Need help with certificate

Hi!

I'm calling an external webservice using a Call HTTP atom and get the error:

<Payload Role="C" id="atom_call_login" statusNo="HTTP" statusMsg="" reference="atom_login" sysid="" payload="atom_login" throwException="false">
  <http.header/>
  <httaError xmlns="urn:com.sap.b1i.xcellerator:upltdoc" HTTPcode="" HTTPmsg="">
    <exceptionMsg>
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    </exceptionMsg>
    <returnData/>
  </httaError>
</Payload>

The call is made over https with the following settings:

The url https://login.salesforce.com shows the following certificate-chain:

  • login.salesforce.com (SSL, sha256)
  • VeriSign Class 3 Public Primary Certification Authority - G5 (sha1)

  1. First I made the call with no certificates imported. Got the error above.
  2. I imported the root certificate "VeriSign Class 3 Public Primary Certification Authority - G5" into Tomcat keystore. Got the same error.
  3. I imported the SSL certificate as well. Same error.

I think that only the root certificate needs to exist in the keystore. That is also what the exception tells me (I think).

Please I need help getting this issue solved!

Regards

Lars

2 Answers

  • Best Answer
    Posted on Sep 18, 2015 at 10:17 AM

    Hi!

    Issue solved!

    After reading more about Tomcat/Java certificate handling I realized that:

    • Inbound https calls to B1i use the B1iExcellerator/.keystore
    • Outbound https calls use a separate "truststore". In Tomcat there is no truststore; instead the Java truststore "cacerts" is used.

    When I listed the installed certs in sap_7_64/jre/lib/security/cacerts using keytool I couldn't find my VeriSign certificate.

    Then I installed the certificate "VeriSign Class 3 Public Primary Certification Authority - G5" into cacerts.

    Voila! Then it worked.

    Case closed!

    Regards

    Lars

  • Posted on Sep 18, 2015 at 01:08 PM

    Hi Lars,

    please be aware, if you update B1i, the default cacerts of JRE will be restored and your changes will be overwritten.

    You can upload ".keystore" from B1iXcellerator folder into B1i as jks file via Control Center -> Maintenance -> BizStore Upload:

    Afterwards attach the certificates via "Control Center -> Configuration -> Certificate Admin".

    The password is stored in the java keystore file and can be found in the following folder path, where the B1 is installed: <localdrive>:\..\Tomcat\conf\server.xml .

    For each certificate please choose the same password as for the JAVA keystore.

    Now a B1i patch upgrade will not affect your imported certificate anymore.

    Best regards

    Bastian
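
The truststore check and import from the accepted answer, as an added shell example that is not from either poster: it finds the truststore the JVM uses for outbound TLS, looks for the root by subject, and imports it only when it is missing. It assumes keytool is on PATH, English keytool output and the JDK default store password "changeit"; the function names and arguments are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: keytool on PATH, English
# keytool output, truststore password still the JDK default "changeit".

# Print the truststore JSSE uses for outbound TLS, in its documented order:
# -Djavax.net.ssl.trustStore, then jssecacerts, then cacerts.
# $1 = java.home (e.g. .../sap_7_64/jre), $2 = optional override path.
resolve_truststore() {
    java_home=$1
    override=${2:-}
    if [ -n "$override" ]; then
        printf '%s\n' "$override"; return 0
    fi
    for name in jssecacerts cacerts; do
        if [ -f "$java_home/lib/security/$name" ]; then
            printf '%s\n' "$java_home/lib/security/$name"; return 0
        fi
    done
    echo "no truststore under $java_home/lib/security" >&2
    return 1
}

# Succeed if any entry's Owner line contains the given text.
# $1 = truststore, $2 = text from the subject DN, $3 = store password.
has_root() {
    keytool -list -v -keystore "$1" -storepass "${3:-changeit}" 2>/dev/null |
        grep -F 'Owner:' | grep -qF "$2"
}

# Import a CA certificate file only when it is not already trusted.
# $1 = truststore, $2 = alias, $3 = certificate file, $4 = subject text.
ensure_root() {
    if has_root "$1" "$4" "${5:-changeit}"; then
        echo "already trusted: $4"; return 0
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$3" \
        -keystore "$1" -storepass "${5:-changeit}"
}

# Usage: sh check-root.sh <java.home> <alias> <cert-file> <subject-text>
if [ "$#" -eq 4 ]; then
    ts=$(resolve_truststore "$1") || exit 1
    ensure_root "$ts" "$2" "$3" "$4"
fi
```

Running it again after a B1i update shows whether the restored default cacerts still contains the root.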

