AFT--> New Account creation Problem

[rajesekhar]

Hi,
I have to create a new account to transfer files from one server to another server.
The destination remote server is a standard FTP
But the source remote host server is an FTP over SSL.
How should I make the settings?
What all information do I need for the host1?

I have the ftp address,username,password and SSL_Public_Key.crt file.
Are they enough?

Please guide me further.

Thanks,
Rajesekhar

[gglau]

When an account is defined in AFT, FTP protocols for the source and for destination are defined separately. You have enough information to proceed.

[rajesekhar]

I have defined the two hosts separately.
But host1(FTP over SSL) is not working when I tried to validate that.
When I tried to import the certificate through sslcmd utility, its throwing an error saying, ADD CA command failed.

[rajesekhar]

I am still stuck at this.

I dont know why Host1(FTP over SSL) is not working.
I even tried SFTP(SSH) but didnt worked. What all we need to set up SFTP for a host?

[mauriziog]

I have configured some of this kind of accounts but i difficult to guide you from outside.
The first information I need are:
1) version of controlm agent and of the CM for aft installed
2) so: windows or unix?
3) server ftp windows or unix?
4) language of the server

The true test is to run a job that use this account, the validate option works if the user that define the account has true rights.

[rajesekhar]

I have configured some of this kind of accounts but i difficult to guide you from outside.
The first information I need are:
1) version of controlm agent and of the CM for aft installed
2) so: windows or unix?
3) server ftp windows or unix?
4) language of the server

The true test is to run a job that use this account, the validate option works if the user that define the account has true rights.

1)6.2.01 and 6.2.02 respectively
2)windows
3)server ftp unix
4)I dont understand this, hmmmmmm......

well, we have some software "WS_FTP Pro" through which I am able to login to the ftp server and able to download the files from it. so, for the time being I ran a script which runs this "WS_FTP Pro" and access the ftp server.
And I am running that script from Control-M(atleast I can say Control-M is involved somehow)

But I am not able to set up that in CM for AFT. when it works in "WS_FTP Pro" then theres some problem with me in setting up the account but not the server.

Raj

[rajesekhar]

From the FTP server, I have both the FTP over SSL and SFTP(SSH) certificates and the username/password to enter the FTP site.

Raj

[mauriziog]

well, we have some software "WS_FTP Pro" through which I am able to login to the ftp server and able to download the files from it.

Ok rajesekhar, this is important: from one client on the same server the connection works. Fine.
When you use "WS_FTP Pro" automatically open a window that save the certificate the first time, isnt it?

Well: step TWO

The certificate you have must be "X.509 PEM (Privacy-Enhanced Mail) format to import certificates".

You have? YES? Well step 3:
You must "specify your security level" on Windows:
in the path:
<CONTROL>/cm/AFT/data/SSL/cert
there is a .reg file: "aft_security_level.reg"
3.1 Make a backup of this file
3.2 edit it with text editor
3.3 change/control the value of "Security_Level"

Set it = 3 (server authentication)
Is the must common setting.
Save the file

3.4 Run it (double click)
3.5 run\regedit and control that the values are correctly set
3.6 restart agent services

When done this we continue.

[rajesekhar]

Yes, when I was using WS_FTP Pro, it automatically opened a window to install the certificate and so it ran.

The certificate which I have is with .crt extension but not PEM?
.crt doesnt work?
can I change .crt to PEM?
If so, how?

[mauriziog]

The certificate which I have is with .crt extension but not PEM?
.crt doesnt work? can I change .crt to PEM?
If so, how?

Change the certificate format.
There is a program freewere that consent to convert the certificate format.
I have used "openssl".

Or you can ask to the server ftp administrator to send you the certificate in this format.

[rajesekhar]

Hey,
Where can we get this openssl?
Does it come with the OS?
I searched for openssl in my comp and I found " C:\Program Files\Intel\AMT" which contains openSSL_license.txt
And in the network also, I found openssl.exe, When I double clicked that openssl.exe file, it opened a dos prompt window like:

OpenSSL >

But I don’t know which commands to use to convert my .crt to PEM certificate. I searched on goole and I got hell lot of things and I got confused.
Can you tell me the exact command line syntax to do the needful?

Thanks,
Raj

[mauriziog]

I don’t know which commands to use to convert my .crt to PEM certificate. I searched on goole and I got hell lot of things and I got confused.

The syntax of my version, for converting fron crt to pem is:

1) convert a certificate from PEM to DER:
x509 –in input.crt –inform PEM –out output.crt –outform DER

2) convert the certificate obtained from 1) to PEM:
convert a certificate from DER to PEM:
x509 –in input.crt –inform DER –out output.crt –outform PEM

[rajesekhar]

Failed (

When I tried using your syntax, I got the following error:

//
unable to load certificate
3292:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:crypto/asn1
/tasn_dec.c:946:
3292:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:cr
ypto/asn1/tasn_dec.c:304:Type=X509
error in x509
//

I have no clue what's that.

[rajesekhar]

Btw, what's DER?
I used the second command. I assumed my crt as DER and tried to convert it to PEM.

[rajesekhar]

I tried it again, it worked fine.
They have given two accounts, testing one and the other prodcution.
I was trying the testing one, it was not working.
when I changed to production one, it was working
Thanks a lot all