Integration Server - FTPS client

Hi,

I’m trying to use the Integration Server as a FTPS client. The Integration Server Administrator Guide is very clear on chapter 11 that it can be use either as a server or a client.

The guide also indicates the following:

If the Integration Server will act as an SSL client, obtain the digital certificates of the certificate authorities that signed the certificates for the Internet resources that you will connect to. Place each certificate in a separate file. Place the files in the directory you use to store digital certificates of certificate authorities.

So I contacted the IT department of the company I’m going to connect to and asked for the certificate. They sent me the following:

  • A File with an extension “p7b” (gd_iis_intermediates.p7b)
  • Certificate File Hash (sha1) : XXX7A 7ª XXXXXXXXXXXXXXXXXXX
  • Certificate Thumbprint (sha1) : XXXXXd8 6c f4 XXXXXXXXXXXXXX


So, I went an created a folder inside the Integration Server config directory called ‘Certificados” (/opt/webMethods712/IntegrationServer/config/Certificados) and copied the “p7b” file on that folder

Then I went to the section “Security > Certificates” on the IS admin page and configure the CA Cerificate Directory equal to “config/Certificados” on the “Trusted Certificates” area.

Finally, then I restarted the IS and tried to connect to the FTPS without success. The IS flow (pub.client.ftp) doesn’t throw an error, but it doesn’t connect either. The flow just doesn’t respond back.

The admin guide specified many more configuration for SSL, but it does not specified clearly which configurations are needed when we want to use the IS only as client.

Any idea what could be wrong?

IS only understand CER/DER format.

Convert the certificate from p7b to cer/der (using openssl), and place the new created file under “Trusted Certificates” area.

Regards

[COLOR=black][FONT=Verdana]Thanks DevNull43.

I went and used OpenSSL and created the cer file using:

openssl pkcs7 -print_certs -in c:\gd_iis_intermediates.p7b -out c:\gd_iis_intermediates.cer

But still it doesn’t connect to the FTPS and no error is thrown.

Does the Integration Server throw an error if it doesn’t find the right certificate when connecting to a particular FTPS?

How can I make sure I got the right certificate?

Thanks Again
[/FONT][/COLOR]

Hi Pereira,
As per my knowledge ‘.p7b’ is the extension of a signature file not the public key and as per my knowledge webMethods supports only ‘.DER’ extension. So you should get the proper public key either in .der format or convert it to .der format then use.

Do you know if Integration Server provides FTPS capabilities for Implicit Client Security inside the “pub.client.ftp” built in service?

Wikipedia explains:

I believe I’m trying to use Implicit connection because the Port of the FTPS address is 990.

Follow up:

So this is what I have done trying to connect to the FTPS using the webMethods 7.1.2 pub.client:ftp flow service

  • Generated our own keypairs (private and public keys). To run this command you have to be positioned on the bin folder of the JAVA _HOME of the Integration Server.

./keytool -genkey -alias mpr_xxx -keystore mapfeprxxx.jks

  • Imported the entity certificate to our keystore

./keytool -keystore /opt/webMethods712/jvm/sol150/jre/lib/security/cacerts -import -file /opt/webMethods712/IntegrationServer/config/Certificados/xxxxxx.cer

  • Run again the service setting before the Integration Server logging level to trace.

Once I run the flow the server.log shows:

FONT=Times New Roman [ISS.0014.14.16] 2010-04-07 08:01:07 AST TRACE: Invoking service mpCfmMapfreFinance.flujos:testCFMFtp[/font]
FONT=Times New Roman [ISC.0049.49.5] 2010-04-07 08:01:07 AST DEBUG: Invoke : index=1 depth=1[/font]
FONT=Times New Roman [ISS.0014.14.16] 2010-04-07 08:01:07 AST TRACE: Invoking service pub.client:ftp[/font]
FONT=Times New Roman [ISC.0049.49.5] 2010-04-07 08:01:07 AST DEBUG: Invoke : index=1 depth=1[/font]
FONT=Times New Roman [ISS.0014.14.16] 2010-04-07 08:01:07 AST TRACE: Invoking service pub.client.ftp:login[/font]
FONT=Times New Roman [ISC.0064.64.20] 2010-04-07 08:01:07 AST TRACE: host: XX.XXX.65.173 port: 990 User ID: XXXX[/font]
FONT=Times New Roman [ISC.0009.9.6] 2010-04-07 08:01:08 AST DEBUG: Error encountered loading certificate /opt/webMethods712/IntegrationServer/config/Certificados/gd_iis_intermediates.cer: iaik.asn1.CodingException: ASN.1 creation error:Length: Too large ASN.1 object: 102[/font]
FONT=Times New Roman [ISC.0064.64.21] 2010-04-07 08:01:08 AST TRACE: Successfully connected to host: XX.XXX.65.173 port: 990[/font]

