iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Former Member
0 Kudos

Hi gurus,

I am getting the following error when I call an HTTPS SOAP web service:

"iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier"

I am getting a .cer file from the customer. Where should I install it, and how should I use it in the receiver SOAP adapter configuration?

Any help is appreciated and is urgently needed.

Regards,
Peter

Accepted Solutions (1)

Former Member
0 Kudos

pls deploy the .cer file in Visual Admin in case of XI3.0 or PI7.0

pls deploy the .cer file in NWA - Java systems - trusted systems - keystore in case of PI 7.1 or higher.

in receiver SOAP comm channel, in transport protocol use HTTPS.

Former Member
0 Kudos

Hi Rajeev & Mark

My partner certificate (partner.crt) is verified by VeriSign. Therefore I have installed it in

Configuration > Certificates and Keys > Key Storage > TrustedCAs >Import Entry > X.509 Certificate > Partner.crt

I have also created a view ("Partner") and installed there again.

Rajeev wrote:

in receiver SOAP comm channel, in transport protocol use HTTPS.

But I have only the HTTP protocol for selection.

What can I do to get this working?

Regards,

Peter

Former Member
0 Kudos

in receiver SOAP comm channel, use HTTP as transport protocol and select Configure Certificate Authentication and specify the following: Keystore Entry and Keystore View for your installed certificate

Former Member
0 Kudos

Hi Rajeev,

I cannot see my installed certificate in Keystore Entry (SOAP receiver) there!!!

Former Member
0 Kudos

ask your basis team to restart the PI system and then pls see if the installed certificate shows there.

markangelo_dihiansan
Active Contributor
0 Kudos

Hello,

You can type the entries directly rather than use the search help e.g

Keystore Entry is the name of your certificate

Keystore View is the name of the View where you placed your Cert

Regards,

Mark

Former Member
0 Kudos

Hi Mark,

I typed the entries manually, but I am getting exactly the same error again.

Error While Sending Message:
Additional error text from response:
com.sap.engine.interfaces.messaging.api.exception.MessagingException:
iaik.security.ssl.SSLCertificateException: Peer certificate rejected by
ChainVerifier

Former Member
0 Kudos

We have restarted our PI system, but I don't see the certificate and view entry.

Former Member
0 Kudos

can you check with your partner what is the type of the certificate........you have used X.509 is it this only or some other type of certificate? pls check this.

Former Member
0 Kudos

Hi Rajeev,

I got a partner.crt file from the customer and installed it in the Keystore with the X.509 type. Please see the following screenshot.

Former Member
0 Kudos

have you specified keystore name and keystore view correctly in receiver SOAP comm channel? pls check again.

Former Member
0 Kudos

I think, yes. Here is a screenshot from the CC SOAP Receiver Adapter.

markangelo_dihiansan
Active Contributor
0 Kudos

Hello,

You need to install all of the chain in your certificate, e.g.:

In the screenshot above, I downloaded the certificate from Hotmail. There is a chain composed of 4 certificates. Now, if you only install the certificate mail.live.com, it will not be verified by GTE CyberTrust Global Root and Microsoft Internet Authority. Hence, all 4 need to be installed in NWA (at least for your view).

Hope this helps,

Mark
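
The chain requirement described in the post above, reproduced with OpenSSL as a stand-in for the keystore view and the IAIK ChainVerifier (an added example, not part of the original thread). It assumes OpenSSL 1.1.1 or later and that OpenSSL's default path validation behaves like the SAP verifier in this respect; the `demo-*` certificates and all function names are constructed for the illustration.

```shell
#!/usr/bin/env bash
# Added example: every certificate here is constructed test data.

# Build a root -> intermediate -> leaf chain in directory $1.
make_demo_chain() {
  local d=$1 n
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Return 0 only if leaf $1 chains to a self-signed root using nothing but the
# certificates in the remaining arguments (stand-in for the keystore view).
verify_with_trust() {
  local leaf=$1 bundle rc
  shift
  bundle=$(mktemp) || return 1
  cat "$@" > "$bundle"
  openssl verify -no-CApath -CAfile "$bundle" "$leaf" >/dev/null 2>&1
  rc=$?
  rm -f "$bundle"
  return "$rc"
}

# Print subject and issuer of each file so the links can be read off.
show_links() {
  local f
  for f in "$@"; do openssl x509 -noout -subject -issuer -in "$f"; done
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_demo_chain "$d" || return 1
  show_links "$d/leaf.pem" "$d/int.pem" "$d/root.pem"
  verify_with_trust "$d/leaf.pem" "$d/leaf.pem" || echo "leaf only: rejected"
  verify_with_trust "$d/leaf.pem" "$d/leaf.pem" "$d/int.pem" || echo "no root: rejected"
  verify_with_trust "$d/leaf.pem" "$d/int.pem" "$d/root.pem" && echo "full chain: accepted"
  rm -rf "$d"
}
demo
```

Reading the `show_links` output from the leaf upward, each certificate's issuer should equal the subject of the next one until a certificate whose subject and issuer are identical is reached; any issuer with no matching subject is a certificate still missing from the trusted set.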

Former Member
0 Kudos

is HTTP proxy server needed to contact the receiver web service? - you can get this thing checked from your basis team - if yes, then please configure proxy in your receiver SOAP channel. also please see mark's suggestion of importing of complete chain of certificate.

Former Member
0 Kudos

Hi Mark,

thanks again for your time.

Aha!!! Should I deploy all certificates into Shell View and select only the partner certificate in the CC SOAP receiver?

Regards,

Peter

markangelo_dihiansan
Active Contributor
0 Kudos

Hello Peter,

Yup, that is correct. Only the receiver partner certificate is needed to be declared in SOAP Receiver CC.

Hope this helps,

Mark

Former Member
0 Kudos

Hi,

I have installed all 4 .certs into the Keystore and tested again, but no luck.

markangelo_dihiansan
Active Contributor
0 Kudos

Hello,

Were you able to provide to the third-party the xi certificates to be installed on their system?

Regards,

Mark

Former Member
0 Kudos

Hi Mark,

Yes, here are the details of view "CHAIN":

Former Member
0 Kudos

Is the certificate chain in the correct order? How can I realise this?

markangelo_dihiansan
Active Contributor
0 Kudos

Hello Peter,

What I meant was, your PI system has an SSL certificate too. You should give them to your third-party and ask that the certificates get installed in their system. SSL with client authentication is a two-way process and you have already finished with your setup in PI.

Regards,

Mark

Former Member
0 Kudos

Hi Mark,

We already have the issue now. But I cannot imagine that the third party needs our certs, because we are sending to them. I tested successfully with the SOAP UI test tool, without any changes.

Former Member
0 Kudos

pls check the HTTP proxy server setting in your receiver SOAP channel as suggested in above post.

Answers (2)

iaki_vila
Active Contributor
0 Kudos

Hi Peter,

In order to complete the information by Rajeev and Mark you could get more information in SAP Help library. If you are using SAP PI 7.1 you could read that link http://help.sap.com/saphelp_nwpi71/helpdata/de/32/1c1041a0f6f16fe10000000a1550b0/frameset.htm

Regards

0 Kudos

Is this issue resolved?

What were the changes done? I am also stuck with the same issue. I have installed the certificates in NWA, but I am still getting the error "Peer certificate rejected by ChainVerifier".

former_member181985
Active Contributor

Hi Rohan,

You must restart the soap channel after installing certificates in NWA

Best Regards,

Praveen Gujjeti

markangelo_dihiansan
Active Contributor
0 Kudos

Hello,

The path for nwa would be:

http://host:port/nwa

Once you have logged in, go to Configuration Management -> Security -> Certificates and Keys. You may opt to create a view first and then install the certificates there.

Regards,

Mark