
HttpException: Peer certificate rejected by ChainVerifier

samiullah_qureshi
Active Contributor
0 Kudos

Hi All,

We have an RN scenario and we are facing the following problem in one of our B2B outbound interfaces (XI -> Partner System) with one specific partner.

***************************************************************************************************************************

Transmitting the message to endpoint https://<HOST>:<PORT>/b2bi/rosettanet using connection RNIFAdapter failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: Error transmitting the message over HTTP. Reason: java.lang.RuntimeException: Error while silently connecting: org.w3c.www.protocol.http.HttpException: Peer certificate rejected by ChainVerifier.

***************************************************************************************************************************

We have checked with our partner; they are claiming that the message is not hitting their system. This interface was working fine previously.

Also, this interface is working fine with other partners.

Could you please suggest what is wrong and causing this problem?

Any suggestion and help is welcomed.

Regards,

Samiullah

Accepted Solutions (1)


Former Member
0 Kudos

Hi,

Check that, for that particular third party, the security certificates are imported in PI and that they have not yet expired.

Refer to the thread below:

-Supriya.

samiullah_qureshi
Active Contributor
0 Kudos

Hello Supriya,

Thanks for your response.

This interface is outbound to us (XI --> Partner). We are using the XI certificate for authentication (Certificate Logon). I have checked our XI certificate. It is valid till 2027. We are not using the partner certificate for this interface.

Also, I found many other threads with the exception SSLCertificateException: Peer certificate rejected by ChainVerifier. But we are facing the exception HttpException: Peer certificate rejected by ChainVerifier.

Is it something wrong with the certificates or some connection problem (HttpException)?

Regards,

Sami.

Former Member
0 Kudos

Hi,

If the certificate is for authentication purposes, then you must have shared the public key with the third party.

Check with them if the public key implementation with the user account has been done properly at their end.

-Supriya.

samiullah_qureshi
Active Contributor
0 Kudos

Hello Supriya,

Yes, you are right. We have shared our public certificate with the partner.

We proposed exactly the same to the partner, to check our public certificate on their server. They have it all correctly maintained. However, the problem is that at our end (XI) we are getting the above-mentioned error, but the message is not reaching the partner's system.

I am confused whether this exception is coming from XI itself or from the partner's system?

Regards,

Samiullah

0 Kudos

Hi,

The main reasons for the error to occur are the following:

1. The correct server certificate might not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:

Security Configuration at Message Level

http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm

2. The server certificate chain contains an expired certificate. Check for it (that was the cause for other customers as well) and if it's the case renew it or extend the validation.

3. Some other customers have reported a similar problem, and mainly the problem was that the certificate chain was not in the correct order. Basically the server certificate chain should be in the order Own->Intermediate->Root.

To explain in detail, if your server certificate is A, which is issued by an intermediate CA B, and B's certificate is issued by C, which is the root CA (having a self-signed certificate), then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third step as the principal one.

As a resource, you may need to create a new SSL Server key.

The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site. I mean if I request URL X then the CN must be CN=X.

In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.

Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.

In any other case the SSL communication will not work.

Regards,

Caio Cagnani
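
The causes listed in the answer above (missing trust anchor, expired chain element, wrong chain order, CN mismatch) can be triaged with a short script. This is an added example, not part of the original thread and not SAP or IAIK code; it assumes the subject, issuer and expiry of each certificate in the partner's chain have already been read out, compares names and dates only (no signature verification), and all certificate names are constructed.

```python
from datetime import datetime, timezone

def sort_chain(chain):
    """Reorder certificates leaf-first (Own -> Intermediate -> Root)."""
    by_subject = {c["subject"]: c for c in chain}
    issuers = {c["issuer"] for c in chain if c["issuer"] != c["subject"]}
    leaves = [c for c in chain if c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError("cannot identify a single end-entity certificate")
    ordered, cur = [leaves[0]], leaves[0]
    # Follow issuer links until a self-signed root or a missing issuer.
    while (cur["issuer"] != cur["subject"] and cur["issuer"] in by_subject
           and len(ordered) < len(chain)):
        cur = by_subject[cur["issuer"]]
        ordered.append(cur)
    return ordered

def diagnose(chain, trusted, host, now):
    """Return findings for a presented chain checked against a trust store.

    `trusted` is a set of subject names standing in for the TrustedCAs view.
    """
    findings = []
    ordered = sort_chain(chain)
    if [c["subject"] for c in chain] != [c["subject"] for c in ordered]:
        findings.append("order: presented chain is not Own->Intermediate->Root")
    for c in ordered:
        if c["not_after"] < now:
            findings.append(f"expired: {c['subject']}")
    # A trust anchor is any chain element, or the last element's issuer,
    # whose name is present in the trust store.
    anchors = {c["subject"] for c in ordered} | {ordered[-1]["issuer"]}
    if not anchors & set(trusted):
        findings.append(f"untrusted: {ordered[-1]['issuer']} not in trust store")
    if ordered[0]["subject"] != f"CN={host}":
        findings.append(f"cn-mismatch: {ordered[0]['subject']} vs {host}")
    return findings

def cert(subject, issuer, year):
    return {"subject": subject, "issuer": issuer,
            "not_after": datetime(year, 1, 1, tzinfo=timezone.utc)}

# Constructed sample data: leaf A, intermediate B, self-signed root C.
A = cert("CN=partner.example", "CN=Example Intermediate CA", 2030)
B = cert("CN=Example Intermediate CA", "CN=Example New Root CA", 2035)
C = cert("CN=Example New Root CA", "CN=Example New Root CA", 2040)
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Renewed chain under a new CA while the trust store holds only the old root.
    print(diagnose([A, B, C], {"CN=Example Old Root CA"}, "partner.example", NOW))
```
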

samiullah_qureshi
Active Contributor
0 Kudos

Hello,

The partner's certificate had expired and the new certificates had a new CA. So, it has to be imported to TrustedCAs in NWA. After importing the partner's certificate in TrustedCA, the interface is working fine.

Thanks for all your help.

Regards,

Samiullah
