on 07-17-2018 7:37 AM
Hi Experts,
We are facing an exception with SSL connectivity on an AS2 receiver channel using an https URL. We received the SSL certificate of the external partner system and deployed it in the "TrustedCAs" keystore view in NWA, but we still get the exception below when trying to post to the external partner system.
"Message could not be forwarded to the JCA adapter. Reason: Message cannot be delivered: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
MP: exception caught with cause javax.resource.ResourceException: Message cannot be delivered: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Transmitting the message to endpoint <local> using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: javax.resource.ResourceException: Message cannot be delivered: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier "
We noticed that the partner certificate is self-signed (not signed by any signing authority), so no root and intermediate certificates are available. Is this creating the issue? We are using SAP PO 7.5 single stack. Does PO accept only signed certificates for SSL connections?
Kindly share your views in resolving this.
Thanks,
Raj.
Follow the steps below to resolve the issue:
1. Access the web-service URL in a browser and check validity and issuer.
2. Export the certificates and save them locally.
3. Import the certificates into PI --> NWA --> Keystore --> Keystore View (example: TrustedCAs).
4. If the issue still persists, remove old or expired certificates from the keystore, or do a CPACache refresh.
Thanks - Sankar
Hi Raj,
If the URL is a publicly accessible URL, please open the URL in a browser, check the certificate of that URL and make sure you have imported that certificate into TrustedCAs in NWA.
Also check the validity date of that certificate, if it is expired get new certificate from partner.
Regards
Pavan
Hello Raj,
Please check that all certificates are imported in the "TrustedCAs" view in NWA for the link you are trying to reach.
There should be one root certificate and then the constitutive certificates, so please import those and check.
Regards,
Khaja.
Hi Khaja,
I compared the hostname with the certificate, and the hostname is the URL, which is exactly the same. If it is a self-signed certificate, there is no chance of multiple chain certificates, only one, i.e. nothing but a hostname-based one.
For test, I removed and re-imported the certificates and tried again, but no luck.
Regards,
Raj
Hi Khaja,
For confidential reasons, can't share the URL.
I tried to access the URL https://<hostname>:<port> in a web browser to download the certificate, but the URL is not accessible due to firewall access issues.
Thanks for your help.
Regards,
Raj.
Hi Raj,
Please try that channel with XPI Inspector as per the following weblog.
https://blogs.sap.com/2015/12/10/using-xpi-inspector-to-troubleshoot-http-ssl-connections/
Regards,
Karimulla
Hi Karimulla,
Yes, I did the same, generated traces using xpi_inspector and found the exception below in the logs.
"ssl_debug(4):Chain Verifier: No trusted certificate found, rejected.
ssl_debug(4):Sending alert: Alert Fatal:Bad certificate
ssl_debug(4):Shutting down SSL Layer
ssl_debug(4):SSL Exception while handshaking: Peer certificate rejected by Chain Verifier"
Regards,
Raj.
Hi Raj,
The exception
iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
happens because the certificate chain cannot be verified, as some of the certificates are missing from the trusted keystore.
First you need to find out the certificate chain entries, then include the public keys of the CAs in the trusted keystore.
In case the remote server SSL certificate is self-signed, you need to import the self-signed certificate itself into the trusted keystore.
Best regards,
Antal
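As an added example, not from this thread or from SAP: a Java 8 program to run from the PO host (which, unlike the browser here, can reach the partner) that records the certificate chain the partner server actually presents and checks, for each certificate, its validity and whether the same certificate is present in an exported copy of the TrustedCAs keystore. Host, port, keystore path and password are assumed command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

public class PeerChainCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];                 // partner hostname (assumed argument)
        int port = Integer.parseInt(args[1]);  // partner HTTPS port (assumed argument)
        // Exported copy of the TrustedCAs view as PKCS12 (assumed path and password)
        KeyStore trusted = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[2])) {
            trusted.load(in, args[3].toCharArray());
        }
        // Accept-all trust manager so the handshake completes and the presented
        // chain can be captured; it only observes, PO's own verifier is untouched.
        final X509Certificate[][] presented = new X509Certificate[1][];
        TrustManager capture = new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) { presented[0] = c; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setServerNames(Collections.singletonList(new SNIHostName(host))); // send SNI like a browser
            s.setSSLParameters(p);
            s.startHandshake();
        }
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (X509Certificate c : presented[0]) {
            StringBuilder fp = new StringBuilder();
            for (byte b : sha256.digest(c.getEncoded())) fp.append(String.format("%02X", b & 0xff));
            boolean selfSigned = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            System.out.println("subject: " + c.getSubjectX500Principal());
            System.out.println("issuer : " + c.getIssuerX500Principal() + (selfSigned ? " (self-signed)" : ""));
            System.out.println("sha256 : " + fp);
            try { c.checkValidity(); System.out.println("valid  : until " + c.getNotAfter()); }
            catch (CertificateException e) { System.out.println("valid  : NO, " + e.getMessage()); }
            // A self-signed server certificate must itself be the trust anchor; a CA-issued one needs its CA chain.
            String alias = trusted.getCertificateAlias(c);
            System.out.println(alias != null ? "trusted: yes (alias '" + alias + "')" : "trusted: NO, not in keystore");
        }
    }
}
```

A presented certificate reported as not in the keystore is the one the ChainVerifier is actually rejecting, and therefore the one to import, whatever certificate was received from the partner out of band.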
Hi Antal,
I checked the remote server SSL certificate, which is a self-signed one, so there is no intermediate and root certificate chain. This self-signed certificate is already imported into TrustedCAs in NWA.
For self-signed certificates, does PO verify chain entries? Any suggestions?
Thanks,
Raj