    Topic posted June 14, 2018 by Moon Ray Lo, tagged Adapters, Connection
    Title:
    Oracle ICS: FTP Adapter Connection via SFTP Hangs Up (Connection Timeout) when Testing
    Summary:
    After providing the SFTP details (host, credentials, etc.) and trying to TEST the connection, it hangs (seems to be a connection timeout); it doesn't give any response at all.
    Content:

    Hi,

    Prior to creating a connection in ICS, my team and I made sure that the SFTP host is accessible (we used WinSCP) and were able to connect to it by providing only the following: File Protocol Type (SFTP), Hostname, Port#, Username & Password. We did the same when we created the connection in ICS; however, it's not able to connect.

     

    After providing the SFTP details (host, credentials, etc.) for an FTP Adapter (Creating Connection) and trying to TEST, it hangs; it doesn't give any response at all. After minutes of waiting, it will just refresh the page and lock the connection. I unlocked and tested again, and the same issue is still happening. I have tried another SFTP site and was able to get a response (either success or an error with the connection), but for this particular one, it's not responding at all; it just hangs.

     

    Below is the ONLY information provided in the FTP Adapter Connection:

    FTP Server Host Address: ###.###.##.###
    FTP Server Port: 22
    SFTP Connection: Yes


    Security Policy: FTP Server Access Policy
    Username: xxxxxxxxxxx
    Password: ***********

     

    Just some questions that might need to be answered:

    1) When having an SFTP connection, is it required to include the Host Key in ICS? In WinSCP, we didn't provide this and were able to connect.

    2) Will 'FTP Server Access Policy' work for an SFTP connection? Or is 'FTP Public Key Authentication' also required when establishing an SFTP connection?

     

    Appreciate all your inputs on this.

    Comment

     

    • Dinesh Pant

      Few questions

      1) Is the SFTP server publicly accessible?

      2) Is the SFTP server Oracle provided? If yes, is it whitelisted?

      Regards,

      Dinesh

      • Moon Ray Lo

        Hi Dinesh,

         

        1) Yes, this is publicly accessible

        2) Yes, this is Oracle Provided SFTP (PaaS) and this is not whitelisted (can be accessed publicly).

         

        Thanks,

        Moon

    • Moon Ray Lo

      Just to update on this, we provided the Host Key to the connection setup, BUT encountered the error below in ICS:

       

      Unable to test connection "FTP_POC_ICS". [Cause: CASDK-0004]
      CASDK-0004: Failed to authenticate against the application with the credentials provided
      Host Key Verification Failed. Please check Host Key.

      I already informed the person maintaining our SFTP server of this. But any inputs on this as well? (Like what normally causes this error on the Host Key side?)

       

      Thanks ahead!

    • Dinesh Pant

      Hi,

      Host Key is optional.

      Could you try the connection without using the host key?

      Is the SFTP server provided by Oracle?

       

      Regards,

      Dinesh

      • Moon Ray Lo

        Hello Dinesh,

         

        Yes, that's initially what we did, or the initial issue we have - we didn't provide the Host Key file, and when we test the connection, it just hangs with no response from ICS (it seems to be a connection timeout issue, but ICS is not responding at all).

         

        We provided the IP Address of the server as the Host Server Address.

    • Dinesh Pant

      Hi,

      Is the SFTP server provided by Oracle?

       

      Regards,

      Dinesh

    • Dinesh Pant

      Hi,

      Please file a network ticket on your SFTP server for whitelisting. Oracle SFTP servers require whitelisting.

       

      Regards,

      Dinesh

      • Moon Ray Lo

        Thanks for the inputs Dinesh, I will let them know about this.

         

        With regard to the Host Key, it seems to me it is required when I select SFTP Connection as 'Yes', because if I don't provide any or leave it blank on an SFTP Connection, it errors out with 'Host Key Verification Failed. Please check Host Key'. Can you confirm this?

         

        Regards,

        Moon

    • Dinesh Pant

      Hi Moon,

      As I have confirmed earlier, the host key is optional. The error message is wrong, which is fixed in a later release.

      You just need to whitelist the SFTP server IP.

       

      Regards,

      Dinesh

      • Moon Ray Lo

        Thank you, Dinesh. I'll inform my team of this and will update this thread when I get word from them (and test it on my side as well).

         

        Regards,

        Moon

      • Moon Ray Lo

        Hi Dinesh,

         

        This is what my team has responded about whitelisting: "Our SFTP server is already publicly available thus, no need to whitelist it. Can you confirm where to whitelist?"

         

        Would you be able to determine where specifically we should whitelist this?

         

        Thanks,

        Moon

    • Dinesh Pant

      Hi Moon,

      I feel you are using ICS, not OIC.

      In ICS, all requests go through a proxy. The Oracle proxy blocks requests sent to the Oracle SFTP server.

      You need to file a network ticket to whitelist the SFTP IP address so that the proxy connection goes fine.

       

      Regards,

      Dinesh

    • Ankur Jain

      Hi Moon,

      To access the Oracle provided SFTP from outside, you need to create security rules in which you provide the ICS IPs as a source to make a successful connection.

       

      Regards,

      Ankur 

      • Moon Ray Lo

        Hello Ankur,

         

        Thanks for your input. May I ask where exactly in ICS I can add the IPs? Does it have a frontend UI, or do I need to do it in the backend (the server where ICS resides)? I just need to know where I will add/manage the IPs in ICS for SFTP connections.

         

        Thanks ahead!

         

        Regards,

        Moon

    • Dinesh Pant

      Hi Moon,

      There is no configuration in ICS. You need to file a network SR for whitelisting.

       

      Regards,

      Dinesh

      • Moon Ray Lo

        Hello Dinesh

         

        Thanks for the input. With regard to whitelisting, do we have to raise a network SR whenever we have to deal with an IP in ICS?

         

        Regards,

        Moon

        • Dinesh Pant

          Yes, but this needs to be done only for SFTP servers provided by Oracle.

          You don't need to do anything if you are connecting to outside SFTP servers.

           

          Regards,

          Dinesh

    • Moon Ray Lo

      Hi,

       Just to update this thread: I tried to connect to the same SFTP server from a different domain this time (same setup/info as before, no whitelisting done) and I am now able to connect to it via the FTP Connection test.

       It seems the only difference between the two domains/environments is the version. Refer to the attached photo for the comparison of both. The one which didn't work is just Standard Edition (Version 180419.0000.1063), while the working one has an identity domain (Version 180512.0812.10140). Does it mean the concern resides with the version, like for security/IP handling?

       

      Thanks,

      Moon

      • Hemanth Lakkaraju

        It is evident from the screenshot that the non-working environment is ICS, and it needs whitelisting as mentioned by Dinesh. The environment where it is working is OIC, which is altogether a different case when it comes to network rules.

        • Dinesh Pant

          Hi Moon,

          OIC is a different topology.

          In the case of ICS you need to whitelist the SFTP IPs.

          Let me know if whitelisting has solved your problem.

           

          Regards,

          Dinesh

          • Moon Ray Lo

            Thank you Hemanth & Dinesh for the clarifications.

            I used to assume that ICS' security/network rules can be or always are the same as OIC's as well (since ICS is part of OIC).

            I will proceed with the whitelisting process in ICS and update this thread once done.

             

            Regards,

            Moon

    • Moon Ray Lo

      Hi All,

       

      The SFTP connection used to work for the past 2 weeks in OIC without any issue (integrations were able to execute read/write/list operations), but it started to error out recently with the error below:

      Unable to test connection "FTP_TEST_MRL". [Cause: CASDK-0002]
      CASDK-0002 : Unable to access the host 129.158.78.183
      Unable to connect to SFTP server. Please verify host and port details. Response of the command sftp -oPort=22 alvin.j.p.margallo@129.158.78.183 is Connecting to 129.158.78.183... Host key verification failed. Couldn't read packet: Connection reset by peer

       

      I have attached the diagnostics log of this connection error, and below is a snippet of the log related to this:


      <Jul 4, 2018, 10:26:12,956 AM UTC> <Error> <oracle.soa.adapter.cloud.ftp> <BEA-000000> <Connection to SFTP server failed. Host 129.158.78.183 Port 22 Proxy Type null Proxy Host null Proxy Port null Reason is Failed to negotiate a transport component [hmac-sha256,hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96,hmac-sha256@ssh.com] [hmac-sha2-512,hmac-sha2-256] [Unknown cause].>

       

      I am not aware of any changes on our OIC side; we are using OIC Version: 18.2.3.0.0 (180426.0419.980). I have also tried a different OIC Domain Version: 18.2.3.0.0 (180512.0812.10140), and I am getting the same issue. I tried to access the SFTP server through an SFTP client (WinSCP) and it is accessible.

       

      Any idea what could have caused this?

       

      Thanks,

      Moon

      • Dinesh Pant

        Hi Moon,

        It seems your SFTP is upgraded to the SHA2 algorithm, which is not supported currently in OIC.

        We are working on providing SHA2 support. It will be available in future releases.

        Till that time you need to use the SHA1 algorithm in the SFTP server.

         

        Regards,

        Dinesh

         

         

        • Moon Ray Lo

          Hi Dinesh,

           

          That really helped, as there were actually changes that happened on our SFTP server (which I was not really aware of until I got informed of these recently), reverting the algorithm to SHA1. Now the connection is successfully reestablished. :)

           

          Appreciate your immediate response, and glad to hear about providing SHA2 support in future releases. Thank you!

           

          Regards,

          Moon
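
The MAC negotiation failure from the diagnostics log in this thread, worked through as an added example (not part of the original thread and not Oracle's code). It assumes the first bracketed list in the log line is the adapter's offer and the second is the server's, which matches the reply that the server had moved to SHA2; the function names are hypothetical.

```python
import re

# Constructed sample: the "Reason" part of the diagnostics log line quoted in the thread.
LOG_LINE = (
    "Reason is Failed to negotiate a transport component "
    "[hmac-sha256,hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96,hmac-sha256@ssh.com] "
    "[hmac-sha2-512,hmac-sha2-256] [Unknown cause]."
)

NEGOTIATION_RE = re.compile(
    r"Failed to negotiate a transport component \[([^\]]*)\] \[([^\]]*)\]"
)


def parse_offers(line):
    """Return (client_offer, server_offer) name-lists from the log line, or None.
    Assumption: first list = adapter (client), second list = SFTP server."""
    m = NEGOTIATION_RE.search(line)
    if m is None:
        return None
    return tuple([n.strip() for n in g.split(",") if n.strip()] for g in m.groups())


def negotiate(client_offer, server_offer):
    """RFC 4253 section 7.1: the first client algorithm the server also lists wins.
    Names are compared exactly, so 'hmac-sha256' does not match 'hmac-sha2-256'."""
    server = set(server_offer)
    for name in client_offer:
        if name in server:
            return name
    return None


def diagnose(line):
    """Summarise whether the two offers in a log line share any algorithm."""
    offers = parse_offers(line)
    if offers is None:
        return "no negotiation failure in this line"
    client, server = offers
    chosen = negotiate(client, server)
    if chosen is not None:
        return f"negotiable: {chosen}"
    return f"no common algorithm; client offers none of: {', '.join(server)}"


if __name__ == "__main__":
    print(diagnose(LOG_LINE))
    client, server = parse_offers(LOG_LINE)
    # State after the server-side change described in the thread: a SHA-1 MAC is offered again.
    print(negotiate(client, server + ["hmac-sha1"]))
```
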