
SOAP Axis receiver Error: Peer certificate rejected by ChainVerifier

Former Member
0 Kudos

I am getting this error in an ECC to SOAP synchronous scenario in single stack SAP PO.

7/25/2016 2:40:50.333 PM  Error  Axis: error in invocation: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
7/25/2016 2:40:50.336 PM  Error  MP: exception caught with cause iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
7/25/2016 2:40:50.343 PM  Error  Exception caught by adapter framework: ; nested exception is:
iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
7/25/2016 2:40:50.391 PM  Error  Transmitting the message using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
7/25/2016 2:40:50.449 PM  Error  Message status set to FAIL

I am using wssdl and also encrypting the message.

This is my module configuration in the communication channel.

Any clue why I am getting this error?

Accepted Solutions (1)

0 Kudos

Dear Madhav,

According to the error, the certificate chain is not correct. What is the target URL you would like to reach?

Are you sure that no certificate needs to reach the target URL?

If you use XPI_Inspector, use example 11 in order to see what should be the root cause.

Best regards,

Bence

Former Member
0 Kudos

I ran the XPI trace with Example 11.

I saw this message: "The signing certificate was not provided in the chain." It also says "Found certificate chain with two elements."

So all the three certificates are not there?

How can I verify whether my message has been at least encrypted in the SOAP Axis receiver channel?

0 Kudos

Dear Madhav,

Yes, the chain is not correct. If you check a certificate, you see a subject name and an issuer name. If the subject and issuer are the same, that means the certificate signs itself. So you have to correct the chain, then restart the communication channel in channel monitoring so that the certificates become active. The certificates have to be in TrustedCAs.

Best regards,

Bence

manoj_khavatkopp
Active Contributor
0 Kudos

To check the final output of the SOAP Axis adapter you need to add the HTTP trace parameter:

Former Member
0 Kudos

I checked the certificate name. I have a different subject name and issuer name, so I guess it's not self-signed. How do I figure out which certificate I am missing? Root or intermediate?

Secondly, I am only encrypting, so I have kept the certificate in TrustedCAs and gave the values like this in the receiver SOAP Axis adapter configuration:

Module key    Parameter name             Parameter value
wssec         action                     Encrypt
wssec         crypto.view                TrustedCAs
wssec         encryptionKeyIdentifier    X509KeyIdentifier
wssec         pwd.password
wssec         user                       gave the certificate view in TrustedCAs

I kept the password fields blank

0 Kudos

Dear Madhav,

Are you trying to connect to a specific URL? If yes, please call the https URL from IE -> Click on security report -> View Certificates -> Certification Path -> Here you are able to identify which certificates are need to reach the URL (if the URL is not secure, actually certificates are not needed).

Best regards,

Bence

Former Member
0 Kudos

// Mismatch in the hostname and the CN name in the certificate.//

Can you please tell me how can I check this error?

manoj_khavatkopp
Active Contributor
0 Kudos

Midhun,

Check the certificate you installed in NWA; you will have CN = <hostname> in the subject name. Cross-check this with the hostname you mentioned in the URL of the receiver SOAP Axis channel.

Additionally check these links:

Br,

Manoj

Former Member
0 Kudos

Hi Midhun

You can use this tool to check what the server is sending as its hostname and compare to the URL you are calling.

IAIK SSLServerInfo Request Form

If there is a mismatch on the server name you can try configuring the strict hostname check parameter messaging.ssl.serverNameCheck of SSL provider service.

Or, you can configure the hostVerification parameter in the AXIS module SSL properties according to note 1751851.

Please keep us posted.

-Sam.

Former Member
0 Kudos

I am having the same problem.

I've verified that the certificates are correct and that all configuration is good but the chain verifier is still rejecting the certificates.

So I asked BASIS to elevate to DEBUG the level of logging of this trace location: com.sap.aii.af.sdk.xi.net.SSLChainVerifier and ran a test.

What I found is that the certificate chain being verified does not correspond to the certificates we expect from the server we are trying to connect to. That is the name is the same but the certificate issuer is different.

This is more obvious because the original chain has the site certificate, an intermediate certificate and the root CA certificate but the one we are getting instead has only a site certificate and a root CA.

So I am assuming the firewall is interfering in the SSL connection and PI gets a surrogate certificate from the firewall instead of the original certificate from the server it is trying to connect to, so naturally the chain verifier rejects it.

I have asked the security team to help. If anyone has an idea of how to work around this without changing the firewall configuration it would be greatly appreciated.

Will keep you posted.

-Sam.
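As an added illustration (not code from this thread, from SAP or from IAIK), here is a small Python model of the issuer-to-subject walk a chain verifier performs. It reproduces the "signing certificate was not provided in the chain" result from the XPI trace above and the substituted-issuer chain Sam describes; every certificate name in it is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # e.g. "CN=api.example.test"
    issuer: str    # subject of the certificate that signed this one

    def self_signed(self) -> bool:
        # A certificate whose issuer equals its subject signs itself (a root).
        return self.subject == self.issuer

def build_chain(leaf, peer_chain, trusted_cas):
    """Walk issuer -> subject from the leaf until a self-signed root is reached.
    peer_chain: certificates the server sent; trusted_cas: the TrustedCAs view.
    Returns (chain, status); status is 'ok' or the reason for rejection."""
    by_subject = {c.subject: c for c in list(peer_chain) + list(trusted_cas)}
    chain, current = [leaf], leaf
    while not current.self_signed():
        issuer_cert = by_subject.get(current.issuer)
        if issuer_cert is None:
            return chain, f"missing: signing certificate '{current.issuer}' not provided in the chain"
        if issuer_cert in chain:
            return chain, "loop: certificate chain does not terminate"
        chain.append(issuer_cert)
        current = issuer_cert
    if current in trusted_cas:
        return chain, "ok"
    return chain, f"untrusted: root '{current.subject}' is not in TrustedCAs"

def issuer_mismatch(expected_leaf, received_leaf):
    """True when the peer presented a certificate for the expected name that was
    signed by a different CA, the typical footprint of a TLS-intercepting middlebox."""
    return (expected_leaf.subject == received_leaf.subject
            and expected_leaf.issuer != received_leaf.issuer)

# Constructed sample PKI (all names hypothetical).
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
LEAF = Cert("CN=api.example.test", "CN=Example Intermediate CA")
PROXY_CA = Cert("CN=Corporate Proxy CA", "CN=Corporate Proxy CA")
PROXY_LEAF = Cert("CN=api.example.test", "CN=Corporate Proxy CA")

if __name__ == "__main__":
    for label, peer, trusted in [
        ("full chain", [LEAF, INTERMEDIATE], [ROOT]),
        ("intermediate missing", [LEAF], [ROOT]),
        ("proxy surrogate", [PROXY_LEAF, PROXY_CA], [ROOT]),
    ]:
        chain, status = build_chain(peer[0], peer, trusted)
        print(f"{label}: {len(chain)} element(s), {status}")
    print("issuer mismatch:", issuer_mismatch(LEAF, PROXY_LEAF))
```

The second case is the two-element-short chain from the XPI trace; the third is what a surrogate certificate from a firewall looks like to the verifier.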

Former Member
0 Kudos

Sam

Are you using SOAP Axis at receiver and doing encryption? I am doing the same here.

I find a line like this in the XPI trace.

Does it mean that the certificate chain is not proper?

Answers (3)

manoj_khavatkopp
Active Contributor
0 Kudos

Midhun,

This issue may arise due to multiple reasons:

  • No chain certificate.
  • Invalid certificates.
  • Mismatch in the hostname and the CN name in the certificate.
  • Mismatched version of TLS/SSL.

So, as suggested, try to run XPI_INSPECTOR and recreate the error; it helps you understand what exactly the issue is.

Additionally you may check these notes:

1588148 - Trusted certificates for SOAP receiver channels

Br,

Manoj

former_member186851
Active Contributor
0 Kudos

Hello Midhun,

If all the certificates are in place try restarting the PI server and check.

Former Member
0 Kudos

Hi Madhav,

It's a pure SSL certificate issue. The trace file will tell you the exact information about the certificate errors. Ask your network team or certificate admin team; they can help and get it resolved quickly.

Regards,

Gopi

Former Member
0 Kudos

I am using only encryption.

I am not using anything else.

That's the only thing done in PO.

apu_das2
Active Contributor
0 Kudos

As others said, use XPI to find out the root cause. It's definitely the peer chain verification error. There is some mismatch in the certificates you have imported in the TrustedCAs key store view. Check with XPI Inspector and correct the chain certificates accordingly.

Thanks,

Apu

former_member186851
Active Contributor
0 Kudos

Hello Midhun,

Use XPI Inspector and check.

I guess the root certificate is missing.

Former Member
0 Kudos

All three certificates are there

former_member186851
Active Contributor
0 Kudos

Use XPI and check the exact issue.

Also check the validity of the certificate.