on 10-14-2011 2:56 PM
Hi,
I am getting error com.sap.engine.interfaces.messaging.api.exception.MessagingException:
iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
When I test for digital signing and encryption using SOAP receiver CC
we passed all the values for SOAP CC
Created key store view and in that view I have generated private certificate and generated CSR using SAP CA (test SSL for 8 weeks) for the private key and also imported public key for encryption given by receiver
When I test I get the error message
I check certificates validity dates
I restarted java engine and ICM
I added the public key in trusted CA in NWA
I re-created the view and added the certificates
still the same error
how and where to check IAIK in NWA and how to deploy it in java engine using NWA, we are using PI7.11 (no VA)
any suggestions?
I think you do need to care about the iaik library, it is just a basic security library used for any encryption or digital signature application. You just need to make sure all the issuer's certificates, including the ROOT certificate, have been imported into the trust store on the "Key Store" view.
iaik files can be checked at /usr/sap/<SID>/DVEBMGS00/j2ee/cluster/server0/bin/ext/tcsecssl
Check all the reasons posted here: http://sapnwnewbie.blogspot.com/2011/06/sslexception-while-handshaking.html
The problem occurs if a cert in the chain (root, intermediate or base) is invalid. You have to check all of them.
Check the date validity of the certificate. See that your certificate import is successful once again. Also, as Spontaneoni said, the certificate should match the server name details of the other system. If there is a conflict, adding the certificate is not useful. Are you deploying in the Java stack using NWA or the ABAP stack using STRUST?
Hi,
Make sure that the common name in the certificate and the SOAP URL are the same.
Did you try to hit the SOAP URL in a browser? Did it prompt for the certificate, considering it's a self-signed cert?
I have an issue with the private certificate for digital signing; the public certificate is OK for encryption.
Now, I am not understanding why the CN and SOAP URL should be the same. The SOAP URL is related to the receiving system but the CN belongs to the server host name, i.e. FQDN.
I tried with intermediate using SAP CA service.sap.com/tcs
Now I am going with trusted CA
Need to test the output
> Now, I am not understanding why the CN and SOAP URL should be the same. The SOAP URL is related to the receiving system but the CN belongs to the server host name, i.e. FQDN.
>
1. Check the certificate of your web service provider (just hit the URL in IE and download the SSL certificate). The common name in this certificate should match the SOAP URL domain name.
2. Considering you are performing a web service call, and you have ensured that SSL is enabled, this would be the reason for the failure.
Regards
Bhavesh
Hi,
The main causes for this kind of problem are:
1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:
Security Configuration at Message Level
http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
2. The server certificate chain contains an expired certificate. Check for it and if it's the case renew it or extend the validation.
3. The certificate chain was not in correct order. Basically the server certificate chain should be in order
Own->Intermediate->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by C which is the root CA (having a self-signed certificate),
then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again.
4. If the end point of the SOAP Call(Server) is configured to accept a client certificate(mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within validity period.
(This certificate is the one which is sent to Server for Client authentication)
As a resource, you may need to create a new SSL Server key.
The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site. I mean if I request URL X then the CN must be CN=X.
In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
In any other case the SSL communication will not work.
Regards,
Caio Cagnani
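Points 2, 3 and 4 of the answer above (expiry, chain order, trust anchor) together with the CN rule, modelled as an added Python example that is not from this thread or from SAP: it re-orders a certificate bundle into Own -> Intermediate -> Root by following issuer links, then reports every reason a ChainVerifier-style check would reject the peer. The host names, CA names, dates and the dict stand-ins for X.509 fields are all constructed.

```python
from datetime import datetime, timezone

def cert(subject_cn, issuer_cn, not_before, not_after):
    """Constructed stand-in for the fields read out of a real X.509 certificate."""
    return {"subject": subject_cn, "issuer": issuer_cn,
            "not_before": not_before, "not_after": not_after}

def order_chain(bundle, leaf_cn):
    """Re-order an arbitrary bundle into Own -> Intermediate -> Root by following
    each certificate's issuer link; stops at the self-signed root."""
    by_subject = {c["subject"]: c for c in bundle}
    if leaf_cn not in by_subject:
        raise ValueError(f"no certificate with CN={leaf_cn!r} in bundle")
    chain = [by_subject[leaf_cn]]
    while chain[-1]["issuer"] != chain[-1]["subject"]:
        issuer = by_subject.get(chain[-1]["issuer"])
        if issuer is None or issuer in chain:
            raise ValueError(f"broken chain: issuer {chain[-1]['issuer']!r} missing")
        chain.append(issuer)
    return chain

def verify_chain(chain, trusted_roots, requested_host, now):
    """Return the list of reasons the peer would be rejected; [] means accepted."""
    findings = []
    if chain[0]["subject"] != requested_host:       # CN must equal the requested host
        findings.append(f"CN {chain[0]['subject']!r} != requested host {requested_host!r}")
    for i, c in enumerate(chain):
        if not c["not_before"] <= now <= c["not_after"]:
            findings.append(f"{c['subject']!r} is outside its validity period")
        if i + 1 < len(chain) and chain[i + 1]["subject"] != c["issuer"]:
            findings.append(f"chain out of order at position {i}")
    if chain[-1]["subject"] not in trusted_roots:   # root must be in the TrustedCA view
        findings.append(f"root {chain[-1]['subject']!r} is not in the TrustedCA view")
    return findings

# Constructed sample data (hypothetical names): A issued by B, B issued by root C,
# delivered in the wrong order B, A, C exactly as described in point 3 above.
UTC = timezone.utc
NOW = datetime(2011, 10, 14, tzinfo=UTC)
CERT_A = cert("partner-ws.example.com", "Example Intermediate CA",
              datetime(2011, 1, 1, tzinfo=UTC), datetime(2012, 1, 1, tzinfo=UTC))
CERT_B = cert("Example Intermediate CA", "Example Root CA",
              datetime(2010, 1, 1, tzinfo=UTC), datetime(2015, 1, 1, tzinfo=UTC))
CERT_C = cert("Example Root CA", "Example Root CA",
              datetime(2005, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
BUNDLE = [CERT_B, CERT_A, CERT_C]
TRUSTED = {"Example Root CA"}

if __name__ == "__main__":
    fixed = order_chain(BUNDLE, "partner-ws.example.com")
    print([c["subject"] for c in fixed])                                  # A, B, C
    print(verify_chain(fixed, TRUSTED, "partner-ws.example.com", NOW))    # []
    print(verify_chain(fixed, set(), "10.0.0.5", NOW))                    # CN + root findings
```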
Hi,
I am still getting the same error message: Error: iaik.security.ssl.SSLCertificateException: Peer certificate rejected
I did all the steps suggested
I have restarted Java and ICM
added IP and host name in etc
created a new private key (authorized from SAP CA, so there is no chain), loaded in DEFAULT view and also public key
Added the private and public (for encryption) certificates to trusted CA, re-selected view in Receiver agreement
How to check IAIK version in NWA as my system is PI7.11
Do I need any patch or SPAM to be deployed? If so, what level? My current level is 21
No issues with mapping or FM as we are able to get payload without security parameters
Any suggestions ?
Hi Caio,
Thanks for tip 1. It helped to resolve the issue with peer certificate rejected message.
Although the client certificate was imported in the ICM_SSL_Keystoreview and visible in hostname:50001/nwa/SSL, it was giving the above error when accessed from RWB.
What I did is:
1) Deleted the expired certificates in the Trusted CAs key store view & imported the client certificates again here.
Have you added the Server Certificate in the STRUST transaction?
The hostname in certificate is equal to Soap Endpoint Call hostname?