
HTTPS Web Service Error: HTTP 0 Null, Peer Certificate Rejected by ChainVerifier

suwandi_cahyadi
Contributor
0 Kudos

Dear Experts,

I'm configuring an interface with proxy to HTTPS web service (external WS) scenario.

When testing the interface I face the following error:

24.02.2015 19:51:51.722  Error  Failed to call the endpoint: Error in call over HTTP: HTTP 0 null

24.02.2015 19:51:51.722  Error  SOAP: Call failed: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

24.02.2015 19:51:51.741  Error  SOAP: Error occurred: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

24.02.2015 19:51:51.742  MP: exception caught with cause com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

24.02.2015 19:51:51.745  Error  Exception caught by adapter framework: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

24.02.2015 19:51:51.746  Error  Delivery of the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier. Setting message to status failed

24.02.2015 19:51:51.746  Error  Message status set to FAIL

The first error message seen is HTTP 0 Null, but all the following error messages refer to Peer certificate rejected by ChainVerifier.

I believe we've tested accessing the web service URL via HTTPS from the PI server using a web browser, and it succeeded.

What I'm confused about is this: is the error because PI cannot connect to the web service (HTTP 0 Null), which then causes the certificate error? Or is it the certificate error that causes the HTTP 0 Null error?

Thank you,

Suwandi C.

Accepted Solutions (1)


iaki_vila
Active Contributor
0 Kudos

Hi Suwandi,

I think you do not have connectivity. Check with your Basis team whether connectivity is available on the HTTPS port or whether there is any firewall problem.

Please check whether these notes apply to your PI version and your certificate type:

1577913 - PI SOAP receiver channel cannot connect over HTTPS

1588148 - Trusted certificates for SOAP receiver channels

Regards.

Answers (3)


suwandi_cahyadi
Contributor
0 Kudos

Hi all,

Thank you for the help.

The problem was solved by creating a new key store view instead of using the TrustedCA.

In the CC module, in the XISOAPAdapterBean, add an entry:

Module Key: soap

Parameter name: trustStore

Parameter value: [the newly created key store view]

Thank you,

Suwandi C.

engswee
Active Contributor
0 Kudos

Hi Suwandi

Thank you for updating this thread with the final resolution to the issue. I didn't know you can specify a different trust store through the module bean, so I've learned something today.

However, I think for the purpose of accuracy, Inaki's answer above with the SAP note 1588148 should be marked as the correct answer, as the parameter was mentioned there.

Rgds

Eng Swee

naveen_chichili
Active Contributor
0 Kudos

Hi Suwandi,


Check if the certificate is correctly imported. If it is already imported, then check that the certificates are valid and have not expired.


Check if firewall ports are open.



Thanks and Regards,

Naveen    

suwandi_cahyadi
Contributor
0 Kudos

Hi Kumar,

I think the certificate is already imported in the Trusted CAs; I can see it in Certificates and Keys. The expiry time is also valid.

After importing the certificate, do we have to configure in the CC which certificate to use? In the CC I can only see "Configure Certificate Authentication" as being relevant to certificates.

Thank you,

Suwandi C.

engswee
Active Contributor
0 Kudos

"Configure Certification Authentication" is used if you want to login to the server via certificate. It's not the same as SSL verification of the web server's certificate. If you already have all the certs in TrustedCA, then just try to execute the interface again.

engswee
Active Contributor
0 Kudos

Hi Suwandi

Did you check whether the SSL certificate for the web service site and all the corresponding CA certificates for it have already been imported into the NWA keystore?

If you want to check that you have the correct chain of trust, you can manually verify it following the blog below.

Rgds

Eng Swee

suwandi_cahyadi
Contributor
0 Kudos

Hi,

Thank you for the reply.

One more question regarding the link you gave: we should install the certificate on the PI server, right?

Thank you,

Suwandi C.

engswee
Active Contributor
0 Kudos

Yup, there is a link on installing certificates on PI server at the reference section at the end of the blog.

The blog is just to manually verify that you have the correct certs prior to installation.

suwandi_cahyadi
Contributor
0 Kudos

Hi,

Thank you for the reply.

I received 2 files, a *.p8 file and a *.crt file. Should I import both files in PI?

Thank you,

Suwandi C.

engswee
Active Contributor
0 Kudos

It's very hard for me to say without knowing the contents of both files. I can't tell just by the file extensions if one could be the end server cert and the other is the CA cert.

Did you try the steps mentioned in my blog? Double click both files to see the cert details, check the issued to and issued by and also the certification path.
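
The chain-of-trust check discussed in this thread, reproduced offline as an added example (not code from the posters or from SAP): a throwaway CA and server certificate are generated with openssl, and the server certificate is then verified against a trust store that contains its issuing CA and against one that does not. All names (Example Lab Root CA, Unrelated Lab CA, ws.example.test, the file names) are constructed placeholders, and `openssl verify` stands in for the adapter's ChainVerifier as an assumption.

```shell
#!/usr/bin/env bash
# Added example: constructed lab PKI; every name below is a placeholder.

make_lab() {  # $1 = directory to fill with a CA, an unrelated CA and a server cert
  local d=$1
  # Root CA that issues the server certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Lab Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # A second CA that has nothing to do with the server certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated Lab CA" \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
  # Server key + CSR, then a certificate signed by the root CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ws.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
}

chain_trusted() {  # $1 = trust store (PEM bundle), $2 = peer certificate
  # -no-CApath (OpenSSL 1.1.0+) keeps the system CA directory out of the decision,
  # so only the given bundle counts, as with a dedicated key store view.
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

diagnose() {  # $1 = trust store (PEM bundle), $2 = peer certificate
  if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null; then
    echo "rejected: certificate expired"
  elif chain_trusted "$1" "$2"; then
    echo "accepted"
  else
    # Name the issuer whose CA certificate the trust store is missing
    echo "rejected: issuer not in trust store: $(openssl x509 -in "$2" -noout -issuer)"
  fi
}

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
make_lab "$LAB"
echo "store with issuing CA: $(diagnose "$LAB/ca.crt" "$LAB/server.crt")"
echo "store without it:      $(diagnose "$LAB/other.crt" "$LAB/server.crt")"
```

The same `diagnose` call works on a real pair of files: export the trust store's CA certificates to one PEM bundle and pass the server's certificate as the second argument.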