SSLCertificateException: Peer certificate rejected by ChainVerifier

Former Member
0 Kudos

Hi All,

I am having problems consuming a web service in a specific scenario:

I want to consume a web service via PI, using HTTPS SOAP, but the supplier that is hosting the web service doesn't have a certificate chain; there is no CA root and CA level, there is only a self-signed certificate that they created.

When I try to consume it, I get the following error: "SSLCertificateException: Peer certificate rejected by ChainVerifier".

I can consume their web service using XMLSPY. I also tried to consume it via a browser (Firefox), and I could after adding the certificate as an exception, but I receive as the response a message that says "SOAP is only supported using HTTP POST protocol".

Has anyone been able to consume a web service via PI with SSL using a self-signed certificate?

Thanks!

Leandro Von Zubem.

Accepted Solutions (0)

Answers (2)

0 Kudos

Hi Leandro,

1. The correct server certificate may not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:

Security Configuration at Message Level

http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm

2. The server certificate chain contains an expired certificate. Check for it (that was the cause for other customers as well) and, if that's the case, renew it or extend the validation.

3. Some other customers have reported a similar problem, and mainly the problem was that the certificate chain was not in the correct order. Basically, the server certificate chain should be in the order Own->Intermediate->Root. To explain in detail: say your server certificate is A, which is issued by an intermediate CA B, and B's certificate is issued by C, which is the root CA (having a self-signed certificate).

Then your certificate chain contains 3 elements, A->B->C. So you need to have the right order of certificates in the chain. If the order is B first, followed by A, followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order, then import this certificate in the TrustedCA keystore view and try again. Please take this third step as the principal one.

4. If the end point of the SOAP call (server) is configured to accept a client certificate (mandatory), then make sure that it is configured correctly in the SOAP channel and that it is also within its validity period. (This certificate is the one which is sent to the server for client authentication.)

As a resource, you may need to create a new SSL Server key.

The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site. I mean if I request URL X then the CN must be CN=X.

In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.

Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.

In any other case the SSL communication will not work.

Regards,

Caio Cagnani
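The chain-order, expiry and CN checks listed in the answer above can be run against the fields read off each certificate before importing it. The following is an added example, not part of the original thread and not SAP or IAIK code; the record layout, host name, CA names and dates are constructed for illustration, and the CN comparison follows the rule as the answer states it.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

def order_chain(certs):
    """Order certificates own -> intermediate -> root by following issuer links."""
    by_subject = {c["subject"]: c for c in certs}
    # Subjects that issued some *other* certificate in the set are CAs.
    cas = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs if c["subject"] not in cas]
    if len(leaves) != 1:
        raise ValueError("cannot identify a single own (end-entity) certificate")
    chain = [leaves[0]]
    while chain[-1]["issuer"] != chain[-1]["subject"]:  # stop at the self-signed cert
        nxt = by_subject.get(chain[-1]["issuer"])
        if nxt is None or nxt in chain:
            raise ValueError("chain broken at issuer '%s'" % chain[-1]["issuer"])
        chain.append(nxt)
    return chain

def check(presented, url, now):
    """Return findings for chain order, expiry and CN-versus-host."""
    try:
        chain = order_chain(presented)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    names = lambda cs: "->".join(c["subject"] for c in cs)
    if names(chain) != names(presented):
        findings.append("order is %s, expected %s" % (names(presented), names(chain)))
    findings += ["%s is expired" % c["subject"] for c in chain if c["not_after"] < now]
    host = urlsplit(url).hostname  # lower-cased host name or IP from the URL
    if chain[0]["subject"].lower() != host:
        findings.append("CN %s does not match requested host %s"
                        % (chain[0]["subject"], host))
    return findings

# Constructed sample data; "subject" holds the certificate CN.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample
def cert(subject, issuer, year):
    return {"subject": subject, "issuer": issuer,
            "not_after": datetime(year, 1, 1, tzinfo=timezone.utc)}
A = cert("ws.supplier.example", "Example Intermediate CA", 2025)
B = cert("Example Intermediate CA", "Example Root CA", 2023)  # already expired
C = cert("Example Root CA", "Example Root CA", 2030)
SELF_SIGNED = cert("ws.supplier.example", "ws.supplier.example", 2025)

if __name__ == "__main__":
    for finding in check([B, A, C], "https://10.0.0.5/soap", NOW):
        print(finding)
```

A lone self-signed certificate, as in the question, is a valid one-element chain here: it yields no findings as long as it is unexpired and its CN equals the host in the URL.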

srikanth_srinivasan3
Active Participant
0 Kudos

Add your certificate to TrustedCAs in Java key store as well as STRUST in ABAP stack.

-

Srikanth Srinivasan

Former Member
0 Kudos

Hello,

This was already done but still doesn't work.

I also did a refresh after adding the certificate in Java.

I don't know if this makes any difference, but my PI is upgraded to 7.1 version.

Best Regards,

Leandro Von Zubem.

srikanth_srinivasan3
Active Participant
0 Kudos

Is it the default java key store only that you are importing into?

If your server has multiple server nodes, you may have to import in all key stores.

Are you sure that the cert. properties are correct?

Was the cert. provided by the sender or extracted by you directly from the browser?

-

Srikanth Srinivasan