on 05-24-2016 2:31 PM
Hi Experts,
I created a web service client application with NetWeaver Developer Studio. I imported a WSDL destination and created web service proxies. Here I followed the description “Creating Web Service Client Applications” (see https://help.sap.com/saphelp_nw73/helpdata/de/4b/96e16c4d8e584de10000000a42189c/content.htm).
Then I built a servlet to call that service like this:
```java
// Service proxy injected by the container
@WebServiceRef(name = SERVICE_NAME)
WSSoapApi service;

protected void doGet(HttpServletRequest request,
        HttpServletResponse response) throws ServletException, IOException {
    ...
    ISoapApiDocument port = service.getBasicHttpBinding_ISoapApiDocument();
    // Override the endpoint URL taken from the WSDL
    HTTPControlInterface httpControl = HTTPControlFactory.getInterface(port);
    httpControl.setEndpointURL(url);
    port.getXmlListEx(user, password, xmlDate, getXmlListExResult, xmlList);
}
```
The code was deployed as a WAR file on Java AS SAP PI 7.31 single stack. I have imported a certificate into the TrustedCAs key store. When I call the web service I receive the error: Peer certificate rejected by ChainVerifier. The full trace is listed below.
I am using:
VM-Java-Version: 1.6.0_111
VM-Laufzeitversion: 6.1.086 25.51-b02
Kernel-Version: 7.31.3301.373065.20141031130932
Thanks in advance
Cannot process an HTTP request to servlet [TestConnectionServlet] in [RegisTrTest] web application.
[EXCEPTION]
at de.metro.finanzen.registr.test.servlets.TestConnectionServlet.doGet(TestConnectionServlet.java:127)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:152)
at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:38)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:466)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:210)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:441)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:430)
at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:38)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:81)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:278)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:81)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.SessionSizeFilter.process(SessionSizeFilter.java:26)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:57)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:475)
at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:269)
at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
Caused by: javax.xml.ws.WebServiceException: Connection IO Exception. Check nested exception for details. (Peer certificate rejected by ChainVerifier).
at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.processTransportBindingCall(WSInvocationHandler.java:174)
at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.invokeSEISyncMethod(WSInvocationHandler.java:121)
at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.invokeSEIMethod(WSInvocationHandler.java:84)
at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.invoke(WSInvocationHandler.java:65)
at com.sun.proxy.$Proxy3949.getXmlListEx(Unknown Source)
at de.metro.finanzen.registr.test.servlets.TestConnectionServlet.doGet(TestConnectionServlet.java:106)
... 41 more
Caused by: com.sap.engine.services.webservices.espbase.client.bindings.exceptions.TransportBindingException: Connection IO Exception. Check nested exception for details. (Peer certificate rejected by ChainVerifier).
at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.outputSOAPMessage(SOAPTransportBinding.java:426)
at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.call_SOAP(SOAPTransportBinding.java:1371)
at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.callWOLogging(SOAPTransportBinding.java:997)
at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.call(SOAPTransportBinding.java:951)
at com.sap.engine.services.webservices.espbase.client.jaxws.core.WSInvocationHandler.processTransportBindingCall(WSInvocationHandler.java:168)
... 46 more
Caused by: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
at iaik.security.ssl.r.checkIsTrusted(Unknown Source)
at iaik.security.ssl.x.b(Unknown Source)
at iaik.security.ssl.x.a(Unknown Source)
at iaik.security.ssl.r.d(Unknown Source)
at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
at iaik.security.ssl.SSLTransport.getOutputStream(Unknown Source)
at iaik.security.ssl.SSLSocket.getOutputStream(Unknown Source)
at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.initStreamsFromSocket(HTTPSocket.java:676)
at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.initializeStreams(HTTPSocket.java:553)
at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.getOutputStream(HTTPSocket.java:504)
at com.sap.engine.services.webservices.espbase.client.bindings.ClientHTTPTransport.getRequestStream(ClientHTTPTransport.java:202)
at com.sap.engine.services.webservices.espbase.client.bindings.impl.SOAPTransportBinding.outputSOAPMessage(SOAPTransportBinding.java:382)
... 50 more
Hi,
I have created logs with the IPX tool.
I think the problem is that the host name verification is enabled and returns false.
How can I disable this check within a Java web service call?
Thank you in advance!
09:44:22:709 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~y.core.server.https.V3ChainVerifier | ⇨ |
09:44:22:709 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~ttps.DefaultHostnameVerifier.verify | ⇦ with (form.xyz.com, xyz.com) |
09:44:22:709 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~erver.https.DefaultHostnameVerifier | name mismatch: form.xyz.com != xyz.com |
09:44:22:721 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~erver.https.DefaultHostnameVerifier | HostnameVerifier returns: false |
09:44:22:721 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~erver.https.DefaultHostnameVerifier | ⇨ |
09:44:22:721 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~ttps.DefaultHostnameVerifier.verify | ⇦ with (form.xyz.com, *.xyz.com) |
09:44:22:721 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~erver.https.DefaultHostnameVerifier | hostname ok. |
09:44:22:721 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~erver.https.DefaultHostnameVerifier | ⇨ |
09:44:22:722 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~sap.security.core.server.https.IAIK | ssl_debug(12): ChainVerifier: No trusted certificate found, rejected. |
09:44:22:722 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~y.core.server.https.V3ChainVerifier | Chain rejected by default verifier. IAIK log has more details. |
09:44:22:723 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~y.core.server.https.V3ChainVerifier | ⇨ |
09:44:22:723 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~sap.security.core.server.https.IAIK | ssl_debug(12): Sending alert: Alert Fatal: bad certificate |
09:44:22:723 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~sap.security.core.server.https.IAIK | ssl_debug(12): Shutting down SSL layer... |
09:44:22:723 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~sap.security.core.server.https.IAIK | ssl_debug(12): SSLException while handshaking: Peer certificate rejected by ChainVerifier |
09:44:22:727 | Guest | Thread[HTTP Worker [@2038195471],5,~ | ~xceptions.TransportBindingException | Exception : Connection IO Exception. Check nested exception for details. (Peer certificate rejected by ChainVerifier). |
Hi Michael,
Good question... I know, for example, that in PI the file adapter has functionality to avoid such an error:
1992392 - SSLException due to name mismatch in FTPS Adapter
1591971 - Added property strictHostnameChecking
But for WS calls I doubt that such a feature exists. Instead of looking for functionality to disable this check, I would advise solving the error.
According to the error message, the target server provides a certificate with CN field: form.xyz.com.
But in your call you are trying to connect to the xyz.com host. Since these do not match exactly, the error is thrown.
So either try to modify the certificate of the target server, or ensure that your call uses the same host name that is in the CN field of the certificate. Also, the hosts file of the server from which the call is started probably has to contain the host name and IP address pair of this target server.
Best Regards,
Viktor
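The two hostname comparisons logged in the trace above (form.xyz.com against xyz.com, then against *.xyz.com) can be reproduced with a small matcher. This is an added example, not code from the posts or from SAP: the class and method names are hypothetical, and the wildcard rule used (whole left-most label, standing for exactly one label) is the common convention, assumed here rather than taken from DefaultHostnameVerifier.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class HostnameMatchDemo {

    /** True if the certificate name (exact or "*.domain") covers the host. */
    static boolean matches(String host, String certName) {
        String h = host.toLowerCase(Locale.ROOT);
        String n = certName.toLowerCase(Locale.ROOT);
        if (!n.startsWith("*.")) {
            return h.equals(n);                      // exact name
        }
        // Wildcard: only as the whole left-most label, and it stands for
        // exactly one label ("*.xyz.com" covers "form.xyz.com", but not
        // "xyz.com" and not "a.form.xyz.com").
        String suffix = n.substring(1);              // ".xyz.com"
        if (suffix.indexOf('*') >= 0 || !h.endsWith(suffix)) {
            return false;
        }
        String firstLabel = h.substring(0, h.length() - suffix.length());
        return !firstLabel.isEmpty() && firstLabel.indexOf('.') < 0;
    }

    /** Returns the first certificate name that covers the host, or null. */
    static String firstMatch(String host, List<String> certNames) {
        for (String name : certNames) {
            if (matches(host, name)) {
                return name;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed input: the two names compared in the trace above.
        List<String> certNames = Arrays.asList("xyz.com", "*.xyz.com");
        for (String host : Arrays.asList("form.xyz.com", "xyz.com", "a.form.xyz.com")) {
            for (String name : certNames) {
                System.out.println(host + " vs " + name + " -> " + matches(host, name));
            }
            System.out.println(host + " covered by: " + firstMatch(host, certNames));
        }
    }
}
```

In the trace, the second comparison logs `hostname ok.`, and the line that follows it is the IAIK message `ChainVerifier: No trusted certificate found, rejected.`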
Hi Michael,
First, I think it would be a good idea to test the web service call with a 3rd party tool like SoapUI.
Try to reach the WS with the HTTPS protocol. If it is working, you will see there the certificate chain that the web service sent back to SoapUI. There you can validate if the certificate chain is valid and is not expired.
You might also use a tool to validate the server side certificates:
SSL Checker - SSL Certificate Verify
As soon as you are sure that the certificate chain is valid, you can import the root CA certificate into the TrustedCAs keystore view of the AS JAVA and try to test the call again. Hopefully it will work.
If not, then deeper traces are needed on AS JAVA to see the whole SSL handshake. There you will see what certificate the server sent back to your client application and why the AS JAVA chain verifier rejects the cert chain.
Best Regards,
Viktor