How do we resolved first time FTPS connectivity issue with partner using IBM B2B Sterling Integrator

😟😟😟Background of Actual problem :

            I am working for Banking client who is doing business with their partners by sending payment files using different communication channels like SFTP , HTTP , API etc. For first time one partner come up with integration requirement by using FTPS communication which is new to our banking client. My client using IBM Sterling Integrator as B2B/EDI tool to do integration with partners and this is the first partner using FTPS connectivity. While implementing and getting connectivity established with partner , we encountered many issues with their FTPs Server.

😮😮😮Problem Statement :

           When we trying to connect and to do list out the files which are available in their remote directory , initially we are getting handshake failure and cannot move forward to do list files operation. We have already opened outbound ports at bank firewall and customer are  also opened bank ports at their side. As part of analysis we have asked partner to provide acceptable ciphers at their side and compare with ciphers which are configured at Bank side.while initial analysis we found that there is Ciphers mismatch at handshake and it causes the issue.

😲😲😲Suggestion : 

           To resolve this issue, we have conducted multiple debugging sessions with all the stakeholders  partner , Bank's team (myself) , Network team , operating system admin and B2B application vendor etc. In each session we have implemented below suggestions/changes mentioned at B2B server level by B2B vendor team and did the testing in meeting when all the stake holders are present and do the monitoring the traffic.Initially we asked to do below mentioned changes at their FTPS server side and they didn't aggree to do changes. Partner side they cannot make necessary changes to accepts ciphers which are configured at bank because already they are integrated with their partners and they dont want to expect any issues with their partners by cipher changes.

• SNI need to be disabled
• TLS 1.3 version need to disabled if it is enabled already and TLS1.2 version should be default

 Next trouble shooting session we have verified all the settings , logs and configurations with help of IBM vendor. We have found issue with certificates (Intermediate , Root and Leaf) and while importing 

 certificates it is giving error as "Auth chain is incomplete". To resolve this issue, we have directly

 downloaded the certificates from their server using certificate grabber utility in Sterling B2B integrator

and imported into B2B server. Then it resolves the certificates issue. Now we tried to post file but

 it is not successful. at this time we enabled trace at both Network level and OS level. In trace root

 we saw as B2B server sending packets but we are not receiving client hello packets back.

When customer did the CA certificates validity check using openssl it is giving result as OK , but there can still be some problems with the way SI checks additional points in validity beyond whether certificate is expired or properly chained.

To resolve this issue we have conducted multiple trouble shooting sessions with all the integration stake holders. As part these meeting IBM vendor suggested server level changes and we have done those changes and restarted the IBM SI server and verified the connectivity.

Suggestion 1 :

   Change the order of security providers in Java security file in SIB2BInstallationPath/jdk/jre/lib/security/java.security

Existing

#

# List of providers and their preference orders (see above):

#

security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS

security.provider.2=com.ibm.crypto.provider.IBMJCE

security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider

security.provider.4=com.certicom.ecc.jcae.Certicom

security.provider.5=com.sterlingcommerce.security.jcae.STERCOMM

security.provider.6=com.ibm.jsse2.IBMJSSEProvider2

security.provider.7=com.ibm.security.jgss.IBMJGSSProvider

 

Change it to

 

security.provider.1=com.ibm.crypto.provider.IBMJCE

security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS

 

And restart the SIB2B server.

Suggestion  2 :

In Properties folder in installation path

Set FIPSMode=true in security.properties

And restart the server

Suggestion 3 : 

You can try putting in customer_overrides.properties: in SIB2B installation path

    security.FactoryTrustManagerAlgorithm=IbmPKIX

This trust manager is more lenient than default IbmX509, if you manage to connect with it might give us additional clue. You need to do this on both nodes.

And restart the SIB2B server.

Finally we are able to connect out client FTP server using security certificate.

Suggestion 4 :

After that we faced files posting issue after connecting their server. To resolve this issue

we have added new configuration in customer_overrides.properties: in SIB2B installation path

 ps_ftpclient.honourPASV=false

 After changing all these configurations then we (Bank) are able to connect their partner FTPS server and post files successfully.  

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-3718162507869387"
     crossorigin="anonymous"></script>

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-3718162507869387"
     crossorigin="anonymous"></script>
<!-- MySquareAd -->
<ins class="adsbygoogle"
     style="display:block"
     data-ad-client="ca-pub-3718162507869387"
     data-ad-slot="5896879220"
     data-ad-format="auto"
     data-full-width-responsive="true"></ins>
<script>
     (adsbygoogle = window.adsbygoogle || []).push({});
</script>

             **********************************************************************

Amazon Payee Central integration with OMS application running on AWS cloud using Opensource Tools

 Amazon payee Central integration with OMS application running on AWS cloud using Opensource Tools

   

   Recently I had opportunity to work on integration between Amazon Payee Central and OMS running on AWS cloud. 

   Initially we have implemented the Invoice Payment message integration as part of this project. In this 

   implementation there are multiple applications involved to archive the required integration requirement.

   

To implement this integration below mentioned tasks are performed

   

   Pre requisites information for this implementation has been provided to customer .

   

   1. Having Amazon payee central account for generating invoices

   2. Having personal/Business Website with own web space and domain name for your website and Email account if notification are required

       3. Having any commercial Order Management System or own OMS application or any Database with Order Management schemas and tables.

       

       Implementing actual high level integration steps which I have followed    

   1. EDI setup in Amazon payee Central for exchanging EDi files over AS2

   2. Create our own self-signed or CA certified AS2 certificates for our company / business

   3. Create AS2 http/https url (resource) for receiving or sending files to/from Amazon 

   4. Configure our company / business certificates and Website AS2 resource URL in Amazon payee central

   5. Install opensource AS2 software application running on on-premise or on cloud (AWS or Azure or IBM cloud or google cloud)

   6. Configure our company certificates and Amazon AS2 certificates in our AS2 application

   7. Now coming to Translation, we need to use either opensource EDI translator or any coding language like java, .Net , Python or PHP etc. to do the translation from OMS format to corresponding transaction EDI format.

   8. In our case, as requested by customer I have used PHP script to do the translation and after successful translation file will be written some folder on AWS cloud

   9. Internal OMS application will generate some invoice file in application format (Ex. Flatfile , CSV or Database) and written to some folder on AWS

   10. From that folder translation program will pick and do the translation. After successful translation , files written to another folder where AS2 program can pick and push the file to Amazon.

   11. Initially Amazon wont receive the files until we activate the EDI connection in Amazon Payee central

       12. To activate the AS2 connection , we need to upload 3 EDI formatted Invoice files successfully in the Amazon payee central dashboard by licking connections tab.

       13. Once EDI invoice files successfully validated then the AS2 connection will be changed to Active status. 

       14. Once connection is activated then only Amazon can receive files from us and files can be tracked/showed in search results whether the files are processes or failed.     

   

Just for reference, here is the list of available OMS software's with commercial license

         1. Quickbooks Commerce                https://quickbooks.intuit.com/quickbooks-commerce/

         2. Brightpearl                        https://www.brightpearl.com/

         3. Skubana                            https://www.skubana.com/

4. Freestyle Solutions                https://www.freestylesolutions.com/

5. Odoo — Best Open Source OMS        https://www.odoo.com/

6. Brightpearl                        https://www.brightpearl.com/order-management

7. Veeqo                              https://www.veeqo.com/order-management-system

         8. Magento                            https://www.magestore.com/features/magento-order-management/

https://www.softwaretestinghelp.com/order-management-system/