
This is a how-to guide to set up a connection to an external FTPS site using SAP PI 7.10.

This solution was not tested on a higher version of PI.

I have read through so many blogs but couldn’t find an easy step-by-step guide on how to do this. So I decided that this should be common knowledge and should be easy to set up.

So here goes nothing:

My suggestion: if you can, build a good relationship with the FTP provider, and start off by checking that you can connect to the FTP site without encryption. This will sort out network and firewall issues from the beginning.

Steps

Our network setup is a bit complicated; however, I requested that the firewall specialist open the FTPS IP address and port 21 on all relevant firewalls.

I then requested that the BASIS team install FileZilla client (this works for me!) on the corresponding PI Server (in this case the DEV PI Server). PS. Do not just install any software onto your PI server; this may have a damaging effect! Speak to a BASIS person before installing anything.

I then logged onto the DEV PI server and executed the FileZilla Client Software.

What’s important to know: SAP PI does NOT support implicit encryption (see note 1554886), so the FTP provider should configure their FTP server to allow explicit connections, which automatically requires port 21 to be open. Another setting: in the FTP client software, ‘Transfer Mode’ should be ‘Passive’.

Try to connect to your ftp provider:

This is a given: if you get timeout issues or similar issues, check with the infrastructure guys that the firewall is open to allow the IP address and port. Ask them to give you a screenshot of the firewall monitoring tool to show that the traffic is going through. If you still get the same issue, connect to the FTPS site from outside your network. You can also request that the FTP provider send you their FTP server logs from when you connect to the FTPS site.

Make sure that you can connect using the FTP client software (so you know that on OS level everything is OK). If this is failing, you will not be able to establish a connection from the Java stack either.

If your connection is successful to the ftps site you will get a certificate pop-up message from the FTP Client Software.

This is where the fun starts:

The FTP provider should supply you with the SSL certificate, which may include the private/public key pair. (They usually encrypt it with a password; you need it when you import it into NetWeaver Administrator.) Confirm with them whether the certificate has a verifying chain; if so, they should supply those certificates as well, or provide you with a link where you can download them. Save them to a *.txt file.

(This is the most crucial part of the connection; if you do not have your ducks in a row here, nothing will work.)

If you have all the certificates mentioned above, go to your NetWeaver Administrator on the PI DEV Server.

http://<server>:<port>/nwa

Click on Configuration Management -> Certificates and Keys

It will navigate to the Key Store by Default

Select the TrustedCA Keystore view – it will show the Key Storage View Details below.

The next steps would be to import the certificate from the ftp provider

Click on the Import Entry button located in the ‘Key Storage View Details’ area

As soon as you select the Import Entry button, it will prompt you to select the entry type. How the FTP provider has created the certificates determines the type. I would try the “PKCS#12” Key Pair first, given that you have a password to decrypt the entry.

Browse to the certificate entry and enter the password.

You will see now that it shows the newly imported certificate.

If you have a certificate chain, you need to add those certificates to the newly imported certificate by clicking on the certificate in the ‘Key Storage View Details’ area and then on the Import CSR Response button.

Browse to the saved .txt files mentioned above.

It will have a -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tag. (See example below)

-----BEGIN CERTIFICATE-----

MIID+jCCAuKgAwIBAgIDAjbSMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT

MRYwFAYDVQQKEw1HZW9UcnVnmmmnfmnmzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVz

YWwgQ0EwHhcNMTAwMjI2MjEzMjMxWhcNMjAwMjI1MjEzMjM343434jBhMQswCQYDV

-----END CERTIFICATE-----

After the successful certificate import you can now start to configure your file adapter.

I presume that you have all the config done regarding the development and config of the interface.

Log in to the Integration Builder, navigate to your scenario and then to the relevant communication channel.

I have configured a Sender FTP communication channel.

On the Source tab you will have to complete the relevant information, like:

Server = Relevant IP Address

Port = 21

Data Connection = Passive

TimeOut (secs) = 10 / 20 / 30 / 60 (this is up to your specification)

Connection Security = FTPS (FTP Using SSL/TLS) for Control and Data Connection. This depends on the PROT command your FTP provider is sending; check the command order and value when you connect with the FTP client software. My understanding: PROT P = Control and Data Connection; PROT C = only Control Connection.

Command Order = Take the first one in the list; however, it depends on how the FTP provider has set this up. Again, check the command order as mentioned above to make doubly sure.

Under Command Order there is a ‘Use X.509 Certificate for Client Authentication’ tick box (tick it).

Keystore = TrustedCAs (select this from the value list)

x.509 Certificate and private key = TrustedCAs – Newly Imported Certificate

Username = provided by ftp provider

Password = provided by ftp provider

Connection Mode = Per File Transfer

Transfer Mode = Binary (check settings with FTP Provider)
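
The Connection Security and Command Order values above are read off the FTP client's connection log. As an added example (not part of the original post and not SAP tooling), this Python script extracts the port, explicit or implicit mode, login command order, PROT level and PASV address from a FileZilla-style trace. The function name analyse_trace, its result keys and the sample log are constructed for illustration.

```python
import ipaddress
import re

# Constructed FileZilla-style trace of an explicit FTPS login (not from the post).
SAMPLE_LOG = """\
Status: Connecting to 192.0.2.10:21...
Response: 220 FTP service ready
Command: AUTH TLS
Response: 234 AUTH command ok
Status: Initializing TLS...
Command: USER ftpuser
Response: 331 Password required
Command: PASS *******
Response: 230 User logged in
Command: PBSZ 0
Response: 200 PBSZ command successful
Command: PROT P
Response: 200 PROT command successful
Command: PASV
Response: 227 Entering Passive Mode (10,0,0,5,19,163).
"""

LOGIN_CMDS = ("AUTH", "USER", "PASS", "PBSZ", "PROT")

def analyse_trace(log):
    """Return the facts needed for the channel settings (keys are illustrative)."""
    cmds = [m.group(1).split() for m in re.finditer(r"^\s*Command:\s*(\S.*)$", log, re.M)]
    names = [c[0].upper() for c in cmds]
    port = re.search(r"Connecting to [^\s:]+:(\d+)", log)
    tls_seen = re.search(r"initializing TLS", log, re.I) is not None
    prot = next((c[1].upper() for c in cmds if c[0].upper() == "PROT" and len(c) > 1), None)
    result = {
        "port": int(port.group(1)) if port else None,
        # Explicit FTPS upgrades via AUTH; TLS with no AUTH command means implicit.
        "mode": "explicit" if "AUTH" in names else ("implicit" if tls_seen else "plain"),
        "command_order": [n for n in names if n in LOGIN_CMDS],
        "protection": {"P": "control and data", "C": "control only"}.get(prot),
        "pasv": None,
    }
    pasv = re.search(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", log)
    if pasv:
        n = [int(x) for x in pasv.groups()]
        host = ".".join(str(x) for x in n[:4])
        result["pasv"] = {"host": host, "port": n[4] * 256 + n[5],
                          "private": ipaddress.ip_address(host).is_private}
    return result

if __name__ == "__main__":
    print(analyse_trace(SAMPLE_LOG))
```

A mode of "implicit" means the client session cannot be reproduced by the PI channel, since PI supports only explicit FTPS as noted earlier; a private PASV host means the data connection depends on the client substituting the server address.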

OK, now go to the Runtime Workbench – Communication Channel Monitoring.

Enter your communication channel name

Look at the status of your channel; hopefully it’s connecting (wishful thinking).

In my case I had a very strange communication channel: the status was on “processing started”, and it was saying this for days and days; however, according to the channel it was functioning (green).

This is where my month of struggle started.

Here are the things that I have tried to solve my issue which may help you.

In the TrustedCA keystore I played around with SAP’s signed certificates (www.service.sap.com/tcs, SSL Test Server Certificates) and then imported the request.

In TrustedCA, changed the certificate so that it’s the same as the IP address I’m connecting to.

Changed the Command Order on the File Adapter.

Asked BASIS to check the server_0 logs and check if they could see anything. It showed errors; however, they were very cryptic.

Checked the Java logs.

Eventually I logged a CSS Message with SAP

1st time round they requested that I apply note #1514898 ‘Diagtool for troubleshooting XI’ (XPI Inspector) – best tool ever. It gives you the ability to export the trace into a ZIP file, and then you can attach it to the CSS Message.

Executed the utility on Example 50 (XI Channel) – selected the FTPS channel in the list.

I had an issue with the verification (certificate chain). Contacted the FTP provider and requested new certificates.

2nd time round, same thing: executed the XPI Inspector and then again attached the ZIP file.

Solution: apply note #1591971.

This solved my issue; my FTPS communication channel was connecting.

If you get stuck with this FTPS CC, log a call with SAP; they usually help you within a day.

2 Comments


  1. Alice Rebecca

    Hi Merylene,

    It’s a very useful blog and a result of your hard work in troubleshooting the issue.

    I am also stuck with the same issue and want to know the “Command Order” and “Connection Security” to be configured in the Receiver File adapter done for an FTPS server.

    Here’s the successful login trace done from a FileZilla client tool.

    Status: Resolving address of fileserver.com
    Status: Connecting to 85.229.4.179:990…
    Status: Connection established, initializing TLS…
    Status: Verifying certificate…
    Error: Could not connect to server
    Status: Waiting to retry…
    Status: Resolving address of fileserver.com
    Status: Connecting to 85.229.4.179:990…
    Status: Connection established, initializing TLS…
    Status: Verifying certificate…
    Status: TLS/SSL connection established, waiting for welcome message…
    Response: 220 Microsoft FTP Service
    Command: USER ftpuser
    Response: 331 Password required for ftpuser.
    Command: PASS *******
    Response: 230 User logged in.
    Command: SYST
    Response: 215 Windows_NT
    Command: FEAT
    Response: 211-Extended features supported:
    Response: LANG EN*
    Response: UTF8
    Response: AUTH TLS;TLS-C;SSL;TLS-P;
    Response: PBSZ
    Response: PROT C;P;
    Response: CCC
    Response: HOST
    Response: SIZE
    Response: MDTM
    Response: REST STREAM
    Response: 211 END
    Command: OPTS UTF8 ON
    Response: 200 OPTS UTF8 command successful – UTF8 encoding now ON.
    Command: PBSZ 0
    Response: 200 PBSZ command successful.
    Command: PROT P
    Response: 200 PROT command successful.
    Status: Connected
    Status: Retrieving directory listing…
    Command: CWD /folder
    Response: 250 CWD command successful.
    Command: PWD
    Response: 257 “/folder” is current directory.
    Command: TYPE I
    Response: 200 Type set to I.
    Command: PASV
    Response: 227 Entering Passive Mode (10,200,36,65,19,163).
    Status: Server sent passive reply with unroutable address. Using server address instead.
    Command: LIST
    Response: 150 Opening BINARY mode data connection.
    Response: 226 Transfer complete.
    Status: Directory listing successful

    Thanks

    Alice
