on 12-03-2015 11:39 AM
Hi everybody,
We have a synchronous scenario which involves ABAP proxy To third party HTTPS Web Service with client authentication.
We have received the client certificate and the server certificate from the third party.
Our SOAP receiver channel has the option "Configure Client authentication" with this client certificate, which is stored in the proper keystore of the NWA. We also have the server certificate in the keystore "TrustedCAs" in order to avoid the error "Peer certificate rejected by ChainVerifier".
However, we're having problems while establishing the SSL handshake between the web service and our PI 7.4 (Java single stack).
We think that the problem is related to cipher suites or something like this.
Any help would be very appreciated.
Thanks!
Hello José,
where is this error produced? You have to analyse the error on server side. If this is PI then take the XPI_Inspector. The security analyser in NWA won't give you sufficient details. Naturally, in these security scenarios the client does not get much error information.
Regards,
Jörg
Hi Jörg & Eng Swee Yeoh,
XPI_Inspector was successfully installed and here is the extended SSL debug log:
Begin IAIK Debug:
ssl_debug(14): Starting handshake (iSaSiLk 4.403)...
ssl_debug(14): Sending v3 client_hello message to "Web Service URL", requesting version 3.1...
ssl_debug(14): Received v3 server_hello handshake message.
ssl_debug(14): Server selected SSL version 3.1.
ssl_debug(14): Server created new session AE:23:30:5E:25:92:96:70...
ssl_debug(14): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA
ssl_debug(14): CompressionMethod selected by server: NULL
ssl_debug(14): TLS extensions sent by the server: renegotiation_info (65281)
ssl_debug(14): Server supports secure renegotiation.
ssl_debug(14): Received certificate handshake message with server certificate.
ssl_debug(14): Server sent a 2048 bit RSA certificate, chain has 2 elements.
ssl_debug(14): ChainVerifier: Found a trusted certificate, returning true
ssl_debug(14): Received certificate_request handshake message.
ssl_debug(14): Accepted certificate types: RSA, DSA, Unknown (64)
ssl_debug(14): Accepted certificate authorities:
ssl_debug(14): CN=-----,O=--------
ssl_debug(14): CN=------,O=---- ---
ssl_debug(14): CN=Certificate Manager,O=---,C=ES
ssl_debug(14): CN=----OU=----,O=----,C=es
ssl_debug(14): CN=------,O=------
ssl_debug(14): Received server_hello_done handshake message.
ssl_debug(14): Sending certificate handshake message with RSA client certificate...
ssl_debug(14): Sending client_key_exchange handshake...
ssl_debug(14): Sending certificate_verify handshake message...
ssl_debug(14): Sending change_cipher_spec message...
ssl_debug(14): Sending finished message...
ssl_debug(14): Received alert message: Alert Fatal: decrypt error
ssl_debug(14): SSLException while handshaking: Peer sent alert: Alert Fatal: decrypt error
ssl_debug(14): Shutting down SSL layer...
ssl_debug(14): Closing transport...
The problem is related to the client certificate. This step shows the problem...
Verify Local SSL Client Key Pair.......
Private Key View/Entry: DEFAULT/ClientCertificate
Algorithm: RSA
Format: PKCS#8
Found Certificate chain with 2 elements:
Certificate #0
SubjectDN: CN=----,O=-----
IssuerDN: CN=----,O=-----
Self Signed CA
Verifying KeyPair: !!! EXCEPTION OCCURRED: Signature decryption error: javax.crypto.BadPaddingException: Invalid PKCS#1 padding: no leading zero!
Certificate #1
SubjectDN: UID=ClientCertificate,CN=-----,
OU=----,O=-----,C=ES
IssuerDN: CN=----,O=-----
Some additional Info:
Chain Verifier is OK, the CA is trusted and also the server certificate. Both certs are in the TrustedCAs keystore.
The client certificate belongs to the "DEFAULT" keystore.
Help please. SOAPUI is working with the same client certificate.
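The "Verifying KeyPair" step in the XPI Inspector output above signs probe data with the private key of the keystore entry and reverses that signature with the public key of the certificate it is paired with; when the certificate's key is not the one the private key belongs to, the recovered block is random and the PKCS#1 v1.5 leading 00 01 bytes are absent, which is the "no leading zero" exception shown. The following is an added Python illustration of that check, not code from this thread or from SAP: the RSA keys, the probe message and the second ("CA") key are all constructed for the demonstration, with the CA key standing in for the self-signed certificate at chain position #0.

```python
import hashlib
import random

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix

def _random_prime(bits):  # Fermat test with a few bases: fine for a constructed demo key
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7)):
            return c

def generate_keypair(bits=512):
    """Constructed toy RSA key ((n, e), (n, d)); not a PI keystore entry."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _pkcs1_v15_encode(msg, k):  # 00 01 FF..FF 00 DigestInfo SHA-256(msg)
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(priv, msg):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1_v15_encode(msg, k), "big"), d, n).to_bytes(k, "big")

def verify(pub, msg, sig):
    """Undo the signature with the certificate's public key and check the block
    layout, which is what the 'Verify Local SSL Client Key Pair' step does."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":  # a foreign public key leaves a random block
        raise ValueError("Invalid PKCS#1 padding: no leading zero")
    return em == _pkcs1_v15_encode(msg, k)

def keypair_matches(pub, priv):
    """True only when the private key belongs to the certificate's public key."""
    try:
        return verify(pub, b"keypair-check", sign(priv, b"keypair-check"))
    except ValueError:
        return False

def demo():
    random.seed(2015)  # constructed, reproducible keys
    client_pub, client_priv = generate_keypair()
    ca_pub, _ = generate_keypair()  # stands in for the self-signed CA at chain position #0
    return keypair_matches(client_pub, client_priv), keypair_matches(ca_pub, client_priv)
```

The same check against the real entry is done by exporting it from the NWA keystore and comparing the modulus of the private key with that of the certificate you expect to be sent as the client certificate.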
Hello José,
do you have access to the server logs? The server should have all the details about the error.
From what you post here I assume that it is a problem of misinterpretation of the encryption algorithm. For example, you take a PKCS#8 certificate, but interpret it as PKCS#1. I found this regarding the leading zeros:
So it looks like your server expects a PKCS#1 with a leading zero like in #2 in that article, but you send a different format that has no leading zeros.
Your soapUI might have different settings in this regard. So the certificate is certainly correct, but the settings must have an error somewhere.
Hope that helps,
Jörg
Hi Jose
XPI inspector is the best tool to troubleshoot this. Use Example 11 (Authentication, SSL & PP) and if you still can't resolve it, post the SSL debug log here for further analysis.
Rgds
Eng Swee
Up!