FTPS error

  • #51907
    Shibu Mathew
    Participant

      Hi All,

      I am trying to FTP a file to United Healthcare using FTPS, but it does not seem to be working. The Connectivity Director document says to set the port range to between 50,000 – 50,200, and the mode to “PASSIVE”. I cannot find any parameter setting in the Cloverleaf FTPS config for “MODE” or “Port”. I’ve set the port in the Windows services file (ftps 21/tcp and ftps-data 50005/tcp). I am still getting the error “500 RFC 2228 not permitted through gateway”. Does anyone know what this error means or how to make FTPS work? Also, how can I set the mode to “PASV”? I have FTPS Encryption set to “Explicit”. Does this mean the mode will be PASV?

      We are on Cloverleaf 5.7 Rev 2, and do have the license for Secure Messenger.

      Thanks in advance,

      Shibu Mathew


      [pd  :thrd:INFO/0: t_to_uhc_x12:07/29/2010 13:41:10] Processing OB-Data message queue

      [pd  :pdtd:INFO/0: t_to_uhc_x12:07/29/2010 13:41:10] [0.0.12903054] Writing message to Protocol Driver fileset-ftps

      [fset:wrte:INFO/1: t_to_uhc_x12:07/29/2010 13:41:10] Parsing control string ‘{OBFILE N_278NB_000000001__adt}’

      [fset:init:DBUG/0: t_to_uhc_x12:07/29/2010 13:41:10] SSL_PROTOCOL: 0

      [fset:init:DBUG/0: t_to_uhc_x12:07/29/2010 13:41:10] fcDoNetworkStuff:  mode=5

      * About to connect() to 209.235.12.148 port 21 (#0)

      *   Trying 209.235.12.148… * connected

      * Connected to 209.235.12.148 (209.235.12.148) port 21 (#0)

      < 220-Connectivedi FTP(S) server. Please use SSL to upload non-encrypted files. Non-SSL uploaded files that are not PGP encrypted will be deleted immediately upon arrival. You can upload files and download files and get a directory listing. All other data commands have been disabled, including changing directories.

      < 220

      > AUTH SSL

      < 500 RFC 2228 not permitted through gateway

      > AUTH TLS

      < 500 RFC 2228 not permitted through gateway

      * Closing connection #0

      * Requested SSL level failed

      • #72215
        Jim Kosloskey
        Participant

          Shibu,

          On the FTP Options Tab of the thread configuration (Fileset/ftp protocol) if you do NOT check the Active box it is PASV.

          In the same Tab, in the FTP Host Information container, there is a place for entering the port. My connection to UHC was to pick up delayed responses and I just used the default port ‘ftp’; perhaps for sending to them they want something different, but I doubt it. Have you tried using ftp as the port?

          For the SSL settings I used Explicit and ClientAnon and SSL Protocol All.

          One thing that can cause you grief is if you fill out the ‘Host name or IP Address’ entry of the FTP Options container in the FTP Options Tab. That will definitely hose you up, so if you have an entry in there, remove it. Instead, that information should be in the ‘FTP Host Information’ container of the FTP Options Tab.

          As you are probably finding out – they (UHC) are of no help at all.

          Email me if you want to discuss further off line.

          email: jim.kosloskey@jim-kosloskey.com 29+ years Cloverleaf, 59 years IT - old fart.

        • #72216
          Shibu Mathew
          Participant

            Hi Jim,

            I do not have the ACTIVE mode checked. I also do not have the ‘Host name or IP Address’ entry of the FTP Options filled. I have the ip address in FTP Host information. In ports, I have selected “ftps”, I will change it to “ftp” and see if that makes any difference. I will let you know how it goes.

            Thank you so much !

            Shibu

          • #72217
            Jim Kosloskey
            Participant

              Shibu,

              It looks like you are getting connected but being rejected at the SSL certification.

              Make sure whether they are actually checking the certificate or not.

              We shut down our UHC interaction some time ago. When it was functioning, the SSL settings I gave you worked for getting via FTP (we were using HTTPS not FTPS for sending the 278) but they may have tightened up their security such that they now require a valid certificate.

              You can try asking their support what they want and ask for assistance but based on my experience I would suspect they won’t be much help.

              Are you trying to communicate with their ‘test’ environment or their production environment? I seem to recall their ‘test’ environment does not mimic what they have documented.

              I know there are others who are using FTP for UHC but I don’t know if they are doing that via Cloverleaf.

              If you want to discuss using HTTPS (which is what I set up here) let me know.


            • #72218
              Shibu Mathew
              Participant

                Jim,

                As you mentioned correctly, changing ftps to ftp did not do anything. I am connecting to http://ftp.unitedhealthcarecd.com, which I believe is their production site (I will confirm with them). They told me to ensure that the high-range ports are open from the ftp client for file transfers (50,000 – 50,200). So, I set “ftps-data” in Windows services to 50005, but I don’t see any activity on this port 50005 in the logs. Error 500 on AUTH (Authentication/Security Mechanism) means “unrecognized command”, and I can’t figure out what command, sent by Cloverleaf, the UHC server could not recognize. I have asked UHC support to tell me more about this error.

                I will get in touch with you regarding setting up HTTPS connectivity if this does not work.

                Thanks,

                Shibu

              • #72219
                Jim Kosloskey
                Participant

                  Shibu,

                  This:

                  < 500 RFC 2228 not permitted through gateway

                  * Closing connection #0

                  * Requested SSL level failed

                  tells me you are being rejected for security reasons.

                  Besides explicit in the SSL settings on the thread, what other settings in the SSL section did you use?

                  I did not need to change anything in my ports settings on the O/S (AIX not Windows).

                  This:

                  * About to connect() to 209.235.12.148 port 21 (#0)

                  *   Trying 209.235.12.148… * connected

                  * Connected to 209.235.12.148 (209.235.12.148) port 21 (#0)

                  < 220-Connectivedi FTP(S) server. Please use SSL to upload non-encrypted files. Non-SSL uploaded files that are not PGP encrypted will be deleted immediately upon arrival. You can upload files and download files and get a directory listing. All other data commands have been disabled, including changing directories.

                  < 220

                  > AUTH SSL

                  Tells me you got connected to the first layer UHC has (Connectivity Director) and it was at the point of validating your certificate when problems occurred. So I think all of your communication settings are good but it is the Security that is askew.


                • #72220
                  Shibu Mathew
                  Participant

                    Jim,

                    The rest I have left as default .. Mode is “ClientAnon” and SSL Protocol  is set to “All”

                    Thanks,

                    Shibu

                  • #72221
                    Shibu Mathew
                    Participant

                      Jim,

                      I have sent an email to UHC, to see if I need to install any certificates.

                      Thanks again,

                      Shibu

                    • #72222
                      Bob Richardson
                      Participant

                        Greetings,

                        One and All, I have spent a considerable amount of time trying to get any useful help out of UHC in configuring an SSL connection.  We are using a new platform on (ugh!) a windows server known as GlobalScape.  The response from UHC for debugging their SSL was “read our doco on our web page for guidance”.  Couldn’t even get a 10 minute conference call between our GlobalScape tech support and their (UHC) tech support.  Not allowed.  UHC refused to answer our tech’s questions.

                        So… went back to the old FTP option. To make a long story short, we had to turn off the SIZE request, which issues a CWD (change directory) request that is verboten at UHC. By not CWD’ing via the SIZE request, we now can FTP PGP encrypted files (we gave them our public key awhile back – they accepted it).

                        So… I would ask them for their discrete list of what FTP features are supported and consider doing PGP (or freeware GPG) encryption transfers with them.

                        We tried in vain to do SSL – our GlobalScape tech figures their SSL libraries are out of date and thus there was a compatibility issue between GlobalScape SSL libraries and their SSL libraries.  But then without any logs from them (we asked for those too – not available), it is all a guessing game.

                        Our long term plan is to figure out a solution that does not involve them.

                        Good luck… find something to punch to discharge your frustration when working with them again.

                      • #72223
                        David Barr
                        Participant

                          Shibu Mathew wrote:


                          < 500 RFC 2228 not permitted through gateway

                          This error is not coming from their FTPS server.  It is coming from a firewall or gateway that is between Cloverleaf and the FTP server.  I’d talk to your network administrators and see if they have to do anything special to allow secure FTP connections to this remote host.

                          I know that this is a problem on your network and not with the FTP server because I was able to get past the AUTH TLS step using a client from my network.
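One way to separate the two cases this reply distinguishes (the end server refusing TLS versus an FTP-aware gateway in the path rejecting the RFC 2228 command) is to drive the opening exchange of explicit FTPS by hand and look at exactly which reply comes back to AUTH TLS. The Python probe below is an added example, not code from this thread, from Cloverleaf or from UHC. It reads the RFC 959 greeting (including the multi-line 220- form seen in the log above), sends AUTH TLS, and classifies the reply. The in-process “gateway” it talks to, its banner text and the loopback address are constructed so the example runs offline, and classifying by reply text is a heuristic based on the message in the log, not a standard.

```python
"""Explicit-FTPS opening-exchange probe (added example, not Cloverleaf/UHC code).

Connects in the clear, reads the greeting, sends AUTH TLS (RFC 2228 / RFC 4217)
and classifies the reply so "the server declined TLS" can be told apart from
"a gateway in the path rejected the command". A fake in-process gateway with a
constructed banner lets the probe run offline.
"""
import socket
import threading

# Constructed banner modelled on the thread's log; not a capture.
GATEWAY_BANNER = "220-Example FTP(S) server. Please use SSL to upload files.\r\n220 \r\n"
GATEWAY_REJECT = "500 RFC 2228 not permitted through gateway\r\n"


def read_reply(f):
    """Read one FTP reply: 'NNN text', or a block starting 'NNN-' that ends
    with a line starting 'NNN '. Returns (code, full_text)."""
    first = f.readline()
    if not first:
        raise ConnectionError("peer closed the connection before replying")
    code = first[:3]
    if not code.isdigit():
        raise ValueError(f"malformed reply line: {first!r}")
    lines = [first.rstrip("\r\n")]
    if first[3:4] == "-":                      # multi-line reply
        while True:
            line = f.readline()
            if not line:
                raise ConnectionError("peer closed the connection mid-reply")
            lines.append(line.rstrip("\r\n"))
            if line.startswith(code + " "):   # terminator line
                break
    return int(code), "\n".join(lines)


def classify_auth_reply(code, text):
    """Heuristic diagnosis of the AUTH TLS reply. Assumption: a gateway that
    intercepts RFC 2228 commands names itself (or the RFC) in its reply."""
    lowered = text.lower()
    if code == 234:
        return "tls-accepted"           # client may now start the TLS handshake
    if "gateway" in lowered or "rfc 2228" in lowered:
        return "blocked-by-gateway"     # the command never reached the server
    if code in (500, 502, 504, 530):
        return "server-refuses-tls"     # the end server itself declined
    return "unexpected"


def probe_auth_tls(host, port=21, timeout=10.0):
    """Return (greeting_code, auth_code, auth_text, diagnosis) for host:port."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="latin-1", newline="")
        greet_code, greet_text = read_reply(f)
        if greet_code != 220:
            return greet_code, None, greet_text, "no-service"
        f.write("AUTH TLS\r\n")
        f.flush()
        auth_code, auth_text = read_reply(f)
        try:                                   # polite close; failures here are irrelevant
            f.write("QUIT\r\n")
            f.flush()
            read_reply(f)
        except (OSError, ValueError):
            pass
        return greet_code, auth_code, auth_text, classify_auth_reply(auth_code, auth_text)


def start_fake_gateway():
    """Single-connection stand-in for an FTP application-layer gateway that
    greets the client and answers every AUTH with a 500. Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    addr = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            try:
                f = conn.makefile("rw", encoding="latin-1", newline="")
                f.write(GATEWAY_BANNER)
                f.flush()
                while True:
                    line = f.readline()
                    if not line:
                        break
                    verb = line.split(" ", 1)[0].strip().upper()
                    if verb == "AUTH":
                        f.write(GATEWAY_REJECT)
                    elif verb == "QUIT":
                        f.write("221 Goodbye.\r\n")
                        f.flush()
                        break
                    else:
                        f.write("502 Command not implemented.\r\n")
                    f.flush()
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return addr


if __name__ == "__main__":
    host, port = start_fake_gateway()
    print(probe_auth_tls(host, port))   # diagnosis: blocked-by-gateway
```

Against a real host you would call `probe_auth_tls("ftp.example.com", 21)` (hypothetical name). A 234 means the server accepted AUTH and the TLS handshake can start; that is the step Python’s `ftplib.FTP_TLS.auth()` performs, after which RFC 4217 clients send PBSZ 0 and PROT P to protect the data channel. A 500 whose text names a gateway, as in the log above, means the command was answered by something in the path rather than by the server, so changing Cloverleaf’s SSL mode or adding certificates cannot fix it; the network team has to let the RFC 2228 commands (AUTH, PBSZ, PROT) through, or exempt this destination from the FTP application-layer gateway.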

                        • #72224
                          Jim Kosloskey
                          Participant

                            Shibu,

                            Dave may be on to something here.

                            We did not have anyone between us and UHC (as far as I know) and we connected fine (for getting from their server; we used https to put on their server).

                            So if this is the case, using https won’t help you until you get this issue resolved because you still need to use ftps to get delayed responses.

                            Bob – we used Cloverleaf ftp with SSL (5.6) and all worked fine. I needed to specify the directory as something like the home directory so it would not think I was trying to switch to another directory. I seem to recall the CWD is not rejected just the attempt to CWD to anything other than the home directory.

                            Shibu-

                            UHC is very frustrating to deal with. Even after you get things ‘working’, you will have issues like unannounced or poorly announced down times. Changes they make that affect you and they are not either documented or even admitted to – just you need to make changes on your side. I am not saying this happened every day but during our trial period (a few months) it happened sufficiently to cause us concern. Regression testing seems to be an advanced topic to them.

                            I sent emails that took months to be responded to and frequently the response was as Bob indicated – read the doc.

                            One thing to keep in mind is you will need a method to track the 278s you send and the 278s you receive because there is NO guarantee from UHC that you will receive a 997 or 278 for a 278 you send them. It is up to you to catch that you never received any response for the 278 you sent.

                            Moreover, you will need some method to modify the 278 if UHC detects an error and then resubmit.

                            We did some rather slick stuff where we managed a DB2 DB via Cloverleaf and some application code that exposed the original request (278) and the response (either 997 or 278) along with a literal explaining the issue UHC reported. The user then could correct the request in their data elements and we would convert that to a 278 and resubmit.

                            You also need to know UHC reports the first error they detect (that is not what one expects with X12) such that if a request has multiple errors that could easily be detected, they stop checking once they find the first error. Thus it can take many submissions before an acceptable 278 is sent to UHC. Also many of their error codes are in sore need of clarification and (at least when we were doing this) some were missing or even just incorrect.

                            Even though we shut the whole thing down, I am glad we chose https over ftps because it appeared it could take many exchanges to get a correct 278 and I think it could be difficult to hit the 24 hour window with timed FTP ( some folks were thinking of getting by with once or even twice a day FTP). So keep that in mind as well. You might have to set up your FTP to just keep checking to see if there is anything to send.


                          • #72225
                            Shibu Mathew
                            Participant

                              Jim and All,

                              Thank you so much for all your input. You guys are amazing! I have requested our network folks to see if the ports in the range 50000 – 50200 (which is what UHC has requested for data transfer) are open on the firewall. Right when I thought I was getting close to the finish line, I find that I am only half way through.

                              I asked UHC support if I would be needing a certificate and below is their reply …. I think this user group can provide UHC better support from all the experience they have gained trying to get 278 N working.. 🙂

                              For your question “Do I need any kind of certificates for authentication ?”  You can find the information you need when you go to our website at https://www.unitedhealthcarecd.com on the right side of the page open the Connectivity DirectorSM EDI Connection System User Guide Version 2.0.7.3 June 2010.  See section 4.4 Programmatically Uploading and Retrieving Data To and From Connectivity Director.    Thank you.

                            • #72226
                              Bob Richardson
                              Participant

                                Greetings,

                                Ok… just a note on the CWD (change directory) command at UHC via standard FTP:  they do not allow CWD even into your own home directory.

                                This is what blew away our standard FTP configuration using GlobalScape.

                                Management has directed us to use a File Transfer Management package to handle our FTP load rather than create custom coded Curl drivers on Cloverleaf.

                                Sometimes you just march and die…

                                Have a great day everyone!

                              • #72227
                                Jim Kosloskey
                                Participant

                                  Shibu,

                                  THAT is the UHC I grew to know and love (can’t say I am unhappy we canned that integration all together).

                                  I looked at the section to which they refer just for grins and it appears to me with just a casual reading the certificate information is aimed towards https. However, I can tell you I did not use a certificate with https when we connected to them.

                                  I hope you find out there is a gateway or some other issue in your network because even though most network folks are difficult to communicate with, UHC is impossible.

                                  I know there are other Cloverleaf users out there who have used FTP. I don’t know that many of them have used ftps or even Cloverleaf.

                                  You might want to re-post here: https://usspvlclovertch2.infor.com/viewtopic.php?t=2360&highlight=278

                                  That is the original discussion thread that had a lot of talk about this and maybe there are some contacts there or those folks might be paying closer attention to the 278 than ftps.


                                • #72228
                                  Jim Kosloskey
                                  Participant

                                    Bob,

                                    I guess they changed their handling since we were connected.

                                    I am not surprised since it seems like every time I turned around they changed something that worked to something that did not.

                                    As I said, I am glad the powers that be decided not to have ANY programmatic integration with UHC for the 278.

                                    We have NO mechanism for programmatically notifying UHC via 278s.

                                    That removed an awful lot of wasted time.


                                  • #72229
                                    Bob Richardson
                                    Participant

                                      Jim,

                                      UHC did an unannounced upgrade to their application over the weekend and then our process failed.  They directed us to their website and that is where I found the disabling of the CWD feature.  Their other response was “you fix your code to play with our code”.

                                      Enough said…

                                      BobR

                                    • #72230
                                      David Barr
                                      Participant

                                        Shibu Mathew wrote:

                                        Jim and All,

                                        Thank you so much for all your input. You guys are amazing ! I have requested our network folks to see if the ports in the range 50000 – 50200 (which is what UHC has requested for data transfer), is open on the firewall .

                                        Checking the port range is a good and necessary thing, but your transfer is being blocked before that point.  You need to ask the network folks to allow the FTPS protocol between Cloverleaf and the FTPS server.
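The port-range check David calls necessary can be made concrete. In passive mode the server, not the client, chooses the data port and announces it in a 227 reply as (h1,h2,h3,h4,p1,p2), with the port equal to p1*256 + p2; a client-side services entry such as ftps-data 50005/tcp does not influence that choice. What the client can do is parse the reply and refuse any data connection that falls outside the range the partner asked you to open, or that points at a host other than the control-connection peer (a proxy in the path, or a spoofed reply, would show up here). The Python below is an added example, not Cloverleaf code; the 227 replies it checks are constructed, and the 50000–50200 range is the one quoted in the thread.

```python
"""PASV (227) reply validation (added example, not Cloverleaf/UHC code).

parse_pasv() extracts the data endpoint a server announces in passive mode;
check_pasv() accepts it only if the host is the control-connection peer and
the port lies inside the firewall range the partner asked for. Every reply
used here is constructed for the demonstration.
"""
import re

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) from a '227 ...' reply; raise ValueError otherwise."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in: {reply!r}")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in: {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]            # RFC 959: high byte, low byte
    if port == 0:
        raise ValueError("server announced data port 0")
    return host, port


def check_pasv(reply, control_peer, port_range=(50000, 50200)):
    """Return (ok, reason, host, port). ok is True only when the announced data
    endpoint is the control peer on a port inside port_range."""
    host, port = parse_pasv(reply)
    lo, hi = port_range
    if host != control_peer:
        return False, f"data host {host} differs from control peer {control_peer}", host, port
    if not lo <= port <= hi:
        return False, f"data port {port} outside allowed range {lo}-{hi}", host, port
    return True, "ok", host, port


def pasv_tuple(host, port):
    """Inverse of parse_pasv: the h1,h2,h3,h4,p1,p2 text a server would send
    for host:port. Useful for reading a firewall log or building test replies."""
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


if __name__ == "__main__":
    peer = "209.235.12.148"   # control-connection peer seen in the thread's log
    for reply in (
        f"227 Entering Passive Mode ({pasv_tuple(peer, 50005)}).",        # in range
        f"227 Entering Passive Mode ({pasv_tuple(peer, 1025)}).",         # below range
        f"227 Entering Passive Mode ({pasv_tuple('10.0.0.5', 50005)}).",  # other host
    ):
        print(reply, "->", check_pasv(reply, peer)[:2])
```

Most clients already apply the host half of this check for you: Python’s `ftplib.FTP` ignores the advertised IPv4 address and reuses the control peer unless `trust_server_pasv_ipv4_address` is set, and curl (whose trace format the Cloverleaf log above shows) has `--ftp-skip-pasv-ip` for the same purpose. The port half is what tells you, before the firewall does, whether the range the partner documented is the range their server actually uses.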
