This is a how-to guide to set up a connection to an external FTPS site using SAP PI 7.10.
This solution was not tested on a higher version of PI.
I have read through so many blogs but couldn’t find an easy step-by-step guide on how to do this. So I decided that this should be common knowledge and should be easy to set up.
So here goes nothing:
My suggestion: if you can, build a good relationship with the FTP provider, and start off by checking that you can connect to the FTP site without encryption. This will sort out network and firewall issues from the beginning.
Our network setup is a bit complicated; however, I have requested that the firewall specialist open the FTPS IP address and port 21 on all relevant firewalls.
I then requested that the BASIS team install the FileZilla client (this works for me!) on the corresponding PI server (in this case the DEV PI server). PS: Do not just install any software onto your PI server; this may have a damaging effect! Speak to a BASIS person before installing anything.
I then logged onto the DEV PI server and executed the FileZilla Client Software.
What’s important to know: SAP PI does NOT support implicit encryption (see note 1554886), so the FTP provider should configure their FTP server to allow explicit connections, which automatically requires port 21 to be open. Another setting in the FTP client software: ‘Transfer Mode’ should be ‘Passive’.
Try to connect to your ftp provider:
This is a given: if you get timeout or similar issues, check with the infrastructure guys that the firewall is open to allow the IP address and port. Ask them to give you a screenshot of the firewall monitoring tool to show that the traffic is going through. If you still get the same issue, connect to the FTPS site from outside your network. You can also request that the FTP provider send you their FTP server logs from when you connect to the FTPS site.
Make sure that you can connect using the FTP client software (so you know that on OS level everything is OK). If this is failing, you will not be able to establish a connection from the JAVA stack either.
If your connection is successful to the ftps site you will get a certificate pop-up message from the FTP Client Software.
This is where the fun starts:
The FTP provider should supply you with the SSL certificate, which may include the private/public key pair. (They usually encrypt it with a password; you need it when you import it into the NetWeaver Administrator.) Confirm with them whether the certificate has a verifying chain; if so, they should supply those certificates as well, or provide you with a link where you can download them. Save each one to a *.txt file.
(This is the most crucial part of the connection. If you do not have your ducks in a row here, nothing will work.)
If you have all the certificates mentioned above, go to your NetWeaver Administrator on the PI DEV server.
Click on Configuration Management -> Certificates and Keys
It will navigate to the Key Store by Default
Select the TrustedCA Keystore view – it will show the Key Storage View Details below.
The next steps would be to import the certificate from the ftp provider
Click on the Import Entry button located in the ‘Key Storage View Details’ area
As soon as you select the Import Entry button it will prompt you to select the Entry type. How the FTP provider has created the certificates will determine the type. I will try the “PKCS#12” Key Pair first, given that you have a password to decrypt the entry.
Browse to the certificate entry and enter the password.
You will see now that it shows the newly imported certificate.
If you have a certificate chain, you need to add those certificates to the newly imported certificate by clicking on the certificate in the ‘Key Storage View Details’ area and then on the Import CSR Response button.
Browse to the saved txt files as mentioned above.
Each file will have a -----BEGIN CERTIFICATE----- and an -----END CERTIFICATE----- tag. (See example below)
After the successful certificate import you can now start to configure your file adapter.
I presume that you have all the config done regarding the development and config of the interface.
Log in to the Integration Builder, navigate to your scenario and then to the relevant communication channel.
I have configured a Sender FTP communication channel.
On the source tab you will have to complete the relevant information, like:
Server = Relevant IP Address
Port = 21
Data Connection = Passive
TimeOut (secs) = 10 / 20 / 30 / 60 (this is up to your specification)
Connection Security = FTPS (FTP Using SSL/TLS) for Control and Data Connection. This depends on the PROT command your FTP provider is sending; check the command order and value when you connect from the FTP client software. My understanding: PROT P = Control and Data Connection. PROT C = only Control connection.
Command Order = Take the first one in the list; however, it depends on how the FTP provider has set this up. Again, check the command order as mentioned above to make double sure.
Under Command Order there is a ‘Use x.509 Certificate for Client Authentication’ tick box. (Select that on.)
Keystore = TrustedCAs (select this from the value list)
x.509 Certificate and private key = TrustedCAs – Newly Imported Certificate
Username = provided by ftp provider
Password = provided by ftp provider
Connection Mode = Per File Transfer
Transfer Mode = Binary (check settings with FTP Provider)
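As an added example (not part of the original post, and not SAP code): a small Python parser that reads the FTP client's message log and reports the command order the server accepted, the PROT level and whether passive mode was used, which are the values the channel settings above have to match. The `Command:` / `Response:` log layout, the sample log and the function name `analyse` are assumptions constructed for illustration.

```python
import re
# Constructed sample of an FTP client message log (not from the original post).
SAMPLE_LOG = """\
Status: Connecting to 192.0.2.10:21...
Command: AUTH TLS
Response: 234 AUTH TLS successful
Command: USER pi_user
Response: 331 Password required
Command: PASS ********
Response: 230 Login successful
Command: PBSZ 0
Response: 200 PBSZ 0 successful
Command: PROT P
Response: 200 Protection set to Private
Command: PASV
Response: 227 Entering Passive Mode (192,0,2,10,195,80)
"""

LOGIN_VERBS = ("AUTH", "USER", "PASS", "PBSZ", "PROT")

def analyse(log):
    """Summarise the login/security commands the server accepted, in order."""
    res = {"port": None, "order": [], "explicit": False, "prot": None, "passive": False}
    pending = None  # command still waiting for its first server reply
    for line in log.splitlines():
        port = re.search(r"Connecting to \S+:(\d+)", line)
        if port:
            res["port"] = int(port.group(1))
        m = re.match(r"\s*(Command|Response):\s*(\S+)\s*(\S*)", line)
        if not m:
            continue
        kind, first, second = m.groups()
        if kind == "Command":
            pending = (first.upper(), second.upper())
        elif pending:
            (verb, arg), pending = pending, None
            if first[0] not in "123":
                continue  # 4xx/5xx reply: rejected, so it is not counted
            if verb in LOGIN_VERBS:
                res["order"].append(verb)
            res["explicit"] |= verb == "AUTH"
            res["passive"] |= verb in ("PASV", "EPSV")
            if verb == "PROT":
                res["prot"] = arg
    # After AUTH the data channel stays in the clear unless PROT P was accepted.
    res["security"] = ("no explicit FTPS negotiated" if not res["explicit"]
                       else "Control and Data Connection" if res["prot"] == "P"
                       else "Control Connection only")
    return res
```

If `security` comes back as "no explicit FTPS negotiated" on a session that was encrypted, the server is likely using implicit FTPS, which the post says PI does not support.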
Ok go now to the Run-time Workbench – Communication Channel Monitoring…
Enter your communication channel name
Look at the status of your channel; hopefully it’s connecting (wishful thinking).
In my case I had a very strange communication channel: the status was on “processing started”, and it was saying this for days and days; however, according to the channel it was functioning (green).
This is where my month of struggle started.
Here are the things that I have tried to solve my issue which may help you.
TrustedCA: changed the certificate so that it’s the same as the IP address I’m connecting to.
Changed the Command Order on the File Adapter.
Asked BASIS to check the server_0 logs and check if they can see anything. It showed errors; however, they were very cryptic.
Check the JAVA logs
Eventually I logged a CSS Message with SAP
1st time round they requested that I apply note #1514898 ‘Diagtool for troubleshooting XI’: XPI Inspector – best tool ever. It gives you the ability to export the trace into a ZIP file, and then you can attach it to the CSS Message.
Executed the utility on Example 50 (XI Channel) – Selected the FTPS channel into the list.
I had an issue with the Verification (Certificate Chain). Contacted the FTP provider and requested new certificates.
2nd time round, same thing: executed the XPI Inspector and then again attached the ZIP file.
Solution: apply note #1591971.
This solved my issue; my FTPS communication channel was connecting.
If you get stuck with this FTPS CC, log a call with SAP; they usually help you within a day.