cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSLCertificateException: Peer certificate rejected by ChainVerifier. advise

Former Member

on ‎06-09-2010 5:30 AM

0 Kudos

Dear All Experts,

Need your help to resolve the below issue.

Our Client receiving the below error while sending the data from their Xi server.

"Delivering the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier."

Pls find the below few details which will help to analyze the issue.

1> Our XI server is on PI 7.0 and their XI ( Client ) server is on PI 7.1

2> We are able to send the data successfully from our XI server to Client XI server on HTTPS without configuration of any certificates.

3> On the same way client XI server is failed to send the data to our XI server and returning above error.

4> Our XI server is on Windows and Client XI server is on Unix.

5> We are using the SOAP channel to exchange the messages.

Even we have exchanged the certificates to each other and configured the same from both the ends but still issue remains same without any change. Showstopper for us. Kindly advise.

Pls suggest to resolve the issue. Will help if we get any steps on the configuration part for HTTPS connectivity on XI 7.0 as well as on XI 7.1

Thanks & Regards

Machindra Patade

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

former_member4985
Employee
Employee
‎06-09-2010 9:45 PM
0 Kudos

Hi Machindra,

Basically, the main reasons because of which the error mentioned here

are the following:

1. The correct server certificate is not present in the TrustedCA

keystore view of NWA .

Please ensure you have done all the steps described in these two urls:

Security Configuration at Message Level

http://help.sap.com/saphelp_nwpi711/helpdata/en/48/d1c7e690d75430e100000

00a42189b/frameset.htm

2. The server certificate chain contains expired certificate. Check for

it (that was the cause for other customers as well) and if it's the case

renew it or extend the validation.

3. Some other customers have reported similar problem and mainly the

problem was that the certificate chain was not in correct

order. Basically the server certificate chain should be in order

Own->Intermedite->Root. To explain in detail, if your server certificate

is A which is issued by an intermediate CA B and then B's certificate is

issued by the C which is the root CA (having a self signed certificate).

Then your certificate chain contains 3 elements A->B->C. So you need to

have the right order of certificate in the chain. If the order is B

first followed by A followed by C, then the IAIK library used by PI

cannot verify the server as trusted. Please generate the certificate in

the right order and then import this certificate in the TrustedCA

keystore view and try again.

4. If the end point of the SOAP Call(Server) is configured to accept

a client certificate(mandatory), then make sure that it is configured

correctly in the SOAP channel and it is also within validity period.

(This certificate is the one which is sent to Server for Client

authentication)

Last, for the PI 7.1, please check:

#1438515 - Development Configuration Import fails because CMS uses SSL

Hope it helps.

Regards,

Caio Cagnani

Show replies
Show replies
Former Member
‎06-12-2010 6:05 AM
0 Kudos

Dear All,

The issue got resolved after installing the fresh certificates in ABAP ( STRUST ) .

Thanks for your advise.

Regards

Machindra Patade

Ask a Question