Web service client applications with Peer certificate rejected by ChainVerifier

michael_knecht
Explorer
0 Kudos

Hi Experts,


I created a web service client application with NetWeaver Developer Studio. I imported a WSDL destination and created web service proxies. Here I followed the description “Creating Web Service Client Applications” (see https://help.sap.com/saphelp_nw73/helpdata/de/4b/96e16c4d8e584de10000000a42189c/content.htm).

Then I built a servlet to call that service like this:

    @WebServiceRef (name=SERVICE_NAME)
    WSSoapApi service;

    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        ...
        ISoapApiDocument port = service.getBasicHttpBinding_ISoapApiDocument();
        HTTPControlInterface httpControl = HTTPControlFactory.getInterface(port);
        httpControl.setEndpointURL(url);
        port.getXmlListEx(user, password, xmlDate, getXmlListExResult, xmlList);

The code was deployed as a WAR file on Java AS SAP PI 7.31 single stack. I have imported a certificate into the TrustedCAs key store. When I call the web service I receive the error: Peer certificate rejected by ChainVerifier. The full trace is listed below.

I am using:

VM-Java-Version:      1.6.0_111

VM-Laufzeitversion:   6.1.086 25.51-b02

Kernel-Version:          7.31.3301.373065.20141031130932


Thanks in advance





Cannot process an HTTP request to servlet [TestConnectionServlet] in [RegisTrTest] web application.

[EXCEPTION]

  1. javax.servlet.ServletException: javax.xml.ws.WebServiceException: Connection IO Exception. Check nested exception for details. (Peer certificate rejected by ChainVerifier).
    at de.metro.finanzen.registr.test.servlets.TestConnectionServlet.doGet(TestConnectionServlet.java:127)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:152)
    at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:38)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:466)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:210)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:441)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:430)
    at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:38)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:81)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:278)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:81)
    at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
    at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.SessionSizeFilter.process(SessionSizeFilter.java:26)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:57)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:475)
    at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:269)
    at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
    at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
    at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
    at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
Caused by: javax.xml.ws.WebServiceException: Connection IO Exception. Check nested exception for details. (Peer certificate rejected by ChainVerifier).
    at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.processTransportBindingCall(WSInvocationHandler.java:174)
    at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.invokeSEISyncMethod(WSInvocationHandler.java:121)
    at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.invokeSEIMethod(WSInvocationHandler.java:84)
    at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.invoke(WSInvocationHandler.java:65)
    at com.sun.proxy.$Proxy3949.getXmlListEx(Unknown Source)
    at de.metro.finanzen.registr.test.servlets.TestConnectionServlet.doGet(TestConnectionServlet.java:106)
    ... 41 more
Caused by: com.sap.engine.services.webservices.espbase.client.bindings.exceptions.TransportBindingException: Connection IO Exception. Check nested exception for details. (Peer certificate rejected by ChainVerifier).
    at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.outputSOAPMessage(SOAPTransportBinding.java:426)
    at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.call_SOAP(SOAPTransportBinding.java:1371)
    at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.callWOLogging(SOAPTransportBinding.java:997)
    at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.call(SOAPTransportBinding.java:951)
    at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.processTransportBindingCall(WSInvocationHandler.java:168)
    ... 46 more
Caused by: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    at iaik.security.ssl.r.checkIsTrusted(Unknown Source)
    at iaik.security.ssl.x.b(Unknown Source)
    at iaik.security.ssl.x.a(Unknown Source)
    at iaik.security.ssl.r.d(Unknown Source)
    at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
    at iaik.security.ssl.SSLTransport.getOutputStream(Unknown Source)
    at iaik.security.ssl.SSLSocket.getOutputStream(Unknown Source)
    at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.initStreamsFromSocket(HTTPSocket.java:676)
    at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.initializeStreams(HTTPSocket.java:553)
    at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.getOutputStream(HTTPSocket.java:504)
    at com.sap.engine.services.webservices.espbase.client.bindings.ClientHTTPTransport.getRequestStream(ClientHTTPTransport.java:202)
    at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.outputSOAPMessage(SOAPTransportBinding.java:382)
    ... 50 more

Accepted Solutions (0)

Answers (2)


michael_knecht
Explorer
0 Kudos

Hi,

I have created logs with the IPX tool.

I think the problem is that the host name verification is enabled and returns false.

How can I disable this check within a Java web service call?

Thank you in advance!

09:44:22:709 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~y.core.server.https.V3ChainVerifier
09:44:22:709 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~ttps.DefaultHostnameVerifier.verify | with (form.xyz.com, xyz.com)
09:44:22:709 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~erver.https.DefaultHostnameVerifier | name mismatch: form.xyz.com != xyz.com
09:44:22:721 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~erver.https.DefaultHostnameVerifier | HostnameVerifier returns: false
09:44:22:721 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~erver.https.DefaultHostnameVerifier
09:44:22:721 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~ttps.DefaultHostnameVerifier.verify | with (form.xyz.com, *.xyz.com)
09:44:22:721 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~erver.https.DefaultHostnameVerifier | hostname ok.
09:44:22:721 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~erver.https.DefaultHostnameVerifier
09:44:22:722 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~sap.security.core.server.https.IAIK | ssl_debug(12): ChainVerifier: No trusted certificate found, rejected.
09:44:22:722 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~y.core.server.https.V3ChainVerifier | Chain rejected by default verifier. IAIK log has more details.
09:44:22:723 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~y.core.server.https.V3ChainVerifier
09:44:22:723 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~sap.security.core.server.https.IAIK | ssl_debug(12): Sending alert: Alert Fatal: bad certificate
09:44:22:723 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~sap.security.core.server.https.IAIK | ssl_debug(12): Shutting down SSL layer...
09:44:22:723 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~sap.security.core.server.https.IAIK | ssl_debug(12): SSLException while handshaking: Peer certificate rejected by ChainVerifier
09:44:22:727 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~xceptions.TransportBindingException | Exception : Connection IO Exception. Check nested exception for details. (Peer certificate rejected by ChainVerifier).
java.lang.Exception
    at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1230)
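
The trace above records two separate checks, hostname verification and chain verification. The following Python sketch is an added example (not part of the thread and not SAP code) that reads the trace messages and reports each check separately; the `SAMPLE` entries are transcribed from the posted trace, and `triage` and its result keys are hypothetical names. It assumes the verifier tries each certificate name in turn and accepts the host if any one of them matches.

```python
import re

# Constructed sample: (location, message) pairs transcribed from the trace
# posted in the thread, in their original order (entries without a message omitted).
SAMPLE = [
    ("~ttps.DefaultHostnameVerifier.verify", "with (form.xyz.com, xyz.com)"),
    ("~erver.https.DefaultHostnameVerifier", "name mismatch: form.xyz.com != xyz.com"),
    ("~erver.https.DefaultHostnameVerifier", "HostnameVerifier returns: false"),
    ("~ttps.DefaultHostnameVerifier.verify", "with (form.xyz.com, *.xyz.com)"),
    ("~erver.https.DefaultHostnameVerifier", "hostname ok."),
    ("~sap.security.core.server.https.IAIK", "ssl_debug(12): ChainVerifier: No trusted certificate found, rejected."),
    ("~y.core.server.https.V3ChainVerifier", "Chain rejected by default verifier. IAIK log has more details."),
    ("~sap.security.core.server.https.IAIK", "ssl_debug(12): Sending alert: Alert Fatal: bad certificate"),
]

PAIR = re.compile(r"^with \((?P<host>[^,]+), (?P<name>[^)]+)\)$")
ALERT = re.compile(r"Sending alert: (?P<alert>.+)$")

def triage(entries):
    """Split one handshake's trace into hostname and chain findings."""
    result = {"hostname": [], "chain_trusted": True, "alert": None}
    pending = None  # (host, certificate name) pair still waiting for its verdict
    for _location, message in entries:
        m = PAIR.match(message)
        if m:
            pending = (m["host"], m["name"])
        elif pending and (message.startswith("name mismatch") or message == "hostname ok."):
            result["hostname"].append(pending + (message == "hostname ok.",))
            pending = None
        elif "No trusted certificate found" in message or message.startswith("Chain rejected"):
            result["chain_trusted"] = False
        else:
            a = ALERT.search(message)
            if a:
                result["alert"] = a["alert"]
    # Assumption: each certificate name is tried in turn and the host is
    # accepted as soon as one of them matches.
    result["hostname_ok"] = any(ok for _, _, ok in result["hostname"])
    if not result["chain_trusted"]:
        result["cause"] = "chain"        # no trust anchor found for the peer chain
    elif result["hostname"] and not result["hostname_ok"]:
        result["cause"] = "hostname"     # every certificate name mismatched
    else:
        result["cause"] = None
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the sample, `triage(SAMPLE)` reports the `*.xyz.com` name as matching and `cause` as `"chain"`, which corresponds to the `No trusted certificate found` line.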

former_member204100
Active Participant
0 Kudos

Hi Michael,

Good question... I know, for example, that in PI the file adapter has a functionality to avoid such an error:

1992392 - SSLException due to name mismatch in FTPS Adapter

1591971 - Added property strictHostnameChecking

But for WS calls I doubt that such a feature exists. Instead of looking for a functionality to disable this check, I would advise solving the error.

According to the error message, the target server provides a certificate with CN field: form.xyz.com.

But in your call you are trying to connect to the xyz.com host. Since these do not match exactly, the error is thrown.

So either try to modify the certificate of the target server, or ensure that your call is calling the same host name that is available in the CN field of the certificate. Also, the host file of the server from where the call is started probably has to contain the host name and IP address pair of this target server.

Best Regards,

Viktor

former_member204100
Active Participant
0 Kudos

Hi Michael,

First, I think it would be a good idea to test the web service call with a 3rd party tool like SOAPUI.

Try to reach the WS with the HTTPS protocol. If it is working, you will see there the certificate chain that the web service sent back to SOAPUI. There you can validate if the certificate chain is valid and is not expired.

You might also use a tool to validate the server side certificates:

SSL Checker - SSL Certificate Verify

As soon as you are sure that the certificate chain is valid, you can import the root CA certificate into the TrustedCAs keystore view of the AS JAVA and try to test the call again. Hopefully it will work.

If not, then deeper traces are needed on AS JAVA to see the whole SSL handshake. There you will see what certificate the server sent back to your client application and why the AS JAVA chain verifier rejects the cert chain.

Best Regards,

Viktor