
Error in HTTP_AAE receiver communication channel, PI 7.4 dual stack

Former Member
0 Kudos

Dear Experts,

I am facing the below certificate error in the HTTP_AAE receiver communication channel while using the third-party (bank) private key. The third-party bank server is HTTPS enabled; moreover, they have generated the public and private keys on their server, and they shared the corresponding private keys in .p12 format with us. Our scenario in SAP PI is synchronous ABAP Proxy to HTTP_AAE. When I see the message in SXMB_MONI after testing, we get the below certificate error, though we have provided the correct path from keystorage view and keystorage entry in the HTTP_AAE receiver communication channel.

com.sap.aii.adapter.http.api.HttpAdapterException: ERROR_SENDING_HTTP_REQUEST, sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


We have imported the private key provided by the bank in NetWeaver Administrator key storage, by following the below steps.

NWA -> Certificates -> Key Storage -> TrustedCA -> Import Entry -> Entry Type -> PKCS#12 Key Pair -> select the .p12 file -> import.

Please see the attached doc for related screenshots.

Please help me, experts, as this is on high priority from the client; also tell me if I am doing anything wrong here.

Thanks,

Farhan

Accepted Solutions (1)

Harish
Active Contributor
0 Kudos

Hi Farhan,

Do you have only one certificate or multiple certificates? HTTPS can have 2 or 3 certificates (Root, Intermediate [optional, if any 3rd party person is there in the middle then we can get this certificate] and system certificates).

The issue is with the certificate, and it can be because not all the certificates are present or the path is not correct.

Please refer to the below wiki, in which a solution is given for this problem.

Troubleshooting 7.1 - End-User Experience Monitoring - SCN Wiki

A similar issue was resolved by applying an SP-level patch; please refer to the below discussion

Please check the below blog -

please also check the below discussion

regards,

Harish

Former Member
0 Kudos

Hi Harish,

Thanks a lot for the prompt response, as usual.

I have only one private key for HTTPS/SSL, and it's not signed by any CA; it's just a set of test keys (private and public) created on the bank web server. The bank has shared the private key with us, and the corresponding public key they have maintained on their server.

Do you think we need to ask for all the certificates (Root, Intermediate) from the bank, even though no CA is involved here? I mean, they are giving the private key just for testing with the DEV environment.

I have gone through most of the thread already, before posting on SCN, but let me go through again.

Thanks,

Farhan

Harish
Active Contributor
0 Kudos

Hi Farhan,

AFAIK - The private key will not be shared with any partner and only the public key is shared. We use the partner's public key to encrypt the data and they decrypt using their private key.

So try with the public key of the bank.

But your current error is because the key is not reachable from the adapter. Please try to reload the public key and retest.

regards,

Harish

Harish
Active Contributor
0 Kudos

Can you please also provide the full error text, like in the below wiki:

EXCEPTION

com.sap.smd.eem.executor.MessageException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target[

LinkedList0:

Issuer: CN=Company CA 5, OU=Trust Center Company, O=Company Services GmbH, C=DE

Subject: CN=selfservice-test.portal.Company.de, C=DE, ST=NRW, L=Anywhere, Company GmbH

SerialNum: 8166

Expires: Thu Nov 25 08:25:04 CET 2010

Former Member
0 Kudos

Thanks again, Harish. I will try to get the public key from the bank, and after testing I will update the thread.

As for the exception you have mentioned above, I could not find it anywhere in my error details. I have just as much as I have mentioned here.

I am not closing this thread right now. I will update you after my testing.

Regards,

Farhan

Former Member
0 Kudos

Hello Harish,

One more thing I would like to confirm here: do we need to import the private/public key in the SSL configuration tab as well, as I read in some blogs?

Do you think we need to enable SSL as well on our PI server if we are communicating with an HTTPS URL, or is just importing the third-party certificates/keys enough?

We have tried this as well on our PI server. Please see the attached screenshot from SSL configuration. If we need to, how do we configure this one?


Thanks,

Farhan

Harish
Active Contributor
0 Kudos

Hi Farhan,

I think you need to enable the SSL configuration on the PI server. According to the below blog, SSL configuration is required. Please check the blog for more detail.

regards,

Harish

arijit_mukherjee2
Participant
0 Kudos

Hi Farhan,

In my case, I used the certificates (which you can download from your partner's HTTPS URL, or you can ask your partner to provide the same), not the keys. I imported those to Trusted CAs as you have done. Below is the config I did in the HTTP_AAE receiver CC.

Please let me know if that helps!!

Thanks, Arijit

Former Member
0 Kudos

Hi Arijit,

I understand. I can also download the certificate from the bank URL, but when we import the certificate in TrustedCAs, it comes as a certificate, and when we try to select the same from the HTTP_AAE receiver channel under "Use SSL -> KeyStorage View and keystorage entry", it will only pop up the option to select the private keys, not the certificates.

Also, have you done any configuration under "SSL configuration" from NWA to enable SSL? We have enabled SSL as well, but we are still getting the same error.

Could you please help me? I am not sure what we are missing. We have followed this blog as well.

Configure the HTTP_AAE receiver communication channel with SSL

Thanks,

Farhan

Former Member
0 Kudos

Thanks again, Harish, for all your help. We followed this to enable it, but we are still getting the same error.

Regards,

Farhan

arijit_mukherjee2
Participant
0 Kudos

Hi Farhan,

Please do not select any view from the Communication Channel. Just click on the check box "Use SSL" and import all the certificates to Trusted CAs. Try running that scenario by configuring the receiver CC as I did in the attached screenshot in my earlier reply. No need to specify the client's certificate.

Thanks,

Arijit

Former Member
0 Kudos

Hi Arijit,

One more thing: could you please let us know in which format you exported the certificate for your partner URL, and in which format you imported it under "TrustedCas" on NWA?

If you do not mind, could you please provide the complete steps which you followed to communicate with your partner's HTTPS URL?

For us this has become a very burning issue now, because we are not able to proceed with testing.

Thanks for your help.

Regards,

Farhan

arijit_mukherjee2
Participant
0 Kudos

Hi Farhan,

Open the certificate.

Select CopyToFile.

Select file format as base-64 X509.

Now save that to your local disk. Do the same steps to save the certificate for all the chain certificates. In my case I have done the above steps 3 times.

Now import all of them to Trusted CAs.

Now configure your HTTP_AAE as below.

You can see that I used the "Use SSL" check box, however I did not specify the certificate.

Once done, try reposting your message once again.
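
An added illustration, not part of the thread or of any SAP tooling, of why a "PKIX path building failed" style error persists until every issuer in the server's chain is trusted. It uses `openssl verify` on a throwaway PKI as a stand-in for the Java validator named in the error; all file names, CNs and function names are constructed for this example.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (all names invented): root CA -> intermediate CA -> server
# certificate, plus a self-signed test certificate like the one the thread describes.
D=$(mktemp -d)
cat > "$D/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_csr NAME CN: create NAME.key and NAME.csr
new_csr() {
  openssl req -config "$D/demo.cnf" -new -newkey rsa:2048 -nodes \
    -keyout "$D/$1.key" -out "$D/$1.csr" -subj "/CN=$2" 2>/dev/null
}
# self_signed NAME CN: create NAME.key and a self-signed NAME.pem
self_signed() {
  openssl req -config "$D/demo.cnf" -x509 -extensions v3_ca -newkey rsa:2048 \
    -nodes -keyout "$D/$1.key" -out "$D/$1.pem" -subj "/CN=$2" -days 30 2>/dev/null
}
# issue CA NAME [x509 options]: sign NAME.csr with CA's key, writing NAME.pem
issue() {
  ca=$1; name=$2; shift 2
  openssl x509 -req -in "$D/$name.csr" -CA "$D/$ca.pem" -CAkey "$D/$ca.key" \
    -CAcreateserial -days 30 -out "$D/$name.pem" "$@" 2>/dev/null
}
# trusts ANCHORS CERT: succeeds only if CERT chains up to a certificate in ANCHORS
trusts() { openssl verify -CAfile "$D/$1" "$D/$2" >/dev/null 2>&1; }

build_demo_pki() {
  self_signed root "Demo Root CA" &&
  new_csr int "Demo Intermediate CA" &&
  issue root int -extfile "$D/demo.cnf" -extensions v3_ca &&
  new_csr srv "bank.example.test" && issue int srv &&
  self_signed selfsrv "bank-dev.example.test" &&
  cat "$D/root.pem" "$D/int.pem" > "$D/chain.pem"   # "all chain certificates"
}
report() { if trusts "$1" "$2"; then echo "$3: trusted"; else echo "$3: no valid path"; fi; }

build_demo_pki || { echo "openssl failed" >&2; exit 1; }
report root.pem    srv.pem     "root only, intermediate missing"
report chain.pem   srv.pem     "root + intermediate imported"
report chain.pem   selfsrv.pem "self-signed cert, only unrelated CAs trusted"
report selfsrv.pem selfsrv.pem "self-signed cert itself imported"
```
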

Former Member
0 Kudos

Hi Arijit,

Thanks a lot for the prompt help. In our case, while downloading the certificate from the third-party partner website, I am able to see only one certificate, unlike your case, where you have three certificates. Moreover, in the "TrustedCas" keystorage view there are by default many other certificates, which come during installation. Shall we delete all the other certificates under "TrustedCas"?

Just wondering: if we do not specify any key name (keystorage view and keyentry view) under "Use SSL", how will the server know at runtime which certificate to use, if more certificates are present in TrustedCas other than the partner certificates?

Thanks,

Farhan

arijit_mukherjee2
Participant
0 Kudos

Hi Farhan,

1) It is OK if you have only one certificate.

2) No need to delete the other certificates.

3) While importing the certificate, you can rename the certificate as you wish, e.g. "ABC.cer".

4) When you try to post the message to your partner's URL, the system will automatically search for the corresponding certificates. It won't check the names. So you can try without mentioning the certificate in HTTP_AAE. Just check "Use SSL" in your channel once you have imported the certificate in Trusted CA.

Thanks,

Arijit

Former Member
0 Kudos

Hi Arijit,

All your help is highly appreciated. I tested the way you told me and hit the bank URL, and the bank server rejected it because the certificate is not correct. I told them I had downloaded it from their URL; they said that's not the way, and that we should use only the test private key which they have provided in .pb12 format. However, when we install the private key in "TrustedCas" it is displayed as a private key. Screenshot below.

But this way we are not able to hit even the bank URL. So do you think that when we import a private key under "TrustedCas", in that case also we do not need to specify any key name (keystorage view and keyentry view) under "Use SSL" in the HTTP_AAE receiver communication channel?

And one last question: have you enabled SSL as well in your case under "SSL configuration" on NWA?

Thanks,

Farhan

arijit_mukherjee2
Participant
0 Kudos

Hi Farhan,

Try importing the certificate which you saved earlier as ".cer" in Trusted CAs, like below, and rerun the test.

Regards,

Arijit

Former Member
0 Kudos

Hi Arijit,

Thanks a lot for your support throughout. I have asked for the complete certificates from the bank. I will update you after testing with the complete certificates, using the option you mentioned above.

Thanks,

Farhan

Former Member
0 Kudos

Hello Arijit Mukherjee,

I have imported the root and intermediate certificates under "TrustedCas" but I am still getting the same error.

Could you please let me know whether you or your basis team have enabled SSL as well under "SSL configuration" on NWA? I mean, does your PI URL start with https://pihost:port or with http://pihost:port?

Please help me.

Thanks,

Farhan

arijit_mukherjee2
Participant
0 Kudos

Sorry for being late, Farhan.

Yes, our PI system supports HTTPS communication. Have you resolved the problem yet?

Thanks,

Arijit

nitinlpatil12
Participant
0 Kudos

Hi Arijit and Farhan,

I am also facing a similar issue and have posted the query on SCN - http://scn.sap.com/thread/3761337

Please help out.

Regards,

Nitin Patil

arijit_mukherjee2
Participant
0 Kudos

Hi Nitin,

Can you please elaborate the exact error you are getting or post a new thread with the error and refer that here?

Thanks,

Arijit

nitinlpatil12
Participant
0 Kudos

Hi Arijit,

I have opened a new thread with details:

http://scn.sap.com/thread/3761337

Regards,

Nitin Patil
