on 07-29-2016 10:34 AM
Hi,
using a Sender SOAP Adapter to consume a third-party webservice with https we always get the Exception
SOAP: call failed: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier.
I already read several posts and blogs concerning similar problems, e.g.
and implemented the provided solutions (imported whole certificate chain ...)
However, we face the problem that the provided certificate does not list the URL/hostname as common name. Instead, the third party shares one certificate for multiple URLs, listing them as
Certificate extensions:
[critical]
[non critical]
SubjectAltName: dNSName:
We were informed by the third-party that they are not able to provide a certificate especially for the webservice we need which has exactly the url as common name.
Can someone help with a solution for this configuration?
Our PI is on NetWeaver 7.50 SPS 02 Release NW750EXT_02_REL.
Thanks and regards
Lisa
Hi Lisa,
You only need to import the rootCA and intermediateCA in the TrustedCA for the HTTPs without Client Authentication to work. Please remove the server cert from the trusted CA.
Regards,
Mark
Hi Mark,
thanks for your support!
I tried deleting only the server cert but received the same error.
Do I need to import the certificates in a special manner to keep the chain in working order?
Here are some screenshots of my configuration. The language is German but I hope the content / structure is clear nevertheless.
The certificate chain as listed in IE.
The keystore of our PI, I deleted the server cert and left the two superior:
And the configuration of the sender channel in the integration builder.
Regards,
Lisa
Hi Lisa,
Are you using propose URL or are you sending to https://host:port/XISOAPAdapter/MessageServlet?channel=p:s:c ?
Regards,
Mark
Hi Harish,
I consumed it with the command line tool cURL, this worked fine. But the tool itself does not require to upload the certificates beforehand. Instead - similar to a browser session - it downloads the certificates during the communication with the server.
As stated below, I have to contact our technical team as I do not have access to the OS level to check whether we are maintaining a DNS.
Regards,
Lisa
Hi,
we have identified the issue and were able to patch it.
Additionally to your posts, the usage of the XPI-Inspector was helpful:
As you guessed in the first step, the chain was not complete. Surprisingly the PI identified an additional Root Certificate, which was not listed in the certificate chain of the browser.
Thanks again for the helpful suggestions.
Regards,
Lisa
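The failure mode found at the end of this thread (a trusted store that holds the intermediate CA but not the root above it) can be reproduced offline. This is an added example, not part of the original posts: it uses the OpenSSL command line as a stand-in for the PI keystore and the IAIK ChainVerifier (an assumption), and every certificate and hostname in it is constructed for the demo.

```shell
#!/usr/bin/env bash
set -eu

# Build a constructed three-tier PKI in directory $1 (all names are made up for this demo).
make_demo_pki() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    '[srv]' 'subjectAltName=DNS:ws.example.test,DNS:other.example.test' > "$1/x.cnf"
  # Self-signed root CA
  openssl req -x509 -config "$1/x.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$1/root.key" -out "$1/root.pem" -subj "/CN=Constructed Demo Root" -days 2 2>/dev/null
  # Intermediate CA signed by the root
  new_csr "$1" int "Constructed Demo Intermediate"
  sign "$1" int root v3_ca
  # Server certificate signed by the intermediate; hostnames appear only in SubjectAltName
  new_csr "$1" server "Shared Certificate"
  sign "$1" server int srv
  # A complete trust store: intermediate plus root
  cat "$1/int.pem" "$1/root.pem" > "$1/full.pem"
}
new_csr() {  # DIR NAME CN
  openssl req -new -config "$1/x.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null
}
sign() {     # DIR NAME ISSUER EXT_SECTION
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
    -extfile "$1/x.cnf" -extensions "$4" -days 2 -out "$1/$2.pem" 2>/dev/null
}

# True only if a path from certificate $2 ends at a self-signed CA inside trust file $1.
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print the issuer of the first certificate in $1: the CA that must exist one level up.
issuer_of() { openssl x509 -noout -issuer -in "$1"; }

demo=$(mktemp -d)
make_demo_pki "$demo"
for store in int.pem full.pem; do
  if chain_verifies "$demo/$store" "$demo/server.pem"; then
    echo "trust store $store: chain verifies"
  else
    echo "trust store $store: rejected; still missing $(issuer_of "$demo/$store")"
  fi
done
```

The store holding only the intermediate is rejected even though the server certificate's direct issuer is present, and the issuer line names the CA that still has to be imported.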