on 04-08-2010 7:57 PM
I have an SSL connection that worked fine until the provider had to roll over onto the disaster recovery server. They use the same certificate on this server as the previous server but now I get a Server certificate rejected by ChainVerifier error message. Since I connect using a URL and not IP address I did not think I needed to do anything. Does SAP somewhere store the IP address for the certificate? What else can I check?
I have tried these things and they did not help.
Where can I find this "See Checking used credentials and URL.":
taken from
Symptom:
iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
● Problem:
Server certificate not be accepted.
● Solution:
Add the certificate of the server to a keystore view that is used by the destination. See Checking used credentials and URL.
Hi Ron,
When you open a certificate or view it, move under the general tab:
You will see an Issued To detail there. You must ensure that the Issued To is really the hostname that the backup server is using. If the hostnames do not match, that is, the one being verified in XI/PI does not match the one being sent by your server, then this can already be a cause for the rejection. The reason for this is:
1. A different hostname might mean that this is a redirection attack and therefore a security issue
2. I am not sure if SSL Hostname Checking can be disabled in the ABAP Layer (STRUST/STRUSTSSO2).
Hope this helps,
Mark
Hi,
Just to add to Mark's post, you can disable strict hostname checking on Java by following the link:
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/a9bb427e28674be10000000a421937/content.htm
If your target system is non-SAP, you won't have to worry about this setting on the ABAP stack.
Regards,
Gokhan
Their backup server's IP may not appear with an FQDN matching the value contained in the signed cert ... Even if the DNS has been changed to refer to this backup server and the same hostname, the IP resolution might return something else! Or they may not really use the same cert (and chain).
Rgds
Chris
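
The two causes raised in this thread (a hostname that does not match the certificate's Issued To, and a certificate or issuer missing from the keystore view used by the destination) can be told apart with a small check. This is an added example, not part of the original posts and not SAP code; it reads certificate fields in the dictionary layout of Python's `ssl.SSLSocket.getpeercert()`, all names and keystore contents are constructed, and trust is approximated by comparing names rather than verifying signatures.

```python
# Added example: classify why a server certificate would be rejected.
# Certificates use the dict layout of ssl.SSLSocket.getpeercert().
# All names are constructed; trust is approximated by name comparison only.

def rdn_value(rdns, key):
    """Return the first value of `key` (e.g. commonName) from an RDN tuple."""
    return next((v for rdn in rdns for k, v in rdn if k == key), None)

def name_matches(pattern, host):
    """Compare one certificate name with the host; '*' covers one left label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def presented_names(cert):
    """DNS subjectAltName entries; fall back to the subject CN if none."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    cn = rdn_value(cert.get("subject", ()), "commonName")
    return sans or ([cn] if cn else [])

def diagnose(cert, host, trusted_subjects):
    """Return the reasons a chain verifier could reject `cert` for `host`."""
    reasons = []
    names = presented_names(cert)
    if not any(name_matches(n, host) for n in names):
        reasons.append("hostname mismatch: %s not in %s" % (host, names))
    issuer = rdn_value(cert.get("issuer", ()), "commonName")
    subject = rdn_value(cert.get("subject", ()), "commonName")
    if issuer not in trusted_subjects and subject not in trusted_subjects:
        reasons.append("untrusted: neither %s nor issuer %s in keystore"
                       % (subject, issuer))
    return reasons

# Constructed sample data: primary and disaster-recovery certificates.
PRIMARY = {"subject": ((("commonName", "api.example.com"),),),
           "issuer": ((("commonName", "Example Issuing CA"),),),
           "subjectAltName": (("DNS", "api.example.com"),)}
DR = {"subject": ((("commonName", "dr01.example.net"),),),
      "issuer": ((("commonName", "Other CA"),),)}
KEYSTORE = {"Example Issuing CA"}  # constructed keystore view contents

if __name__ == "__main__":
    for label, cert in (("primary", PRIMARY), ("dr", DR)):
        print(label, diagnose(cert, "api.example.com", KEYSTORE) or "ok")
```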