on 07-25-2016 11:38 AM
I am getting this error in an ECC to SOAP synchronous scenario in single stack SAP PO.
7/25/2016 2:40:50.333 PM | Error | Axis: error in invocation: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier |
7/25/2016 2:40:50.336 PM | Error | MP: exception caught with cause iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier |
7/25/2016 2:40:50.343 PM | Error | Exception caught by adapter framework: ; nested exception is: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier |
7/25/2016 2:40:50.391 PM | Error | Transmitting the message using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier |
7/25/2016 2:40:50.449 PM | Error | Message status set to FAIL |
I am using wssdl and also encrypting the message.
This is my module configuration in the communication channel.
Any clue why I am getting this error?
Dear Madhav,
According to the error, the certificate chain is not correct. What is the target URL you would like to reach?
Are you sure that no certificate needs to reach the target URL?
If you use XPI_Inspector, use example 11 in order to see what should be the root cause.
Best regards,
Bence
I ran the XPI trace with Example 11.
I saw this message, The signing certificate was not provided in the chain. It also says Found certificate chain with two elements.
So all three certificates are not there?
How can I verify whether my message has been at least encrypted in the SOAP Axis receiver channel?
Dear Madhav,
Yes, the chain is not correct. If you check a certificate, you see a subject name and an issuer name. If the subject and issuer are the same, that means the certificate signs itself. So you have to correct the chain, and afterwards restart the communication channel in the channel monitoring so that the certificates become active. The certificates have to be in TrustedCAs.
Best regards,
Bence
I checked the certificate name. I have different subject name and issuer name. So I guess it's not self signed. How do I figure out which certificate I am missing? Root or intermediary?
Secondly, I am only encrypting, so I have kept the certificate in the TrustedCAs and gave the values like this in the receiver SOAP Axis Adapter configuration:
Module key | Parameter Name | Parameter Value |
---|---|---|
wssec | action | Encrypt |
wssec | crypto.view | TrustedCAs |
wssec | encryptionKeyIdentifier | X509KeyIdentifier |
wssec | pwd.password | |
wssec | user | gave the certificate view in TrustedCAs |
I kept the password fields blank
Dear Madhav,
Are you trying to connect to a specific URL? If yes, please call the https URL from IE -> Click on security report -> View Certificates -> Certification Path -> Here you are able to identify which certificates are needed to reach the URL (if the URL is not secure, actually certificates are not needed).
Best regards,
Bence
Hi Midhun
You can use this tool to check what the server is sending as its hostname and compare to the URL you are calling.
IAIK SSLServerInfo Request Form
If there is a mismatch on the server name you can try configuring the strict hostname check parameter messaging.ssl.serverNameCheck of SSL provider service.
Or, you can configure the hostVerification parameter in the AXIS module SSL properties according to note 1751851.
Please keep us posted.
-Sam.
I am having the same problem.
I've verified that the certificates are correct and that all configuration is good but the chain verifier is still rejecting the certificates.
So I asked BASIS to elevate to DEBUG the level of logging of this trace location: com.sap.aii.af.sdk.xi.net.SSLChainVerifier and ran a test.
What I found is that the certificate chain being verified does not correspond to the certificates we expect from the server we are trying to connect to. That is, the name is the same but the certificate issuer is different.
This is more obvious because the original chain has the site certificate, an intermediate certificate and the root CA certificate but the one we are getting instead has only a site certificate and a root CA.
So I am assuming the firewall is interfering in the SSL connection and PI gets a surrogate certificate from the firewall instead of the original certificate from the server it is trying to connect to, so naturally the chain verifier rejects it.
I have asked the security team to help. If anyone has an idea of how to work around this without changing the firewall configuration it would be greatly appreciated.
Will keep you posted.
-Sam.
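The chain walk that the trace and the replies above describe (leaf up to a trusted CA, a self-signed certificate being one whose subject equals its issuer, and a surrogate chain whose leaf has the right name but a different issuer), as an added Python example that is not from SAP or from any poster in this thread. Certificates are reduced to constructed subject/issuer names; a real verifier such as the one in the trace also checks signatures, validity dates and key usage.

```python
from collections import namedtuple

# A certificate reduced to the two fields the thread reasons about.
Cert = namedtuple("Cert", "subject issuer")


def is_self_signed(cert):
    # Subject equal to issuer: the certificate signs itself.
    return cert.subject == cert.issuer


def verify_chain(chain, trusted_cas, expected_issuer=None):
    """Walk the peer's chain from the leaf upwards, as a chain verifier does.

    chain: certificates in the order the server sent them (leaf first).
    trusted_cas: subject names held in the TrustedCAs view.
    expected_issuer: the issuer the real server certificate is known to have.
    Returns "ok" or a short diagnosis of why the chain is rejected.
    """
    if not chain:
        return "empty chain"
    leaf = chain[0]
    if expected_issuer and leaf.issuer != expected_issuer:
        # Same server name, different issuer: the shape of a surrogate
        # certificate minted by an intercepting firewall or proxy.
        return "issuer mismatch: leaf issued by %r, expected %r" % (leaf.issuer, expected_issuer)
    by_subject = {c.subject: c for c in chain}
    current, depth = leaf, 0
    while depth <= len(chain):
        # Anchored as soon as the certificate or its issuer is a trusted CA.
        if current.subject in trusted_cas or current.issuer in trusted_cas:
            return "ok"
        if is_self_signed(current):
            return "self-signed certificate %r is not in TrustedCAs" % current.subject
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            # Issuer neither sent by the peer nor trusted locally: the
            # intermediate (signing) certificate is missing from the chain.
            return "signing certificate %r was not provided in the chain" % current.issuer
        current, depth = nxt, depth + 1
    return "chain does not terminate (loop)"


# Constructed sample data (not real certificates) mirroring the thread.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA")
SITE = Cert("CN=service.example.com", "CN=Example Issuing CA")
PROXY_ROOT = Cert("CN=Corporate Proxy CA", "CN=Corporate Proxy CA")
SURROGATE = Cert("CN=service.example.com", "CN=Corporate Proxy CA")
TRUSTED = {"CN=Example Root CA"}

if __name__ == "__main__":
    print(verify_chain([SITE, INTERMEDIATE, ROOT], TRUSTED))
    print(verify_chain([SITE, ROOT], TRUSTED))
    print(verify_chain([SURROGATE, PROXY_ROOT], TRUSTED, "CN=Example Issuing CA"))
```

The two-element chain case reproduces the "signing certificate was not provided in the chain" finding from the XPI trace; the surrogate case reproduces the firewall symptom, and without `expected_issuer` it is still rejected because the proxy root is not in TrustedCAs.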
Midhun,
This issue may arise due to multiple reasons:
So, as suggested, try to run XPI_INSPECTOR and recreate the error; it helps you understand what exactly the issue is.
Additionally you may check these notes:
1588148 - Trusted certificates for SOAP receiver channels
Br,
Manoj
Hi Madhav,
It's a pure SSL certificate issue. The trace file will tell you the exact information on the certificate errors. Ask your Network team or Certificate admin team. They can help and get it resolved quickly.
Regards,
Gopi