PROXY-TO-REST Synchronous scenario with SSL

Aug 22, 2017 at 03:53 PM

Former Member

Dear All,

I have configured a scenario PROXY-PI-REST.

PI version: 7.31, SP16

And while making an API call through the SAP PI REST adapter, I am getting an error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

I have gone through some blogs and links but could not resolve yet.

Steps I have done:

1. Got the Public ROOT certificate from 3rd party system.
2. Imported into Trusted CAs of NWA.

ssl.jpg
rest1.jpg
rest2.jpg
rest3.jpg

I don't have XPI Inspector installed.

I have tested the API call using Advanced REST Client, where I need to provide Basic authentication to authenticate us.

Can I get any help from anyone?

Regards,
Aarti


4 Answers

Best Answer
Manoj K Aug 22, 2017 at 04:08 PM
0

Hi Aarti,

In the screenshot of Trusted CAs the certificate is only the root certificate, but you need the complete chain of certificates, i.e. root, intermediate as well as leaf certificate.

The root certificate is usually provided by the CA authority; in your case it is provided by the DigiCert authority, but they should also have provided the intermediate as well as the signed leaf certificate for your third party, so ask your third party for the complete cert chain and import it in the Trusted CAs view. If it is possible to reach the third party via browser, then you can put that URL in the browser and get the chain path from there too.

You may consider installing XPI; it would be very helpful for debugging this kind of issue. XPI can actually tell which certs are missing, and you can download them from the XPI log too.

Br,

Manoj

Former Member Aug 22, 2017 at 04:20 PM
0

Hi Manoj,

This certificate I have downloaded from their site (the lock symbol). I could also see the chain of the certificates (Root->Intermediate->leaf).

So you mean I should be having 3 certificates in the Trusted CA list:

1. Root

2. Intermediate

3. leaf

Regards,

Aarti


Yes, this is something you need to have. Below is an example of the certificates if we need to connect to https://s1.ariba.com

So the hostname in the URL which you want to connect to should be the CN name in the leaf certificate.

2099883 - REST: SSL connections fail with remote certificate validation error

But before implementing this note, it's better to have an XPI run once. It is just deploying an EAR file; if you have NWDS it is pretty easy.

2010715 - How to deploy/undeploy the XPI INSPECTOR

And also I think your REST adapter is trying to read the SSL cert from the JDK instead of the trusted key store. There was this issue of the REST adapter reading the properties from the JDK instead of the IAIK library for the SSL/TLS version check, covered by the SAP note below.

2229837 - REST receiver adapter is using SSL implementation provided by JDK

Br,

Manoj

cert.png (10.8 kB)
cert.png (7.4 kB)
cert.png (15.4 kB)
0
Former Member Aug 23, 2017 at 09:28 AM
0

Hi Manoj,

Thanks for the info!

I have uploaded all three certificates into the Trusted CAs list but the issue remains the same.

Maybe I should try using XPI Inspector to find what the problem is.

One more thing I forgot to add: there is a proxy in between the internal and external world.

Did this problem arise due to that?

If yes, then I can check with the Basis team.

Regards,

Aarti


Aarti,

The proxy shouldn't be the problem, looking at the error.

You are able to hit the target REST API but have an SSL exception.

Br,

Manoj

0
Former Member Aug 24, 2017 at 11:29 AM
0

Hi Manoj,

I used the XPI Inspector tool today, and that tool proved extremely helpful.

The problem is: the certificate which the API is using is different than the one I have downloaded from the browser.

Now I have told the 3rd party to provide the right certificate which their API is referring to.

Thanks!

Best Regards,

Aarti
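
Added example, not part of any post in this thread: an offline OpenSSL lab that reproduces the two states discussed above, a trust store holding only the root, and an API certificate that differs from the one seen in the browser. All names (demo-root, demo-int, browser-leaf, api-leaf, other-root) are constructed, and openssl verify stands in here for the Java PKIX path builder that raised the exception.

```shell
#!/usr/bin/env bash
# Constructed lab: throwaway CAs and certificates, nothing taken from the thread.
set -eu
LAB=$(mktemp -d)
printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = unused' \
  '[ca]' 'basicConstraints = critical,CA:TRUE' \
  '[leaf]' 'basicConstraints = CA:FALSE' > "$LAB/cfg"

# new_root NAME: self-signed root CA, written to $LAB/NAME.pem and NAME.key
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$LAB/cfg" \
    -extensions ca -subj "/CN=$1" -keyout "$LAB/$1.key" -out "$LAB/$1.pem" 2>/dev/null
}

# issue NAME ISSUER EXT: NAME signed by ISSUER, EXT is the cfg section (ca or leaf)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$LAB/cfg" -subj "/CN=$1" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/$1.csr" -days 2 -CA "$LAB/$2.pem" -CAkey "$LAB/$2.key" \
    -CAcreateserial -extfile "$LAB/cfg" -extensions "$3" -out "$LAB/$1.pem" 2>/dev/null
}

# trusts LEAF CA...: true only if LEAF chains to a root using just the listed CAs
trusts() {
  leaf=$1; shift
  : > "$LAB/trust.pem"
  for ca in "$@"; do cat "$LAB/$ca.pem" >> "$LAB/trust.pem"; done
  openssl verify -CAfile "$LAB/trust.pem" "$LAB/$leaf.pem" >/dev/null 2>&1
}

# fp NAME: SHA-256 fingerprint, the value to compare between two copies of a cert
fp() { openssl x509 -in "$LAB/$1.pem" -noout -fingerprint -sha256; }

report() { if trusts "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }

new_root demo-root                        # chain seen in the browser
issue demo-int demo-root ca
issue browser-leaf demo-int leaf
new_root other-root                       # different chain behind the API
issue api-leaf other-root leaf

report browser-leaf demo-root             # root only: path cannot be built
report browser-leaf demo-root demo-int    # root + intermediate: path builds
report api-leaf demo-root demo-int        # API certificate from another chain
echo "browser: $(fp browser-leaf)"
echo "api:     $(fp api-leaf)"
```

Against a real endpoint, the same fingerprint comparison applies between the certificate the server actually presents and the file that was imported into the trust store.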