on 11-18-2014 2:52 PM
Folks,
I have successfully imported a wildcard certificate and the corresponding root/intermediate certificates into the keystore for an OData service.
The endpoint resides at *.sapdemocloud.com, so my "smp_keystore.jks" should look like this:
The wildcard certificate imported looks like this:
After creating a hybrid app configuration on my local SMP 3.0, I am not able to ping the OData service residing on this site, which uses wildcard certificates.
The log file tells me that SSL failed to validate the certificate:
2014 11 18 11:37:31#0-200#DEBUG#org.apache.tomcat.util.net.jsse.JSSESupport##anonymous#http-bio-8083-exec-9###Error trying to obtain a certificate from the client javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
at org.apache.tomcat.util.net.jsse.JSSESupport.getX509Certificates(JSSESupport.java:99)
at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:156)
at org.apache.coyote.http11.Http11Processor.actionInternal(Http11Processor.java:256)
at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Processor.java:848)
at org.apache.coyote.Request.action(Request.java:346)
at org.apache.catalina.connector.Request.getAttribute(Request.java:956)
at org.apache.catalina.connector.RequestFacade.getAttribute(RequestFacade.java:284)
at javax.servlet.ServletRequestWrapper.getAttribute(ServletRequestWrapper.java:120)
.......
at org.apache.cxf.transport.https.SSLUtils.propogateSecureSession(SSLUtils.java:555)
at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:374)
at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:87)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:464)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:149)
at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:148)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPut(AbstractHTTPServlet.java:120)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:758)
I have created a different hybrid app with the backend OData just as explained here: and the ping works.
Basically the same steps were taken to create both apps. The only difference is that the second one uses wildcard certificates.
Which leads me to think that SMP 3.0 doesn't handle this type of certificate.
I am using SMP 3.0 SPS04 PL02:
Any ideas?
BR,
Ivan
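As an added example (not part of the original thread, and not SMP or SAP code), the following Python implements the wildcard-matching rules a TLS client applies when it decides whether a certificate issued to `*.sapdemocloud.com` covers the hostname it connected to. It is the general RFC 6125 / RFC 2818 check rather than anything specific to SMP: a wildcard matches exactly one DNS label, must be the whole leftmost label, never covers the bare apex name, and is ignored when the hostname is an IP address; when the certificate carries dNSName SANs the CN is not consulted. The certificate names and hostnames in the block are constructed for illustration.

```python
"""Wildcard hostname matching as a TLS client applies it (RFC 6125 / RFC 2818 rules).

Added example, not from the original thread or from SMP. All certificate
identifiers and hostnames below are constructed for illustration.
"""
import ipaddress


def _match_identifier(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against one hostname (both already lowercase).

    Rules applied (the conservative set mainstream clients enforce):
      * a wildcard may appear only as the complete leftmost label ("*.example.com");
      * it matches exactly one label, never zero or several;
      * it needs at least two fixed labels to its right (reject "*.com");
      * a wildcard or DNS identifier never matches an IP address literal.
    """
    if not pattern or not hostname:
        return False
    try:
        ipaddress.ip_address(hostname)
        return False  # IP literals are matched only by iPAddress SANs, not DNS names
    except ValueError:
        pass
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]):
        return False  # partial ("f*.example.com") or non-leftmost wildcards rejected
    if len(plabels) < 3:
        return False  # "*.com" would cover a whole TLD
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False  # wildcard covers exactly one non-empty label
    return hlabels[1:] == plabels[1:]


def hostname_matches(hostname: str, san_dns_names, subject_cn: str = None) -> bool:
    """Return True if hostname is covered by the certificate's identifiers.

    If the certificate has dNSName SAN entries, only those are considered;
    the subject CN is a fallback for certificates that carry no SAN at all.
    """
    host = hostname.rstrip(".").lower()
    names = [n.rstrip(".").lower() for n in (san_dns_names or [])]
    if not names and subject_cn:
        names = [subject_cn.rstrip(".").lower()]
    return any(_match_identifier(n, host) for n in names)


# Constructed certificate, mirroring the thread's "*.sapdemocloud.com" endpoint.
WILDCARD_CERT_SANS = ["*.sapdemocloud.com"]


def coverage_report(cert_sans, hostnames):
    """Map each candidate hostname to whether the certificate covers it."""
    return {h: hostname_matches(h, cert_sans) for h in hostnames}


if __name__ == "__main__":
    for host, ok in coverage_report(
        WILDCARD_CERT_SANS,
        ["odata.sapdemocloud.com", "sapdemocloud.com", "a.b.sapdemocloud.com", "10.0.0.5"],
    ).items():
        print(f"{host:28s} {'covered' if ok else 'NOT covered'}")
```

The practical check this supports: before suspecting the server's wildcard handling, confirm the hostname in the endpoint URL really falls under the wildcard (one label below the base domain, not the apex, not a deeper subdomain, not an IP), and that the name being verified is the one the certificate's SAN lists rather than only its CN.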
Hi Ivan,
I had the same issue with an Agentry app in SMP3.0 SP3. (not tested again on SP4)
So, I think you are right and it looks like SMP3 does not support wildcard certificates at this point.
Cheers
I am not sure for OData / Hybrid apps. I do know that for Agentry apps and the Management cockpit that the certificate the server presents is the smp_crt alias certificate. If you are trying to swap in a different certificate when you import you should delete the smp_crt cert and replace with your new certificate.
Not sure if that will solve your problem or not but something to consider.
--Bill
Well,
What you are saying would help if the SMP server had to present a server certificate to a connecting device. In this case the SMP server "acts" as an SSL client to the SAP backend (OData). In that case, I would suspect only the backend server certificates should be imported into the truststore. That's what is mentioned in the Kapsel Part I document. This is something I have tested and it works, but not for the wildcard.
Thanks for the info anyway.
BR,
Ivan