Certificate error with new certificate

peter_wallner2
Active Contributor
0 Kudos

Dear experts,

I had opened thread http://scn.sap.com/message/13209781 a while ago and I was able to solve this by installing additional certificates from Thawte. So I had a SOAP Axis sender adapter which was working already.

Now our partner renewed his SSL certificate. I downloaded it, installed it via http://<host>:<port>/nwa in "Key storage views" - "Trusted CAs".

It is valid from 12 April 2012 - 03 June 2013.

Now I got an error and used XPI Inspector to get more information:

The certificates themselves though are trusted:

I already contacted our partner and he said he was in contact with Thawte. According to them there is no problem with the certificate from our partner. They think our application - SAP PI - does not recognize our partner's certificate as a valid one.

Does anyone have an idea on this?

Thank you and best regards,

Peter

Accepted Solutions (1)


0 Kudos

Hi Peter,

The main reasons for errors like this are the following:

1. The correct server certificate may not be present in the TrustedCA keystore view of NWA. So ensure you have done all the steps described in the URL below:

Security Configuration at Message Level
http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm



2. The server certificate chain contains an expired certificate. Check for it (that was the cause for other customers as well) and if that's the case renew it or extend its validity.

3. Basically the server certificate chain should be in the order Own -> Intermediate -> Root. To explain in detail: if your server certificate is A, issued by an intermediate CA B, and B's certificate is issued by C, which is the root CA (having a self-signed certificate), then your certificate chain contains 3 elements A -> B -> C. So you need to have the right order of certificates in the chain. If the order is B first, followed by A, followed by C, then the IAIK library used by PI cannot verify the server as trusted. Generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again.

4. If the end point of the SOAP call (server) is configured to accept a client certificate (mandatory), then make sure that it is configured correctly in the SOAP channel and that it is also within its validity period. (This certificate is the one which is sent to the server for client authentication.)

As a resource, you may need to create a new SSL server key. The requirement from the SAP SSL client side is that the requested site has to have a certificate with CN equal to the requested site. I mean, if I request URL X then the CN must be CN=X.

In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.

Request the URL with the IP of the SSL server and the certificate to be with CN = IP of the server. In any other case the SSL communication will not work.

Kind regards,

Caio Cagnani

peter_wallner2
Active Contributor
0 Kudos

Hello Caio Cagnani,

thank you for your ideas.

We are on PI 7.3 and I was wondering how I maintain the order of the certificate chain in NWA (SAP Netweaver Administrator), like you describe in point 3.

In my SOAP-Axis sender adapter I do not have the possibility to configure a certificate (point 4).

I am just wondering about your last point, the CN of the certificate has to be equal to the URL in the request from the sender adapter:

CN=oden.ourpartner.net

URL in sender adapter: https://oden.ourpartner.net/linkTransfer/...

So the URL is not completely equal, it is longer than the CN.

Best regards,

Peter

0 Kudos

Hi Peter,

The CN is correct, i.e., "oden.ourpartner.net" which is the Full name of your host.

Concerning point 3, for example, if you have a three-certificate chain, like X, Y and Z:

  a) X is the certificate generated by the J2EE engine;

  b) Then X is exported and signed by its CA; the generated certificate is Y;

  c) Y is imported. Step "b)" is repeated for Y and Z is generated;

  d) Z is imported. As Z is self-signed, it is the last certificate in the chain.

Kind regards,

Caio Cagnani
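The two replies above describe three separate things the chain verifier checks: that the chain is in leaf -> intermediate -> root order (issuer of certificate n equals subject of certificate n+1, ending in a self-signed root), that no certificate in the chain is expired, and that the CN matches the host part of the requested URL (not the whole URL with its path). The script below is an added example written for this thread, not code from SAP PI or the IAIK library, and it uses a simplified certificate model: records with subject, issuer and validity window only, no signature verification and no Subject Alternative Names. All names and dates are constructed; `oden.ourpartner.net` is the host from the thread, the CA names are invented.

```python
"""Chain ordering, expiry and hostname checks on a simplified certificate model.

Added example, not the thread's or SAP's code.  Certificates are plain records
(subject, issuer, validity window); signatures are NOT verified.  The point is
to show the ordering and matching logic a chain verifier applies, so that the
"issuer of cert n does not match subject of cert n+1" symptom can be reproduced
and fixed offline.  All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cert:
    subject: str          # e.g. "CN=oden.ourpartner.net"
    issuer: str           # subject of the certificate that signed this one
    not_before: datetime
    not_after: datetime

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


def order_chain(certs):
    """Return certs ordered leaf -> intermediates -> root whatever the input
    order, by following issuer -> subject links.  Raises ValueError when a
    link is missing (e.g. the intermediate was never imported)."""
    issuers = {c.issuer for c in certs if not c.is_self_signed()}
    candidates = [c for c in certs if c.subject not in issuers]
    leaves = [c for c in candidates if not c.is_self_signed()] or candidates
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    by_subject = {c.subject: c for c in certs}
    chain, seen = [leaves[0]], {leaves[0].subject}
    while not chain[-1].is_self_signed():
        nxt = by_subject.get(chain[-1].issuer)
        if nxt is None:
            raise ValueError(f"no certificate with subject {chain[-1].issuer!r}")
        if nxt.subject in seen:
            raise ValueError("cycle in certificate chain")
        chain.append(nxt)
        seen.add(nxt.subject)
    return chain


def verify_chain(chain, when):
    """Walk an already-ordered chain link by link and report problems.
    An empty list means the chain is acceptable at time `when`."""
    problems = []
    for i, cert in enumerate(chain):
        if not cert.valid_at(when):
            problems.append(f"cert {i} ({cert.subject}) not valid at {when:%Y-%m-%d}")
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            problems.append(f"issuer of cert {i} does not match subject of cert {i + 1}")
    if not chain[-1].is_self_signed():
        problems.append("chain does not end in a self-signed root")
    return problems


def cn_of(subject):
    """Extract the CN attribute from a comma-separated subject string."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value
    return None


def hostname_matches(url, leaf):
    """Only the host part of the URL is compared with the leaf CN, which is
    why a URL that is longer than the CN (scheme, path, query) is fine."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() == (cn_of(leaf.subject) or "").lower()


def check(certs, url, when):
    """Order the certs, verify the chain and the hostname; return
    (ordered subjects, list of problems)."""
    chain = order_chain(certs)
    problems = verify_chain(chain, when)
    if not hostname_matches(url, chain[0]):
        problems.append(f"host {urlsplit(url).hostname!r} != leaf CN {cn_of(chain[0].subject)!r}")
    return [c.subject for c in chain], problems


# Constructed sample data (CA names invented; dates chosen around the thread).
NOW = datetime(2012, 6, 1)
URL = "https://oden.ourpartner.net/linkTransfer/upload"
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", datetime(2006, 1, 1), datetime(2026, 1, 1))
INTER = Cert("CN=Example Intermediate CA", "CN=Example Root CA", datetime(2010, 1, 1), datetime(2020, 1, 1))
LEAF = Cert("CN=oden.ourpartner.net", "CN=Example Intermediate CA", datetime(2012, 4, 12), datetime(2013, 6, 3))
# Same intermediate subject, but an old copy that has already expired.
OLD_INTER = Cert("CN=Example Intermediate CA", "CN=Example Root CA", datetime(2006, 1, 1), datetime(2011, 12, 31))

if __name__ == "__main__":
    # Certificates given in the wrong order (B, A, C): verifying as-is fails,
    # ordering them first succeeds.
    print(verify_chain([INTER, LEAF, ROOT], NOW))
    print(check([INTER, LEAF, ROOT], URL, NOW))
    # An expired intermediate is reported even though the order is right.
    print(check([LEAF, ROOT, OLD_INTER], URL, NOW))
    # Requesting by IP while the CN is a hostname is reported as a mismatch.
    print(check([INTER, LEAF, ROOT], "https://10.1.2.3/linkTransfer/upload", NOW))
```

When the intermediate is missing from the keystore altogether, `order_chain` raises `ValueError` naming the subject it could not find, which is the practical way to tell "wrong order" from "certificate never imported". For a real server the chain it actually sends can be inspected with `openssl s_client -showcerts` and compared against what was imported; the model here deliberately leaves out signature and SAN checks that a real verifier performs.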

peter_wallner2
Active Contributor
0 Kudos

Hello Caio Cagnani,

thank you for your answer again. In the meantime I opened an OSS ticket with SAP. I could not figure out the problem. I will update this thread as soon as we have a solution.

Best regards,

Peter

Former Member
0 Kudos

Hi Peter,

I was wondering if you found the resolution to this issue yet?

I am having a similar problem with this TrustedCAs thing after the PI 7.3 upgrade.

We never used a trusted certificate before with our PI 7.0 release. Recently we've upgraded to PI 7.3.

After the upgrade our SOAP channels that use an HTTPS URL are getting the error "Peer Certificate rejected by ChainVerifier". I've installed the certificate under NWA - TrustedCAs, and put in the SP08 patch for the Messaging Service component, and am still getting the same error. I have implemented note 1588148 also. But no luck. If you have found the resolution, can you please share it? I would appreciate it very much, as I've been on this issue for the last 3 weeks.

thank you in advance.

Velvet

peter_wallner2
Active Contributor
0 Kudos

Hello Velvet,

This became a major issue. Yesterday I got an answer from SAP, they solved it releasing a hotfix. The hotfix will be included in SP3 (released in 2013) for PI. Please refer to SAP notes 1751851 and 1751837.

I have not tried it yet - I will download the hotfix tomorrow morning and start working on it.

Best regards,

Peter

Former Member
0 Kudos

Hi Peter,

I am just now seeing your reply.  Thanks for the reply.

Anyway, I've also opened a message with SAP too; they've asked us to apply patches:

ENGINEAPI -> update to patch "14"

J2EE ENGINE FRAMEWORK -> update to patch "12"

J2EE ENGINE SERVERCORE -> update to patch "39"

Did notes 1751851 and 1751837 work for you?

Thank you,

Velvet

peter_wallner2
Active Contributor
0 Kudos

Hello Velvet,

Yes, both those notes worked for us. The problem is solved.

Good luck with it - I am sure it will work for you too.

Best regards,

Peter

Answers (1)


peter_wallner2
Active Contributor
0 Kudos

sorry, here are the screenshots:

Former Member
0 Kudos

Hi

Just a basic question.

The error seems to be with the order of the certificate chain. Have you installed all three certificates in NWA?

And also delete all old entries in NWA --> Key Store.

peter_wallner2
Active Contributor
0 Kudos

Hello Rajesh Shanmugasundaram,

Yes, something in the chain is not right.

It says the issuer of cert. # does not match the subject of cert. #

But when I compare the issuer of cert. 0 with the subject of cert. 1 they are the same.

Also 1 and 2 as well as 2 and 3 - the issuer matches the subject of the higher certificate.

Yes, I imported all three certificates into NWA and I deleted any with a red dot (expired).

Would you have any other ideas?

Best regards,

Peter

Former Member
0 Kudos

Hi,

Have you tried to restart java stack?

It is not required ideally, but I would give it a try.

peter_wallner2
Active Contributor
0 Kudos

Hello,

Yes, we just did a restart of java stack but I still get the same error.

Also I imported the certificates into STRUST in ABAP stack and restarted ICM.

That did not help either.

In my NWA keystore is there a ranking of certificates I have to follow when importing?

Root --> intermediate --> partner cert.?

Does it matter which certificate I import first, second, last?

Best regards,

Peter

peter_wallner2
Active Contributor
0 Kudos

Hello Rajesh, Hello experts,

I now did a debugging again with XPI Inspector and switched from "11 (Authentication & SSL)" to "17 (Axis Adapter)" and I get the following message:

Our partner claims everything is okay with the certificate. But could it be that there is a problem with it? I downloaded it with Internet Explorer.

Thank you for any ideas.

Best regards,

Peter