on 04-20-2011 11:56 AM
Hi All,
We have an RN scenario and we are facing the following problem in one of our B2B outbound interfaces (XI -> Partner System) with one specific partner.
***************************************************************************************************************************
Transmitting the message to endpoint https://<HOST>:<PORT>/b2bi/rosettanet using connection RNIFAdapter failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: Error transmitting the message over HTTP. Reason: java.lang.RuntimeException: Error while silently connecting: org.w3c.www.protocol.http.HttpException: Peer certificate rejected by ChainVerifier.
***************************************************************************************************************************
We have checked with our partner; they are claiming that the message is not hitting their system. This interface was working fine previously.
Also, this interface is working fine with other partners.
Could you please suggest what is wrong and causing this problem?
Any suggestion and help is welcomed.
Regards,
Samiullah
Hello Supriya,
Thanks for your response.
This interface is outbound to us (XI --> Partner). We are using the XI certificate for authentication (Certificate Logon). I have checked our XI certificate. It is valid till 2027. We are not using the partner certificate for this interface.
Also, I found many other threads with exception SSLCertificateException: Peer certificate rejected by ChainVerifier. But we are facing the exception HttpException: Peer certificate rejected by ChainVerifier.
Is it something wrong with the certificates or some connection problem (HttpException)?
Regards,
Sami.
Hello Supriya,
Yes, you are right. We have shared our public certificate with the partner.
Exactly the same: we proposed to the partner to check our public certificate on their server. They have it all correctly maintained. However, the problem is that at our end (XI) we are getting the above-mentioned error, but the message is not reaching the partner's system.
I am confused whether this exception is coming from XI itself or from the partner's system.
Regards,
Samiullah
Hi,
The main reasons for the error to occur are the following:
1. The correct server certificate may not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:
Security Configuration at Message Level
http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
2. The server certificate chain contains an expired certificate. Check for it (that was the cause for other customers as well) and, if that is the case, renew it or extend the validation.
3. Some other customers have reported a similar problem, and mainly the problem was that the certificate chain was not in the correct order. Basically, the server certificate chain should be in the order Own->Intermediate->Root. To explain in detail: if your server certificate is A, which is issued by an intermediate CA B, and B's certificate is issued by C, which is the root CA (having a self-signed certificate), then your certificate chain contains 3 elements, A->B->C. So you need to have the right order of certificates in the chain. If the order is B first, followed by A, followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order, then import this certificate in the TrustedCA keystore view and try again. Please take this third step as the principal one.
As a resource, you may need to create a new SSL Server key.
The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site. I mean if I request URL X then the CN must be CN=X.
In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
In any other case the SSL communication will not work.
Regards,
Caio Cagnani
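The checks listed in the answer above (chain order Own->Intermediate->Root, an expired certificate in the chain, and CN equal to the requested host) can be rehearsed offline. The following is an added example, not part of the original thread and not SAP or IAIK code; the `Cert` record, the function names, the host name and all certificate data are constructed assumptions, and chaining is done by name only, without signature verification.

```python
from collections import namedtuple
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Simplified certificate record (assumption): only the fields the checks need.
Cert = namedtuple("Cert", "subject_cn issuer_cn not_after")

def order_chain(certs):
    """Return certs ordered Own -> Intermediate -> Root by name chaining."""
    by_subject = {c.subject_cn: c for c in certs}
    issuers = {c.issuer_cn for c in certs if c.issuer_cn != c.subject_cn}
    # The end-entity certificate is the one that issued nothing else in the set.
    leaves = [c for c in certs if c.subject_cn not in issuers]
    if len(leaves) != 1:
        raise ValueError("cannot identify a single end-entity certificate")
    chain, cur = [leaves[0]], leaves[0]
    while cur.issuer_cn != cur.subject_cn:  # stop at the self-signed root
        cur = by_subject.get(cur.issuer_cn)
        if cur is None or cur in chain:
            raise ValueError("chain is incomplete or loops")
        chain.append(cur)
    return chain

def diagnose(presented, url, now):
    """List findings for the three causes named in the answer above."""
    findings = []
    ordered = order_chain(presented)
    if [c.subject_cn for c in presented] != [c.subject_cn for c in ordered]:
        findings.append("order: expected " + "->".join(c.subject_cn for c in ordered))
    findings += [f"expired: {c.subject_cn}" for c in ordered if c.not_after < now]
    host = urlsplit(url).hostname  # lower-cased host name or IP from the URL
    if ordered[0].subject_cn.lower() != host:
        findings.append(f"cn-mismatch: {ordered[0].subject_cn} != {host}")
    return findings

# Constructed sample data: A is the server cert, B the intermediate, C the root.
UTC = timezone.utc
NOW = datetime(2011, 4, 20, tzinfo=UTC)
A = Cert("b2b.partner.example", "Example Intermediate CA", datetime(2012, 1, 1, tzinfo=UTC))
B = Cert("Example Intermediate CA", "Example Root CA", datetime(2011, 3, 1, tzinfo=UTC))
C = Cert("Example Root CA", "Example Root CA", datetime(2020, 1, 1, tzinfo=UTC))
URL = "https://b2b.partner.example:443/b2bi/rosettanet"  # host and port are constructed

if __name__ == "__main__":
    # Chain presented as B, A, C with an intermediate that expired in March 2011.
    for finding in diagnose([B, A, C], URL, NOW):
        print(finding)
```

Any finding reported here is raised on the sending side during the TLS handshake, before the request is transmitted.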