on 04-18-2012 7:58 AM
Hi SCN,
Good day.
We have recently renewed our SSL certificate for SAP PI 7.1 system and asked our trading partners to update and install our new certificate.
After the update, everything seems to be fine with other partners which use HTTP as transport protocol. However, we are encountering the below error with one of our partners which uses HTTPS.
Message could not be forwarded to the JCA adapter. Reason: Fatal exception: javax.resource.ResourceException: SEEBURGER AS2: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found # , SEEBURGER AS2: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found #
Previously, the connection seemed to work using the old SSL certificate.
Some facts:
Could you let us know what is causing the error?
Is it possible that the new SSL certificate from Entrust is not applicable for HTTPS connection?
Is there a specific certificate for HTTP and HTTPS connection?
Thank you,
Carlo
Hello Clemente Carlo Borja,
We are connecting to a webMethods AS2 server. I am facing a similar issue and getting SEEBURGER AS2: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate # too. In our case we are using client authentication additionally. Is it possible for you to recall more about what your partner did?
My partner is telling me everything is correct there, so exact information would be helpful.
Hi All,
Thank you for all your inputs.
After weeks of troubleshooting this issue, we have finally solved it.
Apparently the cause of the "SSL Handshake - Bad certificate error" is that the trading partner did not trust our public certificate.
The partner is using the webMethods application, and after placing our public certificate on their trustedCA the connection worked fine.
Hello,
Have you updated the cert in the Java and ABAP stacks properly?
Have you replaced the old certificate everywhere and restarted the Java-stack? Maybe the connection still refers to the old cert and therefore cannot complete the SSL handshake to encrypt the HTTP connection (which makes it HTTPS).
As HTTP isn't encrypted no SSL-certificate is required as already mentioned.
Regards,
Phillip
We are using SAP PI 7.1 and all certificates (own and partner) are stored in NWA. All certificates are properly installed as we are able to use HTTP connection without problems.
I have learned that an HTTPS connection over AS2 uses encryption on the HTTP layer (through SSL) and on the message layer (through SMIME).
Is there a different keystore for storing the certificate for the HTTP layer?
Does this error indicate that we have missing certificate for HTTP layer?
SEEBURGER AS2: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found #
Hi All,
I was able to eliminate the error "No trusted certificate found" by pointing the SSL Certificate - Server Certificate (Keystore) found in the receiver comm. channel to the partner's certificate.
However, upon sending a test message, I get a bad certificate error.
SEEBURGER AS2: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate # .
Anyone know how to solve this issue?
Is it possible that the certificate is in another format than before?
Maybe in a format the receiver doesn't understand?
Another idea to think of:
Are you using mutual authentication?
That means, that not only the server needs to authenticate via SSL-certificate (which is one-way-authentication and always needed to establish an SSL-connection) but also the client has to present its cert to the server with whom he's communicating.
Therefore it has to be considered whether the PI is on the server side of the connection or on the client side. And the certificates for either situation have to be present.
Hello,
It looks like a transport level issue. Were you able to install your renewed certificate into your PI system? The HTTP connections will work because a certificate is not required.
Regards,
Mark
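Added example, not part of the original thread or of any SAP or SEEBURGER code: the two handshake errors quoted above are raised on opposite sides of the connection, so a small Python triage over the adapter error lines shows whose trust store to inspect. The advice strings and the third sample line are constructed, and the set of certificate-related TLS alerts goes beyond the single `bad_certificate` case seen in the thread.

```python
import re

# Added example, not code from the thread; the advice strings are its own wording.
# SAMPLE: the two errors quoted in the thread plus one constructed non-error line.
ALERT = re.compile(r"Received fatal alert: (\w+)")
LOCAL = re.compile(r"ValidatorException: ([^#,]+)")
ADAPTER = re.compile(r"(\w[\w ]*?): javax\.net\.ssl\.SSLHandshakeException")
# TLS alert names that concern a certificate (RFC 5246 error alerts).
CERT_ALERTS = {"bad_certificate", "unsupported_certificate", "certificate_revoked",
               "certificate_expired", "certificate_unknown", "unknown_ca"}


def triage(line):
    """Say which TLS peer refused the handshake reported in one error line."""
    adapter = ADAPTER.search(line)
    out = {"adapter": adapter.group(1) if adapter else None,
           "rejected_by": None, "detail": None, "check": None}
    alert, local = ALERT.search(line), LOCAL.search(line)
    if alert:
        # "Received fatal alert" means the remote peer sent the alert to us.
        name = alert.group(1)
        check = ("partner's trust store: our certificate or its issuing CA"
                 if name in CERT_ALERTS else "partner's TLS log for this alert")
        out.update(rejected_by="remote", detail=name, check=check)
    elif local:
        # The validator in the local JVM could not anchor the peer's chain.
        out.update(rejected_by="local", detail=local.group(1).strip(),
                   check="our trust store: partner's certificate or its issuing CA")
    return out


def progress(lines):
    """Ordered, de-duplicated (side, detail) findings across a log excerpt."""
    seen = []
    for t in map(triage, lines):
        key = (t["rejected_by"], t["detail"])
        if t["rejected_by"] and key not in seen:
            seen.append(key)
    return seen


SAMPLE = [
    "SEEBURGER AS2: javax.net.ssl.SSLHandshakeException: sun.security.validator."
    "ValidatorException: No trusted certificate found # ",
    "SEEBURGER AS2: javax.net.ssl.SSLHandshakeException: "
    "Received fatal alert: bad_certificate # .",
    "SEEBURGER AS2: message delivered",  # constructed line, no handshake error
]
```

A log that moves from the local finding to the remote one, as this thread did, indicates that server authentication now passes and the remaining rejection is of the certificate presented by the sending side.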