on 02-26-2015 10:18 AM
Dear Experts,
I'm configuring an interface with proxy to HTTPS web service (external WS) scenario.
When testing the interface I face the following error:
24.02.2015 19:51:51.722 Error Failed to call the endpoint: Error in call over HTTP. HTTP 0 null
24.02.2015 19:51:51.722 Error SOAP: Call failed: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
24.02.2015 19:51:51.741 Error SOAP: Error occurred: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
24.02.2015 19:51:51.742 MP: exception caught with cause com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
24.02.2015 19:51:51.745 Error Exception caught by adapter framework: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
24.02.2015 19:51:51.746 Error Delivery of the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier. Setting message to status failed
24.02.2015 19:51:51.746 Error Message status set to FAIL
The first error message seen is HTTP 0 Null, but all the subsequent error messages refer to "Peer certificate rejected by ChainVerifier".
I believe we've tested access to the web service URL via HTTPS from the PI server using a web browser and succeeded.
What I'm confused about is this: is the error because PI cannot connect to the web service (HTTP 0 Null), which then causes the certificate error? Or is it the certificate error that causes the HTTP 0 Null error?
Thank you,
Suwandi C.
Hi Suwandi,
I think you do not have connectivity. Check with your Basis team whether connectivity is available on the HTTPS port or whether there is a firewall problem.
Please check whether these notes apply to your PI version and your certificate type:
1577913 - PI SOAP receiver channel cannot connect over HTTPS
1588148 - Trusted certificates for SOAP receiver channels
Regards.
Hi all,
Thank you for the help.
The problem was solved by creating a new key store view instead of using the TrustedCA.
In the CC module, in the XISOAPAdapterBean, add an entry:
Module Key: soap
Parameter name: trustStore
Parameter value: [the newly created key store view]
Thank you,
Suwandi C.
Hi Suwandi
Thank you for updating this thread with the final resolution to the issue. I didn't know you can specify a different trust store through the module bean, so I've learned something today.
However, I think for accuracy purposes, Inaki's answer above with the SAP note 1588148 should be marked as the correct answer, as the parameter was mentioned there.
Rgds
Eng Swee
Hi Suwandi,
Check if the certificate is correctly imported. If it is already imported, then check that the certificates are valid and have not expired.
Check if firewall ports are open.
Thanks and Regards,
Naveen
Hi Kumar,
I think the certificate is already imported at the Trusted CAs, I can see it at the Certificate and Keys. The expiry time is also valid.
After importing the certificate, do we have to configure at the CC which certificate to use? At the CC I can only see "Configure Certificate Authentication" that is relevant to certification.
Thank you,
Suwandi C.
It's very hard for me to say without knowing the contents of both files. I can't tell just by the file extensions if one could be the end server cert and the other is the CA cert.
Did you try the steps mentioned in my blog? Double click both files to see the cert details, check the issued to and issued by and also the certification path.
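The two checks discussed in this thread (reading "issued to" / "issued by" on a certificate, and which trust store the channel verifies against), as an added example that is not part of any post. `openssl verify` stands in for PI's chain verifier, and the two CAs and the host name `ws.example.test` are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: the same server certificate is accepted or rejected
# depending only on which trust store the chain verifier is given.
set -eu

# Print subject ("issued to") and issuer ("issued by") of a PEM certificate.
cert_names() {
  openssl x509 -in "$1" -noout -subject -issuer
}

# Return 0 if certificate $2 chains to a CA in trust store $1.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway PKI in directory $1: two unrelated root CAs and one
# server certificate issued by the first. All names are made up.
make_demo_pki() {
  d=$1
  for ca in issuing unrelated; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=Demo $ca CA" \
      -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ws.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -days 1 \
    -CA "$d/issuing.pem" -CAkey "$d/issuing.key" -CAcreateserial \
    -out "$d/server.pem" 2>/dev/null
}

demo() {
  work=$(mktemp -d)
  make_demo_pki "$work"
  cert_names "$work/server.pem"
  if chain_ok "$work/issuing.pem" "$work/server.pem"; then
    echo "trust store containing the issuing CA: accepted"
  fi
  if ! chain_ok "$work/unrelated.pem" "$work/server.pem"; then
    echo "trust store without the issuing CA: rejected"
  fi
  rm -rf "$work"
}

demo
```

The certificate is valid and unexpired in both runs; only the trust store passed to the verifier changes, which is why a certificate visible under one key store view can still be rejected by a channel that verifies against another.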