Hi, I’m trying to use the Integration Server as an FTPS client. The Integration Server Administrator Guide is very clear in chapter 11 that it can be used either as a server or a client. The guide also indicates the following:
If the Integration Server will act as an SSL client, obtain the digital certificates of the certificate authorities that signed the certificates for the Internet resources that you will connect to. Place each certificate in a separate file. Place the files in the directory you use to store digital certificates of certificate authorities.
So I contacted the IT department of the company I’m going to connect to and asked for the certificate. They sent me the following:
A File with an extension “p7b” (gd_iis_intermediates.p7b)
So, I went and created a folder inside the Integration Server config directory called “Certificados” (/opt/webMethods712/IntegrationServer/config/Certificados) and copied the “p7b” file to that folder.
Then I went to the section “Security > Certificates” on the IS admin page and configured the CA Certificate Directory equal to “config/Certificados” in the “Trusted Certificates” area.
Finally, I restarted the IS and tried to connect to the FTPS without success. The IS flow (pub.client.ftp) doesn’t throw an error, but it doesn’t connect either. The flow just doesn’t respond back.
The admin guide specifies many more configurations for SSL, but it does not specify clearly which configurations are needed when we want to use the IS only as a client. Any idea what could be wrong?
Hi Pereira,
As per my knowledge ‘.p7b’ is the extension of a signature file not the public key and as per my knowledge webMethods supports only ‘.DER’ extension. So you should get the proper public key either in .der format or convert it to .der format then use.
So this is what I have done trying to connect to the FTPS using the webMethods 7.1.2 pub.client:ftp flow service
Generated our own keypairs (private and public keys). To run this command you have to be positioned in the bin folder of the JAVA_HOME of the Integration Server.
Ran the service again, after first setting the Integration Server logging level to trace.
Once I run the flow the server.log shows:
[ISS.0014.14.16] 2010-04-07 08:01:07 AST TRACE: Invoking service mpCfmMapfreFinance.flujos:testCFMFtp
[ISC.0049.49.5] 2010-04-07 08:01:07 AST DEBUG: Invoke : index=1 depth=1
[ISS.0014.14.16] 2010-04-07 08:01:07 AST TRACE: Invoking service pub.client:ftp
[ISC.0049.49.5] 2010-04-07 08:01:07 AST DEBUG: Invoke : index=1 depth=1
[ISS.0014.14.16] 2010-04-07 08:01:07 AST TRACE: Invoking service pub.client.ftp:login
[ISC.0064.64.20] 2010-04-07 08:01:07 AST TRACE: host: XX.XXX.65.173 port: 990 User ID: XXXX
[ISC.0009.9.6] 2010-04-07 08:01:08 AST DEBUG: Error encountered loading certificate /opt/webMethods712/IntegrationServer/config/Certificados/gd_iis_intermediates.cer: iaik.asn1.CodingException: ASN.1 creation error:Length: Too large ASN.1 object: 102
[ISC.0064.64.21] 2010-04-07 08:01:08 AST TRACE: Successfully connected to host: XX.XXX.65.173 port: 990
Changed the PEM certificate to DER format, restarted the IS, ran it once again, and then the log showed the following:
[ISS.0014.14.16] 2010-04-07 08:29:09 AST TRACE: Invoking service mpCfmMapfreFinance.flujos:testCFMFtp
[ISC.0049.49.5] 2010-04-07 08:29:09 AST DEBUG: Invoke : index=1 depth=1
[ISS.0014.14.16] 2010-04-07 08:29:09 AST TRACE: Invoking service pub.client:ftp
[ISC.0049.49.5] 2010-04-07 08:29:09 AST DEBUG: Invoke : index=1 depth=1
[ISS.0014.14.16] 2010-04-07 08:29:09 AST TRACE: Invoking service pub.client.ftp:login
[ISC.0064.64.20] 2010-04-07 08:29:09 AST TRACE: host: XX.XXX.65.173 port: 990 User ID: XXXX
[ISC.0064.64.21] 2010-04-07 08:29:09 AST TRACE: Successfully connected to host: XX.XXX.65.173 port: 990
Now it doesn’t throw the certificate error, but the flow service never responds back, as always …
Now, the remote FTP server is configured to accept only SSL connections, so you need to get the remote server certificate added to your trusted store if it is self-signed and not a valid certificate signed by a valid CA. The best way to achieve this is by running the command:
openssl s_client -connect serverip:port -showcerts (The -showcerts will show all certificates in the chain)
The output of this command will print the certificates on your screen, so copy from
-----BEGIN CERTIFICATE-----
Until…
-----END CERTIFICATE-----
Paste from clipboard to a txt file, and name it cert1.der
Do the same for all the certificates shown.
After you get all the certificates copied to /opt/webMethods712/IntegrationServer/config/Certificados restart IS and try to connect.
Ensure you have set, on the step pub.client:ftp, the “secure” option to AUTH SSL or TLS, and “securedata” depending on your needs.
Now if the remote FTP server, not only accepts SSL connections, but also REQUIRES client certificates, follow the Built-in services guide to set the proper Cert to authenticate (But I guess this is not your case).
I would suggest raising a support request if you still get problems. SSL is sometimes a pity and support will guide you quickly to resolve this.
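The copy-and-split step from the reply above, as an added example that is not part of the original posts: it takes saved `openssl s_client -showcerts` output, decodes each PEM block to binary DER (the form in which the ASN.1 loading error in the earlier log went away) and checks the outer ASN.1 length before writing one file per certificate. The function names are hypothetical, and the sample text with its tiny stand-in "certificates" is constructed.

```python
import base64
import pathlib
import re
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_total_length(der: bytes) -> int:
    """Size (header + body) that the outer DER SEQUENCE claims to occupy."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE tag (0x30)")
    if der[1] < 0x80:                       # short form: length in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_chain_to_der(text: str) -> list:
    """Decode every PEM certificate block in s_client output to DER bytes."""
    ders = []
    for match in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(match.group(1).split()))
        if der_total_length(der) != len(der):
            raise ValueError("certificate block is truncated or has extra bytes")
        ders.append(der)
    return ders

def write_trust_dir(text: str, directory) -> list:
    """Write cert1.der, cert2.der, ... (one certificate per file)."""
    paths = []
    for i, der in enumerate(pem_chain_to_der(text), start=1):
        path = pathlib.Path(directory) / f"cert{i}.der"
        path.write_bytes(der)
        paths.append(path)
    return paths

# Constructed stand-ins for two certificates: bare DER SEQUENCEs, not real X.509.
FAKE_DERS = [bytes([0x30, 0x03, 0x02, 0x01, 0x01]),
             bytes([0x30, 0x81, 0x80]) + bytes(128)]
# Constructed text shaped like `openssl s_client -showcerts` output.
SAMPLE = "CONNECTED(00000003)\n---\nCertificate chain\n" + "".join(
    f" {i} s:/CN=constructed{i}\n-----BEGIN CERTIFICATE-----\n"
    f"{base64.b64encode(d).decode()}\n-----END CERTIFICATE-----\n"
    for i, d in enumerate(FAKE_DERS))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for p in write_trust_dir(SAMPLE, tmp):
            print(p.name, p.stat().st_size, "bytes")
```

Running `der_total_length` over the raw bytes of a file already in the trusted-certificates directory shows whether it is binary DER or still PEM text before the server is restarted.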