
SAP PI 7.4 - Success Factor connection issue

apu_das2
Active Contributor
0 Kudos

Hi Experts,

I am trying to connect our SAP PI 7.4 single stack version with SuccessFactors for employee data integration. But I am not able to connect properly, as pinging the channel shows that it could not open a connection to the SuccessFactors URL. The network team has confirmed that port 443 is open and PI can telnet.

I have done the below. Please help me create a successful connection. I am using the below URL to connect to SF: https://salesdemo4.successfactors.com/sfapi/v1/soap?wsdl

Opening this URL in a web browser, I got 3 certificates and exported all 3 locally. successfactors.com is saved as successfactors.crt, as saving it as-is makes it an MS-DOS application due to the .com extension.

VeriSignClass3PublicPrimaryCertificationAuthority-G5.crt

                  SymantecClass3SecureServerCA-G4.crt

                             successfactors.crt

I have imported all 3 certificates as they are, without renaming anything, into the keystore under the views TrustedCAs and WebServiceSecurity. Below is my channel configuration, where I put all required module parameters as per SFIHCM600 01. I have tried putting the other 2 certificate names in the channel as well, but no luck.

When I am pinging the channel, I am getting the below error -

Please help if I am missing anything or doing anything wrong.

Thanks in advance,

Accepted Solutions (1)


maheswarareddykonda
Active Contributor
0 Kudos

Hi,

Are you sure you are using the correct URL?

I am using the URL (https://api2.successfactors.eu/sfapi/v1/soap) for employee data and it is working fine.

Also, you don't need to use certificate authentication (you can set the Authentication option to None in the channel); just try to import the certificate for the corresponding URL in NWA.

FYR: 2192064 - API urls (Successfactors system) and Boomi urls for different Datacenters

Note: I have observed that the SuccessFactors interface channel always shows a red alert when pinged in channel monitoring.


apu_das2
Active Contributor
0 Kudos

Hi,

I have restarted our DEV server and set authentication to None. When I run the program from the ECC system it gives an error, and I can see the below error in my receiver HTTP-Axis login response channel -

Any help.

Thanks,

Apu

former_member182412
Active Contributor
0 Kudos

Hi Apu,

Run the XPI Inspector as Jens mentioned below and it will show whether the certificates are trusted or not. You can download them from the XPI Inspector result and load them in NWA.

Check below blog for more details.

Regards,

Praveen

apu_das2
Active Contributor
0 Kudos

Hi Praveen,

I am getting exactly the same error as you have provided in XPI Inspector. So should I delete all other certificates and import only the Root one into the keystore view TrustedCAs as per the blog -

Thanks,

Apu

JaySchwendemann
Active Contributor
0 Kudos

This message was moderated.

former_member182412
Active Contributor
0 Kudos

Hi Apu,

Remove all the certificates previously loaded and download the certificates from the XPI Inspector log. In the screenshot you showed, there are certificate#0 and certificate#1; download these two and import them into the NWA keystore. You also need to import the Root CA certificate. Import all three certificates and test the interface. After you import the certificates, restart the communication channel.

Regards,

Praveen.

apu_das2
Active Contributor
0 Kudos

Thanks Praveen. It's working absolutely fine now.

Thanks,

Apu

engswee
Active Contributor
0 Kudos

Normally you only need to trust the Root CA. If you trust all the certs in the chain, it affects the security as that means any future certificates signed by the intermediate or site certificates are trusted as well.

apu_das2
Active Contributor
0 Kudos

Hi Eng,

That means you are saying that only the root certificate needs to be imported into TrustedCAs and the other two certificates in the chain are not required?

Thanks,

engswee
Active Contributor
0 Kudos

Yes.
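The trust-anchor question discussed in the replies above, as an added example that is not part of any post in this thread. It assumes the `openssl` CLI, uses a constructed three-certificate chain with made-up names, and uses `-partial_chain` to model a trust store that treats every imported certificate as an anchor (an assumption, not a statement about how the NWA keystore behaves).

```shell
#!/usr/bin/env bash
# Constructed chain: root -> intermediate -> leaf. All names and files are made up.
W=$(mktemp -d)
cat > "$W/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
EOF

new_csr() {  # new_csr <name> <CN>: fresh key and signing request
  openssl req -new -newkey rsa:2048 -nodes -config "$W/ca.cnf" -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}
sign() {     # sign <name> <issuer> [extra x509 options]
  n=$1; ca=$2; shift 2
  openssl x509 -req -in "$W/$n.csr" -CA "$W/$ca.pem" -CAkey "$W/$ca.key" \
    -CAcreateserial -days 2 -out "$W/$n.pem" "$@" 2>/dev/null
}
build_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -config "$W/ca.cnf" \
    -subj "/CN=Example Root CA" -days 2 \
    -keyout "$W/root.key" -out "$W/root.pem" 2>/dev/null
  new_csr inter "Example Intermediate CA" &&
    sign inter root -extfile "$W/ca.cnf" -extensions ca
  new_csr leaf "api.example.test" && sign leaf inter
  # A certificate the same intermediate issues later, for a different host.
  new_csr later "other.example.test" && sign later inter
}

# Only the root is trusted; the peer sends the intermediate with its certificate.
verify_root_only() {
  openssl verify -CAfile "$W/root.pem" -untrusted "$W/inter.pem" "$W/$1.pem" >/dev/null 2>&1
}
# Only the root is trusted and nobody supplies the intermediate.
verify_root_no_inter() { openssl verify -CAfile "$W/root.pem" "$W/$1.pem" >/dev/null 2>&1; }
# Only the intermediate is trusted, as an anchor in its own right (root absent).
verify_inter_anchor() {
  openssl verify -partial_chain -CAfile "$W/inter.pem" "$W/$1.pem" >/dev/null 2>&1
}

build_chain
for c in leaf later; do
  verify_root_only "$c" && echo "$c: valid via root + intermediate sent by peer"
  verify_root_no_inter "$c" || echo "$c: rejected, intermediate missing"
  verify_inter_anchor "$c" && echo "$c: valid with intermediate as the only anchor"
done
```

With the root as the only anchor, validation still depends on the intermediate being available at verification time; with the intermediate imported as an anchor, anything it signs validates without the root being consulted at all.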

Answers (2)


JaySchwendemann
Active Contributor
0 Kudos

Hi Apu,

some things that come to my mind

  1. You probably only need the root certificate within keystore. No need for intermediate / server certificate. However, they do no harm either
  2. I don't think that it's a certification-based error when looking at the error of the channel ping. I'm thinking more along the lines of a wrong URL, too
  3. You really should get XPI Inspector http://service.sap.com/sap/support/notes/1514898 to narrow down this sort of problem. Invaluable tool IMHO
  4. As an alternative to XPI Inspector, increase the tracing level for the affected categories (have a look at your current developer trace, examine if the error which you get on ping shows up there, use the category from there to increase the trace level)

HTH Cheers

Jens

former_member186851
Active Contributor
0 Kudos

Hello Apu Das,

Your URL is wrong, I guess. Remove the ?WSDL at the end and check.

And the below link can be a good reference for you (it has 3 parts).

apu_das2
Active Contributor
0 Kudos

Hi Raghuraman,

Tried removing ?wsdl but no luck.

The URL you provided - it looks like they have not used the standard SFIHCM600 processes, as you can see they have not used HTTP Axis in the login CC.

Thanks,

Apu

former_member186851
Active Contributor
0 Kudos

Hello Apu,

I guess your login itself is not working.

Check the below points.

1. Ensure all AXIS drivers are deployed (details in the link shared)

2. Make sure any firewall/port needs to be opened.

3. Restart the PI server after importing the certificate.

Former Member
0 Kudos

Hi Apu,

Check the Axis drivers to see if the Axis adapter is working in the PI system.

Regards,

Abhay

apu_das2
Active Contributor
0 Kudos

Hi Raghu,

Thanks for your reply -

1. Ensure all AXIS drivers are deployed (details in the link shared)

That I have checked at the very start. Deployment is absolutely fine. Please find the screenshot below. Basically we should use the latest SFSF adapter for that rather than the old HTTP AXIS process, but we are stuck using Axis, as some other developer has worked here for more than 1 month but the deployment is still not done.

2. Make sure any firewall/port needs to be opened.

I have already mentioned in my initial query that port 443 is open and telnet is working fine.

3. Restart the PI server after importing the certificate.

That's the only thing I am also thinking of, as in some blog I can see that a restart has resolved the issue. I will do that and let you know. But I have never before faced the requirement of restarting the server after importing certificates.

One more thing: can you confirm whether I need to use the VeriSignClass3PublicPrimaryCertificationAuthority-G5 one in my channel or not? In some blogs I can see people saying the certificates thawte, ThawteSSLCA are all required to be imported into the keystore. Are they renaming the downloaded ones I have mentioned above? Actually, in my last project the SF team provided us the certificates.

Thanks,

apu_das2
Active Contributor
0 Kudos

Thanks for your highly valuable information but the deployment is absolutely fine.

former_member186851
Active Contributor
0 Kudos

Hello Apu,

As far as I know, the certificates you downloaded and deployed should be fine.

Try a restart and check.

former_member182412
Active Contributor
0 Kudos

Hi Apu,

After installing the certificate there is no need to restart the whole PI server for the new certificate to work; you just need to restart the communication channel after importing the new certificate.

1829329 - Messages fail in PI SOAP Receiver Adapter after updating the Server Certificate


For performance reasons the SOAP adapter caches the server certificate on channel start up. Therefore when the Keystore is updated with the new certificate, the old certificate is still maintained within the cache and therefore used by the channel.

Regards,

Praveen.

apu_das2
Active Contributor
0 Kudos

Hi Praveen,

I have stopped and started the channel numerous times but no luck.

Thanks,

Apu