FTP protocol does not include a hostname as part of the technical packets; it only uses the IP addresses. Therefore the FTPS implementation has to rely on a reverse DNS lookup procedure.

If the hosting FTPS site has a high-availability or load-balancing setup, or if it has not been set up properly for global reverse DNS to work, then the FTPS adapter will only have the IP address to call the chain verification for the host certificate, and therefore it fails.

SOLUTION:

We solved the issue by adding the DNS entries for all servers in the high-availability setup in the local "hosts" file of the platform.

Adding them to the local DNS servers will also work.

It took us 3 months to figure this out.

But I am still unclear whether the responsibility for the issue lies on the host side, the network setup or the implementation of the FTPS adapter in XI/PI.
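
An added example, not part of the thread and not the XI/PI adapter's code: it models the check the last post describes, where the client derives a name from the server IP by reverse lookup and compares it with the certificate's CN/SAN names. The addresses, host names and PTR tables are constructed, and the function names are hypothetical.

```python
import socket

def name_matches(pattern, hostname):
    """Compare a certificate name with a host name; '*' covers the leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def system_reverse_lookup(ip):
    """Reverse lookup through the OS resolver (typically the hosts file, then DNS)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:  # covers socket.herror / socket.gaierror: no reverse entry
        return []

def check_peer(ip, cert_names, reverse_lookup=system_reverse_lookup):
    """Return (ok, candidates): does any name derived from the IP match the certificate?"""
    candidates = reverse_lookup(ip) or [ip]  # no reverse entry: only the IP is left
    ok = any(name_matches(c, n) for c in cert_names for n in candidates)
    return ok, candidates

# Constructed sample data: one certificate name, two load-balanced nodes.
CERT_NAMES = ["ftps.example.com"]
PTR_BEFORE = {"192.0.2.10": ["node1.lb.example.net"]}  # 192.0.2.11 has no entry
PTR_AFTER = {"192.0.2.10": ["ftps.example.com"],       # after hosts/DNS entries
             "192.0.2.11": ["ftps.example.com"]}

def audit(ips, ptr_table):
    """Run the check for every node against a given reverse-lookup table."""
    lookup = lambda ip: ptr_table.get(ip, [])
    return {ip: check_peer(ip, CERT_NAMES, lookup)[0] for ip in ips}

if __name__ == "__main__":
    nodes = ["192.0.2.10", "192.0.2.11"]
    print("before hosts entries:", audit(nodes, PTR_BEFORE))
    print("after hosts entries: ", audit(nodes, PTR_AFTER))
```

Calling `check_peer` with the default resolver on the integration host, once per node IP behind the load balancer, shows which nodes still lack a reverse entry that matches the certificate.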