on 10-28-2010 3:13 AM
Hi,
This scenario is a File to File - Outbound Async Interface. Receiver is configured FTPS with mostly the default parameters.
However FTPS again haunted us with "Peer Certificate Rejected by Chain Verifier " error. We have configured one communication channel with FTPS and tested in DEV, QA clients and moved to production. The weird behavior is it works only certain time. Overall it works 50% of time ok and 50% of time failed with the above error.
We kept opened all ports on the firewall for outgoing messages.
We cannot understand the dual behavior. Appreciate any help to resolve this issue.
Dharmasiri Amith
Hi Amith,
The main reasons for this error follows:
1. The correct server certificate could not be present in the TrustedCA
keystore view of NWA. Please ensure you have done all the steps
described in these two URLs:
Security Configuration at Message Level
http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe1000000
0a1550b0/frameset.htm
2. The server certificate chain contains expired certificate. Check for
it (that was the cause for other customers as well) and if it's the case
renew it or extend the validation.
3. Some other customers have reported similar problem and mainly the
problem was that the certificate chain was not in correct
order. Basically the server certificate chain should be in order
Own->Intermedite->Root. To explain in detail, if your server certificate
is A which is issued by an intermediate CA B and then B's certificate is
issued by the C which is the root CA (having a self signed certificate).
Then your certificate chain contains 3 elements A->B->C. So you need to
have the right order of certificate in the chain. If the order is B
first followed by A followed by C, then the IAIK library used by PI
cannot verify the server as trusted. Please generate the certificate in
the right order and then import this certificate in the TrustedCA
keystore view and try again. Please take this third steps as the
principal one.
As a resource, you may need to create a new SSL Server key.
The requirement from SAP SSL client side is that the requested site has
to have certificate with CN equal to the requested site. I mean if I
request URL X then the CN must be CN=X.
In other words, the CN of the certificate has to be equal to the URL in
the ftp request. This can be the IP address or the full name of the
host.
Request the url with the IP of the SSL Server and the certificate to be
with CN = IP of the server.
In any other case the SSL communication will not work.
Regards,
Caio Cagnani
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
You need to check the expiry date of SSL CERTIFICATE..
Rgds
veeru
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
I am not quite sure why it sometimes work and sometimes not.
I suggest to check the SSL certificate of the FTPS. Look at the certificate and make sure that the CA that issued that certificate is imported in the trusted ca keystore.
In addition, set the debug level of the File Adapter to debug. You should then get more information on the certificates that are causing the information.
Best regards,
markus
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
88 | |
10 | |
10 | |
9 | |
7 | |
7 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.