on 09-29-2010 6:11 AM
After reviewing the results of searching on this error, I do not find anything that fits my situation:
SAP File Adapter (PI 7.1) using FTP with FTPS connection security.
I am not using X.509 certificate for client authentication.
My connection is using a non-public certificate.
I have added the SSL certificate to TrustedCAs and DEFAULT keystores.
I am getting the following error:
Message processing failed. Cause: com.sap.engine.interfaces.messaging.api.exception.MessagingException: Error when getting an FTP connection from connection pool: com.sap.aii.af.lib.util.concurrent.ResourcePoolException: Unable to create new pooled resource: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Since I am using a non-public certificate, it will not validate. Even adding to the TrustedCAs and DEFAULT keystore it seems the configuration is still attempting to validate the certificate.
Any recommendations?
This error is a more generic error and doesn't tell the root cause.
In our case, the error was the same but the root cause was a recent SP upgrade and it didn't update a jar file automatically with the new version. It was provided to us in response to OSS.
So in the end, the solution was twofold:
1. Required IAIK_SSL.jar from SAP to support TLS 3.1 handshake. From SAP support:
The attached iaik_ssl contains the SSL handshake up to version 3.1.
In the newer PI versions, it runs both 3.1 and 3.2 handshake. This
means that the partner must be compliant with TLS1.1 in order to have
the scenarios running successfully. However, if the partner implements
only 3.1, this downgrade must be performed.
Also, please ensure to always replace the file after updating PI
components, as it will overwrite the IAIK_SSL file again. In order to
completely fix this issue, the partner must implement TLS1.1 security
checks.
2. After you add a certificate to the keystore, you need to STOP and START the communication channel(s) that rely on that certificate. Thanks to Nathan Miller in post for providing that assistance.
Thanks to the community for the support. Issue is resolved.
Thank you for the feedback. I have imported all the certs, including the intermediate and CA without any change. What I did not notice the first time (since I just saw the error first) is that the data is actually being sent! Although the component shows "Message processing failed" the data IS GETTING SENT. So I will open a customer message to see if I can get some help from SAP on why it says failure when it is actually processing correctly.
Hi,
The main reasons for this error are:
1. The correct server certificate could not be present in the TrustedCA
keystore view of NWA. Please ensure you have done all the steps
described in these two URLs:
Security Configuration at Message Level
http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
2. The server certificate chain contains an expired certificate. Check for
it (that was the cause for other customers as well) and if it's the case
renew it or extend the validation.
3. Some other people have reported similar problem and mainly the
problem was that the certificate chain was not in correct
order. Basically the server certificate chain should be in order
Own->Intermediate->Root. To explain in detail, if your server certificate
is A which is issued by an intermediate CA B and then B's certificate is
issued by the C which is the root CA (having a self signed certificate).
Then your certificate chain contains 3 elements A->B->C. So you need to
have the right order of certificate in the chain. If the order is B
first followed by A followed by C, then the IAIK library used by PI
cannot verify the server as trusted. Please generate the certificate in
the right order and then import this certificate in the TrustedCA
keystore view and try again. Please take this third step as the
principal one.
Hope it solves your query.
Regards,
Caio Cagnani
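The chain-order and expiry checks described in the reply above, as an added example that is not part of the original thread and not SAP or IAIK code. It links constructed records by subject and issuer name only; the `Cert` type, the names and the dates are assumptions, and no signatures are verified.

```python
from datetime import datetime, timezone
from typing import NamedTuple

class Cert(NamedTuple):          # hypothetical record, not a parsed X.509 object
    subject: str
    issuer: str
    not_after: datetime

def check_chain(chain, now):
    """List problems in a chain expected as own -> intermediate -> root."""
    problems = []
    for i, cert in enumerate(chain):
        if cert.not_after <= now:
            problems.append(f"expired: {cert.subject}")
        # Each certificate must be followed by the certificate of its issuer.
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            problems.append(f"order: {cert.subject} is followed by "
                            f"{chain[i + 1].subject}, expected {cert.issuer}")
    if chain and chain[-1].issuer != chain[-1].subject:
        problems.append(f"last element is not self-signed: {chain[-1].subject}")
    return problems

def reorder(chain):
    """Rebuild own -> intermediate -> root by following issuer names."""
    by_subject = {c.subject: c for c in chain}
    issuers = {c.issuer for c in chain if c.issuer != c.subject}
    leaves = [c for c in chain if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError("cannot identify a single end-entity certificate")
    ordered, current = [leaves[0]], leaves[0]
    while current.issuer != current.subject:      # stop at the self-signed root
        current = by_subject.get(current.issuer)
        if current is None or current in ordered:
            raise ValueError("chain is incomplete or loops")
        ordered.append(current)
    return ordered

# Constructed sample data: A issued by B, B issued by self-signed root C.
UTC = timezone.utc
NOW = datetime(2010, 9, 29, tzinfo=UTC)
A = Cert("CN=ftps.example.test", "CN=Example Intermediate CA", datetime(2011, 6, 1, tzinfo=UTC))
B = Cert("CN=Example Intermediate CA", "CN=Example Root CA", datetime(2015, 1, 1, tzinfo=UTC))
C = Cert("CN=Example Root CA", "CN=Example Root CA", datetime(2020, 1, 1, tzinfo=UTC))

if __name__ == "__main__":
    for line in check_chain([B, A, C], NOW):      # the B, A, C order from the post
        print(line)
    print([c.subject for c in reorder([B, A, C])])
```
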
Hi,
After importing the certificate, please check the following setting:
Go to Integration Builder->Administration tab->Exchange profile->Connections folder->com.sap.aii.connect.secure_connections
Click it. There should be no value present for this parameter. If present (generally "Messages" is present), please delete it.
Save the changes and re-start your Java Stack.
-Rahul