Skip to Content
avatar image
Former Member

ELM send SOAP distributor - SSLCertificateException: certificate rejected

Hi,

I try to configure the Swiss income tax scenario ELM via our PI 7.11. The sending step produces the failure: SOAP: call failed: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVeri-fier

Usually I have to install the certificates from the https page, but I have already installed the them (from the https side of the distributor: https://distributor.swissdec.ch/services/elm-pucs-puns/SalaryDeclaration/20051002 ). I still get this error.

Is anybody else using transferring the ELM via PI and facing the same problem?

Thanks a lot,

Thomas

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    Nov 26, 2010 at 04:58 PM

    Hello,

    The main reasons for why you are receiving this error can be checked below:

    1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in these two URLs:

    Security Configuration at Message Level

    http://help.sap.com/saphelp_nwpi711/helpdata/en/48/a9bb487e28674be10000000a421937/frameset.htm

    2. The server certificate chain contains expired certificate. Check for it (that was the cause for other customers as well) and if it's the case renew it or extend the validation.

    3. Some other customers have reported similar problem and mainly the problem was that the certificate chain was not in correct

    order. Basically the server certificate chain should be in order Own->Intermedite->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by the C which is the root CA (having a self signed certificate).

    Then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificate in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third steps as the principal one.

    4. If the end point of the SOAP Call(Server) is configured to accept a client certificate(mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within validity period. (This certificate is the one which is sent to Server for Client authentication)

    As a resource, you may need to create a new SSL Server key.

    The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site. I mean if I request URL X then the CN must be CN=X.

    In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.

    Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.

    In any other case the SSL communication will not work.

    Hope that is useful for your case too!

    Regards,

    Caio Cagnani

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hi Caio,

      Thanks you for you answer. I have exported the certificate directly from the website with Firefox. This is also the recommended way in the ELM docu (with IE but I donu2019t think that this is the problem). The ordering etc., should therefore not be a problemu2026

      Regards,

      Thomas