File Adapter FTP SSL SSL Certificate Exception

Former Member
0 Kudos

After reviewing the results of searching on this error, I do not find anything that fits my situation:

SAP File Adapter (PI 7.1) using FTP with FTPS connection security.

I am not using X.509 certificate for client authentication.

My connection is using a non-public certificate.

I have added the SSL certificate to TrustedCAs and DEFAULT keystores.

I am getting the following error:

Message processing failed. Cause: com.sap.engine.interfaces.messaging.api.exception.MessagingException: Error when getting an FTP connection from connection pool: com.sap.aii.af.lib.util.concurrent.ResourcePoolException: Unable to create new pooled resource: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Since I am using a non-public certificate, it will not validate. Even adding to the TrustedCAs and DEFAULT keystore it seems the configuration is still attempting to validate the certificate.

Any recommendations?

Accepted Solutions (1)

Former Member
0 Kudos

This error is a more generic error and doesn't tell the root cause.

In our case, the error was the same but the root cause was a recent SP upgrade and it didn't update a jar file automatically with new version. It was provided to us in response to OSS.

Answers (4)

Former Member
0 Kudos

So in the end, the solution was twofold:

1. Required IAIK_SSL.jar from SAP to support TLS 3.1 handshake. From SAP support:

The attached iaik_ssl contains the SSL handshake up to version 3.1. In the newer PI versions, it runs both 3.1 and 3.2 handshake. This means that the partner must be compliant with TLS1.1 in order to have the scenarios running successfully. However, if the partner implements only 3.1, this downgrade must be performed.

Also, please ensure to always replace the file after updating PI components, as it will overwrite the IAIK_SSL file again. In order to completely fix this issue, the partner must implement TLS1.1 security checks.

2. After you add a certificate to the keystore, you need to STOP and START the communication channel(s) that rely on that certificate. Thanks to Nathan Miller in post for providing that assistance.

Thanks to the community for the support. Issue is resolved.

Former Member
0 Kudos

Thank you for the feedback. I have imported all the certs, including the intermediate and CA without any change. What I did not notice the first time (since I just saw the error first) is that the data is actually being sent! Although the component shows "Message processing failed" the data IS GETTING SENT. So I will open a customer message to see if I can get some help from SAP on why it says failure when it is actually processing correctly.

0 Kudos

Hi,

The main reasons for this error are:

1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in these two URLs:

Security Configuration at Message Level

http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm

2. The server certificate chain contains an expired certificate. Check for it (that was the cause for other customers as well) and if it's the case, renew it or extend the validation.

3. Some other people have reported a similar problem, and mainly the problem was that the certificate chain was not in the correct order. Basically the server certificate chain should be in the order Own->Intermediate->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by C, which is the root CA (having a self-signed certificate), then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third step as the principal one.

Hope it solves your query.

Regards,

Caio Cagnani
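
The chain-order check described in point 3 of the answer above, as an added example that is not part of the original thread and is not SAP or IAIK code. It assumes the chain summary printed by `openssl s_client -showcerts` as input; the host and CA names and the function names are constructed for illustration, and matching issuer to subject by name shows ordering only, it does not verify signatures or expiry.

```python
import re

# Constructed sample (names are made up): chain summary printed by
# `openssl s_client -showcerts`; the server sends B, then A, then root C.
SAMPLE = """\
Certificate chain
 0 s:CN = Example Intermediate CA
   i:CN = Example Root CA
 1 s:CN = ftps.example.test
   i:CN = Example Intermediate CA
 2 s:CN = Example Root CA
   i:CN = Example Root CA
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(?:\d+\s+)?([si]):\s*(.+?)\s*$", line)
        if m and m.group(1) == "s":
            subject = m.group(2)
        elif m and subject is not None:
            chain.append((subject, m.group(2)))
            subject = None
    return chain

def order_problems(chain):
    """Report each position whose successor is not the certificate's issuer."""
    problems = []
    for pos, (subject, issuer) in enumerate(chain):
        last = pos == len(chain) - 1
        if subject == issuer and not last:      # self-signed root must be last
            problems.append(f"{pos}: root '{subject}' is not last")
        elif subject != issuer and not last and chain[pos + 1][0] != issuer:
            problems.append(f"{pos}: '{subject}' not followed by '{issuer}'")
    return problems

def expected_order(chain):
    """Rebuild Own -> Intermediate -> Root by following issuer names."""
    issuer_of = dict(chain)
    issuers = {i for s, i in chain if s != i}
    leaves = [s for s, _ in chain if s not in issuers]
    if len(leaves) != 1:
        raise ValueError("cannot identify a single end-entity certificate")
    ordered, current = [], leaves[0]
    while current in issuer_of and current not in ordered:
        ordered.append(current)
        current = issuer_of[current]
    return ordered
```

For the sample, `order_problems(parse_chain(SAMPLE))` flags positions 0 and 1, and `expected_order` returns the server certificate, then the intermediate, then the root.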

RKothari
Contributor
0 Kudos

Hi,

After importing the certificate, please check the following setting:

Go to Integration Builder->Administration tab->Exchange profile->Connections folder->com.sap.aii.connect.secure_connections

Click it. There should be no value present for this parameter. If present (generally "Messages" is present), please delete it.

Save the changes and re-start your Java Stack.

-Rahul