
SSL configuration between SAP PI and Third Party tomcat application not working

Former Member
0 Kudos

Hi Experts,

We are configuring SSL between SAP PI 7.1 and a third party application based on tomcat. Both are in the same domain.

The communication between SAP PI and tomcat is happening through a communication channel.

My query is:

  • Can we use self-signed certificate exchange between both the applications?
  • We tried with a self-signed certificate: we have imported the SSL server certificate from STRUST PI into the tomcat application, and also imported the public key of the view from NWA and the tomcat certificate into STRUST and NWA.
  • Using the self-signed certificate, the tomcat application is giving the error:

     senderChannel '4bb4bae47bfa34db85ce289daae33f4d': Catching exception calling messaging system; nested exception is:

     com.sap.engine.interfaces.messaging.api.exception.MessagingException: Error transmitting the message over HTTP. Reason: java.lang.RuntimeException: Error while silently connecting: org.w3c.www.protocol.http.HttpException: Peer certificate rejected by ChainVerifier"

  • When we use the SAP-signed public key (valid for 8 weeks only) and the SAP server CA, then the scenario is working fine.

Can you please suggest which method we should go with, either self-signed or CA certificate?

Also, which certificate should we import in tomcat, whether it is from STRUST or NWA?

Thanks in advance

Regards,

Aditya

4 REPLIES

Former Member
0 Kudos

Hi Aditya,

Based on the error, you did not add the certificate to the list of trusted CAs on the remote end of the communication (tomcat side?).

To me it seems you are trying to authenticate with X.509 certificates but the remote end has no information on the CA and therefore cannot validate the certificate. Adding the certificate to the list of trusted CAs would help.

See this guide for more details or have a look at the docs.

Regards,

Patrick

0 Kudos

Thanks Patrick for the reply

Yes, we are doing it with an X.509 certificate.

Regarding CA certificate...should it be self signed or CA signed?

Because using the SAP-signed certificate the scenario is working fine, but not with self-signed certificates from STRUST.

Can you please suggest on this?

Thanks,

Aditya

0 Kudos

Hi Aditya,

I'm not quite sure what you refer to by

Aditya Bhosarekar wrote:

...
Regarding CA certificate...should it be self signed or CA signed?

...

The certificate of the root CA is always self-signed. Only intermediate CAs are signed by the root CA.

I do not remember any occurrence where self-signed certificates did not work; however, they may not make sense. Depending on the use case, you may have to add each and every self-signed certificate to the list of trusted sites for the chain verifier to accept them, which may not make sense. So if you only have one connection and there won't be more in the future, you can always use self-signed certs only. Everything else depends on the scenario.

In the case of OASIS Webservices, it is even not uncommon to use self-signed certificates on the consumer side to authenticate at the provider.

Regards,

Patrick
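
The trust-list behaviour described in the reply above, as an added example that is not part of the original thread: it uses the `openssl` command line as a stand-in for a chain verifier (it is not SAP's ChainVerifier or Tomcat's truststore). All certificates, names (`pi`, `tomcat`, `demo-ca`, `pi-signed`) and helper functions are constructed for the demo, and OpenSSL 1.1.0 or later is assumed.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway keys and certificates in a temp dir, nothing from the thread.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# selfsigned NAME: create NAME.key and a self-signed NAME.pem (hypothetical helper)
selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# ca_signed NAME CA: create NAME.pem signed with the CA's key instead of its own
ca_signed() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
  openssl x509 -req -in "$work/$1.csr" -CA "$work/$2.pem" -CAkey "$work/$2.key" \
    -CAcreateserial -days 1 -out "$work/$1.pem" 2>/dev/null
}

# accepted TRUSTFILE CERT: succeeds only if CERT chains to an anchor in TRUSTFILE
accepted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {  # report LABEL TRUSTFILE CERT
  if accepted "$2" "$3"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

selfsigned pi          # stands in for the sender's self-signed certificate
selfsigned tomcat      # stands in for the receiver's own certificate
selfsigned demo-ca     # stands in for a signing CA
ca_signed pi-signed demo-ca

# Receiver trust list that never got the peer's self-signed certificate
cp "$work/tomcat.pem" "$work/trust_without_peer.pem"
# Same list after importing that exact certificate
cat "$work/tomcat.pem" "$work/pi.pem" > "$work/trust_with_peer.pem"
# Trust list holding only the CA certificate
cp "$work/demo-ca.pem" "$work/trust_ca_only.pem"

report "self-signed, peer cert not imported" "$work/trust_without_peer.pem" "$work/pi.pem"
report "self-signed, peer cert imported"     "$work/trust_with_peer.pem"    "$work/pi.pem"
report "CA-signed, only CA cert imported"    "$work/trust_ca_only.pem"      "$work/pi-signed.pem"
```

The first case is the analogue of a peer certificate being rejected by the verifier; the third shows why one CA import covers every certificate that CA signs, while each self-signed certificate has to be imported individually.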

0 Kudos

Thanks Patrick,

We are able to resolve the issue by using SAP-signed certificates.

Thanks,

Aditya