on 04-15-2017 12:35 PM
Hi
I'm working on a SOAP receiver interface which is configured for the given location "https://www.xxxxxxx", but when I run the interface I'm receiving the following error:
com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
I assume we needed a certificate and hence obtained one from the service providers and installed it:
My config is:
certificate details:
Please, any help to validate whether my config is okay and how to resolve the issue?
Hi,
Uncheck Configure Certificate Authentication and then place the Root Certificate (Fabxxxxx) in the TrustedCAs keystore (the red one in your screenshot).
Regards,
Mark
Prabhu,
The reason why Mark is suggesting this is because when PI hits any SSL server, it validates whether there is any certificate in the default keystore, i.e. TrustedCAs, with that particular common name, i.e. host name. The same goes when you are working with FTPS too.
Br,
Manoj
Hi Prabhu,
Manoj's answer is spot on. In the screenshot, the URL is already https. You only check Certificate Authentication when you are doing https with client authentication. For https without client authentication, placing the certificates in the trustedca keystore should be enough.
Regards,
Mark
Hello Prabhu,
There are two types of security features involved when you use certificates. One is for the connection between the two systems, that is, your PI system and the third party, and this is usually done using the SSL connection setup. In this case the connection is set up only if the SSL handshake happens. For this case you need to deploy the certificates from the 3rd party in TrustedCAs and also send the PI system certificates to the 3rd party and ensure the SSL handshake takes place.
But in your case you are currently securing on the data end, so here you are securing your file with the pfx certificate, and the 3rd party will be able to see the data only if he has the other pair of certificate/key which he has shared with you. As Mark has suggested, for this case you need to create a separate keystore view, just like the TicketKeyStore or some other keystore view which has been shown in your screenshot, deploy the pfx certificate and private key there, and use this keystore view name in your Channel.
As the link is HTTPS, you would need an SSL certificate from your 3rd party, and you need to deploy this in the TrustedCAs keystore view.
Regards,
Nitin Deshpande
Hi,
The error you are getting is for SSL while you configure the certificate as authentication medium. As Mark said in the earlier reply, you need to configure the certificate for SSL and upload this in TrustedCA (both root and URL certificate).
regards,
Harish
Hi Prabhu,
Usually SSL without client authentication should be enough. The best way to test client authentication is executing the external webservice via SOAP UI. If you did not do any additional configuration, then it is SSL without client authentication. Otherwise, you would have to do these steps:
Regards,
Mark
Hi -
Finally it seems to narrow down to an invalid certificate that was provided. Now they have provided a PFX file with a pwd (private key), which seems to work fine when I tested the WSDL (imported SSL) in SOAP UI, though no user name was provided. How do I need to proceed with the given PFX file? Do I request Basis to install the PFX in TrustedCAs and later use the pwd in the SOAP receiver config via client authentication?
Please can you advise?
Prabhu,
Have you tried using XPI_inspector:
https://blogs.sap.com/2015/12/10/using-xpi-inspector-to-troubleshoot-http-ssl-connections/
Br,
Manoj
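
The two cases the replies separate (trusting the server's issuing root via TrustedCAs, and a PFX with a private key for client authentication) can be reproduced outside PI with the openssl CLI. This is an added example, not part of the thread: every certificate name, the password and the helper functions are constructed, and openssl's verifier stands in for PI's ChainVerifier as an assumption.

```shell
#!/bin/sh
# Constructed demo PKI: every name, subject and password below is made up.
# Assumption: openssl's chain check stands in for PI's ChainVerifier.

# new_ca DIR NAME: self-signed root NAME.pem with key NAME.key
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR CA NAME: certificate NAME.pem (CN=NAME) signed by CA
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# chain_ok TRUSTFILE CERT: prints "trusted" if CERT chains to a root in TRUSTFILE
chain_ok() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# pfx_private_keys PFX PASSWORD: prints how many private keys the PKCS#12 file holds
pfx_private_keys() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -c "BEGIN.*PRIVATE KEY"
}

demo() {
    d=$(mktemp -d) || return 1
    new_ca "$d" demo-root && new_ca "$d" other-root &&
        issue "$d" demo-root www.example.test && issue "$d" demo-root pi-client || return 1
    # Trust store that lacks the issuing root: the server certificate is rejected.
    echo "server vs store without issuer: $(chain_ok "$d/other-root.pem" "$d/www.example.test.pem")"
    # Trust store that contains the issuing root: the same certificate is accepted.
    echo "server vs store with issuer: $(chain_ok "$d/demo-root.pem" "$d/www.example.test.pem")"
    # A PFX bundles a certificate with its private key, i.e. a client identity.
    openssl pkcs12 -export -inkey "$d/pi-client.key" -in "$d/pi-client.pem" \
        -passout pass:demo -out "$d/pi-client.pfx" 2>/dev/null
    echo "private keys in client PFX: $(pfx_private_keys "$d/pi-client.pfx" demo)"
    rm -rf "$d"
}
demo
```

The first two lines of output show why the root has to be present in the trust store for the handshake to pass; the third shows that a PFX carries a private key, which is why the replies point it at a separate keystore view used for client authentication.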