Former Member

SSLHandshakeException - when connecting to thirdparty

Hi Experts,

We are facing issues while connecting to a third-party system using certificates. We are using PI 7.31.

This is a synchronous interface. The connection from ECC to PI is via ABAP Proxy. A Java proxy is deployed in PI (web service): ECC-->PI-->WS-->ThirdParty.


Error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Previously we were not using any certificates to connect with the third party. Lately the third party upgraded their security, and as a part of that we were provided with certificates to update in our PI system. After the certificate update, the third party indicated an incompatibility with the SSL protocol. SSLv2 and SSLv3 are not supported on their end. The third party accepts only the TLS protocol.


Actions from our side:

1. We have updated the new certificate in the PI NWA Keystore under the TrustedCAs entry.

2. The cacerts file was also updated with the certificates, since this involves a web service. But after the system restart, the imported certificates are deleted automatically from the cacerts file. How can we retain the imported certificates?

3. We have also uploaded the certificates in STRUST.

After searching through SCN blogs we are still not able to find any solution for this.

Should the certificates be uploaded in .cer format or .pem format?

Is there any correlation between the certificate which we import for the third party and the transport protocol?

Where else should the certificates be loaded and where can we validate it?

Many thanks in advance.

Regards,

Baskar


3 Answers

  • Best Answer
    Former Member
    Dec 10, 2015 at 11:49 AM

    Hi Baskar,

    We also faced this issue.

    The certificate should be imported into the Java keystore of your SAP installation under the securities directory (check this with your Basis team).

    These certificates need to be updated in the Cacerts file under that directory.

    Could you let us know more about the java proxy and the web services used in your configuration?

    BR

    Bharath


    • Former Member

      Hi Bharath,

      Thanks for your response! We have updated the certificates in the Cacerts file under the JVM keystore. When we tested with this certificate update, the handshake issue did not occur again.

      But when we restart our PI system, the installed certificates are removed from the Cacerts file and it is restored to the previous version.

      Currently we are using this as a temporary solution. Do you have any idea how to retain the imported certificates in the Cacerts file?

      Regards,

      Baskar

  • Former Member
    Oct 14, 2015 at 08:06 PM

    Trusted CAs should be fine. Sometimes a third party will have new intermediate and root certificates; make sure to import all the related certificates into your Trusted CAs.

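Added example, not part of the thread: the answer above says to import every intermediate and root certificate, and this script shows why a trust store holding only the root still produces "unable to find valid certification path" when the peer sends only its own certificate. It assumes the `openssl` CLI is installed and uses `openssl verify` as a stand-in for the JVM's PKIX path building; all file names, subject names and `thirdparty.example` are constructed.

```shell
#!/usr/bin/env bash
# Constructed demo: every key and certificate here is throwaway test material.
set -eu

new_csr() {   # $1 = file stem, $2 = CN; writes $1.key and $1.csr
  openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() (   # $1 = work dir; leaves root.pem, inter.pem, leaf.pem in it
  cd "$1"
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > demo.cnf
  new_csr root  "Demo Root CA"
  new_csr inter "Demo Intermediate CA"
  new_csr leaf  "thirdparty.example"
  # The root signs itself and the intermediate; the intermediate signs the leaf.
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile demo.cnf -extensions v3_ca -out root.pem 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile demo.cnf -extensions v3_ca -out inter.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null
)

chain_ok() {   # $1 = trusted PEM bundle, $2 = leaf, $3 = optional peer-sent CAs
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

report() {   # $1 = label; remaining args are passed to chain_ok
  label=$1; shift
  if chain_ok "$@"; then echo "$label: path found"
  else echo "$label: no valid certification path"; fi
}

work=$(mktemp -d)
build_chain "$work"
cat "$work/root.pem" "$work/inter.pem" > "$work/root_and_inter.pem"

report "trust store = root only"            "$work/root.pem" "$work/leaf.pem"
report "trust store = root + intermediate"  "$work/root_and_inter.pem" "$work/leaf.pem"
report "root only, peer sends intermediate" "$work/root.pem" "$work/leaf.pem" "$work/inter.pem"
```

Only the first case fails: the leaf's issuer is neither trusted nor supplied, so no path to the root can be built.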

  • Former Member
    Oct 14, 2015 at 10:49 PM

    Hi Baskar,

    A couple of things stand out in your question.

    1) You mentioned uploading the certs into STRUST. Therefore you obviously have a dual-stack PI system. Do you know what UME is currently configured? Is it the Java stack or ABAP stack? This makes a big difference as to where your certs need to be stored (the Basis team should be able to help you answer this).

    2) You mention a Java proxy. Is the proxy calling the 3rd party web service? Therefore you must have a custom Java client implemented, so we'd need to see the code used to establish the connection to the 3rd party web server.

    Regards,

    Nick
