cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Error while configuring https in pi 7.3 dual stack: Urgent Plz help

Go to solution
shashi_patan
Active Participant

on ‎09-12-2017 2:36 AM

0 Kudos

I am listing everything i have done till toady in PI .

1) Implemented all steps as per below link. https://blogs.sap.com/2012/04/01/ssl-https-configuration-in-sap-pi-systems-as-of-release-pi-710-step...

1.1) imported certificate in below order

a) PI Dev Certificate

b) Root Certificate

2) set port 50001 in exchange profile for all https parameters and deleted 50000 from existing http profile.

3) set below parameters in ICM; restarted pi system and hence all http is now redirecting to https. icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https, HOST=xyz.abv.com, PORT=50001

Problem/Error: When double click on channel in PI i am getting below error.

Inline image 1

Inline image 2

T

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

shashi_patan
Active Participant
‎10-02-2017 1:08 PM
0 Kudos

Issue resolved by importing certificate in right order. root --intermediate and server certificate.

also import the certificate in trusted ca.

Show replies
Show replies

Answers (3)

Answers (3)

former_member190293
Active Contributor
‎09-12-2017 9:50 AM
0 Kudos

Hi Shashi!

https://archive.sap.com/discussions/thread/1836216

...The main reasons for this error could be checked in the steps below:

1. The correct server certificate could not be present in the TrustedCA

keystore view of NWA. Please ensure you have done all the steps described in these two URLs:

Security Configuration at Message Level

http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm

2. The server certificate chain contains expired certificate. Check for

it (that was the cause for other customers as well) and if it's the case

renew it or extend the validation.

3. Some other customers have reported similar problem and mainly the

problem was that the certificate chain was not in correct order. Basically the server certificate chain should be in order

Own->Intermedite->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by the C which is the root CA (having a self signed certificate).

Then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificate in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI

cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third steps as the principal one.

As a resource, you may need to create a new SSL Server key.

The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site. I mean if I request URL X then the CN must be CN=X.

In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.

Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.

In any other case the SSL communication will not work.

Hope the information help!...

Some people say that even restarting the server could help.

Regards, Evgeniy.

Show replies
Show replies
shashi_patan
Active Participant
‎09-13-2017 5:01 AM
0 Kudos

Retarding this sequence. I talked to the the person who sent me signed certificate. He said he has no intermediate certificate . he said i uploaded the certificate/private key (generated by pi) and he got the public key. so he sent me only two file

1) certificate and

2) root certificate

So i uploaded first and then 2nd.

I think i am right ?

shashi_patan
Active Participant
‎09-12-2017 8:22 AM
0 Kudos

Attempt to access application REPOSITORY using HTTP Method Invocation (HMI) failed. Detailed information: Invoking ROA method "ReadObjects" via HMI ... FAILED due to following exception: Message: Connection to system REPOSITORY using application REPOSITORY lost. Detailed information: Error receiving http response from URL "https://XYZ.A.B.C:50001/rep/remoteobjectaccess/int?container=ejb"! Details: caught exception Message: Peer certificate rejected by ChainVerifier Stacktrace: org.w3c.www.protocol.http.HttpException: Peer certificate rejected by ChainVerifier iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier at iaik.security.ssl.r.checkIsTrusted(Unknown Source) at iaik.security.ssl.x.b(Unknown Source) at iaik.security.ssl.x.a(Unknown Source) at iaik.security.ssl.r.d(Unknown Source) at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source) at iaik.security.ssl.SSLTransport.getOutputStream(Unknown Source) at iaik.security.ssl.SSLSocket.getOutputStream(Unknown Source) at org.w3c.www.protocol.http.HttpBasicConnection.a(SourceFile:459) at org.w3c.www.protocol.http.HttpBasicServer.getConnection(SourceFile:446) at org.w3c.www.protocol.http.HttpBasicServer.runRequest(SourceFile:1208) at org.w3c.www.protocol.http.HttpManager.runRequest(SourceFile:1141) at org.w3c.www.protocol.http.HttpURLConnection.connect(SourceFile:235) at com.sap.engine.httpdsrclient.protocols.instrumented.https.DSRHttpsURLConnection.connect(DSRHttpsURLConnection.java:77) at com.sap.aii.utilxi.hmi.api.HmiHttpJDKClient.sendRequestAndReceiveResponse(HmiHttpJDKClient.java:169) at com.sap.aii.utilxi.hmi.api.HmiClientAdapter.invokeMethod(HmiClientAdapter.java:92) at com.sap.aii.ib.core.roa.RoaServiceImpl.readObjectsImpl(RoaServiceImpl.java:231) at com.sap.aii.ib.core.roa.RoaServiceImpl.readObjects(RoaServiceImpl.java:367) at com.sap.aii.ib.server.cpa.AdapterMDCache.readObject(AdapterMDCache.java:224) at com.sap.aii.ib.server.cpa.AdapterMDCache.actualize(AdapterMDCache.java:214) at com.sap.aii.utilxi.core.cache.MapBasedCache.getValue(MapBasedCache.java:125) at com.sap.aii.utilxi.core.cache.Cache.getSingleValue(Cache.java:112) at com.sap.aii.utilxi.core.cache.Cache.get(Cache.java:87) at com.sap.aii.ib.server.cpa.AdapterMDCache.get(AdapterMDCache.java:186) at com.sap.aii.utilxi.core.cache.Cache.getValue(Cache.java:204) at com.sap.aii.utilxi.core.cache.Cache.getSingleValue(Cache.java:112) at com.sap.aii.utilxi.core.cache.Cache.get(Cache.java:87) at com.sap.aii.utilxi.core.cache.Cache.getValue(Cache.java:204) at com.sap.aii.utilxi.core.cache.Cache.getSingleValue(Cache.java:112) at com.sap.aii.utilxi.core.cache.Cache.get(Cache.java:87) at com.sap.aii.ib.server.misc.MiscServicesBean.getAdapterMetadata(MiscServicesBean.java:75) at sun.reflect.GeneratedMethodAccessor598.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.sap.engine.services.ejb3.runtime.impl.RequestInvocationContext.proceedFinal(RequestInvocationContext.java:47) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:166) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_StatesTransition.invoke(Interceptors_StatesTransition.java:19)

Show replies
Show replies
JaySchwendemann
Active Contributor
‎09-12-2017 7:49 AM
0 Kudos

Unfortunately the inline Images are not visible. Could you please try again?

Show replies
Show replies
Ask a Question