
SAP PI outbound SOAP- SSL error - Peer certificate rejected by ChainVerifier- CertificateExpiredException

Former Member
0 Kudos

Dear Friends,

We have one outbound scenario, where we are sending the file from SAP PI 7.0 to Webserver using SOAP protocol.

We have not configured any authentication. The only authentication happening is at the SSL level.

When the file goes out of the PI system, it fails with the below error.

Error:

error “Error: Error: Delivery of the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.aii.af.ra.ms.api.RecoverableException: Peer certificate rejected by ChainVerifier: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier.”.

Debug error message :

ssl_debug(514): Received v3 server_hello handshake message.
ssl_debug(514): Server selected SSL version 3.1.
ssl_debug(514): Server created new session F5:1D:00:00:D4:C4:7F:20...
ssl_debug(514): CipherSuite selected by server: TLS_RSA_WITH_AES_128_CBC_SHA
ssl_debug(514): CompressionMethod selected by server: NULL
ssl_debug(514): Received certificate handshake message with server certificate.
ssl_debug(514): Server sent a 2048 bit RSA certificate, chain has 2 elements.
ssl_debug(514): ChainVerifier: Error verifying certificate chain: java.security.cert.CertificateExpiredException
ssl_debug(514): Sending alert: Alert Fatal: bad certificate
ssl_debug(514): Shutting down SSL layer...
ssl_debug(514): SSLException while handshaking: Peer certificate rejected by ChainVerifier


The SOAP connection was working fine for the last one year but suddenly ended with the above error.

Scenario flow :
-------------------------
SAP PI 7.0[SOAP] ------> Webserver

So in this case, SAP PI will be the client and the webserver will be the server for SSL.

-----------------------------

My questions are

1. Where do we do the SSL configurations in SAP PI 7.0?
2. Does it mean that the client certificate which might be present in TrustedCA has expired? (I am not able to find any expired one under TrustedCA, though.)
3. Has the server changed its server SSL certificate, and do I have to import a new client SSL certificate?
4. The error says "Error verifying certificate chain: java.security.cert.CertificateExpiredException"... which certificate is expired here? How can I search for where that certificate is?
5. Has anybody encountered this error in the past?


I have already gone through the below blogs/sites for reference, but none were fruitful.


1. Configuring HTTPs Connection in SAP PI 7.10 by Carlos Iván Prieto and Jon Andoni Suarez.
2. https://developer.mozilla.org/en-US/docs/Introduction_to_SSL#The_SSL_Handshake

Can you please help with this?

Thanks in advance!!!

Regards

Venkatesh


Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Hi Venkatesh,

ad 1) you do that in VisualAdmin for PI 7.0

ad 2) no. The only certificate that has expired is the server certificate.

ad 3) not yet, but your partner who's operating the receiving https server needs to renew the certificate and send it to you for import into the VisualAdmin. Best would be if he's supplying the whole certificate chain to you for import into the VisualAdmin of your PI system. Your basis guys should know about how to import the ssl certificates for https client connections.

If they renew it but don't send it to you, simply connect to their server via a web browser (if firewall settings allow such a connection) and check/export the certificate from the browser's keystore.

ad 4) it's the partners server certificate that has expired, not the one from the PI.

ad 5) I bet. It's a common problem and will occur with every https receiver adapter connection, be it either soap adapter or http adapter, at one point if there is no established workflow for the renewal of server certificates for https services.

Best regards,

Peter
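
As an added example (not part of the original thread and not SAP tooling), the following parses the ssl_debug trace from the question and summarizes what the handshake negotiated and why the chain was rejected. The function and table names are hypothetical; the trace lines are copied from the question.

```python
import re

# Trace lines copied from the ssl_debug output posted in the question.
TRACE = """\
ssl_debug(514): Received v3 server_hello handshake message.
ssl_debug(514): Server selected SSL version 3.1.
ssl_debug(514): CipherSuite selected by server: TLS_RSA_WITH_AES_128_CBC_SHA
ssl_debug(514): Received certificate handshake message with server certificate.
ssl_debug(514): Server sent a 2048 bit RSA certificate, chain has 2 elements.
ssl_debug(514): ChainVerifier: Error verifying certificate chain: java.security.cert.CertificateExpiredException
ssl_debug(514): Sending alert: Alert Fatal: bad certificate
ssl_debug(514): SSLException while handshaking: Peer certificate rejected by ChainVerifier
"""

# On-the-wire version numbers: "SSL version 3.1" is TLS 1.0, and so on.
WIRE_VERSION = {"3.0": "SSL 3.0", "3.1": "TLS 1.0", "3.2": "TLS 1.1", "3.3": "TLS 1.2"}

# Standard java.security.cert exceptions and what they say about the peer chain.
CAUSES = {
    "CertificateExpiredException": "a certificate in the peer's chain is past its notAfter date",
    "CertificateNotYetValidException": "a certificate in the peer's chain is before its notBefore date",
}

PATTERNS = {
    "version": r"Server selected SSL version (\d\.\d)",
    "cipher": r"CipherSuite selected by server: (\S+)",
    "key_bits": r"Server sent a (\d+) bit",
    "chain_len": r"chain has (\d+) elements",
    "verify_error": r"ChainVerifier: Error verifying certificate chain: (\S+)",
    "alert": r"Sending alert: Alert (\w+: .+)",
}

def summarize(trace):
    """Extract the handshake facts and the chain-verification failure from one trace."""
    out = {}
    for line in trace.splitlines():
        body = re.sub(r"^ssl_debug\(\d+\):\s*", "", line)  # drop the debug prefix
        for key, pat in PATTERNS.items():
            m = re.search(pat, body)
            if m:
                out[key] = m.group(1)
    out["protocol"] = WIRE_VERSION.get(out.get("version"), "unknown")
    exc = out.get("verify_error", "").rsplit(".", 1)[-1]
    out["cause"] = CAUSES.get(exc, "unclassified" if exc else "no verification error")
    return out

if __name__ == "__main__":
    for k, v in summarize(TRACE).items():
        print(f"{k:13} {v}")
```

The summary shows the failure comes from validating the two-element chain the server presented, which is why the fix is a renewed certificate on the receiving server rather than a change to PI's own key pair.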

rhviana
Active Contributor
0 Kudos

Hi Venkatesh,

So you must import the CAs - Certification Unites - into Visual Administrator.

For HTTPS + SSL there are two certifications: one is to identify (Handshake) and another is for "SSL Tunneling".

Check this thread about it; there is an image showing where and what you need to do for that:

http://scn.sap.com/thread/3161319

Also there is a very good document from SAP explaining this and where you need to import the CAs:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e...

I hope this helps you.

Kind regards,

BR.

Ricardo Viana.

Harish
Active Contributor
0 Kudos

Hi Venkatesh,

ssl_debug(514): ChainVerifier: Error verifying certificate chain: java.security.cert.CertificateExpiredException


----According to the error, your SSL certificate is expired. Please check the below link for SSL configuration.


SAP Library - SAP NetWeaver by Key Capability


Check the SSL certificate in Visual Admin. You will be able to find the expired certificate. You will have the same keystore value as is configured in the comm channel.


regards,

Harish