on 10-17-2007 9:31 AM
Hi folks,
We are trying to set up a scenario with an external partner where we are sending content via FTPS to their server. We will log on to their system using X.509 client certificates.
We are having issues in getting this to work properly. Our system has been SSL enabled, a server certificate is installed, etc ...
We have configured the channel to use X.509 certificates and filled in the keystore and certificate reference.
When we try to connect then we get an SSL error ... When we look at the trace then an exception is occurring on the following code:
com.sap.aii.security.lib.net.ssl.impl.IAIKSSLContextInternalImpl#sap.com/com.sap.aii.af.app#com.sap.aii.security.lib.net.ssl.impl.IAIKSSLContextInternalImpl.getClientCredentials(Principal[], byte[], PublicKey)
#/Applications/ExchangeInfrastructure/Security#Plain###Could not retrieve key and cert to use for X.509 client authentication. Trying anonymous SSL connection.#
It seems that XI is not able to get the configured certificate out of its store ... and then just doesn't present a client certificate?
We have a couple of questions:
a) Can we use the public key of our server certificate as client certificate ? ( This is done all the time with other software ) ... Or do we need to generate a specific client certificate ...
b) The description on the communication channel says: "X.509 Certificate and Private Key" - it sounds like you need to configure 2 values here but via the dropdown list only one can be selected ... I am just asking as we tried it obviously with only 1 value and that didn't work.
c) Do we need to use a specific key store and/or are special authorizations needed by any kind of internal XI user to access the store ? For the moment our server certificate is sitting in the store 'service_ssl'
Thanks,
Steven
Hi Steven,
this post seems a bit old but we are getting the same error you had before. How did you actually resolve it?
Hi Iddo,
If the Service restart does not help then you may need to check for your certificate and confirm
Regards,
Nipun
Thanks Bai and Nipun,
The certificate is in X.509 format. I have another thread which deals with this issue: http://scn.sap.com/message/14361878 More details can be found there. I also restarted the whole system several times, no luck.
I am however curious about the permissions which are needed. How can I check that?
Iddo