cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

PROXY-TO-REST Synchronous scenario with SSL

Go to solution
Former Member

on ‎08-22-2017 4:53 PM

0 Kudos

Dear All,

I have configured a scenario PROXY-PI-REST.

PI version: 7.31, SP16

And while making API call through SAP PI REST adapter I am getting an error.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

I have gone through some blogs and links but could not resolve yet.

Steps I have done:

1. Got the Public ROOT certificate from 3rd party system.
2. Imported into Trusted CAs of NWA.

ssl.jpg
rest1.jpg
rest2.jpg
rest3.jpg
I dont have XPI Inspector installed.
I have tested the API call using Advance rest client, where I need to provide Basic authentication to authenticate us.
Can I get any help from anyone?

Regards,
Aarti

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

manoj_khavatkopp
Active Contributor
‎08-22-2017 5:08 PM
0 Kudos

Hi Aarti,

In the screenshot of Trusted CAs the certificate is only root certificate , but you need the complete chain of certificate i.e root , intermediate as well as leaf certificate .

The root certificate is usually provided by CA authority in your case it is provided by Digi cert authority but they should have also provided the intermediate as well as signed leaf certificate for your third party , so ask your third party the complete cert chain and import in Trusted CA view. If it is possible to reach the third party via browser then you can put that URL in browser and get the chain path from there too.

You may consider installing xpi it would be very helpful to debug such kind of issues. xpi can actually tell what cert are missing and you can download from that xpi log too.

Br,

Manoj

Show replies
Show replies

Answers (3)

Answers (3)

Former Member
‎08-24-2017 12:29 PM
0 Kudos

Hi Manoj,

I used XPI Inspector tool, today and that tool proved extremely helpful.

The problem is: The certificate which the API is using is different than the one I have downloaded from the browser.

Now I have told 3rd party to provide the right certificate which their API is referring to.

Thanks!

Best Regards,

Aarti

Show replies
Show replies
Former Member
‎08-23-2017 10:28 AM
0 Kudos

Hi Manoj,

Thanks for the info!

I have uploaded all three certificates into Trusted CAs list but issue remains same.

May be I should try using XPI inspector to find what is the problem.

One more thing I forgot to add there is a proxy in between the internal and external world.

Is this problem arouse due to that?

If yes, then I can check with basis team

Regards,

Aarti

Show replies
Show replies
manoj_khavatkopp
Active Contributor
‎08-23-2017 10:55 AM
0 Kudos

Aarti,

Proxy shouldn't be the problem looking at the error.

You are able to hit the target Rest API but have SSL exception.

Br,

Manoj

Former Member
‎08-22-2017 5:20 PM
0 Kudos

Hi Manoj,

This certificate I have downloaded from their site (The lock symbol). I could also see the chain of the certificates.(Root->Intermediate->leaf

So u mean I should be having 3 certificates in Trustated CA list

1. Root

2. Intermediate

3. leaf

Regards,

Aarti

Show replies
Show replies
manoj_khavatkopp
Active Contributor
‎08-22-2017 5:59 PM
0 Kudos

Yes, this is something you need to have . Below is the example of certificate if we need to connect to https://s1.ariba.com

So your hostname in the URL which you want to connect should be CN name in leaf certificate.

2099883 - REST: SSL connections fail with remote certificate validation error

But before implementing this note its better to have a xpi run once. It is just deploying a EAR file if you have NWDS it is pretty easy .

2010715 - How to deploy/undeploy the XPI INSPECTOR

And also i think your REST adapter is trying to read the SSL cert from jdk instead of the trusted key store , there was this issue of Rest adapter reading the properties from JDK instead of IAIK library for SSL/TLS version check with below SAP note.

2229837 - REST receiver adapter is using SSL implementation provided by JDK

Br,

Manoj

Ask a Question