I came across a customer issue where the customer is on Sterling Integrator (SI) version 5.2.4. SI is a cluster with 2 nodes, but only 1 node is active now. The customer is using FTPS with SI as the client, and the FTPS server is Microsoft IIS. The setup was working fine until they changed the FTPS server. The certificates are the same. They are able to connect to the FTPS server using other clients such as WinSCP. However, the SI FTPS BP client is failing with the error below: 530 User cannot log in. They validated that TLS 1.0, 1.1 and 1.2 are enabled on the FTPS server side, and the SI client uses TLS 1.0 by default. They are on 5.2.4.0, so they do not have SSLHello in the security or customer_overrides.
This is the failing BP error:
The network traces (Wireshark) indicate that the SI client is failing with TLSv1 Record Layer: Encrypted Alert during the SSL handshake. We suspected that the SSL handshake was the problem. We asked the customer to turn on SSL logging to see what the problem was. Here are the instructions to enable SSL traces:
http://www-01.ibm.com/support/docview.wss?uid=swg21684974
Before the customer collected the SSL logs, he found that the issue was with the Microsoft IIS FTPS server. The security settings were corrected and that resolved the issue. The Wireshark traces misleadingly suggested that the issue was with the SI client.
See the Microsoft technote below regarding the 530 "User cannot log in" issue:
Later, the customer hit another case where the FTPS client received error 530 after sending the password and username to the remote IIS server. The user account was getting locked every few minutes. The BPs had the right password. Later, we found that the reason for the 530 was a wrong password configured in the Obscure service. You can find more about the Obscure service here:
https://www.ibm.com/support/knowledgecenter/SS3JSW_5.2.0/com.ibm.help.svcs_adpts_m_z.doc/Obscure_Process_Data_Values_svc.html
The passwords were wrong in different versions of the BP. After fixing them and updating the Obscure service, it worked.
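
A 530 from IIS can be narrowed down from the server's own FTP log rather than from the packet capture. The following is an added example, not part of the original post and not IBM or Microsoft code: it parses an IIS FTP log in W3C format, groups failed PASS commands by user and client address, and records whether AUTH TLS had already succeeded in that session. The log lines are constructed, and the column set is an assumption read from the sample's own `#Fields` header.

```python
from collections import defaultdict

# Win32 error codes as they appear in the sc-win32-status column.
WIN32 = {"1326": "bad username or password", "1909": "account locked out"}

# Constructed sample log (addresses and user name are made up for illustration).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status x-session
2020-01-01 10:00:00 192.0.2.10 - AUTH TLS 234 0 s1
2020-01-01 10:00:01 192.0.2.10 - USER si_user 331 0 s1
2020-01-01 10:00:01 192.0.2.10 - PASS *** 530 1326 s1
2020-01-01 10:05:00 192.0.2.10 - AUTH TLS 234 0 s2
2020-01-01 10:05:01 192.0.2.10 - USER si_user 331 0 s2
2020-01-01 10:05:01 192.0.2.10 - PASS *** 530 1909 s2
2020-01-01 10:06:00 192.0.2.20 - AUTH TLS 234 0 s3
2020-01-01 10:06:01 192.0.2.20 - USER si_user 331 0 s3
2020-01-01 10:06:01 192.0.2.20 si_user PASS *** 230 0 s3
"""

def parse(log_text):
    # Yield one dict per record, using the column names from the #Fields line.
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def failed_logins(log_text):
    # Group 530 replies to PASS by (user, client IP) and note the TLS state.
    tls_ok, user_of = set(), {}
    report = defaultdict(lambda: {"count": 0, "after_tls": 0, "reasons": set()})
    for r in parse(log_text):
        sid, method = r["x-session"], r["cs-method"].upper()
        if method == "AUTH" and r["sc-status"] == "234":
            tls_ok.add(sid)               # TLS negotiation was accepted
        elif method == "USER":
            user_of[sid] = r["cs-uri-stem"]
        elif method == "PASS" and r["sc-status"] == "530":
            entry = report[(user_of.get(sid, "?"), r["c-ip"])]
            entry["count"] += 1
            entry["after_tls"] += sid in tls_ok
            entry["reasons"].add(WIN32.get(r["sc-win32-status"], r["sc-win32-status"]))
    return dict(report)

if __name__ == "__main__":
    print(failed_logins(SAMPLE_LOG))
```

When every failure for a client address is counted under `after_tls`, the server accepted the TLS negotiation and rejected the credentials, which points at the stored password rather than the handshake.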