on 06-12-2012 10:43 AM
Dear experts,
I had opened thread http://scn.sap.com/message/13209781 a while ago and I was able to solve this by installing additional certificates
from Thawte. So I had a SOAP Axis sender Adapter which was working already.
Now our partner renewed his SSL certificate. I downloaded it, installed it via http://<host>:<port>/nwa in "Key storage views" - "Trusted CAs".
It is valid from 12 April 2012 - 03 June 2013.
Now I got an error and used XPI Inspector to get more information:
The certificates themselves though are trusted:
I already contacted our partner and he said he was in contact with Thawte. According to them there is no problem with the certificate from
our partner. They think our application - SAP PI - does not recognize our partners certificate as a valid one.
Does anyone have an idea on this?
Thank you and best regards,
Peter
Hi Peter,
The main reasons for errors like this are the following:
1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. So ensure you have done all the steps described in the URL below:
Security Configuration at Message Level
http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
2. The server certificate chain contains expired certificate.
Check for it (that was the cause for other customers as well) and
Caio Cagnani
if it's the case renew it or extend the validation.
3. Basically the server certificate chain should be in order
Own->Intermedite->Root. To explain in detail, if your server certificate
is A which is issued by an intermediate CA B and then B's certificate is
issued by the C which is the root CA (having a self signed certificate).
Then your certificate chain contains 3 elements A->B->C. So you need to
have the right order of certificate in the chain. If the order is B
first followed by A followed by C, then the IAIK library used by PI
cannot verify the server as trusted. Generate the certificate in
the right order and then import this certificate in the TrustedCA
keystore view and try again.
4. If the end point of the SOAP Call(Server) is configured to accept
a client certificate(mandatory), then make sure that it is configured
correctly in the SOAP channel and it is also within validity period.
(This certificate is the one which is sent to Server for Client
authentication)
As a resource, you may need to create a new SSL Server key.
The requirement from SAP SSL client side is that the requested site has
to have certificate with CN equal to the requested site. I mean if I
request URL X then the CN must be CN=X.
In other words, the CN of the certificate has to be equal to the URL in
the ftp request. This can be the IP address or the full name of the host.
Request the url with the IP of the SSL Server and the certificate to be
with CN = IP of the server.
In any other case the SSL communication will not work.
Kind regards,
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Caio Cagnani,
thank you for your ideas.
We are on PI 7.3 and I was wondering how I maintain the order of the certificate chain in NWA (SAP Netweaver Administrator), like you describe in point 3.
In my SOAP-Axis sender adapter I do not have the possibility to configure a certificate (point 4).
I am just wondering about your last point, the CN of the certificate has to be equal to the URL in the request from the sender adapter:
CN=oden.ourpartner.net
URL in sender adapter: https://oden.ourpartner.net/linkTransfer/...
So the URL is not completely equal, it is longer than the CN.
Best regards,
Peter
Hi Peter,
The CN is correct, i.e., "oden.ourpartner.net" which is the Full name of your host.
Concerning point 3, for example, if you have a three-certificate chain, like X, Y and Z:
a) X is the certificate generated by J2EE engine;
b) Then, X is exported and signed by its CA; The generated certificate is Y;
c) Y is imported. Step "2)" is repeated for Y and Z is generated;
d) Z is imported. As Z is self-signed, he is the last certificate in the chain.
Kind regards,
Caio Cagnani
Hi Peter,
I was wondering if you found the resolution to this issue yet?
I am having similiar problem with this TrustedCAs thing after PI 7.3 upgrade.
We never used trusted Certificate before with our PI 7.0 release. Recently we've upgraded to PI 7.3.
After the upgrade our soap channels that uses HTTPS URL are getting error "Peer Certifitcate rejected by ChainVerifier" I've installed the Certificate under NWA-TrustedCAs, and put in the SP08 patch for Messaging SErvice component and am still getting the same error. Have implemented notes 1588148 also. But no luck. If you have found the resolution, can you please share, I would appreciate it very much, as I've been on this issue for the last 3 weeks.
thank you in advance.
Velvet
Hello Velvet,
This became a major issue. Yesterday I got an answer from SAP, they solved it releasing a hotfix. The hotfix will be included in SP3 (released in 2013) for PI. Please refer to SAP notes 1751851 and 1751837.
I have not tried it yet - I will download the hotfix tomorrow morning and start working on it.
Best regards,
Peter
Hi Peter,
I am just now seeing your reply. Thanks for the reply.
Anyway, I've also open a message for SAP too, they've asked us to apply patches
patches ENGINEAPI -> update to patch "14"
J2EE ENGINE FRAMEWORK -> update to patch "12"
J2EE ENGINE SERVERCORE -> update to patch "39
Did the Note 1751851 and 1751837 works for you??
Thank you,
Velvet
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Rajesh Shanmugasundaram,
Yes, something in the chain is not right.
It says the issuer of cert. # does not match the subject of cert. #
But when I compare the issuer of cert. 0 with the subject of cert. 1 they are the same.
Also 1 and 2 as well as 2 and 3 - the issuer matches the subject of the higher certificate.
Yes, I imported all three certificates into NWA and I deleted any with a red dot (expired).
Would you have any other ideas?
Best regards,
Peter
Hello,
Yes, we just did a restart of java stack but I still get the same error.
Also I imported the certificates into STRUST in ABAP stack and restarted ICM.
That did not help either.
In my NWA keystore is there a ranking of certificates I have to follow when importing?
Root --> intermediate --> partner cert.?
Does it matter which certificate I import first, second, last?
Best regards,
Peter
Hello Rajesh, Hello experts,
I now did a debugging again with XPI-Inspector and switched from "11 (Authentication & SSL)" to
"17 (Axis Adapter)" and I get the following message:
Our partner claims everything is okay with the certificate. But could it be that there is a problem with it? I downloaded it with Internet Explorer.
Thank you for any ideas.
Best regards,
Peter
User | Count |
---|---|
91 | |
10 | |
10 | |
9 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.