cancel
Showing results for 
Search instead for 
Did you mean: 

SOAP(HTTPS) receiver error

Former Member
0 Kudos

Hi,

I am working on RFC to SOAP(HTTPS) configuration, the cert we have received and deplyed through NWA to Certificates and Keys. I have configured the SOAP https receiver while i am trying to test the scenario getting the following error:

Error in processing caused by: com.sap.aii.af.lib.mp.module.ModuleException: call to messaging system failed: com.sap.engine.interfaces.messaging.api.exception.MessagingException: XIAdapterFramework:GENERAL:com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Can you please suggest me where i am doing wrong.

Thanks in advance,

Venkat

Accepted Solutions (0)

Answers (3)

Answers (3)

0 Kudos

Hi,

The main reasons for this error can be checked below:

1. The correct server certificate could not be present in the TrustedCA

keystore view of NWA. Please ensure you have done all the steps

described in the URL below:

Security Configuration at Message Level

http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe1000000

0a1550b0/frameset.htm

2. The server certificate chain contains expired certificate. Check for

it (that was the cause for other customers as well) and if it's the case

renew it or extend the validation.

3. Some other customers have reported similar problem and mainly the

problem was that the certificate chain was not in correct

order. Basically the server certificate chain should be in order

Own->Intermedite->Root. To explain in detail, if your server certificate

is A which is issued by an intermediate CA B and then B's certificate is

issued by the C which is the root CA (having a self signed certificate).

Then your certificate chain contains 3 elements A->B->C. So you need to

have the right order of certificate in the chain. If the order is B

first followed by A followed by C, then the IAIK library used by PI

cannot verify the server as trusted. Please generate the certificate in

the right order and then import this certificate in the TrustedCA

keystore view and try again. Please take this third steps as the

principal one.

4. If the end point of the SOAP Call(Server) is configured to accept

a client certificate(mandatory), then make sure that it is configured

correctly in the SOAP channel and it is also within validity period.

(This certificate is the one which is sent to Server for Client

authentication)

As a resource, you may need to create a new SSL Server key.

The requirement from SAP SSL client side is that the requested site has

to have certificate with CN equal to the requested site. I mean if I

request URL X then the CN must be CN=X.

In other words, the CN of the certificate has to be equal to the URL in

the ftp request. This can be the IP address or the full name of the

host.

Request the url with the IP of the SSL Server and the certificate to be

with CN = IP of the server.

In any other case the SSL communication will not work.

Regards,

Caio Cagnani

Former Member
0 Kudos

Hi,

just check whether the certificates are updated by the 3rd party system or the certificates r not expired........if certificates are updated, then reload then in NWA........then rerun ur scenario.........

Shabarish_Nair
Active Contributor
0 Kudos

please check this conversation -

try to follow the note 694290