SOAP Receiver SSL certificate - SSLCertificateException: Peer certificate rejected by ChainVerifier

prabhu_s2
Active Contributor
0 Kudos

Hi

I'm working on a SOAP receiver interface which is configured for the given location "https://www.xxxxxxx", but when I run the interface I'm receiving the following error:

com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

I assume we needed a certificate and hence obtained from the service providers and installed it:

My config is:

certificate details:

Please, any help to validate if my config is okay and how to resolve the issue?

Accepted Solutions (0)

Answers (5)

markangelo_dihiansan
Active Contributor

Hi,

Uncheck Configure Certificate Authentication and then place the Root Certificate (Fabxxxxx) in the TrustedCAs keystore (the red one in your screenshot).

Regards,

Mark

prabhu_s2
Active Contributor
0 Kudos

Hello Mark

Thanks for your feedback, but I have a question on your suggestion. If I'm not providing the certificate details, how would the interface determine the SSL? By unchecking the option to enter the certificate details, how does it work for an https URL?

manoj_khavatkopp
Active Contributor

Prabhu,

The reason why Mark is suggesting this is that when PI hits any SSL server, it validates whether there is any certificate in the default keystore, i.e. TrustedCAs, with that particular common name, i.e. host name. The same goes when you are working with FTPS too.

Br,

Manoj

markangelo_dihiansan
Active Contributor

Hi Prabhu,

Manoj's answer is spot on. In the screenshot, the URL is already https. You only check Certificate Authentication when you are doing https with client authentication. For https without client authentication, placing the certificates in the trustedca keystore should be enough.

Regards,

Mark
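
Added example (not part of the thread and not SAP code): the chain check behind "Peer certificate rejected by ChainVerifier", reproduced with the OpenSSL command line instead of PI's keystore views. The root CA, host name and file names are constructed for the demo; the "trust store" file stands in for the TrustedCAs keystore view.

```shell
#!/bin/sh
# Constructed demo data: throwaway CAs and a server certificate, all names hypothetical.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain() {
    # Self-signed root CA (stands in for the provider's root certificate).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Provider Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null || return 1
    # Key and signing request for the HTTPS endpoint.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null || return 1
    # The root signs the server certificate.
    openssl x509 -req -in "$WORK/server.csr" -days 30 \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null || return 1
    # An unrelated CA: models a trust store that lacks the provider's root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Unrelated CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# chain_trusted TRUSTSTORE CERT
# Exit status 0 only if CERT chains up to a CA contained in TRUSTSTORE.
chain_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report TRUSTSTORE LABEL: print the verdict for the server certificate.
report() {
    if chain_trusted "$1" "$WORK/server.pem"; then
        echo "$2: chain accepted"
    else
        echo "$2: peer certificate rejected"
    fi
}

if make_chain; then
    report "$WORK/other.pem" "trust store without the provider root"
    report "$WORK/root.pem"  "trust store with the provider root"
fi
```

No client key or certificate is involved in either check: trusting the server's chain is separate from client certificate authentication.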

prabhu_s2
Active Contributor
0 Kudos

Thanks, Manoj. Will check and update.

prabhu_s2
Active Contributor
0 Kudos

Thanks for your feedback, Mark.

prabhu_s2
Active Contributor
0 Kudos

Hi Manoj

Am I right to assume that the certificate name and the keychain name are to be the same in TrustedCAs as received from the service providers?

prabhu_s2
Active Contributor
0 Kudos

Hi Mark

Just to clarify, for a receiver SOAP channel with an https URL, we do not need client authentication? How do we know whether we need client authentication or not? Please can you advise.

nitindeshpande
Active Contributor
0 Kudos

Hello Prabhu,

There are two types of security features involved when you use certificates. One is for the connection between the two systems, which are your PI system and the third party, and this is usually done using the SSL connection setup. In this case the connection is set up only if the SSL handshake happens. For this case you need to deploy the certificates from the 3rd party in TrustedCAs and also send the PI system certificates to the 3rd party, and ensure the SSL handshake takes place.

But in your case you are currently securing on the data end, so here you are securing your file with the pfx certificate, and the 3rd party will be able to see the data only if he has the other certificate/key of the pair which he has shared with you. As Mark has suggested, for this case you need to create a separate keystore view, just like the TicketKeyStore or some other keystore view shown in your screenshot, deploy the pfx certificate and private key there, and use this keystore view name in your channel.

As the link is HTTPS, you would need an SSL certificate from your 3rd party, and you need to deploy this in the TrustedCAs keystore view.

Regards,

Nitin Deshpande

Harish
Active Contributor
0 Kudos

Hi,

The error you are getting is for SSL, while you configure the certificate as the authentication medium. As Mark said in the earlier reply, you need to configure the certificate for SSL and upload this in TrustedCAs (both root and URL certificate).

Regards,

Harish

markangelo_dihiansan
Active Contributor
0 Kudos

Hi Prabhu,

Usually SSL without client authentication should be enough. The best way to test client authentication is executing the external web service via SOAP UI. If you did not do any additional configuration, then it is SSL without client authentication. Otherwise, you would have to do these steps:

http://geekswithblogs.net/gvdmaaden/archive/2011/02/24/how-to-configure-soapui-with-client-certifica...

Regards,

Mark

prabhu_s2
Active Contributor
0 Kudos

Hi -

Finally it seems to narrow down to an invalid certificate that was provided. Now they have provided a PFX file with a password (private key), which seems to work fine when I tested the WSDL (imported SSL) in SOAP UI, though no user name was provided. How do I need to proceed with the given PFX file? Do I request Basis to install the PFX in TrustedCAs and later use the password in the SOAP receiver config via client authentication?

Please can you advise?

markangelo_dihiansan
Active Contributor
0 Kudos

Hi Prabhu,

Since you now have a pfx file, you need to create a separate keystore and then check Certificate Authentication in the channel.

Regards,

Mark

manoj_khavatkopp
Active Contributor
0 Kudos
prabhu_s2
Active Contributor
0 Kudos

Nope, I have not installed XPI yet, but with the given time frame I'm not sure if we will have an option to install XPI...

Andrzej_Filusz
Contributor
0 Kudos

Hi Prabhu,

All you have to do is to deploy a file to your PI server.

Regards,

Andrzej