cancel
Showing results for 
Search instead for 
Did you mean: 

SSLHandshakeException - when connecting to thirdparty

Former Member
0 Kudos

Hi Experts,

 

We are facing issues while connecting to third party system using certificates. We are using PI 7.31.

This is a synchronous interface. Connection from ECC to PI via ABAP Proxy. From A Java proxy is deployed in PI (webservice) ECC-->PI-->WS-->ThirdParty.


Error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Previously we are not not using any certificates to connect with the thirdparty. Lately the third party upgraded their security efforts as a part of that we are provided with certificates to update in our PI system. Post Certificate update, third party indicated the incompatibility with the SSL protocol. SSLv2 and SSLv3 are not supported from their end. Thirdparty accepts only TLS protocol.


Actions from our side:

1. We have updated the new certificate in PI NWA Keystore under TrustedCA's entry.

2. Cacerts file also updated with the certificates since it involves webservice. But after the system restart, the imported certificates are being deleted automatically from the cacert file - how to retain the imported certificates ?

3. We have also uploaded the certificates in STRUST as well.

After searching through SCN blogs we are still not able to find any solution for this.

Should the certificates be uploaded in .cer format or .pem format?

Whether any correlation between the certificate which we import for thirdparty with the transport protocol ?

Where else should the certificates be loaded and where can we validate it?

Many thanks in advance.

Regards,

Baskar

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hi Baskar,

We also faced this issue.

The certificate should be imported in java keystore of your SAP installation under securities directory(Check this with your basis team).

This certificates needs to be updated in Cacerts file under that directory.

Could you let us know more about the java proxy and the web services used in your configuration?

BR

Bharath

Former Member
0 Kudos

Hi Bharath,

Thanks for your response! We have updated the certificates in  Cacerts file under JVM keystore. When we tested with this certificate update, the Handshake issue is not occurring again.

But when we take a restart of our PI system, the installed certificates are being removed from the Cacerts file and it is retained to previous version.

Currently we are using this as a temporary solution. Do you have any idea how to retain the imported certificates in the Cacerts file

Regards,

Baskar

Answers (2)

Answers (2)

Former Member
0 Kudos

Hi Baskar,

A couple of things stand out in your question.

1) You mentioned uploading the certs into STRUST. Therefore you obviously have a dual-stack PI system. Do you know what UME is currently configured? Is it the Java stack or ABAP stack? This makes a big difference as to where your certs need to be stored (the Basis team should be able to help you answer this)

2) You mention a Java proxy. Is the proxy calling the 3rd party web service? Therefore you must have a custom Java client implemented so we'd need to see the code used to establish the connection to the 3rd party web server

Regards,

Nick

Former Member
0 Kudos

Trusted CA's should be fine. sometimes third party will have new intermediate & root certificates - make sure to import all the related certificates to your Trusted CA.