Former Member

Peer Certificate Rejected by ChainVerifier

Hi,

I am laying my first hands on SAP LVM plugin development. In my use-case, the plugin needs to talk to a SOAP service that runs locally on the same host where the LVM / plugin executes. The SOAP service is written in Java and runs on a Tomcat 7 server and is secured via HTTPS using a self-signed certificate.

The Tomcat server side of things works as expected - the WSDL is perfectly accessible via any standard browser or any test SOAP client process (Java stub / SoapUI etc.). However, the same fails when the plugin code tries accessing it with the following exception:

Connection IO Exception. Check nested exception for details. (Peer certificate rejected by ChainVerifier).

[EXCEPTION]

com.sap.engine.services.webservices.espbase.client.bindings.exceptions.TransportBindingException: Connection IO Exception. Check nested exception for details. (Peer certificate rejected by ChainVerifier).

at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.outputSOAPMessage(SOAPTransportBinding.java:419)

at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.call_SOAP(SOAPTransportBinding.java:1364)

at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.callWOLogging(SOAPTransportBinding.java:990)

at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.call(SOAPTransportBinding.java:944)

at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.processTransportBindingCall(WSInvocationHandler.java:168)

at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.invokeSEISyncMethod(WSInvocationHandler.java:121)

at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.invokeSEIMethod(WSInvocationHandler.java:84)

at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.invoke(WSInvocationHandler.java:65)

at $Proxy428.login(Unknown Source)

...

...

at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)

at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)

at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)

at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)

at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:475)

at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:269)

at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)

at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)

at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)

at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)

Caused by: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

at iaik.security.ssl.r.checkIsTrusted(Unknown Source)

at iaik.security.ssl.x.b(Unknown Source)

at iaik.security.ssl.x.a(Unknown Source)

at iaik.security.ssl.r.d(Unknown Source)

at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)

at iaik.security.ssl.SSLTransport.getOutputStream(Unknown Source)

at iaik.security.ssl.SSLSocket.getOutputStream(Unknown Source)

at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.initStreamsFromSocket(HTTPSocket.java:676)

at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.initializeStreams(HTTPSocket.java:553)

at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.getOutputStream(HTTPSocket.java:504)

at com.sap.engine.services.webservices.espbase.client.bindings.ClientHTTPTransport.getRequestStream(ClientHTTPTransport.java:202)

at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.outputSOAPMessage(SOAPTransportBinding.java:375)

... 73 more

I have imported the self-signed certificate in NWA trustCAs keystore. I have also ensured that the CN=hostname and the dates are valid on the certificate. Not sure if I am missing anything here. This is time critical and any help getting past this problem is greatly appreciated.

Thanks in advance.

-Hari

4 Answers

  • Oct 31, 2015 at 05:03 AM

    Hello Hari,

    After deploying the certificates did you try restarting the Java server?

  • Former Member
    Oct 31, 2015 at 05:43 AM

    Hi Raghu,

    Yes, I have restarted both the LVM and the Tomcat servers. Like I mentioned, there are absolutely no issues seen accessing the WSDL. I could see the cert details from stub client logs / browser HTTPS security dialog.

    I am given to suspect if and whether SAP LVM ecosystem supports a self-signed certificate at all. If it does, then do I need to configure anything else other than importing the cert into trust CA NWA key store and restarting LVM?

  • Former Member
    Nov 01, 2015 at 06:34 AM

    For using HTTPS, the certificate has to be signed by a valid CA; it cannot be self-signed. This is my experience with other SAP systems like ECC, HCM etc.

  • Nov 01, 2015 at 03:56 PM

    I believe you have shared your server certificate with the receiver system already.

    And they have installed your certificate in their trusted key store.

    According to your error, either the receiver has not installed your server certificate in their system or you are not using the same certificate which you have shared with them for SSL authentication.

    • Former Member

      Hello Ambuj,

      Both the SAP LVM plugin (Web service client) and the Tomcat Java application (Web service) are something that I develop as part of my product. Hence I am using a self-signed certificate.

      The server-side, as I mentioned before, is configured right, and I am able to hit the SSL port and retrieve the WSDL from any standard browser or any arbitrary Web service client (residing outside of SAP LVM). The problem stems when I consume the service from the LVM plugin.
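
Added example (not part of the thread and not SAP code): the check the last answer describes, whether the certificate the server presents is the same one that was imported into the client's trust store, done by comparing SHA-256 fingerprints of the decoded DER bytes. The function names and aliases are hypothetical, and the sample PEM bodies are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of each certificate in a PEM string or bundle."""
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        # Hash the decoded DER bytes, so line wrapping and stray whitespace
        # in the exported file cannot cause a false mismatch.
        der = base64.b64decode("".join(body.split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def find_trusted_match(presented_pem, trusted):
    """Alias of the trust-store entry identical to the presented leaf, or None.

    trusted maps alias -> PEM text exported from the client's trust store.
    """
    presented = pem_fingerprints(presented_pem)
    if not presented:
        raise ValueError("no certificate in presented PEM")
    for alias, pem in trusted.items():
        if presented[0] in pem_fingerprints(pem):
            return alias
    return None

def fetch_presented_pem(host, port):
    """Certificate the server actually sends; no ca_certs, so no validation."""
    return ssl.get_server_certificate((host, port))

def make_pem(der, width=64):
    """Wrap bytes in PEM armor (used only to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

# Constructed placeholder bytes, not real certificates.
PRESENTED = make_pem(b"placeholder: cert Tomcat presents today " * 4)
IMPORTED_SAME = make_pem(b"placeholder: cert Tomcat presents today " * 4, 76)
IMPORTED_STALE = make_pem(b"placeholder: cert from an earlier keygen " * 4)

if __name__ == "__main__":
    print(find_trusted_match(PRESENTED, {"tomcat": IMPORTED_SAME}))
    print(find_trusted_match(PRESENTED, {"tomcat": IMPORTED_STALE}))
```

Against a live endpoint, pass `fetch_presented_pem(host, port)` as the first argument and the PEM text exported from the trust store as the values of the second.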