cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSLCertificateException: Peer certificate rejected by ChainVerifier

Go to solution
former_member303666
Active Participant

on ‎12-13-2012 5:10 PM

0 Kudos

Hi,

I am getting Peer certificate rejected by ChainVerifier in Receiver communication.

I have go through so many documents, i could not get out from this issue.

Here my scenario is INVOICE .. PI .. WS

In R/3 system

Once i Triggered the I DOC from R/3 system. it is showing 03 successful status.

PI system

IDX5 ... once i click the inbound idoc. is take into the moni. in MONI it self it is showing checked flag (successful stauts). there is no error.

in Receiver communication channel it is show below certificats error.

in message ID also it is same error.

I have checked the certificates in PI system with STRUST Tcode. All certificates are in live.

Basis team also working on this issure.

have any possible ways to resolve this error.

Regards,

Kesava




Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member181985
Active Contributor
‎12-14-2012 8:31 AM
0 Kudos

what is your PI version?

check "Rajkumar Rajagopal" reply: http://scn.sap.com/message/11074837

Show replies
Show replies
former_member303666
Active Participant
‎12-14-2012 9:52 AM
0 Kudos

Hi Preveen,

what is your PI version?

PI 7.11

Regards,

Kesava

former_member303666
Active Participant
‎12-15-2012 10:08 AM
0 Kudos

Hi,

Today we got a mail form basis team. please give me the suggestion as per the below.

I notice that all you request are http GET.  This is not expected.  Please confiigure the system to make http POST instead.  The response to your requst logged is http 409 ("conflict"), this normally mean that the system you are trying to connect to will not handle that type of request (GET in this case).  Please try reposting after reconfiguring your system.

What is the get and post ... where we can find the get and post option in PI system?

What king of setting i have to do in PI side.

Regards,

Kesava

former_member303666
Active Participant
‎12-15-2012 11:33 AM
0 Kudos

again

out business process is Invoice..> PI ...>WS

in PI system, the certificates are uploaded in ABAP stack STRUST T- code.

My Questions:

in this case where i need to upload the client certificates? in ABAP stack( strust) or NWA  ?

in my system NWA is not working .... it is showing NWA is not configured for accessing the current status value.

Receiver communication is SOAP (WS)

Please....

Regards,

Kesava

former_member303666
Active Participant
‎12-15-2012 1:27 PM
0 Kudos

Any suggestions?

Regards,

Kesava

former_member303666
Active Participant
‎12-17-2012 3:38 AM
0 Kudos

Thanks for all,

I have resolve my issue.

I have changed the adopter type from SOAP to HTTP and  I have tested the scenario it's working fine now.

Regards,

Kesava

Answers (3)

Answers (3)

Former Member
‎12-14-2012 7:36 AM
0 Kudos

Hi Kesava,

Check this discussion, may be this will be helpful for you to resolve this issue : "http://scn.sap.com/message/6973343#6973343"

Then some additional: http://wiki.sdn.sap.com/wiki/display/TechTSG/Peer+certificate+rejected+by+ChainVerifier

Regards,

Sagarika

Show replies
Show replies
Former Member
‎12-13-2012 8:39 PM
0 Kudos

Hi Kesava,

The error indicates that PI is not trusting the caller web service

EX:When you go to www.bankofamerica.com the server throws back its server certificate to the browser ex IE and IE has some predefined Root certificates installed in IE and then the verification takes place, as bank of america server root certificate is already trusted by IE a  successful SSL connection establishes

In same way you have to load the web service intermediate and root certificates in the PI NWA key store view of trusted CA , by doing this PI will able to trust the web service, get the certicates from the server admin or you can directly copy to file from the URL itself

Just behind the webservice URL in the address bar, you will find certificate information. click on it and select certification path and then select the intermediate certificate and click on details and copy it to desktop and repeat the same step for root certificate and them import it to Trusted CA in NWA key store and re-satrt java engine

Sudheer

Show replies
Show replies
Former Member
‎12-13-2012 8:41 PM
0 Kudos

Strust is only for ABAP stack, you have to work on JAVA stack NWA key store

former_member303666
Active Participant
‎12-14-2012 5:13 AM
0 Kudos

Hi jains and sudheer,

Does the endpoint URL of the web service you are calling provide a trusted certificate.

Those certificates are valid. i have checked in PI System. using STRUST T- Code.

One thing here : webservive (end point) they are maintaining ceritifacte.. have to maintain same certificats in PI system in STRUST. is it right please currect me.

did you import the certificate to the PI's keystore?

we have to do this activity in NWA is right ( for importing the end point certificats in PI (NWA)

If yes, while open the NWA in PI system it is showing below error page.

Did you select the mentioned certificate within the SOAP communication channel?

No i have not select the mentioned certificates in Rceiver SOAP CC ( Configure certificates authentication)( what they mentioned in NWA)

I have selected that option ,again i have disable that option. due to basis team advise.

Regards,

Kesava

JaySchwendemann
Active Contributor
‎12-14-2012 6:10 PM
0 Kudos

Unfortunately I cannot see the attached image of your error. Anyhow, as of my understanding, one of the following should apply:

1. The webservice you call (e.g. https:example.com/wheather) is providing a certificate that is trusted by some root CA like Verisign. Then you should be all settled and should not have to import anything in keystore

2. The webservice you call (e.g. https:exmaple.com/wheather) is only providing a self signed certificate. In this case, opening the URL in your browser would warn you for example that the certificate is not safe. If that's the case, you probably will need to import the endpoints self created certificate to your PI's keystore, hence enabling a trust relationship to the endpoint.

Maybe I'm incorrect on this because I actually never communicated with an untrusted endpoint (figure 2.) So please correct me if I'm wrong.

Cheers

Jens

JaySchwendemann
Active Contributor
‎12-13-2012 8:09 PM
0 Kudos

Just some basic thoughts here:

does the endpoint URL of the web service you are calling provide a trusted certificate (e.g. signed by verisign or thawte) or is it a self signed certificate. If latter (and no other trust relationship is existing) did you import the certificate to the PI's keystore? Did you select the mentioned certificate within the SOAP communication channel?

Cheers

Jens

Show replies
Show replies
Ask a Question