06-20-2013 12:59 PM
Hi Experts,
We are configuring SSL between SAP PI7.1 and a third party application based on tomcat. Both are in the same domain.
The communication between SAP PI and tomcat is happening through a communication channel.
My query is
senderChannel '4bb4bae47bfa34db85ce289daae33f4d': Catching exception calling messaging system; nested exception is:
com.sap.engine.interfaces.messaging.api.exception.MessagingException: Error transmitting the message over HTTP. Reason: java.lang.RuntimeException: Error while silently connecting: org.w3c.www.protocol.http.HttpException: Peer certificate rejected by ChainVerifier"
Can you please suggest the method by which we should go either self signed or CA certificate?
Also which certificate should we import in tomcat whether it is from STRUST or NWA?
Thanks in advance
Regards,
Aditya
06-21-2013 12:13 PM
Hi Aditya,
based on the error, you did not add the certificate to the list of trusted CAs on the remote end of the communication (tomcat side?).
To me it seems you are trying to authenticate with X.509 certificates but the remote end has no information on the CA and therefore cannot validate the certificate. Adding the certificate to the list of trusted CAs would help.
See this guide for more details or have a look at the docs.
Regards,
Patrick
06-21-2013 1:11 PM
Thanks Patrick for the reply.
Yes, we are doing this with an X.509 certificate.
Regarding CA certificate...should it be self signed or CA signed?
Because using SAP signed certificate the scenario is working fine, but not with self signed certificates from STRUST.
Can you please suggest on this?
Thanks,
Aditya
06-24-2013 7:11 AM
Hi Aditya,
I'm not quite sure, what you refer to by
Aditya Bhosarekar wrote:
...
Regarding CA certificate...should it be self signed or CA signed?
...
The certificate of the root CA is always self signed. Only intermediate CAs are signed by the root CA.
I do not remember any occurrence where self signed certificates did not work, however they may not make sense. Depending on the use case, you may have to add each and every self signed certificate to the list of trusted sites for the chain verifier to accept them, which may not make sense. So if you only have one connection and there won't be more in the future you can always use self signed certs only. Everything else depends on the scenario.
In the case of OASIS Webservices, it is even not uncommon to use self signed certificates on the consumer side to authenticate at the provider.
Regards,
Patrick
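The trust-store behaviour described in the reply above, as an added example that is not part of the thread: it uses the openssl command line rather than STRUST, NWA or the Tomcat keystore, and every certificate name in it is constructed. A receiver that trusts only a CA accepts a certificate issued by that CA and rejects an unrelated self signed one until that exact certificate is imported as trusted.

```shell
#!/usr/bin/env bash
# Added illustration. All names (demo-root-ca, pi-client, standalone) are constructed.

make_demo_pki() {   # $1 = scratch directory
  local d="$1"
  # Root CA certificate: self signed, as every root certificate is.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-root-ca" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  # Sender certificate issued (signed) by the demo CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=pi-client" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null || return 1
  # Stand-alone self signed certificate, unrelated to the demo CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=standalone" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
}

# chain_ok TRUSTFILE CERT: succeeds only if CERT chains to a certificate in TRUSTFILE.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

verdict() { if chain_ok "$1" "$2"; then echo accept; else echo reject; fi; }

trust_demo() {
  local d a b c
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || { rm -rf "$d"; return 1; }
  cp "$d/ca.pem" "$d/trusted.pem"            # receiver trusts the CA only
  a=$(verdict "$d/trusted.pem" "$d/client.pem")
  b=$(verdict "$d/trusted.pem" "$d/self.pem")
  cat "$d/self.pem" >> "$d/trusted.pem"      # import the self signed cert itself
  c=$(verdict "$d/trusted.pem" "$d/self.pem")
  rm -rf "$d"
  echo "ca-signed=$a self-signed=$b self-signed-imported=$c"
}

trust_demo
```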
06-27-2013 12:23 PM
Thanks Patrick,
We are able to resolve the issue by using SAP signed certificates.
Thanks,
Aditya