😟😟😟 Background of the actual problem:
I am working for a banking client that does business with its partners by exchanging payment files over different communication channels such as SFTP, HTTP and APIs. For the first time, one partner came up with an integration requirement based on FTPS, which was new to our banking client. My client uses IBM Sterling B2B Integrator as its B2B/EDI tool for partner integrations, and this was the first partner connecting over FTPS. While implementing and establishing connectivity with the partner, we encountered many issues with their FTPS server.
😮😮😮 Problem statement:
When we tried to connect and list the files available in their remote directory, we initially got a handshake failure and could not move on to the list-files operation. We had already opened the outbound ports at the bank firewall, and the customer had likewise opened the bank's ports at their side. As part of the analysis we asked the partner to provide the ciphers acceptable at their side and compared them with the ciphers configured at the bank side. In this initial analysis we found a cipher mismatch during the handshake, which caused the issue.
😲😲😲 Suggestion:
To resolve this issue we conducted multiple debugging sessions with all the stakeholders: the partner, the bank's team (myself), the network team, the operating-system admin and the B2B application vendor. In each session we implemented the changes suggested by the B2B vendor team at the B2B server level (listed below), tested them in the meeting with all stakeholders present and monitored the traffic. Initially we asked the partner to make the changes below at their FTPS server side, but they did not agree. The partner could not make the changes needed to accept the ciphers configured at the bank, because they are already integrated with their other partners and did not want to risk issues with those partners by changing ciphers.
- SNI needs to be disabled
- TLS 1.3 needs to be disabled if it is already enabled, and TLS 1.2 should be the default
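The cipher, TLS-version and SNI constraints above can be reproduced from the bank side with a small explicit-FTPS client, which is useful before involving every stakeholder in a call. This is an added example, not code from the original post or from IBM Sterling B2B Integrator; the cipher lists are constructed and the host name in any call is a placeholder.

```python
import socket
import ssl

# Constructed lists for this example (not the bank's or the partner's real configuration):
# OpenSSL-style names the bank-side client offers, and the names the partner's server accepts.
BANK_CIPHERS = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-RSA-CHACHA20-POLY1305"]
PARTNER_CIPHERS = ["AES256-SHA256",  # static RSA key exchange, not offered by the bank
                   "ECDHE-RSA-AES256-GCM-SHA384"]


def common_ciphers(client, server):
    """Suites both sides accept, in client preference order. An empty list is
    the handshake_failure case: the server finds nothing it is allowed to pick."""
    accepted = set(server)
    return [c for c in client if c in accepted]


def build_ftps_client_context(ciphers, tls12_only=True):
    """Client context matching the partner's constraints: TLS 1.3 disabled (TLS 1.2
    pinned) and an explicit cipher list. Certificate verification stays on; turning
    it off would only hide the chain problems described later in the post."""
    ctx = ssl.create_default_context()
    if tls12_only:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(ciphers))  # raises ssl.SSLError if no suite is usable
    return ctx


def offered_cipher_names(ctx):
    """TLS 1.2 suites the context will actually place in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def ftps_handshake(host, port, ctx, send_sni=True, timeout=10):
    """Explicit FTPS: plain control connection, AUTH TLS, then the TLS handshake.
    Returns (tls_version, cipher_name). With send_sni=False the ClientHello carries
    no SNI extension, which is what the first bullet above asks for."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.recv(1024)                        # 220 banner
        sock.sendall(b"AUTH TLS\r\n")
        if not sock.recv(1024).startswith(b"234"):
            raise RuntimeError("server refused AUTH TLS")
        if not send_sni:
            ctx.check_hostname = False         # hostname matching needs an SNI name
        with ctx.wrap_socket(sock, server_hostname=host if send_sni else None) as tls:
            return tls.version(), tls.cipher()[0]
```

If `common_ciphers` comes back empty, no amount of firewall work will help; that is the cipher mismatch the post describes, and `ssl.SSLError` mentioning a certificate instead of `handshake_failure` points at the chain problems covered next.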
In the next troubleshooting session we verified all the settings, logs and configurations with the help of the IBM vendor. We found an issue with the certificates (intermediate, root and leaf): while importing the certificates we got the error "Auth chain is incomplete". To resolve this, we downloaded the certificates directly from their server using the certificate grabber utility in Sterling B2B Integrator and imported them into the B2B server, which resolved the certificate issue. We then tried to post a file, but it was not successful. At this point we enabled tracing at both the network level and the OS level. In the trace we saw the B2B server sending packets, but we were not receiving the Client Hello packets back.
When the customer checked the validity of the CA certificates using openssl, the result was OK, but there can still be problems with the way SI checks additional points of validity beyond whether a certificate is expired or properly chained.
To resolve this issue we conducted multiple troubleshooting sessions with all the integration stakeholders. In these meetings the IBM vendor suggested server-level changes; we made those changes, restarted the IBM SI server and verified connectivity.
Suggestion 1:
Change the order of the security providers in the Java security file at SIB2BInstallationPath/jdk/jre/lib/security/java.security.
Existing:
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.4=com.certicom.ecc.jcae.Certicom
security.provider.5=com.sterlingcommerce.security.jcae.STERCOMM
security.provider.6=com.ibm.jsse2.IBMJSSEProvider2
security.provider.7=com.ibm.security.jgss.IBMJGSSProvider
Change it to:
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
And restart the SIB2B server.
Suggestion 2:
In the properties folder in the installation path, set FIPSMode=true in security.properties and restart the server.
Suggestion 3:
You can try putting the following in customer_overrides.properties in the SIB2B installation path:
security.FactoryTrustManagerAlgorithm=IbmPKIX
This trust manager is more lenient than the default IbmX509; if you manage to connect with it, that might give us an additional clue. You need to do this on both nodes.
And restart the SIB2B server.
Finally we were able to connect to the partner's FTP server using the security certificate.
Suggestion 4:
After connecting to their server we faced an issue posting files. To resolve it we added a new configuration in customer_overrides.properties in the SIB2B installation path:
ps_ftpclient.honourPASV=false
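The post does not say why the PASV reply could not be honoured; the usual reason is that a server behind NAT advertises an address the client cannot reach, and a hostile server could just as well point the data connection at a different host. The function below, an added example that is not part of the original post or of Sterling B2B Integrator, shows what "not honouring PASV" means: keep the port from the 227 reply but reuse the control-connection host. The sample replies and host name are constructed.

```python
import re

# Reply shapes from RFC 959 (PASV, 227) and RFC 2428 (EPSV, 229).
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def data_endpoint(reply, control_host, honour_pasv=True):
    """Decide where the data connection should go from a 227/229 reply.

    honour_pasv=True : connect to the address the server advertised (FTP's default).
    honour_pasv=False: take only the port and reuse the control-connection host,
                       which is what the honourPASV=false override selects.
    A server advertising 0.0.0.0 is also mapped to the control host, a convention
    several clients follow.
    """
    m = _PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        advertised = f"{h1}.{h2}.{h3}.{h4}"
        port = p1 * 256 + p2
        if not 0 < port < 65536:
            raise ValueError(f"invalid PASV port {port}")
        host = advertised if honour_pasv and advertised != "0.0.0.0" else control_host
        return host, port
    m = _EPSV_RE.match(reply)
    if m:  # EPSV never carries an address, so the control host is always used
        return control_host, int(m.group(1))
    raise ValueError(f"not a PASV/EPSV reply: {reply!r}")


# Constructed replies: a NAT'd server advertising its private address, and an EPSV reply.
SAMPLE_PASV = "227 Entering Passive Mode (10,20,30,40,195,80)."
SAMPLE_EPSV = "229 Entering Extended Passive Mode (|||50021|)"

if __name__ == "__main__":
    print(data_endpoint(SAMPLE_PASV, "ftps.partner.example"))         # advertised 10.20.30.40
    print(data_endpoint(SAMPLE_PASV, "ftps.partner.example", False))  # control host instead
```

Recent versions of Python's own ftplib apply the same rule by default through the `trust_server_pasv_ipv4_address` attribute, so the Sterling override brings the B2B client in line with what other FTP clients already do.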
After changing all these configurations we (the bank) were able to connect to the partner's FTPS server and post files successfully.