on 05-18-2006 1:17 PM
Hi,
I wanna use the XI-File/FTP-Adapter to connect to our FTPs-Server.
We have to use Username/Password to connect to the FTPs-Server (it's an Ipswitch WS_FTP-Server) - using X.509 is not possible (it's another department administrating the FTPs-Server).
Now I get the error "Error: Message processing failed: iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier".
The Crypto-Package is installed and is working - we tested it by connecting via https to SAP NetWeaver.
Do we need a certificate if we just use USER/PASSWORD-Connection (no X.509)?
Thanx a lot,
bye
Wolfgang
Hi Wolfgang,
You need to make sure that your FTPs client (XI?) trusts your FTPs server certificate (in parallel with your authentication username/password).
This means that you need to import the CA hierarchy of your FTPs server certificate into the list of trusted CAs in XI (either on the J2EE side in the keystore service or on the ABAP side via transaction STRUST, depending on where your client is).
regards
Dirk
We had the same issue with an FTPS connector for Control and Data security.
The strange situation is that the interfaces had been tested successfully in the QA and UAT systems, but failed when we got to production.
"Peer certificate rejected by ChainVerifier"
If the host peer does not ask for certificate authentication, then installing the certs in the J2EE keystore is not necessary.
The issue has nothing to do with the certificates of the certification chain. The issue lies in the way that the FTPS adapter is implemented for comparing the hostname against the certificate CN parameter.
The FTP protocol does not include a hostname as part of the technical packets; it only uses the IP addresses. Therefore the FTPS implementation has to rely on a reverse DNS lookup procedure.
If the hosting FTPS site has a high-availability or load-balancing setup, or if it has not been set up properly for global reverse DNS to work, then the FTPS adapter will only have the IP address to call the chain verification for the host certificate, and therefore it fails.
SOLUTION:
We solved the issue by adding the DNS entries for all servers in the high-availability setup in the local "hosts" file of the platform.
Adding them to the local DNS servers will also work.
It took us 3 months to figure this out.
But I am still unclear whether the responsibility for the issue lies on the host side, the network setup or the implementation of the FTPS adapter in XI/PI.
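A pre-deployment check for the condition this reply describes, as an added example (not part of the original thread and not SAP's code): for each server IP in the high-availability setup, reverse-resolve it and compare the result with the names in the server certificate. It assumes, as the poster reports, that the client compares the reverse-resolved name with the certificate name; the IP addresses, host names and function names are constructed for illustration.

```python
import socket

def name_matches(pattern, hostname):
    """Exact match, or a '*' that stands for the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def reverse_lookup(ip):
    """Reverse lookup through the OS resolver (usually hosts file, then DNS)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror: no reverse entry
        return None

def audit(ips, cert_names, resolver=reverse_lookup):
    """Map each server IP to (reverse_name, verdict)."""
    report = {}
    for ip in ips:
        name = resolver(ip)
        if name is None:
            verdict = "no-reverse-name"   # client is left with the bare IP
        elif any(name_matches(c, name) for c in cert_names):
            verdict = "match"
        else:
            verdict = "mismatch"          # resolves, but not to a certificate name
        report[ip] = (name, verdict)
    return report

# Constructed sample data: documentation address range, made-up host names.
SAMPLE_CERT_NAMES = ["ftps.example.com"]
SAMPLE_PTR = {
    "192.0.2.10": "ftps.example.com",
    "192.0.2.11": "node2.dc1.example.net",
    "192.0.2.12": None,
}

if __name__ == "__main__":
    # Offline demo: SAMPLE_PTR.get stands in for the resolver.
    result = audit(SAMPLE_PTR, SAMPLE_CERT_NAMES, SAMPLE_PTR.get)
    for ip, (name, verdict) in result.items():
        print(f"{ip:12} {name or '-':26} {verdict}")
```

Calling `audit()` without the `resolver` argument uses the live resolver of the machine it runs on, so run it on the integration host itself to see what that platform's hosts file and DNS actually return.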