Former Member

PI 7.1 certificate problem: Peer certificate rejected by ChainVerifier

I'm working on an RFC-to-SOAP scenario in PI 7.1, and I must connect PI to some external web services through HTTPS. To achieve this, I've configured the receiver SOAP channels using a digital certificate previously imported into the PI server.

The certificate is a PFX archive, and with it I had no problems connecting to said web services using the soapUI application (and after installing it in my internet browser, it can access the web services too). However, if I use my PI scenario, when going through the receiver SOAP channel I get the following error:

Message processing failed. Cause: 
com.sap.engine.interfaces.messaging.api.exception.MessagingException:
iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

I've searched for this error in the forums and read that it occurs because our certificate is not verified by a certificate authority. First it was imported in the Default keystore view, but after getting this error it has been imported in TrustedCAs following the note 694290 (though it is not specific to version 7.1) with no success.

I would need any indication about how to import said certificate in version 7.1, or the possible causes of the error.

Thanks in advance.

3 Answers

  • Feb 25, 2010 at 12:49 PM

    1. Check if the certificate has expired.

    2. Restart Java engine and reselect the certificate in receiver soap channel.

    Regards,

    Prateek

  • Former Member
    Feb 25, 2010 at 02:27 PM

    Hi Eduardo,

    To fix this problem you must install the Certificate Authorities in the Trusted CA keystore.

    The J2EE server must verify the certificate that the remote server sends in the handshake dialog. If the CAs of the remote server aren't installed in the Java Server, the certificate cannot be verified because you don't trust the server certificate.

    If you want to know how SSL works check this link. http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/60ff2883-70c5-2c10-f090-a744def2ba66

    Regards

    Ivá

  • Former Member
    Feb 25, 2010 at 04:58 PM

    I recently had a problem where the certificate I imported into the JavaWeb AS still didn't work. It was due to a discrepancy between the name in the certificate and the required server name of the FTP server in the Directory configuration. We created an alias in the etc/hosts file (we run UNIX) so that the two matched in both the certificate and the ID config since WebAS will be using the ID config to look up the certificate.

    Keep it in mind.

    Phil
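
The three answers point at three separate checks: expiry, a trusted issuing CA, and a host name that matches the certificate. As an added example (not from any poster and not SAP tooling), this script runs those checks with the openssl command line against a constructed throwaway CA and server certificate; all file names and host names in it are assumptions.

```bash
#!/usr/bin/env bash
# Added example. The CAs and the server certificate are constructed locally;
# demo-ca, unrelated-ca, pi-partner.example and ftp-alias.example are made-up names.

make_demo_pki() {  # $1 = directory for the throwaway keys and certificates
  local d=$1 ca
  # Minimal request config so the result does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=placeholder\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"
  for ca in demo-ca unrelated-ca; do   # two self-signed root CAs
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=$ca" -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
  done
  # Server certificate for pi-partner.example, issued by demo-ca, valid for 10 days
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=pi-partner.example" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:pi-partner.example\n' > "$d/san.cnf"
  openssl x509 -req -in "$d/srv.csr" -CA "$d/demo-ca.pem" -CAkey "$d/demo-ca.key" \
    -CAcreateserial -days 10 -extfile "$d/san.cnf" -out "$d/srv.pem" 2>/dev/null
}

# $1 = peer certificate, $2 = file with the trusted CA(s),
# $3 = host name used in the channel URL, $4 = optional look-ahead in seconds
check_peer() {
  local findings=""
  # Answer 1: is the certificate expired (or expiring within the look-ahead)?
  openssl x509 -in "$1" -noout -checkend "${4:-0}" >/dev/null 2>&1 \
    || findings="$findings EXPIRY"
  # Answer 2: does the chain end in a CA we trust?
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 \
    || findings="$findings UNTRUSTED_ISSUER"
  # Answer 3: does the configured host name match the certificate?
  openssl x509 -in "$1" -noout -checkhost "$3" 2>/dev/null | grep -q "does match" \
    || findings="$findings NAME_MISMATCH"
  echo ${findings:-OK}   # unquoted on purpose: trims the leading space
  [ -z "$findings" ]
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_demo_pki "$work"
check_peer "$work/srv.pem" "$work/demo-ca.pem"      pi-partner.example || true  # OK
check_peer "$work/srv.pem" "$work/unrelated-ca.pem" pi-partner.example || true  # UNTRUSTED_ISSUER
check_peer "$work/srv.pem" "$work/demo-ca.pem"      ftp-alias.example  || true  # NAME_MISMATCH
```

The second call reproduces the situation in the question: the peer certificate is valid, but the CA that issued it is not among the trusted ones, so chain verification fails.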
