cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Server certificate rejected by ChainVerifier

Go to solution
Former Member

on ‎04-08-2010 7:57 PM

0 Kudos

I have a SSL connection that worked fine until the provider had to roll over onto the disaster recovery server. The yuse the same certificate on this server as the previouse server but now I get a Server certificate rejected by ChainVerifier error message. Since I connect using a URL and not IP address I did not think I needed to do anything. Does SAP some where store the IP address for the certificate? What eelse can I check?

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

justin_santhanam
Active Contributor
‎04-08-2010 8:09 PM
0 Kudos

Ron,

Can you check this thread and see if it helps?

raj.

Show replies
Show replies
Former Member
‎04-08-2010 10:02 PM
0 Kudos

I have tried these things and they did not help.

where can i find this "See Checking used credentials and URL.":

taken from

Symptom:

iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier

● Problem:

Server certificate not be accepted.

● Solution:

Add the certificate of the server to a keystore view that is used by the destination. See Checking used credentials and URL.

markangelo_dihiansan
Active Contributor
‎04-12-2010 8:59 AM
0 Kudos

Hi Ron,

When you open a certificate or view it, move under the general tab:

You will see an Issued To detail there. You must ensure that the Issued To is really the hostname that the backup server is using. If the hostnames do not match, the one being verified in XI/PI does not match the one being sent by your server, then this can be already a cause for the rejection. The reason for this is:

1. A different hostname might mean that this is a redirection attack and therefore a security issue

2. I am not sure if SSL Hostname Checking can be disabled in the ABAP Layer(STRUST/STRUSTSSO2).

Hope this helps,

Mark

Former Member
‎04-12-2010 9:05 AM
0 Kudos

Hi,

Just to add to Mark's post, you can disable strict hostname checking on Java by following the link:

http://help.sap.com/saphelp_nwpi711/helpdata/en/48/a9bb427e28674be10000000a421937/content.htm

If your target system is non-SAP, you won't have to worry about this setting on the ABAP stack.

Regards,

Gokhan

Former Member
‎04-12-2010 3:12 PM
0 Kudos

thanks Mark

the exact URL that they use is in both certificates as they do not use the IP

I can not find a setting in STRUST /STRUST02 to turn off strict checking

Former Member
‎04-12-2010 3:14 PM
0 Kudos

thanks S. Gökhan Topçu

We are pulling files off a FTPS site to put into SAP through XI.

I can not find where to enter this setting.

thanks

Ron

Former Member
‎04-12-2010 4:34 PM
0 Kudos

it looks like it is NOT checking for the exact name:

serverName\check = false

Answers (1)

Answers (1)

Former Member
‎04-12-2010 10:47 AM
0 Kudos

Their backup server's IP may not appear with FQDN matched the value contained in the signed-cert ... Even the DNS has been changed to refer to this backup server and the same hostname, the IP resolution might return sthg else ! Or they may not really use the same cert (and chain)

Rgds

Chris

Show replies
Show replies
Former Member
‎04-12-2010 3:16 PM
0 Kudos

when I ping -a IP both of the servers do return the exact ame URL

Ask a Question