on 06-24-2014 11:18 AM
Dear All,
I am facing a certificate issue in the PI production environment while trying to communicate with a third-party bank web server. In development and quality we are successfully able to run the interface by using the test certs (a combination of public and private keys provided by the bank) by importing them in the TrustedCas view. However, for production we generated the CSR in the PI production environment under the TrustedCas view and shared it with the bank.
Bank has provided the below list of certificates after getting signed by the CA named SAMA.
I imported the first certificate (Bank_CSR-27042014.crt) in the "Import CSR response" tab under the TrustedCas view, into the same entry which I created while generating the CSR. Certificates 2 and 3 I just imported under the TrustedCas view, but when I run the interface I get the error "com.sap.aii.adapter.http.api.HttpAdapterException: ERROR_SENDING_HTTP_REQUEST". I have also configured the HTTP_AAE receiver adapter to use SSL and certificates.
I have gone through many threads related to certificates, but still have the below queries/clarifications when it comes to utilizing certificates signed by a CA.
Experts, please help me resolve this error or correct me if I am wrong, as this error is in production, and I do not have any certificate expert from the basis team.
Thanks,
Farhan
Hi Jannus Botha,
Thanks a lot for the quick help. I have not tested with SOAP UI, but tested the connectivity by telnet on port 443 with the network team, no issue in that. Port 443 is open from both sides, no firewall issue as well.
The same interface is working perfectly in DEV and QA, but here the certificates are different from what I have used in QA and DEV.
I remember you had helped me a lot in the link which you have mentioned, and I have tried all those options but still no luck.
Could you please confirm if I am following the correct way to use the certs signed by the CA?
Thanks,
Farhan
Hi Farhan,
Yeah, let's quickly see if we cannot resolve this issue for you.
Let's quickly do all the steps.
Do you have your system cert signed by Thawte or Verisign etc.?
If you have one of those certs then the bank should be able to communicate with you.
So you will need to have your server signed and then you need to import it into your java stack?
Import that cert in your service_ssl.
Please also try and run the interface in Production without using the certs or by using the wrong cert. You should get an Auth problem.
Please also try and test the interface using SOAPUI.
Regards,
Jannus Botha
Hi Jannus Botha,
Just to summarize, please see the below points.
I just tried by checking the option "Use SSL" but not "Specify Client Certificate".
Moreover, when I tried by just checking "Use SSL" in the receiver communication channel, but not "specify client certificates", I received a different error: "com.sap.aii.adapter.http.api.HttpAdapterException: ERROR_SENDING_HTTP_REQUEST, sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Please let me know if any other point where I can look to resolve this.
Thanks,
Farhan
Hi Hareesh,
I am using Xpi_inspector. I ran example 50 in xpi_inspector and pinged the receiver communication channel; it then shows the exception "Peer certificate rejected by ChainVerifier" in the xpi_inspector log.
There are many threads for this error, but I am not sure what's wrong in my case. Please help me if you can, because this issue is in production.
Thanks,
Farhan
Hi Farhan - Can you paste trace information here?
Not just the error but all the steps before you get that error, something that starts with "ssl_debug: ".
Also, if you download the zip file (from xpi inspector) -> go to the folder channels -> you should be able to find additional information about certificates under the "Verify Remote SSL Server Certificate" segment.
Could you please paste that information.
ssl_debug(19): ChainVerifier: name mismatch: www.riyXXXX.com != 193.xxx.xxx.xxx
How did you configure the channel?
Did you use the IP address? Host name? If you are using the IP address, then try configuring the hostname instead of the IP.
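The name-mismatch rule behind the `ssl_debug` line above, as an added example that is not part of the original thread and not SAP's ChainVerifier code. It is a simplified hostname check; the URLs, certificate names and the 203.0.113.10 address are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit


def _dns_match(host, pattern):
    """Case-insensitive compare; '*' is accepted only as the whole left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*" and len(p) > 2:
        # The wildcard covers exactly one label, so a.b.example never matches *.example
        return h[1:] == p[1:]
    return h == p


def host_matches_cert(host, dns_names, ip_sans):
    """True if the configured host is covered by the certificate's names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: compare against the DNS names in the certificate
        return any(_dns_match(host, name) for name in dns_names)
    # An IP literal is compared only with IP address entries, never with DNS names
    return any(ip == ipaddress.ip_address(entry) for entry in ip_sans)


def check_channel_url(url, dns_names, ip_sans=()):
    """Return 'ok' or a diagnostic shaped like the ssl_debug name-mismatch line."""
    host = urlsplit(url).hostname
    if host is None:
        return "no host in URL"
    if host_matches_cert(host, dns_names, ip_sans):
        return "ok"
    return f"name mismatch: {', '.join(dns_names)} != {host}"


if __name__ == "__main__":
    cert_dns_names = ["www.bank.example"]  # constructed: names in the server certificate
    for target in ("https://203.0.113.10:443/pay", "https://www.bank.example:443/pay"):
        print(target, "->", check_channel_url(target, cert_dns_names))
```

A channel URL that uses the IP address fails this check even when the chain itself is trusted, because the certificate names only the hostname.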
Hi Hareesh and Jannus Botha,
Thanks a ton for the continuous help. The issue has been resolved, I have added the private key and key storage view in receiver communication channel under check box "specify client certificate".
However, I am not sure why the same configuration was not working earlier.
Regards,
Farhan