
PI 7.30: SOAP Axis Sender Adapter - SSL error

peter_wallner2
Active Contributor
0 Kudos

Dear experts,

I have a scenario: Partner server -> PI -> SAP R/3.

I have configured a SOAP Sender Adapter which picks Orders files from a partner.

  • Transport Protocol: Task(Axis).
  • The URL is a "https://our.partner.net/Transfer/Next"
  • Authentication: Basic
  • User and Password I received from the partner from where the Orders file gets picked from.

With Internet Explorer I downloaded the SSL certificate from the partner URL "https://our.partner.net" and saved it as a ".cer"-file. Then in "Certificates and Keys: Key Storage" I went to View "TrustedCAs" and with "Import Entry" I imported the ".cer"-file.

  • But the communication channel gives me the error: "error during receive: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier"

I also renamed the ".cer"-file to ".crt" and imported that into "TrustedCAs". It gave me the same error.

(also after importing the .cer and the .crt I restarted the Java stack)

I also tried a different URL for testing: http://www.thomas-bayer.com/sqlrest/

This URL did not give me an error. So I assume something is wrong with the SSL connection.

What am I missing here? Please help me.

Thank you and best regards,

Peter

Accepted Solutions (1)


Former Member
0 Kudos

Hi,

Please refer to the notes:-

1577913-PI SOAP receiver channel cannot connect over HTTPS

1588148-Trusted certificates for SOAP receiver channels

1591971-Added property strictHostnameChecking

I believe they should help solve your problem.

Thanks.

peter_wallner2
Active Contributor
0 Kudos

Hello Atul,

One of your notes suggested to use "xpi_inspector" which I did now and it gave me the following entry in the log:

"Found Certificate chain with 4 elements:..."

then a list of certificates which looks fine (no errors) but at the end it tells me:

End IAIK Debug.

     ERROR: The issuer of the certificate #2 doesn't match the subject of certificate #3

What can I do about that? How can I make sure the certificate chain is correctly set up?

I will now contact our partner and let me know where to download the correct certificates.

thank you again,

Peter

Former Member
0 Kudos

Hi,

The line:-

ERROR: The issuer of the certificate #2 doesn't match the subject of certificate #3

would suggest that it is indeed a certificate ordering issue.

In case, even after discussion with your partner, the issue remains unresolved, please provide the entire traces seen, for further analysis.

Thanks.

Answers (3)


peter_wallner2
Active Contributor
0 Kudos

In the end it really was an issue of the SSL certificates. Even though I made sure I had all certificates of the chain there was an error between certificate #2 and #3.

With the help of "xpi_inspector" --> "11  (Authentication & SSL)" I was able to find out about the error. I contacted the partner who directed me to the Thawte-Download site for the 2 missing "Primary and Secondary Intermediate" certificates. After downloading those the original error "error during receive: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier" was gone.

Best regards,

Peter
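
The name-chaining check behind the error in this thread, as an added example that is not part of the original posts and is not xpi_inspector's code: it takes the subject/issuer lines printed by `openssl x509 -noout -subject -issuer` for each certificate, reports adjacent mismatches by input position, and names any issuer for which no certificate was supplied. The CA names in the sample are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: one subject/issuer pair per certificate, in the order the
# server presented them (text as printed by `openssl x509 -noout -subject -issuer`).
# All names are made up; "Example Issuing CA" is deliberately absent.
SAMPLE = """\
subject=CN = our.partner.net, O = Partner
issuer=CN = Example Issuing CA, O = Example Trust
subject=CN = Example Primary CA, O = Example Trust
issuer=CN = Example Root CA, O = Example Trust
subject=CN = Example Root CA, O = Example Trust
issuer=CN = Example Root CA, O = Example Trust
"""

def norm(dn):
    """Normalise a DN so spacing, case and '/' vs ',' separators do not matter.
    Naive split: assumes no ',' or '/' inside attribute values."""
    parts = re.split(r"\s*[,/]\s*", dn.strip().strip("/"))
    return ",".join(re.sub(r"\s*=\s*", "=", p).lower() for p in parts if p)

def parse(text):
    """Return [(subject, issuer), ...] in input order."""
    certs, cur = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("subject", "issuer"):
            cur[key.strip()] = norm(value)
            if len(cur) == 2:
                certs.append((cur["subject"], cur["issuer"]))
                cur = {}
    return certs

def check_chain(certs):
    """Return (chain, problems): chain is the path found from cert #1 upward."""
    problems = [f"issuer of #{i + 1} does not match subject of #{i + 2}"
                for i in range(len(certs) - 1) if certs[i][1] != certs[i + 1][0]]
    by_subject = {subject: (subject, issuer) for subject, issuer in certs}
    chain, cur = [], certs[0]
    while cur is not None and cur not in chain:
        chain.append(cur)
        if cur[0] == cur[1]:          # self-signed: reached a root
            break
        if cur[1] not in by_subject:  # nothing supplied for this issuer name
            problems.append(f"missing certificate with subject: {cur[1]}")
        cur = by_subject.get(cur[1])
    return chain, problems

if __name__ == "__main__":
    for problem in check_chain(parse(SAMPLE))[1]:
        print(problem)
```

This compares names only; signatures, validity dates and hostname are still checked by the adapter's own verifier, so a clean result here means the set of certificates is complete and linkable, not that the chain is trusted.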

baskar_gopalakrishnan2
Active Contributor
0 Kudos

>Peer certificate rejected by ChainVerifier"

Please make sure you import the entire CA hierarchy of the client cert in your Trusted CAs. Plus check whether hostname matches with the certificate. If you don't maintain the chain such as certificate -> intermediate CA cert -> root CA cert, this could happen. Take help from Basis.

peter_wallner2
Active Contributor
0 Kudos

Hello Michael, Hello Baskar,

Thank you for your hints. I have downloaded all three certificates now:

And I imported all of them into "Certificates and Keys: Key Storage" --> View "TrustedCAs".

The one from our.partner only goes until June but that should not be a problem I think.

Also in the partner's certificate the CN is "CN=our.partner.net" which I also have in the sender channel URL.

Java stack got restarted but still the same error.

On http://sapnwnewbie.blogspot.com/2011/06/sslexception-while-handshaking.html it says:

"4. If the call goes to ICM, add the certificates (in the chain) to Trust Manager using the transaction STRUST."

--> Do I have to upload all 3 certificates into STRUST?

Our STRUST looks pretty empty:

I do not know what else could be the problem.

Thank you again,

Peter

Former Member
0 Kudos

Dear Peter

You have to import client's certificates into SSL client (Standard)

Regards

Monika

peter_wallner2
Active Contributor
0 Kudos

Hello Monika,

Thank you for your advice.

I went into STRUST: I right-clicked on "SSL client SSL Client (Standard)" and clicked "Create new" and a new entry for the PI ABAP was created.

Then under "Certificate" --> "Import Certificate" I imported my 3 certificates and for each clicked "Add to certificate list". All 3 certificates are in the view "Certificate List" now.

Do I have to restart something because the Sender Channel still gives me the same error?

Thank you,
Peter

Former Member
0 Kudos

Dear Peter

Now you have to restart ICM.

Go to SMICM -> Administration -> Global ICM ->Ext Hard

Regards

Monika

michael_ruth3
Contributor
0 Kudos

Here's a link you can go to that will guide you on hopefully resolving your issue.

http://sapnwnewbie.blogspot.com/2011/06/sslexception-while-handshaking.html

If you can't open it, let me know.

Cheers