
Needs help with certificate

lars_jnsson
Active Participant
0 Kudos

Hi!

I'm calling an external webservice using a Call HTTP atom and get the error:

    <Payload Role="C" id="atom_call_login" statusNo="HTTP" statusMsg="" reference="atom_login" sysid="" payload="atom_login" throwException="false">
      <http.header/>
      <httaError xmlns="urn:com.sap.b1i.xcellerator:upltdoc" HTTPcode="" HTTPmsg="">
        <exceptionMsg>
          javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        </exceptionMsg>
        <returnData/>
      </httaError>
    </Payload>

The call is made over https with the following settings:

  • destProtocol = https
  • destHost = login.salesforce.com
  • destPort = 443
  • destPath = XXX

The url https://login.salesforce.com shows the following certificate-chain:

  • login.salesforce.com (SSL, sha256)
  • VeriSign Class 3 Public Primary Certification Authority - G5 (sha1)

  1. First I made the call with no certificates imported. Got the error above.
  2. I imported the root certificate "VeriSign Class 3 Public Primary Certification Authority - G5" into Tomcat keystore. Got the same error.
  3. I imported the SSL certificate as well. Same error.

I think that only the root certificate needs to exist in the keystore. That is also what the exception tells me (I think).

Please, I need help getting this issue solved!

Regards

Lars

Accepted Solutions (1)

lars_jnsson
Active Participant

Hi!

Issue solved!

After reading more about Tomcat/Java certificate handling I realized that:

  • Inbound https calls to B1i use the B1iExcellerator/.keystore
  • Outbound https calls use a separate "truststore". In Tomcat there is no truststore; instead the Java truststore "cacerts" is used.

When I listed the installed certs in sap_7_64/jre/lib/security/cacerts using keytool I couldn't find my VeriSign certificate.

Then I installed the certificate "VeriSign Class 3 Public Primary Certification Authority - G5" into cacerts.

Voila! Then it worked.

Case closed!

Regards

Lars
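The keystore/truststore split described above can be checked offline: the small diagnostic below (added here as an example, not code from the thread or from SAP B1i) runs the same PKIX path build that the JDK's SSL validator performs, against whichever truststore you point it at, so a missing root shows up without making the HTTP call. It assumes the server chain was saved to a PEM file (the file name "server-chain.pem" is a placeholder) and that the truststore is a JKS with the default password "changeit".

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

public class TrustStoreCheck {
    // Load the truststore that outbound TLS clients consult (e.g. jre/lib/security/cacerts).
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    // Read a PEM file holding the server chain, leaf first (e.g. exported from a browser).
    static List<X509Certificate> readPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        return chain;
    }
    // Returns null when a path from the leaf to a trust anchor in trustStore exists, otherwise
    // the builder's message (the same text that ends up inside the SSLHandshakeException).
    static String pkixProblem(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));                        // the leaf we need a path for
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));         // intermediates sent by the server
        params.setRevocationEnabled(false);                         // offline check; revocation is separate
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            return null;
        } catch (CertPathBuilderException e) {
            return e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        String tsPath = args.length > 0 ? args[0] : System.getProperty("java.home") + "/lib/security/cacerts";
        String chainPath = args.length > 1 ? args[1] : "server-chain.pem";   // placeholder file name
        String problem = pkixProblem(readPemChain(chainPath), loadTrustStore(tsPath, "changeit".toCharArray()));
        System.out.println(problem == null ? "OK: chain validates against " + tsPath
                                           : "PKIX path building failed: " + problem);
    }
}
```

Run it once against the JRE cacerts and once against the B1i .keystore to see which store actually anchors the chain; only the one that the outbound client consults (cacerts, or the file named by trustStoreURI) matters for the Call HTTP atom.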

Answers (1)

bastian_schaefer
Active Contributor

Hi Lars,

please be aware that if you update B1i, the default cacerts of the JRE will be restored and your changes will be overwritten.

You can upload ".keystore" from B1iXcellerator folder into B1i as jks file via Control Center -> Maintenance -> BizStore Upload:

Afterwards attach the certificates via "Control Center -> Configuration -> Certificate Admin".

The password is stored in the Java keystore file and can be found in the following folder path, where B1 is installed: <localdrive>:\..\Tomcat\conf\server.xml .

For each certificate please choose the same password as for the JAVA keystore.

Now a B1i patch upgrade will not affect your imported certificates anymore.

Best regards

Bastian

lars_jnsson
Active Participant
0 Kudos

Hi Bastian!

Great remark. I will consider this as I don't want problems with upgrades.

Regards

Lars

bastian_schaefer
Active Contributor
0 Kudos

... I just forgot to mention: fill the parameter "trustStoreURI" in the SLD for the H.Any and W.Any system types with the BizStore path to the uploaded keystore file:

Of course this parameter "trustStoreURI" is also available for the call atoms.

Best regards

Bastian

BergenMatthias
Discoverer
0 Kudos

Hey there!

Does anybody know if there is an external way (API etc.) to update imported certificates automatically?

Thank you!