
PI new/renew of SSL certificate does require j2ee restart?

0 Kudos

We are running NF-e, which requires calling a web service (receiver SOAP HTTPS).

We have NF-e certificates (under the TrustedCAs Keystore view); when we import a new cert or renew an existing cert, we have to restart the J2EE for it to take effect.

Although some SDN posts mentioned that a restart is not required, it has not worked for us without a restart.

Just wanted to confirm with experts: does that really need a restart? We are on PI 7.1.

Right now we are running on only one app server. If this really requires a restart, can we add one more app server, and do the app servers restart one after the other so that the other scenarios are not impacted? In other words, we would like to avoid a production-down scenario.

Thanks in advance.

Accepted Solutions (1)


baskar_gopalakrishnan2
Active Contributor
0 Kudos

>Just wanted to confirm with experts: does that really need a restart? We are on PI 7.1.

No restart required.

0 Kudos

I have installed the new cert (TrustedCA) and it shows "green" status in the Keystore details view.

I have NOT restarted the J2EE.

When I made the SOAP call, I got this error:

com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Below is the NWA Log:

Log Record Details

Message: additional info ssl_debug(3): Starting handshake (iSaSiLk 4.31)...

ssl_debug(3): Sending v3 client_hello message to xxxx.com:443, requesting version 3.2...

ssl_debug(3): Received v3 server_hello handshake message.

ssl_debug(3): Server selected SSL version 3.1.

ssl_debug(3): Server created new session E1:9B:4B:97:30:EF:A8:07...

ssl_debug(3): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA

ssl_debug(3): CompressionMethod selected by server: NULL

ssl_debug(3): Received certificate handshake message with server certificate.

ssl_debug(3): Server sent a 1024 bit RSA certificate, chain has 1 elements.

ssl_debug(3): ChainVerifier: No trusted certificate found, rejected.

ssl_debug(3): Sending alert: Alert Fatal: bad certificate

ssl_debug(3): Shutting down SSL layer...

ssl_debug(3): SSLException while handshaking: Peer certificate rejected by ChainVerifier
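
An added example, not part of the original thread and not SAP or IAIK code: a small Python parser that pulls the handshake facts out of an ssl_debug trace like the one above and lists what a trust-store maintainer should look at. The line formats are assumed from the trace quoted in this thread only; the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the ssl_debug lines quoted in the post above.
SAMPLE_TRACE = """\
ssl_debug(3): Sending v3 client_hello message to xxxx.com:443, requesting version 3.2...
ssl_debug(3): Server selected SSL version 3.1.
ssl_debug(3): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA
ssl_debug(3): Server sent a 1024 bit RSA certificate, chain has 1 elements.
ssl_debug(3): ChainVerifier: No trusted certificate found, rejected.
ssl_debug(3): Sending alert: Alert Fatal: bad certificate
"""

# Field name -> pattern (assumption: formats as seen in this thread's trace).
PATTERNS = {
    "version": r"Server selected SSL version (\d+\.\d+)",
    "cipher": r"CipherSuite selected by server: (\S+)",
    "key_bits": r"Server sent a (\d+) bit",
    "chain_len": r"chain has (\d+) elements",
    "verifier": r"ChainVerifier: (.+)$",
}

def parse_trace(text):
    """Extract handshake facts from ssl_debug lines; the last match wins."""
    facts = {}
    for line in text.splitlines():
        for name, pattern in PATTERNS.items():
            match = re.search(pattern, line)
            if match:
                facts[name] = match.group(1).strip()
    for key in ("key_bits", "chain_len"):
        if key in facts:
            facts[key] = int(facts[key])
    return facts

def findings(facts):
    """Turn parsed facts into a list of findings, trust failure first."""
    checks = [
        ("rejected" in facts.get("verifier", ""),
         "trust: verifier found no trusted certificate for the peer chain"),
        (facts.get("chain_len") == 1,
         "chain: server sent only its own certificate, no intermediates"),
        (facts.get("key_bits", 4096) < 2048, "key: RSA key below 2048 bits"),
        ("3DES" in facts.get("cipher", ""), "cipher: 3DES suite negotiated"),
        (facts.get("version") in ("3.0", "3.1"),
         "protocol: SSL 3.0 / TLS 1.0 negotiated"),
    ]
    return [message for hit, message in checks if hit]
```

Running findings(parse_trace(...)) on a trace captured before and after the certificate import shows whether the verifier's result actually changed, independent of the "green" status in the Keystore view.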

Former Member
0 Kudos

Have you referenced the certificate in your receiver channel?

Former Member
0 Kudos

I said "that needs a restart" exactly for the same reason (I had the same issue some time ago).

After a certificate import (to renew an old certificate), when you call the service it refers to the old certificate.

When you restart the instance, it loads the new SSL certificate (it is visible in the trace in the startinstance log).

0 Kudos

Thanks spantaleoni.

I asked my Basis team to restart the J2EE; after that it worked.

So having to restart the J2EE is a big limitation of SAP; imagine you are dealing with a lot of certificates, each expiring every other week.

Where is the startinstance log (which file)? I am not Basis and only have access to the NWA log viewer.

Former Member
0 Kudos

To get the startinstance log, you need to have access to the /usr/sap/<SID>/<Instance>/j2ee/cluster/server/log directory.

0 Kudos

Need more details.

Is it a SOAP receiver adapter? If yes, has the external system sent their certificate?

Do they need client authentication by a cert?

Did you restart your Java stack after the cert creation?

Answers (3)


Former Member
0 Kudos

Hi Venkatn,

A restart is required for loading the certificates.

Moreover, about your other query, "how to avoid downtime": you can have a high availability system where you can install a separate instance of the same PI. You can find the standard guide on SMP on how to install an HA system. You can also ask your Basis team about the possibility of configuring an HA system. Actually, HA is based on the type of installation performed. If ASC and ASCS are available in your PI installation, then it should not be a big task for your Basis guy to install a separate dialog instance for PI.

I have worked with HA and it worked really amazing.

Thanks,

Vikash

Former Member
0 Kudos

New or renewed certificates don't require a system restart. Go ahead and install it; it will work perfectly fine.

Former Member
0 Kudos

Yes, that needs a restart.

If you take a look at the startinstance log, there are some steps where the system reloads the certificates.