
SOAP RECEIVER SSL Problems

0 Kudos

Dear Community,

I have configured a SOAP Receiver to an external web service (https://server:7002/service). I have used IE to get the certificate of the server and have imported it into the keystore of the J2EE (using VA). I have imported it to all the current views available. We have SAP PI 7.0 SP18. The problem is that the SSL handshake is not performed correctly. I have placed a TCP gateway monitor tool to see the messages pass through. As soon as the first message is sent to the above URL and a response is received, I get a XIAdapter/HTTP/ADAPTER.HTTP_EXCEPTION - HTTP 500 Internal Server Error. Also, in the default trace log I get a no private key found.... Do I need extra steps to configure SSL in the SOAP Receiver? The service does not require a client authentication certificate and has a certificate with no CA root certificate (since this is only a test system and has issued its own certificate). Any ideas? Any help will be appreciated.

Regards,

S.Socratous

Accepted Solutions (0)

Answers (3)


0 Kudos

I use the SOAP Module parameter XMBWS.NoSOAPIgnoreStatusCode = true in order to see the response. The SSL handshake was ok after importing the CA root certificate. Now the problem is internal to the web service. Thanks all for the advice.

0 Kudos

Hello,

Generally it's a connectivity behaviour. Check if you have set up the connection to the receiver and also check the explanation regarding 500 Internal Server Errors:

*Description: The server encountered an unexpected condition which prevented it from fulfilling the request.

Possible Tips: Have a look into SAP Notes – 804124, 807000*

It may be also a problem with the SSL certificate. So, check if it's not expired;

The correct server certificate may be not present in the TrustedCA keystore view of NWA.

Please ensure you have done all the steps described in these url (this is for 7.11):

Security Configuration at Message Level

http://help.sap.com/saphelp_nwpi711/helpdata/en/48/d1c7e690d75430e10000000a42189b/frameset.htm

You may have not imported the certificate chain in the correct order (Own -> Intermediate -> Root);

Last, if the end point of the SOAP call (server) is configured to accept a client certificate (mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within validity period. (This certificate is the one which is sent to the server for client authentication.)

Hope that helps.

With regards,

Caio Cagnani

0 Kudos

Hi,

Thanks for the answer. I have checked the notes that you have mentioned and all relative setups. The steps I did were:

  • import the certificate of the server (web service) I am calling in the TrustedCA keystore view *Note: this is a test certificate*

  • check the ssl-credentials (not expired)

What happens is that during SSL handshake, as soon as the first response comes from the web service, in SAP XI I get an HTTP 500. I was able to put a tcpgateway in between, so I can see that I am reaching the web service, it is sending something back encrypted, and in SAP XI I get HTTP 500. The problem is that I cannot see what exactly goes wrong during SSL handshake. Must the certificate of the web service be a valid certificate? Or can SAP XI work with a certificate issued by the web service itself (as long as I have imported it in the TrustedCA view)?

Please advise.

Former Member
0 Kudos

Hi Socratous,

If the webserver is accepting only https requests, then we can configure the SOAP receiver to send the requests through SSL by using the installed certificates.

While configuring the SOAP receiver channel, you need to check 'Configure certificate authentication' and select the appropriate keystore entry.

See if you are able to send the request without error now.

0 Kudos

Hi,

Whether I choose certificate authentication or not, it has the same result. The client certificate authorization is not required.

All I need is to be able to open a SSL connection (like a browser will do) and send data to the web service.

Thanks.

0 Kudos

Hi,

Seems that the certificate is not recognized as a Trusted CA.

Anyway, check this link and its associations:

http://help.sap.com/saphelp_nw70/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/frameset.htm

The error 500 could also mean that you have not configured properly the service which you're trying to call and so it's being raised.

As another suggestion, you may search for this specific error "ADAPTER.HTTP_EXCEPTION" on SDN, since I believe we have already had similar behaviours like this before.

Don't forget to point if the answers are helpful.

With regards,

Caio Cagnani

Former Member
0 Kudos

See the exact error from the trace or from the Communication channel monitoring, when you are selecting the 'certificate authentication'. Is it still same as the one you get when you did not select this option?

You may get this error if the webserver is not accepting your request.

This could be due to any of these reasons.

- The server is down.

- The certificate may not be from a Trusted CA.

- The SOAP action might be wrong

- The request did not match the security profile of the webserver

The error message in the trace may contain what went wrong exactly. Then it would be easier to find the cause.

0 Kudos

Hi,

Based on the analysis up to now, the problem is during SSL handshaking. A request is sent to the web service (external) from SAP XI (through https), the web service sends a response back, and internally we get the HTTP 500 error. In the VA keystore I have imported the certificate of the web service in the TrustedCA view but I do not have the root certificate. The certificate that I obtained using Firefox (Mozilla) and then view and export certificate has an owner = CN=yoda.athens.intrasoft-intl.private, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, SP=MyState, C=US

and Issuer = CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, SP=MyState, C=US.

Do I also need to have a root certificate for CN=CertGenCAB? Because I believe that this is the reason the SSL handshake fails. Also, is there a way to debug the SSL handshake and see the actual steps? I have set several options in the VA log configuration but I did not see such info anywhere. Thanks.

0 Kudos

Hi,

First, the CN = Full name of the host or IP address of the server.

Second, to debug the SSL you may refer to note:

#1019634 - Troubleshooting SSL problems

And last check again if the certificate is a TrustedCA.

If rejected, the cause could be that.

Regards,

Caio Cagnani
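
The question in the thread about `CN=CertGenCAB`, as an added example that is not part of the original posts: a name-based walk over a trust store showing why importing only the server certificate leaves the chain without an anchor. The subject and issuer of the server certificate are the ones quoted in the thread; the self-issued `ROOT_CERT` entry is an assumption, and the code compares names only, without verifying signatures or validity dates.

```python
# Added example: name-based chain walk (no signature or date checks), stdlib only.
# Limitation: DN values containing escaped commas are not handled.

def parse_dn(dn):
    """Normalize 'CN=a, OU=b' into a tuple of (ATTR, value) pairs."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().upper(), value.strip().lower()))
    return tuple(parts)

def chain_status(leaf, trust_store, max_depth=8):
    """Follow issuer links from leaf through trust_store.

    Certificates are dicts with 'subject' and 'issuer' DN strings.
    Returns (complete, path_of_subjects, missing_issuer_or_None).
    """
    by_subject = {parse_dn(c["subject"]): c for c in trust_store}
    path, current = [leaf["subject"]], leaf
    for _ in range(max_depth):
        subj, issuer = parse_dn(current["subject"]), parse_dn(current["issuer"])
        if subj == issuer:
            # Self-issued certificate: the chain ends here and is anchored
            # only if this certificate itself is in the trust store.
            trusted = subj in by_subject
            return trusted, path, None if trusted else current["subject"]
        parent = by_subject.get(issuer)
        if parent is None:
            # The issuer's certificate is absent: nothing anchors the chain.
            return False, path, current["issuer"]
        path.append(parent["subject"])
        current = parent
    return False, path, current["issuer"]  # too deep or a naming loop

# DNs quoted in the thread for the server certificate.
CA_DN = ("CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, "
         "L=MyTown, SP=MyState, C=US")
SERVER_CERT = {
    "subject": ("CN=yoda.athens.intrasoft-intl.private, OU=FOR TESTING ONLY, "
                "O=MyOrganization, L=MyTown, SP=MyState, C=US"),
    "issuer": CA_DN,
}
# Constructed entry: assumes CertGenCAB is a self-issued root.
ROOT_CERT = {"subject": CA_DN, "issuer": CA_DN}

if __name__ == "__main__":
    print(chain_status(SERVER_CERT, [SERVER_CERT]))
    print(chain_status(SERVER_CERT, [SERVER_CERT, ROOT_CERT]))
```

With only the server certificate in the store, the walk stops at the missing `CN=CertGenCAB` issuer; with the root present the chain completes, which matches the poster's report that the handshake succeeded after importing the CA root certificate.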