Error:iaik.security.ssl.SSLCertificateException: Peer certificate rejected

Former Member
0 Kudos

Hi,

I am getting error com.sap.engine.interfaces.messaging.api.exception.MessagingException:

iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

When I test for digital signing and encryption using the SOAP receiver CC.

We passed all the values for the SOAP CC.

Created a key store view, and in that view I have generated a private certificate and generated a CSR using the SAP CA (test SSL for 8 weeks) for the private key, and also imported the public key for encryption given by the receiver.

When I test, I get the error message.

I checked the certificates' validity dates.

I restarted the Java engine and ICM.

I added the public key to the Trusted CAs in NWA.

I re-created the view and added the certificates.

Still the same error.

How and where do I check IAIK in NWA, and how do I deploy it in the Java engine using NWA? We are using PI 7.11 (no VA).

Any suggestions?

Accepted Solutions (0)

Answers (4)

HuiyangLi
Product and Topic Expert
0 Kudos

I think you do need to care about the IAIK library; it is just a basic security library used for any encryption or digital signature application. You just need to make sure all the issuer's certificates, including the ROOT certificate, have been imported into the trust store on the "Key Store" view.

Former Member
0 Kudos

IAIK files can be checked at /usr/sap/<SID>/DVEBMGS00/j2ee/cluster/server0/bin/ext/tcsecssl

Check all the reasons posted here: http://sapnwnewbie.blogspot.com/2011/06/sslexception-while-handshaking.html

The problem occurs if a cert in the chain (root, intermediate or base) is invalid. You have to check all of them.

baskar_gopalakrishnan2
Active Contributor
0 Kudos

Check the date validity of the certificate, and see once again that your certificate import is successful. Also, as Spontaneoni said, the certificate should match the server name details of the other system. If there is a conflict, adding the certificate is not useful. Are you deploying in the Java stack using NWA or the ABAP stack using STRUST?

Former Member
0 Kudos

Hi,

In the Java stack using NWA.

Yes, CN=FQDN.

STRUST is not required as I am deploying in Java.

Any further suggestions would be appreciated.

bhavesh_kantilal
Active Contributor
0 Kudos

Make sure that the common name in the certificate and the SOAP URL are the same.

Did you try to hit the SOAP URL in a browser? Did it prompt for the certificate, considering it's a self-signed cert?

Regards

Bhavesh

Former Member
0 Kudos

Hi,

> Make sure that the common name in the certificate and the SOAP URL are the same.

> Did you try to hit the SOAP URL in a browser? Did it prompt for the certificate, considering it's a self-signed cert?

I have an issue with the private certificate for digital signing; the public certificate is OK for encryption.

Now, I am not understanding why the CN and the SOAP URL should be the same. The SOAP URL is related to the receiving system, but the CN belongs to the server host name, i.e. the FQDN.

I tried with an intermediate using the SAP CA (service.sap.com/tcs).

Now I am going with a trusted CA.

Need to test the output.

bhavesh_kantilal
Active Contributor
0 Kudos

> Now, I am not understanding why the CN and the SOAP URL should be the same. The SOAP URL is related to the receiving system, but the CN belongs to the server host name, i.e. the FQDN.

1. Check the certificate of your Webservice Provider (just hit the URL in IE and download the SSL certificate). The common name in this certificate should match the SOAP URL domain name.

2. Considering you are performing a webservice call, and you have ensured that SSL is enabled, this would be the reason for the failure.

Regards

Bhavesh

0 Kudos

Hi,

The main causes for this kind of problem are:

1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:

Security Configuration at Message Level

http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm

2. The server certificate chain contains an expired certificate. Check for it and, if that is the case, renew it or extend the validation.

3. The certificate chain was not in the correct order. Basically, the server certificate chain should be in the order Own->Intermediate->Root. To explain in detail: if your server certificate is A, which is issued by an intermediate CA B, and then B's certificate is issued by C, which is the root CA (having a self-signed certificate),

then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first, followed by A, followed by C, then the IAIK library used by PI cannot verify the server as trusted. Generate the certificate in the right order, then import this certificate in the TrustedCA keystore view and try again.

4. If the end point of the SOAP call (server) is configured to accept a client certificate (mandatory), then make sure that it is configured correctly in the SOAP channel and that it is also within its validity period.

(This certificate is the one which is sent to the server for client authentication.)

As a resource, you may need to create a new SSL Server key.

The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site. I mean if I request URL X then the CN must be CN=X.

In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.

Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.

In any other case the SSL communication will not work.

Regards,

Caio Cagnani
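The failure modes Caio lists above (root missing from the trust store, an expired certificate, a chain presented in the wrong order, and a certificate that does not name the host being called), together with Bhavesh's earlier point about the common name, can be reproduced with a small verifier. The Go program below is an added example, not code from this thread, from SAP or from the IAIK library: it builds a constructed test hierarchy C (root) -> B (intermediate) -> A (server) with the standard crypto/x509 package and runs each scenario through one verifyChain function. The helper names, the 8-week leaf validity and the hostname pi.example.test are assumptions. Note that Go, like most current TLS stacks, matches the hostname against the Subject Alternative Name rather than the CN, so the example places the name in both.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn signed by parent, or self-signed when
// parent is nil. Constructed test PKI only; not the page's SAP/IAIK code.
func makeCert(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // SAN must carry the host name, CN alone is ignored
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyChain applies the checks the thread lists: the presented chain must
// run leaf -> intermediate in order (each cert issued by the next), chain to a
// root in the trust store, be valid at now, and name the host being called.
func verifyChain(chain []*x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty chain")
	}
	// Cause 3: strict verifiers reject a chain whose order is wrong.
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("chain out of order at %d (%q not issued by %q): %w",
				i, chain[i].Subject.CommonName, chain[i+1].Subject.CommonName, err)
		}
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		DNSName:       host,  // cause 4 / Bhavesh: name must match the URL called
		Intermediates: inter, // cause 1: intermediate must be presented
		Roots:         roots, // cause 1: root must be in the trust store
		CurrentTime:   now,   // cause 2: nothing in the chain may be expired
	})
	return err
}

// runScenarios returns, per scenario, whether verification succeeded.
func runScenarios() (map[string]bool, error) {
	now := time.Now()
	root, rootKey, err := makeCert("Test Root CA C", true, now.Add(-time.Hour), now.Add(365*24*time.Hour), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := makeCert("Test Intermediate CA B", true, now.Add(-time.Hour), now.Add(180*24*time.Hour), root, rootKey)
	if err != nil {
		return nil, err
	}
	// 8-week server certificate, like the SAP test CA mentioned in the thread.
	leaf, _, err := makeCert("pi.example.test", false, now.Add(-time.Hour), now.Add(56*24*time.Hour), inter, interKey)
	if err != nil {
		return nil, err
	}
	roots, empty := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	ok := func(chain []*x509.Certificate, r *x509.CertPool, h string, t time.Time) bool {
		return verifyChain(chain, r, h, t) == nil
	}
	good := []*x509.Certificate{leaf, inter}
	return map[string]bool{
		"correct chain A->B, root C trusted": ok(good, roots, "pi.example.test", now),
		"root missing from trust store":      ok(good, empty, "pi.example.test", now),
		"intermediate missing":               ok([]*x509.Certificate{leaf}, roots, "pi.example.test", now),
		"chain out of order B->A":            ok([]*x509.Certificate{inter, leaf}, roots, "pi.example.test", now),
		"leaf expired":                       ok(good, roots, "pi.example.test", now.Add(60*24*time.Hour)),
		"hostname mismatch":                  ok(good, roots, "other.example.test", now),
	}, nil
}

func main() {
	results, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for name, passed := range results {
		fmt.Printf("%-36s verified=%v\n", name, passed)
	}
}
```

Run it with `go run`; only the correctly ordered chain with its root in the trust store, a valid date and a matching hostname verifies. The adjacent-pair order check is stricter than Go's own Verify, which accepts intermediates in any order; it is there to mirror the ordering behaviour described above for IAIK.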

Former Member
0 Kudos

Hi,

I am still getting the same error message: Error:iaik.security.ssl.SSLCertificateException: Peer certificate rejected

I did all the steps suggested.

I have restarted Java and ICM.

Added the IP and host name in etc.

Created a new private key (authorized from SAP CA, so there is no chain), loaded in the DEFAULT view, and also the public key.

Added the private and public (for encryption) certificates to Trusted CAs, re-selected the view in the Receiver Agreement.

How to check the IAIK version in NWA, as my system is PI 7.11?

Do I need any patch or SPAM to be deployed? If so, what level? My current level is 21.

No issues with mapping or FM, as we are able to get the payload without the security parameters.

Any suggestions?

Former Member
0 Kudos

Have you restarted the J2EE/R3 instance after importing the certificate?

Former Member
0 Kudos

Hi,

Yes, I restarted Java, not R/3.

Former Member
0 Kudos

Hi Caio,

Thanks for tip 1. It helped to resolve the issue with the "peer certificate rejected" message.

Although the client certificate was imported in the ICM_SSL_Keystoreview and visible in hostname:50001/nwa/SSL, it was giving the above error when accessed from RWB.

What I did is:

1) Deleted the expired certificates in the Trusted CAs key store view & imported the client certificates again here.

Former Member
0 Kudos

Have you added the server certificate in the STRUST transaction?

Is the hostname in the certificate equal to the SOAP endpoint call hostname?