  • Change the PEM Certificate TO DER format, restarted the IS, run it once again , then the log throw the following

FONT=Times New Roman [ISS.0014.14.16] 2010-04-07 08:29:09 AST TRACE: Invoking service mpCfmMapfreFinance.flujos:testCFMFtp[/font]
FONT=Times New Roman [ISC.0049.49.5] 2010-04-07 08:29:09 AST DEBUG: Invoke : index=1 depth=1[/font]
FONT=Times New Roman [ISS.0014.14.16] 2010-04-07 08:29:09 AST TRACE: Invoking service pub.client:ftp[/font]
FONT=Times New Roman [ISC.0049.49.5] 2010-04-07 08:29:09 AST DEBUG: Invoke : index=1 depth=1[/font]
FONT=Times New Roman [ISS.0014.14.16] 2010-04-07 08:29:09 AST TRACE: Invoking service pub.client.ftp:login[/font]
FONT=Times New Roman [ISC.0064.64.20] 2010-04-07 08:29:09 AST TRACE: host: XX.XXX.65.173 port: 990 User ID: XXXX[/font]
FONT=Times New Roman [ISC.0064.64.21] 2010-04-07 08:29:09 AST TRACE: Successfully connected to host: XX.XXX.65.173 port: 990[/font]

Now it doesn’t throw the Certificate error, but the flow service never respond back as always …

Any more ideas on what can be wrong?

Here is what the FTPS Server is logging:


When trying to connect unsuccessfully to port 990 the following log is display

***********************************************************************
2010-04-07 19:59:18 65.38.221.226 50159 - - 990 ControlChannelOpened - 0 - -
2010-04-07 20:00:27 65.38.221.226 50157 - - 990 ControlChannelClosed - 258 - -

***********************************************************************

When successfully connecting to port 21 the following log is display

***********************************************************************
2010-04-07 20:01:42 65.38.221.226 11286 - - 21 ControlChannelOpened - 0 - -
2010-04-07 20:01:42 65.38.221.226 11286 - - 21 USER 331 0 - -
2010-04-07 20:01:42 65.38.221.226 11286 TWIN\xxxuser - 21 PASS 230 0 / -
2010-04-07 20:01:42 65.38.221.226 11286 TWIN\xxxuser - 21 TYPE 200 0 - -
2010-04-07 20:01:42 65.38.221.226 11286 TWIN\xxxuser - 21 CWD 250 0 / -
2010-04-07 20:01:42 65.38.221.226 11286 TWIN\xxxuser - 21 PASV 227 0 - -
2010-04-07 20:01:43 65.38.221.226 11287 TWIN\xxxuser - 3001 DataChannelOpened - 0 - -
2010-04-07 20:01:43 65.38.221.226 11287 TWIN\xxxuser - 3001 DataChannelClosed - 0 - -
2010-04-07 20:01:43 65.38.221.226 11286 TWIN\xxxuser - 21 NLST 226 0 / -
2010-04-07 20:01:43 65.38.221.226 11286 TWIN\xxxuser - 21 QUIT 221 0 - -
2010-04-07 20:01:43 65.38.221.226 11286 TWIN\xxxuser - 21 ControlChannelClosed - 0 - -
***********************************************************************

Maybe this detail will help find a solution


The p7b file contains only the public certificates, used mostly for signing messages http://en.wikipedia.org/wiki/PKCS7

Now remote FTP server is configured for accepting only SSL connections, so you need to get remote server certificate added to your trusted store if it is self-signed and not a valid certificate signed by a valid CA. The best way to achieve this is by running command:

openssl s_client -connect serverip:port -showcerts (The -showcerts will show all certificates in the chain)

The output of this command will print in your screen the certificates, so copy from
-----BEGIN CERTIFICATE-----
Until…
-----END CERTIFICATE-----

Paste from clipboard to a txt file, and name it cert1.der

Do the same for all the certificates shown.

After you get all the certificates copied to /opt/webMethods712/IntegrationServer/config/Certificados restart IS and try to connect.

Ensure you have set on the step pub.client:ftp the “secure” option to AUTH SSL or TLS and “securedata” depending your needs.

Now if the remote FTP server, not only accepts SSL connections, but also REQUIRES client certificates, follow the Built-in services guide to set the proper Cert to authenticate (But I guess this is not your case).

I would suggest raising a support request if you still get problems. SSL is sometimes a pitty and support will guide you quickly to resolve this.