J2EE Client application using SSL, keystore question.

RemiB1

Hi,

A developer colleague of mine is modifying one of our internal applications in Netweaver CE so that it can consume Web Services from our PI system using SSL instead of HTTP.

The application is authenticated with username/password (not client certificates) so for the SSL part it's only "server authentication".

I know that the PI system (the "server") is correctly configured for SSL. If I access it from my browser I can see that its certificate is fine and it has been signed by our own internal Certificate Authority.

The client (NW CE) has our CA's root certificate in the keystore view "TrustedCAs", so it should be able to accept SSL connections to the PI system without problems.

The issue that we have is that whenever we test the application, I can see the following message in the PI server's dev_icm trace file:

[Thr 1118591296] Thu Jun 14 14:44:58 2012
[Thr 1118591296] SSL_get_state() returned 0x00001180 "SSLv3 read client certificate A"
[Thr 1118591296] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 1118591296] session uses PSE file "/usr/sap/SID/DVEBMGS##/sec/SAPSSLS.pse"
[Thr 1118591296] SecudeSSL_SessionStart: SSL_accept() failed --
[Thr 1118591296]   secude_error 536875078 (0x20001046) = "received a fatal SSLv3 certificate unknown alert message from the peer"
[Thr 1118591296] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 1118591296] WARNING in ssl3_read_bytes: (536875078/0x20001046) received a fatal SSLv3 certificate unknown alert message from the peer
[Thr 1118591296] << ---------- End of Secude-SSL Errorstack ----------
[Thr 1118591296] SSL NI-sock: local=<ip address:port>  peer=<ip address:port>
[Thr 1118591296] <<- ERROR: SapSSLSessionStart(sssl_hdl=2aaabbefde10)==SSSLERR_SSL_ACCEPT
[Thr 1118591296] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn_mt. 1689]

So the client doesn't seem to trust the server's certificate and I don't understand why.

I'm wondering if the "client application" from NW CE needs to have some code that specifies in which keystore to look for the trusted server certificate. (The developer says otherwise, that it should find it by itself in the default keystore.)

Does it look in the "trustedCAs" keystore by default or do we need to specify a keystore with something like "KeyStore keystoreCAs = TrustedCAs"  ??

I've also tried to put the whole server certificate in the TrustedCAs keystore view, but it still doesn't work.

Any help would be appreciated.

Thank you !

Rémi Beaulieu

Answers (1)

Former Member

Hi Remi,

did you find any solution for problem you described here?

I am facing the same issue and can't move on.

Marek

RemiB1

Hi Marek,

Yes, in our case, because of the way their Java applications were developed, they did not use the TrustedCAs keystore from within the SAP J2EE engine but instead the JVM keystore on the OS (Linux in this case).

So the certificates had to be imported into /usr/sap/<SID>/J##/exe/sapjvm_5/security/cacerts.

It could be done with a command similar to this :

/usr/sap/SID/J##/exe/sapjvm_5/bin/keytool -import -alias <ALIAS> -file "location of your certificate.crt" -keystore /usr/sap/SID/J##/exe/sapjvm_5/jre/lib/security/cacerts

BTW the default password for the cacerts keystore is "changeit".

You can also list the certificates with the command ./keytool -list -keystore /usr/sap/SID/J##/exe/sapjvm_5/jre/lib/security/cacerts

Hope it helps !

Regards,

Remi Beaulieu
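The thread's resolution is that the client code relied on the JVM's default trust store (the JRE's cacerts) rather than the engine's TrustedCAs view. The following Java program is an added example, not code from the original posts or from SAP: it resolves the trust store the JSSE default trust manager would use (javax.net.ssl.trustStore if set, otherwise jssecacerts, otherwise cacerts under java.home), checks whether a given CA root (PEM file, path passed as an argument) is among its trusted issuers, and builds an SSLContext from an explicit trust store so the client no longer depends on whatever cacerts happens to contain. The class name, the argument layout and the PEM file are assumptions; the "changeit" default password is the one the answer above mentions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper (not part of the thread): diagnose and control which
// trust store a Java SSL client uses for server authentication.
public class TrustStoreCheck {

    // Mirror the JSSE default lookup order: -Djavax.net.ssl.trustStore,
    // then <java.home>/lib/security/jssecacerts, then .../cacerts.
    static Path defaultTrustStorePath() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return Paths.get(override);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    static KeyStore loadKeyStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    static X509Certificate readPem(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // True if the trust manager built from this store would accept the CA as an
    // issuer; Certificate.equals compares the DER encoding, not the alias.
    static boolean isTrustedIssuer(KeyStore trustStore, X509Certificate ca) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate issuer : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    if (issuer.equals(ca)) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    // Build an SSLContext bound to an explicit trust store. A client that uses
    // this context validates server certificates against that store only,
    // regardless of what the JVM's cacerts contains.
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage: java TrustStoreCheck internal-ca.crt [truststore-path] [password]
    public static void main(String[] args) throws Exception {
        Path caPem = Paths.get(args[0]);
        Path storePath = args.length > 1 ? Paths.get(args[1]) : defaultTrustStorePath();
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();

        X509Certificate ca = readPem(caPem);
        KeyStore trustStore = loadKeyStore(storePath, password);
        System.out.println("trust store in use: " + storePath);
        System.out.println("CA " + ca.getSubjectX500Principal()
                + " trusted by it: " + isTrustedIssuer(trustStore, ca));

        // Make every HttpsURLConnection in this JVM use the explicit store.
        HttpsURLConnection.setDefaultSSLSocketFactory(contextFor(trustStore).getSocketFactory());
    }
}
```

Run it with the internal CA's root certificate and no further arguments to see which file the JVM is actually consulting and whether the CA is in it; if it prints false, that is the same condition the ICM trace above shows from the server side (the client sends a "certificate unknown" alert because it cannot build a chain to a trusted root). Passing an explicit store path instead shows the alternative the question asks about: having the client code name its trust store rather than relying on the JRE default.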