on 10-30-2015 2:26 PM
Hi,
I am laying my first hands on SAP LVM plugin development. In my use-case, the plugin needs to talk to a SOAP service that runs locally on the same host where the LVM / plugin executes. The SOAP service is written in Java and runs on a Tomcat 7 server and is secured via HTTPS using a self-signed certificate.
The Tomcat server side of things works as expected - the WSDL is perfectly accessible via any standard browser or any test SOAP client process (Java stub / SoapUI etc.). However, the same fails when the plugin code tries accessing it with the following exception:
Connection IO Exception. Check nested exception for details. (Peer certificate rejected by ChainVerifier).
[EXCEPTION] com.sap.engine.services.webservices.espbase.client.bindings.exceptions.TransportBindingException: Connection IO Exception. Check nested exception for details. (Peer certificate rejected by ChainVerifier).
    at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.outputSOAPMessage(SOAPTransportBinding.java:419)
    at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.call_SOAP(SOAPTransportBinding.java:1364)
    at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.callWOLogging(SOAPTransportBinding.java:990)
    at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.call(SOAPTransportBinding.java:944)
    at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.processTransportBindingCall(WSInvocationHandler.java:168)
    at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.invokeSEISyncMethod(WSInvocationHandler.java:121)
    at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.invokeSEIMethod(WSInvocationHandler.java:84)
    at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.invoke(WSInvocationHandler.java:65)
    at $Proxy428.login(Unknown Source)
    ... ...
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:475)
    at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:269)
    at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
    at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
    at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
    at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
Caused by: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    at iaik.security.ssl.r.checkIsTrusted(Unknown Source)
    at iaik.security.ssl.x.b(Unknown Source)
    at iaik.security.ssl.x.a(Unknown Source)
    at iaik.security.ssl.r.d(Unknown Source)
    at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
    at iaik.security.ssl.SSLTransport.getOutputStream(Unknown Source)
    at iaik.security.ssl.SSLSocket.getOutputStream(Unknown Source)
    at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.initStreamsFromSocket(HTTPSocket.java:676)
    at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.initializeStreams(HTTPSocket.java:553)
    at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.getOutputStream(HTTPSocket.java:504)
    at com.sap.engine.services.webservices.espbase.client.bindings.ClientHTTPTransport.getRequestStream(ClientHTTPTransport.java:202)
    at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.outputSOAPMessage(SOAPTransportBinding.java:375)
    ... 73 more
I have imported the self-signed certificate in NWA trustCAs keystore. I have also ensured that the CN=hostname and the dates are valid on the certificate. Not sure if I am missing anything here. This is time critical and any help getting past this problem is greatly appreciated.
Thanks in advance.
-Hari
I believe you have shared your server certificate with the receiver system already.
And they have installed your certificate in their trusted key store.
According to your error, either the receiver has not installed your server certificate in their system, or you are not using the same certificate which you have shared with them for SSL authentication.
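The check suggested in the reply above (whether the HTTPS port presents the same certificate that was exported and imported into the trust store), as an added example that is not part of the original thread. It uses the standard JSSE stack rather than the IAIK classes seen in the trace, so it confirms what the server presents but does not reproduce the ChainVerifier decision; the class name and the three command-line arguments (host, port, exported certificate file) are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical diagnostic: java PinnedTrustCheck <host> <port> <exported-cert-file>
public class PinnedTrustCheck {

    // SHA-256 fingerprint of the DER encoding, as upper-case hex.
    static String sha256(Certificate cert) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            hex.append(String.format("%02X", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        Certificate exported;
        try (InputStream in = new FileInputStream(args[2])) {
            exported = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // In-memory trust store whose only entry is the exported certificate.
        KeyStore pinned = KeyStore.getInstance(KeyStore.getDefaultType());
        pinned.load(null, null);
        pinned.setCertificateEntry("exported", exported);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(pinned);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[0], Integer.parseInt(args[1]))) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also verify the host name
            s.setSSLParameters(p);
            s.startHandshake();
            Certificate presented = s.getSession().getPeerCertificates()[0];
            System.out.println("exported : " + sha256(exported));
            System.out.println("presented: " + sha256(presented));
            System.out.println("identical: " + presented.equals(exported));
        } catch (SSLHandshakeException e) {
            System.out.println("Rejected with the exported cert as sole anchor: " + e.getMessage());
        }
    }
}
```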
Hello Ambuj,
Both the SAP LVM plugin (Web service client) and the Tomcat Java application (Web service) are something that I develop as part of my product. Hence I am using a self-signed certificate.
The server-side, as I mentioned before, is configured right, and I am able to hit the SSL port and retrieve the WSDL from any standard browser or any arbitrary Web service client (resides outside of SAP LVM). The problem stems when I consume the service from the LVM plugin.
For using HTTPS, the certificate has to be signed by a valid CA; it cannot be self-signed. This is my experience with other SAP systems like ECC, HCM, etc.
Hi Raghu,
Yes, I have restarted both the LVM and the Tomcat servers. Like I mentioned, there are absolutely no issues seen accessing the WSDL. I could see the cert details from stub client logs / browser HTTPS security dialog.
I am given to suspect if and whether SAP LVM ecosystem supports a self-signed certificate at all. If it does, then do I need to configure anything else other than importing the cert into trust CA NWA key store and restarting LVM?
Hello Hari,
After deploying the certificates, did you try restarting the Java server?