on 01-09-2014 10:53 AM
Hello experts.
The error below occurs when we try to check the connection with SEFAZ (SP, MG and RJ):
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!-- Mensagem de entrada -->
<SAP:Error SOAP:mustUnderstand="1"
  xmlns:SAP="http://sap.com/xi/XI/Message/30"
  xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
  <SAP:Category>XIAdapterFramework</SAP:Category>
  <SAP:Code area="MESSAGE">GENERAL</SAP:Code>
  <SAP:P1 />
  <SAP:P2 />
  <SAP:P3 />
  <SAP:P4 />
  <SAP:AdditionalText>com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier</SAP:AdditionalText>
  <SAP:Stack />
  <SAP:Retry>M</SAP:Retry>
</SAP:Error>
We have already performed the steps below:
1) updated the certificate
2) restarted Java
3) checked the firewall.
Thanks
Good evening, everyone,
Sorry for the delay in replying; I am getting my SCN in order.
The problem really was in the firewall.
Regards,
Juliano Diniz
Juliano,
In this space you must post in Portuguese. Please rewrite your question.
Thanks,
Eduardo Chagas
Juliano Diniz Jan 9, 2014 11:53 AM
Thank you, Eduardo.
Here it is:
The error below is occurring in our NFE PI test (homologation) system; GRC shows errors on the availability check screen for the SEFAZ services (SP, MG and RJ):
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!-- Mensagem de entrada -->
<SAP:Error SOAP:mustUnderstand="1"
  xmlns:SAP="http://sap.com/xi/XI/Message/30"
  xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
  <SAP:Category>XIAdapterFramework</SAP:Category>
  <SAP:Code area="MESSAGE">GENERAL</SAP:Code>
  <SAP:P1 />
  <SAP:P2 />
  <SAP:P3 />
  <SAP:P4 />
  <SAP:AdditionalText>com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier</SAP:AdditionalText>
  <SAP:Stack />
  <SAP:Retry>M</SAP:Retry>
</SAP:Error>
We have already checked the steps below:
1) certificate
2) Java restart
3) we checked the firewall.
Has anyone run into this problem and could help with it?
Thanks
Juliano
Juliano,
Have you already uploaded the CAs of the SEFAZ you are issuing to into NWA, under the TrustedCAs entry?
It is not enough to just upload the digital certificate to PI; you need to import a few more things.
Check my blog on SEFAZ SP; it is basically the same procedure for the others.
http://scn.sap.com/community/portuguese/sped-and-nf-e/blog/2013/12/18/sefaz-sp--cifras-ssl
For an HTTPS + SSL connection, the digital certificate is used for identification, and what is imported in Trusted CAs is used for "tunneling".
I had this problem in the past; see the thread below:
http://scn.sap.com/thread/3288028
I hope this helps.
Best regards,
Ricardo Viana.
Hi Juliano,
Please check the guidance below, described in note 1524196 - Import certificates in ABAP and Java
- J2EE
- Check that your complete certification authorities' (CAs) certificate chain + your private certificate is correctly imported into the PI Keystore. The certificate chain has to be in the correct order. Otherwise SEFAZ will reject your request with a HTTP 403 response. The government needs to know whom they can trust, i.e. that your certificate is signed from a trusted authority. Therefore you need to have the complete certificate chain in your keystore. We attached an example (our details were removed) for your convenience to this message (see certificate_chain.pdf).
- It shows that, in addition to your private key, you need to import the government's (SEFAZ) root certificate. Afterwards, you have to import an intermediate certificate that shows that SEFAZ trusts the Security Provider. And finally, the certificate that shows that the Security Provider trusts the issuer of your certificate. Then the certificate chain is complete and the government knows that your certificate is OK.
- For where to download the CA certificates, please refer to the attached document "Structure of ICP-Brazil.pdf" and choose your Security Provider (e.g. CertiSign). When the CA certificates are in PKCS#7 format, refer to the attached document "P7B certificate export.pdf" to export them in .cer format.
- Please import your private certificate with the CA certificate chain one by one via the Visual Administrator for NetWeaver 700 or NetWeaver Administrator (NWA) for NetWeaver 710 (in the correct order). Alternatively you can import the certificates with Internet Explorer and export them as one PFX including the certificate chain. The attachment "Generate Certificate Chain.pdf" describes how the private certificate has to be imported into the Personal folder of the Windows key store. The AC certificates have to be imported the same way, but in different folders (automatically). Then you can load the exported PFX into the J2EE key storage view (e.g. NFE).
- For the server authentication of SEFAZ, import the SEFAZ .cer files into Keystore View TrustedCAs and restart the instance.
Regards,
Eduardo Chagas
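Added example, not part of any post in this thread: a shell sketch of the trust check that the replies above point to, where a peer certificate is rejected because the trusted CA set does not contain the complete issuing chain. It assumes the openssl command line is installed and uses it in place of the IAIK verifier named in the error; the CA names, the endpoint name and all certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI (root -> intermediate -> server).
# All names are made up; none of this is a real SEFAZ or ICP-Brasil certificate.

new_csr() {  # new_csr DIR NAME SUBJECT: fresh RSA key plus signing request
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_demo_pki() {  # make_demo_pki DIR: writes root.cer, int.cer and srv.cer
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    new_csr "$d" root "/CN=Demo Root CA"
    new_csr "$d" int  "/CN=Demo Intermediate CA"
    new_csr "$d" srv  "/CN=demo-sefaz-endpoint.example"
    # Self-signed root, intermediate signed by the root, server signed by the intermediate
    openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.cer" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
        -CAserial "$d/root.srl" -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.cer" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/srv.csr" -CA "$d/int.cer" -CAkey "$d/int.key" \
        -CAserial "$d/int.srl" -CAcreateserial -out "$d/srv.cer" 2>/dev/null
}

show_links() {  # subject and issuer per file, to put a chain in order before import
    for f in "$@"; do openssl x509 -noout -subject -issuer -in "$f"; done
}

chain_verifies() {  # chain_verifies TRUSTED_PEM PEER_CERT: 0 only if a full path to a root exists
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    echo "$out"
    case $out in *": OK") return 0 ;; *) return 1 ;; esac
}

demo() {
    d=$(mktemp -d) && make_demo_pki "$d" || return 1
    show_links "$d/srv.cer" "$d/int.cer" "$d/root.cer"
    echo "--- trusted set holds only the root:"
    chain_verifies "$d/root.cer" "$d/srv.cer" || echo "rejected: issuer of the peer certificate not found"
    echo "--- trusted set holds root + intermediate:"
    cat "$d/root.cer" "$d/int.cer" > "$d/trusted.pem"
    chain_verifies "$d/trusted.pem" "$d/srv.cer" && echo "accepted"
    rm -rf "$d"
}
demo
```

Running `show_links` on the .cer files exported from a PKCS#7 bundle shows which certificate issues which, which is the order the note asks for when importing them one by one.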
You can use this tool to analyze what is happening when you try to communicate with Sefaz:
But, from the description of your error, it seems that the certificate you imported in NWA or in Visual Admin is incorrect. Do you have this certificate at hand?
If so, install it on your local computer and then try to access one of the Sefaz web services.
If you cannot, you have found the problem.
If it works, try importing this certificate again in NWA/VA so as to generate another Keystore Entry.
Then update the Keystore Entry and View information in the Soap Receiver adapter, clear the cache (a Java restart would be ideal) and run a new test.
It should work.