on 04-24-2012 2:33 PM
Dear experts,
I have a scenario: Partner server -> PI -> SAP R/3.
I have configured a SOAP Sender Adapter which picks Orders files from a partner.
With Internet Explorer I downloaded the SSL certificate from the partner URL "https://our.partner.net" and saved it
as a ".cer"-file. Then in "Certificates and Keys: Key Storage" I went to View "TrustedCAs" and with "Import Entry" I imported
the ".cer"-file.
I also renamed the ".cer"-file to ".crt" and imported that into "TrustedCAs". It gave me the same error.
(also after importing the .cer and the .crt I restarted the Java stack)
I also tried a different URL for testing: http://www.thomas-bayer.com/sqlrest/
This URL did not give me an error. So I assume something is wrong with the SSL connection.
What am I missing here? Please help me.
Thank you and best regards,
Peter
Hi,
Please refer to the notes:
- 1577913 - PI SOAP receiver channel cannot connect over HTTPS
- 1588148 - Trusted certificates for SOAP receiver channels
- 1591971 - Added property strictHostnameChecking
I believe they should help solve your problem.
Thanks.
Hello Atul,
One of your notes suggested to use "xpi_inspector" which I did now and it gave me the following entry in the log:
"Found Certificate chain with 4 elements:..."
then a list of certificates which looks fine (no errors) but at the end it tells me:
End IAIK Debug.
ERROR: The issuer of the certificate #2 doesn't match the subject of certificate #3
What can I do about that? How can I make sure the certificate chain is correctly set up?
I will now contact our partner and ask them to let me know where to download the correct certificates.
thank you again,
Peter
Hi,
The line:
ERROR: The issuer of the certificate #2 doesn't match the subject of certificate #3
would suggest that it is indeed a certificate ordering issue.
In case, even after discussion with your partner, the issue remains unresolved, please provide the entire traces seen, for further analysis.
Thanks.
In the end it really was an issue of the SSL certificates. Even though I made sure I had all certificates of the chain there was an error between certificate #2 and #3.
With the help of "xpi_inspector" --> "11 (Authentication & SSL)" I was able to find out about the error. I contacted the partner who directed me to the Thawte-Download site for the 2 missing "Primary and Secondary Intermediate" certificates. After downloading those the original error "error during receive: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier" was gone.
Best regards,
Peter
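A check of the kind that error message reports, as an added example that is not part of the original thread and not xpi_inspector's own code: it reads the issuer and subject out of each DER certificate and returns the first position where the chain does not link up. The CA names and the unsigned skeleton certificates are constructed for illustration, and the 1-based numbering is a choice made here.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)               # Certificate SEQUENCE
    _, pos, end = read_tlv(der, pos)           # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(der, pos)
        if tag != 0xA0:                        # skip optional [0] version
            fields.append(der[pos:nxt])
        pos = nxt
    return fields[2], fields[4]  # serial, sigAlg, ISSUER, validity, SUBJECT

def first_chain_break(chain):
    """chain: DER certs, server certificate first. Returns the 1-based pair
    (i, i+1) where issuer(i) != subject(i+1), or None if all links match.
    Names are compared byte for byte, a simplification of RFC 5280 matching."""
    names = [issuer_subject(c) for c in chain]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            return (i + 1, i + 2)
    return None

# Constructed, unsigned stand-ins holding only the fields the parser reads.
def tlv(tag, body):                            # short-form lengths only
    return bytes([tag, len(body)]) + body

def skeleton(subject, issuer):
    def name(cn):                              # Name with a single CN (2.5.4.3)
        atv = tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode())
        return tlv(0x30, tlv(0x31, tlv(0x30, atv)))
    tbs = (tlv(0x02, b"\x01") + tlv(0x30, b"") + name(issuer)
           + tlv(0x30, b"") + name(subject))
    return tlv(0x30, tlv(0x30, tbs))

LEAF = skeleton("our.partner.net", "Example Secondary CA")
SECONDARY = skeleton("Example Secondary CA", "Example Primary CA")
PRIMARY = skeleton("Example Primary CA", "Example Root CA")
ROOT = skeleton("Example Root CA", "Example Root CA")
```

For exported PEM files, convert each one to DER with `ssl.PEM_cert_to_DER_cert` before passing the list in; a result of `(2, 3)` means the certificate whose subject equals the issuer of entry 2 is missing or out of place.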
> "Peer certificate rejected by ChainVerifier"
Please make sure you import the entire CA hierarchy of the client cert in your Trusted CAs. Plus check whether hostname matches with the certificate. If you don't maintain the chain such as certificate -> intermediate CA cert -> root CA cert, this could happen. Take help from Basis.
Hello Michael, Hello Baskar,
Thank you for your hints. I have downloaded all three certificates now:
And I imported all of them into "Certificates and Keys: Key Storage" --> View "TrustedCAs".
The one from our.partner only goes until June but that should not be a problem I think.
Also in the partner's certificate the CN is "CN=our.partner.net" which I also have in the sender channel URL.
Java stack got restarted but still the same error.
On http://sapnwnewbie.blogspot.com/2011/06/sslexception-while-handshaking.html it says:
"4. If the call goes to ICM, add the certificates (in the chain) to Trust Manager using the transaction STRUST."
--> Do I have to upload all 3 certificates into STRUST?
Our STRUST looks pretty empty:
I do not know what else could be the problem.
Thank you again,
Peter
Hello Monika,
Thank you for your advice.
I went into STRUST: I right-clicked on "SSL client SSL Client (Standard)" and clicked "Create new" and a new entry for the PI ABAP was created.
Then under "Certificate" --> "Import Certificate" I imported my 3 certificates and for each clicked "Add to certificate list". All 3 certificates are in the view "Certificate List" now.
Do I have to restart something because the Sender Channel still gives me the same error?
Thank you,
Peter
Here's a link you can go to that will guide you on hopefully resolving your issue.
http://sapnwnewbie.blogspot.com/2011/06/sslexception-while-handshaking.html
If you can't open it, let me know.
Cheers