
Recr SOAP Channel with cluster node - One node failing - iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Former Member
0 Kudos

Dear Experts,

Scenario: BPM to SFDC. A UDF calling a lookup channel gets the session ID in message mapping. After that, the SOAP channel performs the Upsert operation. This receiver channel has two nodes. Node-1 is green, which means it is working fine; the other, Node-2, is failing with the error below.

A message which hits Node-1 is green, but a message which hits Node-2 fails.

Messages are failing with the error shown in the screenshot below:

Screenshot of node:

I have stopped and started the channel, but the issue persists. What is the root cause of this issue and what is the solution?

reg, avinash

Accepted Solutions (1)


Former Member
0 Kudos

Dear Nitin/Bhavesh,

I contacted the SFDC team about this issue. The SFDC architect informed us about a certificate change and issued a new certificate.

This certificate is different from what I get from the SFDC URL: https://XXX.salesforce.com/services/Soap/c/28.0/00Db0000000Jful

The Basis team loaded the chain of certificates into TrustedCAs and the server was restarted. Boom, the failed messages are now successful.

Hearty thanks for your kind support here.

I need to find out why the certificate I get from the URL didn't work here.

reg, avinash

Answers (2)


bhavesh_kantilal
Active Contributor
0 Kudos
  • Did you restart the PI Server after the certificates were loaded into PI TrustedCAs? The SAP PI Keystore service needs to be restarted, or the server restarted, for any new cert to be loaded into TrustedCAs.
  • As Nitin asked, is the issue failing on one node and successful on the other? I have a feeling it has never hit the other node yet, and you will have the same behavior on the other node as well, as the Keystore is not dependent on Application Servers.
  • Restart the PI Server or the Keystore service and then you should be good!

Regards

Bhavesh

Former Member
0 Kudos

Hello Bhavesh,

No certificate was loaded into NWA. This interface was working fine since yesterday.

I have even restarted the PI system with the help of Basis, but this is still occurring.

Below is the screenshot from Production; a few messages belonging to the same interface are successful, but some of them failed.

reg, avinash

nitindeshpande
Active Contributor
0 Kudos

Hello Avinash,

If you are not using certificates, then is the URL you are using to connect to SF HTTP and not HTTPS? It is strange that sometimes it is working and sometimes not.

One more thing: is your PI system single stack or dual? If single, then NWBPM needs to be connected with a SOAP channel to the SAP PI system.

Regards,

Nitin

bhavesh_kantilal
Active Contributor
0 Kudos

Do you know what URL is being hit when the calls fail and when the calls are successful?

I would check if the URLs are the same or different.

If different, I would check the SSL Certificates of both these URLs and see if any of them have a recent SSL Certificate change. You can load the URL in a browser and then download the certificate and check.

If the certificates have changed recently you might need to upload them into the TrustedCAs.

Former Member
0 Kudos

Both successful and failed messages are hitting the same URL.

URL: https://XXX.salesforce.com/services/Soap/c/28.0/00Db0000000Jful

Below is the audit log of the failed message.

This is an HTTPS connection. The required certificate is already loaded in TrustedCA. This interface has been working fine since 2015.

Below is the screenshot of the certificate chain. The Verisign Root CA already exists in NWA, but I am not finding the other two - Symantec and Salesforce.com.

reg, avinash

nitindeshpande
Active Contributor
0 Kudos

Hello Avinash,

It might have been deleted by mistake by somebody. "Peer certificate rejected by ChainVerifier" is the error we get when the system is unable to find the chain (Root, Intermediate and Main Certificate).

Please upload them again in the TrustedCAs keystore view. This must resolve the problem. If it is currently working without the certificates, then something is strange, or you might be looking at a different keystore view.


Regards,

Nitin
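
An added example, not part of the original thread and not SAP or IAIK code: a name-level comparison of the chain a server presents with the subjects held in a trust store, for the check suggested in the replies above. It assumes the chain listing comes from `openssl s_client -showcerts`; the sample chain and every DN are constructed, and `parse_chain` and `audit_chain` are hypothetical helper names.

```python
import re

# Constructed sample in the layout of the "Certificate chain" section printed by
# `openssl s_client -showcerts`; every DN below is made up for illustration.
LEAF = "/O=Salesforce (constructed)/CN=*.salesforce.com"
INTER = "/O=Symantec (constructed)/CN=Constructed Intermediate CA"
ROOT = "/O=VeriSign (constructed)/CN=Constructed Root CA"
SAMPLE = f"""Certificate chain
 0 s:{LEAF}
   i:{INTER}
 1 s:{INTER}
   i:{ROOT}
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(?:\d+\s+)?([si]):\s*(.+?)\s*$", line)
        if not m:
            continue
        if m.group(1) == "s":
            subject = m.group(2)
        elif subject is not None:
            chain.append((subject, m.group(2)))
            subject = None
    return chain

def audit_chain(chain, trusted_subjects):
    """Name-level triage only: signatures and validity dates are not checked."""
    report = {"not_in_store": [], "broken_links": [], "anchor": None}
    linked = True  # False once a certificate is not issued by the next one sent
    for depth, (subject, issuer) in enumerate(chain):
        if subject not in trusted_subjects:
            report["not_in_store"].append(subject)
        # From the leaf up, the first trusted subject or issuer can end a path.
        if linked and report["anchor"] is None:
            if subject in trusted_subjects:
                report["anchor"] = subject
            elif issuer in trusted_subjects:
                report["anchor"] = issuer
        if depth + 1 < len(chain) and chain[depth + 1][0] != issuer:
            report["broken_links"].append(depth)
            linked = False
    return report

if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    print(audit_chain(chain, {ROOT}))      # store holds only the root
    print(audit_chain(chain[:1], {ROOT}))  # server sent the leaf only
```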

Former Member
0 Kudos

Hello Nitin,

In production we have two other Salesforce instances, Instance-2 and Instance-3. I have checked their certificates and compared them with Instance-1; the certificates are the same.

PI is successfully transferring messages to Instance-2 and Instance-3.

If I upload the other two certificates of Instance-1, will it create any problem for Instance-2 and Instance-3?

reg, avinash

bhavesh_kantilal
Active Contributor
0 Kudos

Adding additional certificates to the trusted CA will have no issues whatsoever.

Do remember this needs either a server restart or a keystore service restart.

nitindeshpande
Active Contributor
0 Kudos

Hello Avinash,

Do you mean that if the messages flow through the 1st node, they are successfully sent to Salesforce.com? Have you successfully connected to Salesforce.com at any time? Or is it failing for every message?

Switching of the data between server nodes happens based on the load.

Regards,

Nitin

Former Member
0 Kudos

Hello Nitin,

Yes, Node-1 is successfully transferring messages to SFDC. Node-2 has the issue.

Most of the iflow's messages are hitting Node-2 and failing; very few messages are hitting Node-1 and succeeding.

reg, avinash

nitindeshpande
Active Contributor
0 Kudos

Hi Avinash,

Can you post the log where it was successful when it was going through the 1st server node?

As Bhavesh said, this is not dependent on the server node which is processing the data. If you had an extra application server, which would have a different IP address, then we might have suspected some problem with the communication between your central instance and app servers. But from your screenshot I see you only have the Central Instance, popularly known as the Primary Application Server (PAS), but with 2 server nodes.

Regards,

Nitin