Thursday, August 4, 2022

How we resolved a first-time FTPS connectivity issue with a partner using IBM Sterling B2B Integrator

😟😟😟 Background of the actual problem:

            I work for a banking client that exchanges payment files with its partners over several communication channels (SFTP, HTTP, API and so on). For the first time, a partner came with an integration requirement based on FTPS, which was new to the bank. The bank uses IBM Sterling B2B Integrator (SI) as its B2B/EDI tool for partner integrations, and this was the first partner connected over FTPS. While implementing and establishing connectivity we ran into a number of issues with the partner's FTPS server.

😮😮😮 Problem statement:

           When we tried to connect and list the files in the partner's remote directory, we initially got a TLS handshake failure and could not get as far as the LIST operation. The outbound ports had already been opened on the bank firewall, and the partner had opened the bank's addresses and ports on their side. As part of the analysis we asked the partner for the list of cipher suites their server accepts and compared it with the cipher suites configured on the bank side. The initial finding was a cipher suite mismatch at the handshake, and that was the cause of the failure.

😲😲😲 Suggestion:

           To resolve this issue we held multiple debugging sessions with all the stakeholders: the partner, the bank's team (myself), the network team, the operating system administrators and the B2B application vendor. In each session we applied the B2B-server-level changes suggested by the vendor team, tested while all the stakeholders were on the call, and monitored the traffic. Initially we asked the partner to make the two changes below on their FTPS server, and they declined. The partner could not change the cipher suites their server accepts to match the bank's configuration, because they were already integrated with other partners on those settings and did not want to risk breaking those connections with a cipher change.

  • SNI needs to be disabled
  • TLS 1.3 needs to be disabled if it is enabled, with TLS 1.2 as the default


 In the next troubleshooting session we went through all the settings, logs and configurations with the IBM vendor. We found a problem with the partner's certificates (root, intermediate and leaf): importing them into SI failed with the error "Auth chain is incomplete". To resolve this we downloaded the certificates directly from the partner's server using the certificate grabber utility in Sterling B2B Integrator and imported those into the B2B server, which cleared the certificate error. We then tried to post a file, without success. At this point we enabled tracing at both the network and the operating system level. In the trace we could see our B2B server (the FTPS client in this exchange) sending its TLS Client Hello, but no reply to it came back from the partner.

When the partner checked the validity of the CA certificates with openssl, the result was OK; but SI applies additional checks beyond whether a certificate is expired or properly chained, so a chain that openssl reports as OK can still be rejected by SI.

To resolve this we held further troubleshooting sessions with all the integration stakeholders. In these meetings the IBM vendor suggested the server-level changes below; we applied them, restarted the IBM SI server and re-tested connectivity after each one.

Suggestion 1:

   Change the order of the security providers in the Java security file at SIB2BInstallationPath/jdk/jre/lib/security/java.security

Existing:

#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.4=com.certicom.ecc.jcae.Certicom
security.provider.5=com.sterlingcommerce.security.jcae.STERCOMM
security.provider.6=com.ibm.jsse2.IBMJSSEProvider2
security.provider.7=com.ibm.security.jgss.IBMJGSSProvider

Change it to (swap the first two entries; providers 3 to 7 stay as they are):

security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS

and restart the SI B2B server. Note that this makes the non-FIPS IBMJCE provider the preferred one for all cryptography in the JVM; if the bank has a FIPS 140 requirement for this system, get that change signed off before applying it.


Suggestion 2:

In the properties folder under the installation path, set FIPSMode=true in security.properties and restart the server.

Suggestions 1 and 2 pull in opposite directions (one demotes the FIPS provider, the other enables FIPS mode), so record exactly which settings were in place when the connection finally worked, rather than leaving both as "applied".


Suggestion 3:

Try adding the following to customer_overrides.properties in the SI B2B installation path:

    security.FactoryTrustManagerAlgorithm=IbmPKIX

According to the vendor, this trust manager is more lenient than the default IbmX509; if the connection succeeds with it, that gives an additional clue about what the default trust manager was rejecting. This has to be done on both nodes. Treat a more lenient trust manager as a diagnostic step rather than the final state: once the connection works, confirm that the partner's chain validates under the default setting, or document why it cannot.

Then restart the SI B2B server.


With these changes we were finally able to connect to the partner's FTPS server using the certificate.


Suggestion 4:

Once connected to the partner's server we then had a problem posting files. To resolve it we added a new setting to customer_overrides.properties in the SI B2B installation path:

 ps_ftpclient.honourPASV=false

This makes the FTP client ignore the IP address the server advertises in its PASV reply and open the data connection to the address of the control connection instead, which is typically what is needed when the partner's server sits behind NAT and advertises an internal address. After all these configuration changes we (the bank) were able to connect to the partner's FTPS server and post files successfully.
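The script below is an added example, not part of the original post and not Sterling Integrator code, showing what honouring or ignoring the PASV address means in practice and how to tell from a captured reply which way the setting should go. The reply line and addresses are constructed; the semantics modelled (use the advertised IP, or the control connection's peer IP, with the port from the reply in both cases) are the usual meaning of such a setting and are assumed here to match ps_ftpclient.honourPASV.

```shell
#!/bin/sh
# Added example (not from the original post): what honouring or ignoring the
# address in an FTP PASV reply means. Sample reply and addresses are constructed.
set -e

# Parse a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (RFC 959) and print
# the data endpoint as ip:port. With honour=false the advertised address is ignored
# and the control connection's peer address is used with the advertised port,
# which is what ps_ftpclient.honourPASV=false is assumed to do in SI.
#   pasv_endpoint "<227 reply>" <control_peer_ip> true|false
pasv_endpoint() {
  reply=$1; ctrl_ip=$2; honour=$3
  fields=$(printf '%s\n' "$reply" \
    | sed -n 's/.*(\([0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*\)).*/\1/p')
  [ -n "$fields" ] || { echo "malformed PASV reply: $reply" >&2; return 1; }
  oldifs=$IFS; IFS=,; set -- $fields; IFS=$oldifs
  adv_ip="$1.$2.$3.$4"
  port=$(( $5 * 256 + $6 ))
  if [ "$honour" = true ]; then
    printf '%s:%s\n' "$adv_ip" "$port"
  else
    printf '%s:%s\n' "$ctrl_ip" "$port"
  fi
}

# Exit status 0 if the dotted quad is in an RFC 1918 private range. A private
# address in the PASV reply of an Internet-facing server is the classic sign of a
# NAT device that does not rewrite the FTP control channel (and cannot, once the
# control channel is TLS-protected as in FTPS).
is_private_ip() {
  case $1 in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Recommend a honourPASV value for a given reply and control peer address.
pasv_advice() {
  reply=$1; ctrl_ip=$2
  adv=$(pasv_endpoint "$reply" "$ctrl_ip" true)
  adv_ip=${adv%:*}
  if is_private_ip "$adv_ip" && ! is_private_ip "$ctrl_ip"; then
    echo "honourPASV=false"
  else
    echo "honourPASV=true"
  fi
}

# Constructed sample: a partner server behind NAT leaks its internal address.
REPLY='227 Entering Passive Mode (10,20,30,40,195,80)'
PEER='203.0.113.25'
echo "honoured: $(pasv_endpoint "$REPLY" "$PEER" true)"
echo "ignored:  $(pasv_endpoint "$REPLY" "$PEER" false)"
echo "advice:   $(pasv_advice "$REPLY" "$PEER")"
```

The port still comes from the PASV reply, so honourPASV=false only helps when the partner's firewall forwards that passive port range to the server; if the data connection then times out, the next thing to check is the passive port range on the partner side, not the certificates.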
