SOAP Receiver SSL certificate - SSLCertificateException: Peer certificate rejected by ChainVerifier

Apr 15, 2017 at 11:35 AM

Hi

I'm working on a SOAP receiver interface which is configured for the given location "https://www.xxxxxxx", but when I run the interface I'm receiving the following error:

com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

I assume we needed a certificate and hence obtained one from the service providers and installed it:

My config is:

certificate details:

Please, any help to validate whether my config is okay and how to resolve the issue?

keystore.jpg (214.7 kB)
soap-recv.jpg (81.6 kB)
cert.jpg (31.9 kB)

5 Answers

Mark Dihiansan Apr 19, 2017 at 03:27 AM
1

Hi,

Uncheck Configure Certificate Authentication and then place the Root Certificate (Fabxxxxx) in the TrustedCAs keystore (the red one in your screenshot).

Regards,

Mark


Hello Mark

Thanks for your feedback, but I have a question on your suggestion. If I'm not providing the certificate details, how would the interface determine the SSL? By unchecking the option to enter the certificate details, how does it work for an https URL?

0

Prabhu,

The reason why Mark is suggesting this is because when PI hits any SSL server, it validates if there is any certificate in the default keystore, i.e. TrustedCAs, with that particular common name, i.e. host name. The same goes when you are working with FTPS too.

Br,

Manoj

2

Thanks Manoj. Will check and update.

0

Hi Manoj,

Am I right to assume that the certificate name and the keychain name should be the same in the trusted CAs as received from the service providers?

0

Hi Prabhu,

Manoj's answer is spot on. In the screenshot, the URL is already https. You only check Certificate Authentication when you are doing https with client authentication. For https without client authentication, placing the certificates in the trustedca keystore should be enough.

Regards,

Mark

1

Thanks for your feedback, Mark.

0

Hi Mark,

Just to clarify, for a receiver SOAP channel with an https URL we do not need client authentication? How do we know if we need client authentication or not? Please can you advise.

0
Manoj K Apr 17, 2017 at 05:13 AM
0

Nope, have not installed XPI yet, but with the given time frame I'm not sure if we will have an option to install XPI...

0

Hi Prabhu,

All you have to do is to deploy a file to your PI server.

Regards,

Andrzej

0
Harish Mistri May 09, 2017 at 03:52 AM
0

Hi,

The error you are getting is for SSL while you configure the certificate as authentication medium. As Mark said in the earlier reply, you need to configure the certificate for SSL and upload this in TrustedCA (both root and URL certificate).

regards,

Harish

Mark Dihiansan May 09, 2017 at 02:28 AM
0

Hi Prabhu,

Usually SSL without client authentication should be enough. The best way to test client authentication is executing the external webservice via SOAP UI. If you did not do any additional configuration, then it is ssl without client authentication. Otherwise, you would have to do these steps:

http://geekswithblogs.net/gvdmaaden/archive/2011/02/24/how-to-configure-soapui-with-client-certificate-authentication.aspx

Regards,

Mark


Hi -

Finally it seems to narrow down to an invalid certificate that was provided. Now they have provided a PFX file with a password (private key), which seems to work fine when I tested the WSDL (imported SSL) in SOAP UI, though no user name was provided. How do I need to proceed with the given PFX file? Do I request Basis to install the PFX in TrustedCAs and later use the password in the SOAP receiver config via client authentication?

Please can you advise?

0

Hi Prabhu,

Since you now have a pfx file, you need to create a separate keystore and then check Certificate Authentication in the channel.

Regards,

Mark

0
Nitin Deshpande May 11, 2017 at 10:56 AM
0

Hello Prabhu,

There are two types of security features involved when you use certificates. One is for the connection between the two systems, which are your PI system and the third party, and this is usually done using the SSL connection setup. In this case the connection is set up only if the SSL handshake happens. For this case you need to deploy the certificates from the 3rd party in TrustedCAs and also send the PI system certificates to the 3rd party, and ensure the SSL handshake takes place.

But in your case you are currently securing on the data end, so here you are securing your file with the pfx certificate, and the 3rd party will be able to see the data only if he has the other pair of certificate/key which he has shared with you. As Mark has suggested, for this case you need to create a separate keystore view, just like the TicketKeyStore or some other keystore view which has been shown in your screenshot, deploy the pfx certificate and private key there, and use this keystore view name in your channel.

As the link is HTTPS, you would need an SSL certificate from your 3rd party, and you need to deploy this in the TrustedCAs keystore view.

Regards,

Nitin Deshpande
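
The distinction this thread arrives at, shown as an added example that is not part of any post and is not SAP tooling: a server chain is accepted only when its issuing root is in the trust store, while a PFX carries a private key and is therefore a client identity, not a trust anchor. It uses the `openssl` CLI on a throwaway CA as a stand-in for PI's own verifier; every name, subject and password is constructed.

```shell
#!/bin/sh
# Added illustration. Every name, subject and password here is constructed.
set -eu
WORK=$(mktemp -d)

# Minimal req config so the result does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {      # make_ca <name> <subject>: self-signed root (certificate + key)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/req.cnf" \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
issue() {        # issue <name> <subject>: leaf certificate signed by the demo root
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 2 -out "$WORK/$1.pem" 2>/dev/null
}
chain_ok() {     # chain_ok <trust.pem> <cert.pem>: does the cert chain to the store?
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
pfx_has_key() {  # pfx_has_key <file.pfx> <password>: does the PFX hold a private key?
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

make_ca root  "/CN=Demo Partner Root CA"   # the root that signed the server cert
make_ca other "/CN=Unrelated CA"           # a store that lacks that root
issue server "/CN=www.example.test"
issue client "/CN=demo-pi-client"
openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
  -passout pass:demo -out "$WORK/client.pfx"

for store in other root; do
  if chain_ok "$WORK/$store.pem" "$WORK/server.pem"; then r=accepted; else r=rejected; fi
  echo "trust store holding the $store CA: server chain $r"
done
if pfx_has_key "$WORK/client.pfx" demo; then
  echo "client.pfx holds a private key: client identity, not a trust anchor"
fi
```

The rejected case corresponds to a trust store that lacks the partner's root; the PFX check shows why that file belongs in its own keystore view, as Mark and Nitin advise.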
