
certificates error, which is signed by CA in PI production environment

Former Member
0 Kudos

Dear All,

I am facing a certificate issue in the PI production environment while trying to communicate with a third-party bank web server. In development and quality we are successfully able to run the interface by using the test certs (combination of public and private keys provided by the bank) by importing them in the TrustedCas view. However, for production we generated the CSR in the PI production environment under the TrustedCas view and shared it with the bank.

Bank has provided the below list of certificates after getting signed by the CA named SAMA.

  1. Bank_CSR-27042014.crt
  2. SAMA_Root_CA_DERformat_PRODUCTION.crt
  3. SAMA_Shared_CA_DERformat_PRODUCTION.crt

I imported the first certificate (Bank_CSR-27042014.crt) in the "Import CSR response" tab under the TrustedCas view, to the same entry which I created while generating the CSR. Certificates 2 and 3 I just imported under the TrustedCas view, but when I am running the interface I am getting the error "com.sap.aii.adapter.http.api.HttpAdapterException: ERROR_SENDING_HTTP_REQUEST". I have also configured the HTTP_AAE receiver adapter to use SSL and certificates.

I have gone through many threads related to certificates, but still have the below queries/clarifications when it comes to utilizing the certificates signed by a CA.

  1. From which key storage view shall we generate the CSR and place the signed certs from the CA, like "TrustedCas", DEFAULT, "service_ssl", "ICM_SSL_<instance_ID>"? Are they different technically or are they just like a folder?
  2. Exactly how many certificates should we receive from CAs to communicate with an SSL-enabled web server, as I have seen root, intermediate and system, and what should be the correct order to import?
  3. While configuring the HTTP_AAE receiver adapter I have checked "Use SSL" and "Specify Client Certificates" as below. Is it OK?

Experts, please help me resolve this error or correct me if I am wrong, as this error is in production, and I do not have any certificate expert from the basis team.

Thanks,

Farhan

Accepted Solutions (1)


Former Member
0 Kudos

Hi Farhan,

That might not be a cert error. A cert error would normally give you a Chain or Cert error and not Error sending HTTP request.

Have you tested with SOAPUI?

Also, can you make sure that the networks and everything have been opened?

Please also have a look at the link below.

Regards,

Jannus Botha

Former Member
0 Kudos

Hi Jannus Botha,

Thanks a lot for the quick help. I have not tested with SoapUI, but tested the connectivity by telnet on port 443 with the network team, no issue in that. Port 443 is open from both sides, no firewall issue as well.

The same interface is working perfectly in DEV and QA, but here the certificates are different than what I have used in QA and DEV.

I remember you had helped me a lot in the link which you have mentioned, and I have tried all those options but still no luck.

Could you please confirm if I am following the correct way to use the certs signed by the CA?

Thanks,

Farhan

Former Member
0 Kudos

Hi Farhan,

Yeah, let's quickly see if we cannot resolve this issue for you.

Let's quickly do all the steps.

Do you have your system cert signed Thawte or Verisign etc?

If you have one of those certs then the bank should be able to communicate with you.

So you will need to have your server signed and then you need to import it into your java stack?

Import that cert in your service_ssl.

Please also try and run the interface in Production without using the certs or by using the wrong cert. You should get an Auth problem.

Please also try and test the interface using SOAPUI.

Regards,

Jannus Botha

former_member184720
Active Contributor
0 Kudos

I would suggest you use xpi_inspector. It provides additional information to trace down the root cause even if it is related to certificates.

Former Member
0 Kudos

Hi Jannus Botha,

Just to summarize, please see the below points.

  1. When you say system certificate, do you mean that we need to have one separate certificate signed by Thawte or Verisign, apart from the certificates provided by the bank, and how do we identify which is the system cert?
  2. I imported it in the service_ssl key storage, but it didn't work on the Java stack.
  3. I pinged the HTTP_AAE receiver channel without using any certs, and it shows: Successfully Opened a Connection to URL: http://193.105.119.140:443/b2b/epay2
  4. Unfortunately, I cannot install SoapUI, due to security reasons.

I just tried by checking the option "Use SSL" but not "Specify Client Certificate".

Moreover, when I tried by just checking "Use SSL" in the receiver communication channel, but not "Specify Client Certificates", I received a different error: "com.sap.aii.adapter.http.api.HttpAdapterException: ERROR_SENDING_HTTP_REQUEST, sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Please let me know if any other point where I can look to resolve this.

Thanks,

Farhan

Former Member
0 Kudos

Hi Hareesh,

I am using xpi_inspector. I ran example 50 in xpi_inspector and pinged the receiver communication channel; it then shows the exception "Peer certificate rejected by ChainVerifier" in the xpi_inspector log.

There are many threads for this error, but I am not sure what's wrong in my case. Please help me if you can, because this issue is in production.

Thanks,

Farhan

former_member184720
Active Contributor
0 Kudos

Hi Farhan - Can you paste trace information here?

Not just the error but all the steps before you get that error, something that starts with "ssl_debug: ".

Also if you download the zip file(from xpi inspector) -> go to the folder channels -> you should be able to find additional information about certificates under "Verify Remote SSL Server Certificate" segment.

Could you please paste that information.

Former Member
0 Kudos

This message was moderated.

former_member184720
Active Contributor
0 Kudos

ssl_debug(19): ChainVerifier: name mismatch: www.riyXXXX.com != 193.xxx.xxx.xxx

How did you configure the channel?

Did you use an IP address? A host name? If you are using the IP address then try configuring the hostname instead of the IP.
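
Added example, not part of the original thread and not SAP's implementation: a Python sketch of the name check behind the `ChainVerifier: name mismatch` line quoted above, showing why a channel URL that uses an IP address fails against a certificate issued for a host name. The certificate dict, the host name `bank.example.test` and the address `192.0.2.10` are constructed placeholders.

```python
import ipaddress

# Constructed certificate in the dict layout of ssl.SSLSocket.getpeercert().
# Host name and address are placeholders, not the bank's real values.
BANK_CERT = {
    "subject": ((("commonName", "bank.example.test"),),),
    "subjectAltName": (("DNS", "bank.example.test"),),
}

def _dns_match(pattern, host):
    """Compare one DNS name from the certificate with the configured host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":  # wildcard only as the whole left-most label
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_endpoint(cert, target):
    """Return (ok, reason) for the host part of the channel URL."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with IP entries, never with DNS names.
        ips = [v for kind, v in sans if kind == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in ips):
            return True, "IP address entry matches"
        names = [v for kind, v in sans if kind == "DNS"] or ["<none>"]
        return False, f"name mismatch: {names[0]} != {target}"
    names = [v for kind, v in sans if kind == "DNS"]
    if not names:  # legacy fallback: commonName when no DNS entry exists
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    if any(_dns_match(n, target) for n in names):
        return True, "DNS name matches"
    return False, f"name mismatch: {', '.join(names)} != {target}"

if __name__ == "__main__":
    for target in ("192.0.2.10", "bank.example.test"):
        print(target, check_endpoint(BANK_CERT, target))
```

The check passes only when the URL carries a name the certificate lists, which is why configuring the host name (with a hosts-file or DNS entry resolving it to the server address) clears the mismatch without weakening verification.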

Former Member
0 Kudos

Hi Farhan,

I agree with Hareesh. It seems to be struggling to connect to the IP/Hostname from PI.

Are you able to add endpoint in your HostFile on PI?

Also have a look on your development environment how the hostfile looks there and if there are any entries from the bank.

Regards,

Jannus Botha

Former Member
0 Kudos

Hi Farhan,

Also found an additional bit of information this morning on certs.

Regards,

Jannus Botha

Former Member
0 Kudos

Hi Hareesh and Jannus Botha,

Thanks a ton for the continuous help. The issue has been resolved, I have added the private key and key storage view in receiver communication channel under check box "specify client certificate".

However, I am not sure why the same configuration was not working earlier.

Regards,

Farhan

Former Member
0 Kudos

Hi Farhan,

Always a pleasure.

Regards,

Jannus Botha

Answers (0)