webMethods Integration Server Details: com.jcraft.jsch.JSchException: connection is closed by foreign host

Encountered the error below when creating an SFTP Server Alias in webMethods IS.

Has anyone encountered the error below?

Cannot get host key from server [sftp-hostname]:22. Details: com.jcraft.jsch.JSchException: connection is closed by foreign host

IS version: 9.8

There might be a network issue, or there might be handshake errors…
Can you enable JSch handshake logs and post them here? To enable handshake logs you have to set the server property watt.ssh.jsch.logging = true.
The logs will be in the wrapper.log file.

2 Likes

INFO: Connecting to hostname.com port 22
INFO: Connection established
ssl_debug(71570): Starting handshake (iSaSiLk 3.03)…
ssl_debug(71570): IOException while handshaking: Connection closed by remote host.
ssl_debug(71570): Sending alert: Alert Fatal: handshake failure
ssl_debug(71570): Shutting down SSL layer…
ssl_debug(71570): Closing transport…
ssl_debug(71570): Closing transport…
……
……
….
ssl_debug(71593): Starting handshake (iSaSiLk 3.03)…
ssl_debug(71593): IOException while handshaking: Connection closed by remote host.
ssl_debug(71593): Sending alert: Alert Fatal: handshake failure
ssl_debug(71593): Shutting down SSL layer…
ssl_debug(71593): Closing transport…
ssl_debug(71593): Closing transport…
INFO: Disconnecting from hostname.com port 22

Hi,

are there any Fixes applied to your IS 9.8?
AFAIK there were some issues with the SFTP feature which were solved with some IS_Core and/or ThirdParty Fixes provided by SAG.

Can you try to connect to the SFTP server by using the following command to check its SSL/TLS status:
openssl s_client -showcerts -connect host:22

Might be an issue with some SSL-related extended settings in your IS and/or the key length or algorithm of the remote server's host key.

Regards,
Holger

1 Like

Thank you Holger for your response.

openssl s_client -showcerts -connect hostname:22
CONNECTED(00000003)
2004766116:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 296 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

In this case I would assume an issue with the SSHD config on the remote server.

You should check this with OS Admin of the remote server.

Eventually there might be an issue with the Java version used by your wM 9.8 installation not supporting the cipher specs your partner is requiring.
In this case it is recommended to update your environments to a more recent version of wM (I suggest wM 9.12 as minimum version, from where you can migrate to the wM 10.x stream later on.).

Regards,
Holger

1 Like
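The algorithm-support question raised in the reply above can be checked against the server's SSH key-exchange proposal, since SFTP runs over SSH and both sides list their algorithms in SSH_MSG_KEXINIT (RFC 4253, section 7.1). This is an added example, not code from the thread, webMethods or JSch; it parses a KEXINIT payload and reports, per category, the algorithm a client would select or that none is shared. The algorithm lists and helper names are constructed for illustration.

```python
# Name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def proposal(kex, host_key, enc, mac):
    """Build a proposal that uses the same lists in both directions."""
    return {"kex": kex, "host_key": host_key, "enc_c2s": enc, "enc_s2c": enc,
            "mac_c2s": mac, "mac_s2c": mac}

def build_kexinit(lists):
    """Encode a KEXINIT payload; used only to construct the sample input."""
    out = bytes([20]) + bytes(16)            # message type 20, 16-byte cookie
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += len(data).to_bytes(4, "big") + data
    return out + bytes(5)                    # first_kex_packet_follows + reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm, ...]}."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, result = 17, {}
    for name in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")
        if pos + 4 + n > len(payload):
            raise ValueError("truncated name-list: " + name)
        text = payload[pos + 4:pos + 4 + n].decode("ascii")
        result[name] = text.split(",") if text else []
        pos += 4 + n
    return result

def negotiate(client, server_payload):
    """First client preference the server also lists; None means no overlap.
    Simplified: ignores the RFC's extra kex/host-key compatibility rules."""
    server = parse_kexinit(server_payload)
    return {f: next((a for a in client[f] if a in server[f]), None)
            for f in FIELDS[:6]}

# Constructed sample data, not taken from the systems in this thread.
OLD_CLIENT = proposal(["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
                      ["ssh-rsa", "ssh-dss"],
                      ["aes128-ctr", "aes128-cbc", "3des-cbc"],
                      ["hmac-sha1", "hmac-md5"])
SERVER_KEXINIT = build_kexinit(proposal(
    ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    ["ssh-ed25519", "rsa-sha2-512"],
    ["aes256-gcm@openssh.com", "aes128-ctr"], ["hmac-sha2-256"]))

if __name__ == "__main__":
    for field, algo in negotiate(OLD_CLIENT, SERVER_KEXINIT).items():
        print(f"{field:9} {algo or 'no common algorithm'}")
```

A category with no common algorithm is one where the server ends the connection during key exchange, before any authentication takes place.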

Update…

Was able to create a connection in IS SFTP Server and User Alias, but when the Test button is clicked I still encountered the errors below, which were taken from the Error Logs.

ERRORMESSAGE

[ISS.0147.9011] Test of SFTP user alias UserAliasSFTP failed. Details: connection is closed by foreign host
Caused by: com.wm.app.b2b.server.sftp.client.SFTPClientException:
[ISS.0147.9011] Test of SFTP user alias UserAliasSFTP failed. Details: connection is closed by foreign host
Caused by: com.jcraft.jsch.JSchException: connection is closed by foreign host’

ERRSTACKTRACE

com.jcraft.jsch.JSchException: connection is closed by foreign host
at com.jcraft.jsch.Session.connect(Session.java:269)
at com.wm.app.b2b.server.sftp.client.SFTPClientManager.jschConnect(SFTPClientManager.java:837)
at com.wm.app.b2b.server.sftp.client.SFTPClientManager.connectWithoutProxy(SFTPClientManager.java:826)
at com.wm.app.b2b.server.sftp.client.SFTPClientManager.connect(SFTPClientManager.java:734)
at com.wm.app.b2b.server.sftp.client.SFTPClientManager.login(SFTPClientManager.java:598)
at com.wm.app.b2b.server.sftp.client.SFTPClientManager.testConnection(SFTPClientManager.java:648)
at wm.server.sftpclient.testConnection(sftpclient.java:361)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.wm.app.b2b.server.JavaService.baseInvoke(JavaService.java:441)
at com.wm.app.b2b.server.invoke.InvokeManager.process(InvokeManager.java:649)
at com.wm.app.b2b.server.util.tspace.ReservationProcessor.process(ReservationProcessor.java:39)
at com.wm.app.b2b.server.invoke.StatisticsProcessor.process(StatisticsProcessor.java:53)
at com.wm.app.b2b.server.invoke.ServiceCompletionImpl.process(ServiceCompletionImpl.java:243)
at com.wm.app.b2b.server.invoke.ValidateProcessor.process(ValidateProcessor.java:49)
at com.wm.app.b2b.server.invoke.PipelineProcessor.process(PipelineProcessor.java:171)
at com.wm.app.b2b.server.ACLManager.process(ACLManager.java:303)
at com.wm.app.b2b.server.invoke.DispatchProcessor.process(DispatchProcessor.java:34)
at com.wm.app.b2b.server.AuditLogManager.process(AuditLogManager.java:370)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:548)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:386)
at com.wm.app.b2b.server.ServiceManager.inv…<truncated

In this case you will have to contact the Admin of the SFTP-Server to see if they have any information for you from the SSHD-Log.

I would assume a handshaking issue due to a mismatch in TLS protocol versions supported by your JVM compared to those allowed by the SSH/SFTP-Server.

Regards,
Holger

1 Like

Hi LL,

Apparently this is a clear issue of SSL handshake failure, and the client and server failed to reach a mutually agreed protocol to use for the SFTP connection. If it’s possible for you to enable more detailed debug logs, such as ones showing which SSL protocols are negotiated between the client and the server, it would also help to understand more. Getting info from the log on the SFTP server side will also help to unearth more details. I assumed this is more likely to be a configuration issue than an actual product defect.

I would also suggest getting this book if possible, as it’s quite handy for understanding SSL/TLS related matters in detail.
https://www.amazon.com/Bulletproof-SSL-TLS-Understanding-Applications/dp/1907117040/ref=cm_cr_arp_d_product_top?ie=UTF8

1 Like

Thank you all for your responses.

Below actions were performed for our investigation on this incident.

  1. Our trading partner informed us that the new SFTP server is currently in AWS and that sshd_config is not available.
  2. Confirmed with our Network and Firewall team that the IPs of the SFTP server have been whitelisted.
  3. Trading partner created a new username on the server and provided us ppk and pem formats to try outside the company’s network, and it worked through FileZilla.
  4. The connection did not work inside the company’s network.

Hi Leroux,

can you share some more details about your SFTP-User-Alias Config please?

The error message indicates that you are able to reach out to the SFTP-Server but it is rejecting your connection attempt.
So there should be something in the ssh logs on the AWS platform for this server.
Can you check this with your TradingPartner?

Regards,
Holger

1 Like

In my first comment I requested that you enable jsch logs and share them, but it seems you shared ssl logs, which are not useful. Please enable jsch logging by setting the server property "watt.ssh.jsch.logging=true".

The logs will be found in wrapper logs.