Former Member

PROXY-TO-REST Synchronous scenario with SSL

Dear All,

I have configured a scenario PROXY-PI-REST.

PI version: 7.31, SP16

And while making an API call through the SAP PI REST adapter, I am getting an error.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

I have gone through some blogs and links but could not resolve it yet.

Steps I have done:

1. Got the public root certificate from the 3rd party system.
2. Imported it into the Trusted CAs of NWA.

I don't have XPI Inspector installed.
I have tested the API call using Advanced REST Client, where I need to provide Basic authentication to authenticate us.
Can I get any help from anyone?

Regards,
Aarti


4 Answers

  • Best Answer
    Aug 22, 2017 at 04:08 PM

    Hi Aarti,

    In the screenshot of Trusted CAs the certificate is only the root certificate, but you need the complete chain of certificates, i.e. root, intermediate as well as leaf certificate.

    The root certificate is usually provided by the CA authority; in your case it is provided by the DigiCert authority, but they should have also provided the intermediate as well as the signed leaf certificate for your third party, so ask your third party for the complete cert chain and import it in the Trusted CA view. If it is possible to reach the third party via browser, then you can put that URL in the browser and get the chain path from there too.

    You may consider installing XPI; it would be very helpful to debug such kinds of issues. XPI can actually tell which certs are missing, and you can download them from the XPI log too.

    Br,

    Manoj

  • Former Member
    Aug 22, 2017 at 04:20 PM

    Hi Manoj,

    This certificate I have downloaded from their site (the lock symbol). I could also see the chain of the certificates (Root->Intermediate->leaf).

    So you mean I should have 3 certificates in the Trusted CA list:

    1. Root

    2. Intermediate

    3. Leaf

    Regards,

    Aarti


    • Yes, this is something you need to have. Below is the example of the certificate if we need to connect to https://s1.ariba.com

      So the hostname in the URL which you want to connect to should be the CN name in the leaf certificate.

      2099883 - REST: SSL connections fail with remote certificate validation error

      But before implementing this note it's better to have an XPI run once. It is just deploying an EAR file; if you have NWDS it is pretty easy.

      2010715 - How to deploy/undeploy the XPI INSPECTOR

      And also I think your REST adapter is trying to read the SSL cert from the JDK instead of the trusted key store. There was this issue of the REST adapter reading the properties from the JDK instead of the IAIK library for the SSL/TLS version check, covered by the SAP note below.

      2229837 - REST receiver adapter is using SSL implementation provided by JDK

      Br,

      Manoj

  • Former Member
    Aug 23, 2017 at 09:28 AM

    Hi Manoj,

    Thanks for the info!

    I have uploaded all three certificates into the Trusted CAs list but the issue remains the same.

    Maybe I should try using XPI Inspector to find what the problem is.

    One more thing I forgot to add: there is a proxy in between the internal and external world.

    Does this problem arise due to that?

    If yes, then I can check with the Basis team.

    Regards,

    Aarti

  • Former Member
    Aug 24, 2017 at 11:29 AM

    Hi Manoj,

    I used the XPI Inspector tool today, and that tool proved extremely helpful.

    The problem is: the certificate which the API is using is different than the one I have downloaded from the browser.

    Now I have told the 3rd party to provide the right certificate which their API is referring to.

    Thanks!

    Best Regards,

    Aarti
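
The mismatch found at the end of this thread (the certificate the API presents is not the one exported from the browser) can be checked by comparing SHA-256 fingerprints. The following is an added example, not code from any poster or from SAP; the function names are hypothetical and the sample "certificates" are constructed placeholder bytes, not real certificates.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def split_bundle(pem_text):
    """Return every certificate in a PEM bundle as its own PEM string."""
    return PEM_BLOCK.findall(pem_text)

def fingerprint(pem_cert):
    """SHA-256 over the DER encoding, the value certificate viewers display."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()

def untrusted(presented_pem, trusted_pem):
    """Fingerprints of presented certificates that are absent from the trust list."""
    trusted = {fingerprint(c) for c in split_bundle(trusted_pem)}
    return [fp for fp in map(fingerprint, split_bundle(presented_pem))
            if fp not in trusted]

def fetch_leaf(host, port=443):
    """Leaf certificate as seen from THIS machine; run it on the integration
    host so the connection takes the same network path. Needs network access."""
    return ssl.get_server_certificate((host, port))

def constructed_pem(label):
    # Placeholder bytes wrapped in PEM armour; NOT a real certificate.
    return ssl.DER_cert_to_PEM_cert(b"constructed sample: " + label)

# Constructed sample: chain exported from the browser and imported as trusted.
BROWSER_EXPORT = "".join(
    constructed_pem(n) for n in (b"root", b"intermediate", b"leaf A"))
# Constructed sample: chain the API endpoint presents to the integration server.
API_PRESENTED = "".join(
    constructed_pem(n) for n in (b"intermediate", b"leaf B"))

if __name__ == "__main__":
    for fp in untrusted(API_PRESENTED, BROWSER_EXPORT):
        print("presented but not in trust list:", fp)
```

With real data, pass the PEM export of the trust list as `trusted_pem` and the output of `fetch_leaf` (or a chain saved from a trace) as `presented_pem`.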
