SAP PI 7.11 Peer certificate rejected by ChainVerifier

Former Member
0 Kudos

Hi

In SAP PI 7.11 I get an error in my SOAP receiver adapter when I try to send a request to a web service on this url:

https://b2bqa.statoil.com/.

The error is:

SOAP: error occured: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Adapter Framework caught exception: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Delivering the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier.

I have done the following:

1) exported both the root and the intermediate certificate from the url (clicked the lock and exported the certificates). I exported them both as type DER and base 64.

2) downloaded root certificates from http://www.verisign.com/support/roots.html

3) went to /nwa and imported the certificates under TrustedCAs as X.509 certificate

4) resent the erroneous message in message monitor

5) pulled my already scarce hair when I realized, that I still get the error

What can I do, to get this working?

BR Mikael

Accepted Solutions (1)

Former Member
0 Kudos

Hi Mikael,

I don't think that this is related to a firewall issue (client and server could at least exchange certificates so it should be no firewall)

I would suggest the things that you already did, but you might try the following:

1) Are you using decentral and central Adapter engine? If yes, please remember that you need to install the certificate in the "correct" NWA as each engine has its own key store.

2) Try to open the called URL with a regular web browser. If the browser does not complain, you can be quite sure that the problem is not related to your trading partner's setup of the webserver. If the browser does complain, there is something wrong (either wrong certificate chain or expired certificates)

Hope this was helpful.

Best regards,

Markus

Answers (3)

Former Member
0 Kudos

hi mikael

Check in tcode SLG1 for the log generated for your user.

After that go to SMICM and goto->trace file->displayall

There you will get the exact error.

If your trace level is low then increase the trace level. If you can't do this, ask your basis guy to do this for you.

--sandeep

0 Kudos

Hi,

The main reasons for this error could be checked in the steps below:

1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in these two URLs:

Security Configuration at Message Level

http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm

2. The server certificate chain contains expired certificate. Check for it (that was the cause for other customers as well) and if it's the case renew it or extend the validation.

3. Some other customers have reported similar problem and mainly the problem was that the certificate chain was not in correct order. Basically the server certificate chain should be in order Own->Intermediate->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by the C which is the root CA (having a self signed certificate).

Then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificate in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third steps as the principal one.

As a resource, you may need to create a new SSL Server key.

The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site. I mean if I request URL X then the CN must be CN=X.

In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.

Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.

In any other case the SSL communication will not work.

Hope the information helps!

Regards,

Caio Cagnani
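
The three checks listed in the reply above (chain order Own->Intermediate->Root, expired certificates, CN equal to the requested host), as an added example that is not part of the original thread and not SAP or IAIK code. It works on subject CN, issuer CN and expiry date already read from each certificate and does not verify signatures; the host name, CA names and dates are constructed sample values.

```python
from datetime import datetime

def order_chain(certs):
    """Reorder certs Own -> Intermediate -> Root by following issuer links."""
    by_cn = {c["cn"]: c for c in certs}
    issuing = {c["issuer_cn"] for c in certs if c["issuer_cn"] != c["cn"]}
    leaves = [c for c in certs if c["cn"] not in issuing]
    if len(leaves) != 1:
        raise ValueError("cannot identify a single end-entity certificate")
    ordered, cur = [], leaves[0]
    while cur is not None and cur not in ordered:
        ordered.append(cur)
        self_signed = cur["issuer_cn"] == cur["cn"]
        cur = None if self_signed else by_cn.get(cur["issuer_cn"])
    return ordered

def diagnose(presented, host, now):
    """Return one finding per cause: wrong order, expiry, CN mismatch."""
    findings = []
    ordered = order_chain(presented)
    names = lambda chain: "->".join(c["cn"] for c in chain)
    if len(ordered) != len(presented):
        findings.append("broken: some certificates do not link to the server certificate")
    elif names(presented) != names(ordered):
        findings.append(f"order: presented {names(presented)}, expected {names(ordered)}")
    if ordered[-1]["issuer_cn"] != ordered[-1]["cn"]:
        findings.append("incomplete: chain does not end in a self-signed root")
    for c in ordered:
        if now > c["not_after"]:
            findings.append(f"expired: {c['cn']} on {c['not_after']:%Y-%m-%d}")
    if ordered[0]["cn"].lower() != host.lower():
        findings.append(f"cn-mismatch: CN={ordered[0]['cn']}, requested {host}")
    return findings

def cert(cn, issuer_cn, not_after):
    return {"cn": cn, "issuer_cn": issuer_cn, "not_after": not_after}

# Constructed sample: A = server, B = intermediate (expired), C = root.
NOW = datetime(2011, 11, 28)
A = cert("b2b.example.test", "Example Intermediate CA", datetime(2012, 6, 1))
B = cert("Example Intermediate CA", "Example Root CA", datetime(2011, 10, 1))
C = cert("Example Root CA", "Example Root CA", datetime(2020, 1, 1))

if __name__ == "__main__":
    # Chain presented as B, A, C: the wrong order described in the reply.
    for finding in diagnose([B, A, C], "b2b.example.test", NOW):
        print(finding)
```
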

Former Member
0 Kudos

A java restart did the trick

Former Member
0 Kudos

Hi guys,

At this moment we are facing an issue related to the same:

2011-11-28 12:19:41 Information SOAP: sent a delivery error ack

2011-11-28 12:19:41 Error SOAP: error occured: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

2011-11-28 12:19:41 Error Adapter Framework caught exception: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

2011-11-28 12:19:41 Error Delivering the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier.

Any aid will be appreciated.

prasad_ulagappan2
Contributor
0 Kudos

We also encountered the same issue in my earlier project. This is not an issue with PI, it's an issue with the firewall. Try to check with the network guys whether the firewall is opened enough for the receiver to communicate with PI.

Former Member
0 Kudos

Hi Prasad

The firewall guys, both our guys and the customer's firewall guys, say that the firewalls are opened for our request. Do you have any other suggestions?

Mikael

prasad_ulagappan2
Contributor
0 Kudos

This is more related to the customer firewall. There will be a log on the firewall where they can see how the messages are flowing through the firewall; please ask them to check it out. They need to configure a few settings over there to accept the certificate. Sorry about not telling you the exact settings, as I was not involved in the firewall stuff, however I am pretty much happy to help you narrow this down.