
Error while configuring SSL connection in UME to set LDAP as back-end

Hello Everyone,

I am trying to configure SSL in SAP NW AS JAVA UME to set Microsoft AD as a back-end source system.

Connection to LDAP server using 389 port is successful.

But I get the following error while trying to validate the configuration over port 636 with the "use SSL for LDAP server access" option enabled.

Validation failed. Technical detail: No connection to the ldap server: <AD_HostName>:636 CausePeer certificate rejected by ChainVerifier RootCause:Peer certificate rejected by ChainVerifier

Telnet from SAP NW AS JAVA server to Microsoft AD is working fine over the 636 port.

After a Google search, I found this SCN wiki link, but I am unable to understand it properly. As per the SCN wiki post, when I opened the URL http://<host>:<port>/nwa/DestinationTemplates, it was found to be empty. Attached is the screenshot for reference.

The Basis team informed me that they have uploaded the AD root certificate successfully in SAP NWA and that the connection over SSL was working earlier. Can anybody help me with how I can verify the AD root certificate in SAP NWA and fix this error?

I am on SAP NW AS JAVA 7.4 with SAP IDM 8.0.

Regards,

C Kumar


2 Answers

  • May 22, 2018 at 07:44 AM

    Hi Kumar,

    The message "Peer certificate rejected by ChainVerifier" happens when the root CA of the LDAP SSL certificate is missing from the Java keystore.

    Please double check that the root CA is imported into the TrustedCAs view and that no other certificate exists with the same issuer.

    See the online help:

    https://help.sap.com/viewer/a42446bded624585958a36a71903a4a7/7.3.18/en-US/fadc74a374ec4b91a9e8eb84966d3329.html?q=LDAP%20SSL

    Best regards,

    Antal


    • Hi Kumar,

      The red flag appears because some of the certificates have expired; they can be removed.

      The intermediate and root CAs of the LDAP server must be in this list.

      If the LDAP server SSL certificate is:

      subject: CN="ldapserverhostname.with.domain"

      issuer: CN="ACME Root CA"

      then there must be a certificate in the TrustedCAs with the issuer CA, where

      subject: CN="ACME Root CA"

      issuer: CN="ACME Root CA"

      In case there is an intermediate CA, it must be there as well. You need to ensure that all these certificates are present in TrustedCAs.

      Best regards,

      Antal

  • May 20, 2018 at 05:37 PM

    Dear C Kumar,

    Probably there is a wrongly generated SSL certificate that is used for the LDAP connection.

    Check the details of the certificate that is used for the LDAP connection, e.g. on the path: NWA -> Configuration -> SSL -> ssl-credentials

    Check in the certificate itself what you have under the value CN=<XXXXX>.

    Please keep in mind that the CN must be equal to the FQDN of the server that you are trying to access.

    Please try to recreate the certificate with the correct CN, generate the CSR request and sign it with a Certification Authority. When you receive the CSR response from the Certification Authority, you can import it over the actual certificate installed.

    Regards,
    Barnabás Paksi

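Both answers describe checks that a chain verifier makes before it accepts an LDAPS certificate: the root CA must be in the trust store, any intermediate CA must be available, and the certificate name must match the host being contacted. The script below is an added example, not code from this thread, from SAP or from Microsoft; it builds a throwaway PKI with the same shape as Antal's illustration ("ACME Root CA" signing an issuing CA, which signs the server certificate for ldapserverhostname.with.domain) and reproduces each outcome with the openssl CLI. It assumes openssl 1.1.0 or newer is on PATH; the CA name "ACME Issuing CA" and the host name other.host.example are constructed placeholders. Against a real server the same subject/issuer comparison is done on the certificate chain that `openssl s_client -connect <AD_HostName>:636 -showcerts` prints.

```shell
#!/bin/sh
# Added example (not from the SAP Community thread): a throwaway PKI shaped like
# the chain in the answers above, plus the three checks a chain verifier performs.
# Assumption: the openssl CLI (1.1.0 or newer) is installed. All names are
# constructed placeholders taken from the answer's illustration.

LDAP_FQDN="ldapserverhostname.with.domain"

# Build root CA, intermediate CA and server certificate under directory $1.
make_demo_pki() {
    dir="$1"
    # CA extensions: a certificate may only sign others if it carries CA:TRUE.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    # Server extensions: modern verifiers match the host name against the SAN,
    # older ones against the CN, so both carry the FQDN.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$LDAP_FQDN" \
        > "$dir/leaf.ext"
    # Root CA: self-signed, so subject and issuer are both "ACME Root CA".
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ACME Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null || return 1
    # Intermediate CA: subject "ACME Issuing CA", issuer "ACME Root CA".
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ACME Issuing CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 30 -in "$dir/int.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null || return 1
    # LDAP server certificate: CN equals the FQDN the UME connects to.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$LDAP_FQDN" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null || return 1
}

# Subject or issuer of a PEM certificate ($1 = subject|issuer, $2 = file),
# without the "subject="/"issuer=" prefix: the two fields to compare when
# deciding which CA entry TrustedCAs has to contain.
cert_field() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Root in the trust store and intermediate supplied: verification succeeds.
verify_full_chain() {
    openssl verify -CAfile "$1/root.pem" -no-CApath -untrusted "$1/int.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

# Trust store without the root CA (the situation behind the question's error):
# no trusted anchor can be reached, so the peer certificate is rejected.
verify_without_root() {
    openssl verify -no-CAfile -no-CApath -untrusted "$1/int.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

# Root trusted but intermediate absent: the chain cannot be built either.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.pem" -no-CApath "$1/leaf.pem" >/dev/null 2>&1
}

# Full chain plus a host-name check against $2, as a TLS client does.
verify_for_host() {
    openssl verify -CAfile "$1/root.pem" -no-CApath -untrusted "$1/int.pem" \
        -verify_hostname "$2" "$1/leaf.pem" >/dev/null 2>&1
}

# Print "accepted" or "rejected" for the check given as arguments.
report() {
    if "$@"; then echo "accepted"; else echo "rejected"; fi
}

run_demo() {
    d=$(mktemp -d) || return 0
    if ! make_demo_pki "$d"; then
        echo "openssl could not build the demo PKI"; rm -rf "$d"; return 0
    fi
    echo "server cert issuer   : $(cert_field issuer "$d/leaf.pem")"
    echo "intermediate subject : $(cert_field subject "$d/int.pem")"
    echo "root subject / issuer: $(cert_field subject "$d/root.pem") / $(cert_field issuer "$d/root.pem")"
    printf 'full chain, root trusted      : '; report verify_full_chain "$d"
    printf 'root missing from trust store : '; report verify_without_root "$d"
    printf 'intermediate missing          : '; report verify_without_intermediate "$d"
    printf 'host name %s : ' "$LDAP_FQDN"; report verify_for_host "$d" "$LDAP_FQDN"
    printf 'host name other.host.example  : '; report verify_for_host "$d" other.host.example
    rm -rf "$d"
    return 0
}

run_demo
```

The two "rejected" lines are the openssl counterparts of "Peer certificate rejected by ChainVerifier": the server certificate is fine, but the client has no path from it to a trusted self-signed root. The host-name check is the second answer's point: even with a complete chain, a CN (or SAN) that differs from the name in the LDAP destination is rejected.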