
Peer certificate rejected by ChainVerifier ERROR on SOAP Channel

susan_pfab
Participant
0 Kudos

We are using a SOAP receiver channel (HTTP) in PI 7.1. We have imported the SSL certificate into the TrustedCAs keystore of the NWA. The certificate is NOT expired. We are getting this error. The only thing I noticed is the Subject Name/CN has a wildcard (*) in it and therefore doesn't match the URL exactly. I have read the CN must equal the URL address. Will it work with a wildcard? Why else could I be receiving this error?

SOAP: error occured: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Adapter Framework caught exception: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Delivering the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier.

Accepted Solutions (1)

former_member854360
Active Contributor
0 Kudos

Hi,

It's a common issue.

You need to import the total certificate chain in NWA with the intermediate CA certificate and the root CA certificate.

Please refer to SAP Note 694290 for importing the certificate chain.

Also see

http://wiki.sdn.sap.com/wiki/display/TechTSG/PeercertificaterejectedbyChainVerifier

Please let me know if it works.

susan_pfab
Participant
0 Kudos

The note mentioned above talks about Verisign (J2EE Servers 6.20 and 6.3). We don't use Verisign anymore. We are on PI 7.1. We are trying to send a file TO the vendor.

Answers (2)

0 Kudos

Hello,

The main causes of an issue like this are:

1. The correct server certificate may not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:

Security Configuration at Message Level

http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm

2. The server certificate chain contains an expired certificate. Check for this (it was the cause for other customers as well) and, if that is the case, renew the certificate or extend its validity.

3. Check that the certificate chain was not imported in an incorrect order. Basically, the server certificate chain should be in the order

Own->Intermediate->Root. To explain in detail: if your server certificate is A, which is issued by an intermediate CA B, and B's certificate is issued by C, which is the root CA (having a self-signed certificate),

then your certificate chain contains 3 elements, A->B->C. So you need to have the right order of certificates in the chain. If the order is B first, followed by A, followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate into the TrustedCA keystore view and try again.

4. If the endpoint of the SOAP call (server) is configured to accept a client certificate (mandatory), then make sure that it is configured correctly in the SOAP channel and that it is also within its validity period.

(This certificate is the one which is sent to Server for Client authentication)

As a resource, you may need to create a new SSL Server key.

The requirement on the SAP SSL client side is that the requested site has to have a certificate with CN equal to the requested site. I mean, if I request URL X then the CN must be CN=X.

In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.

Request the URL with the IP of the SSL server, and the certificate should have CN = IP of the server.

In any other case the SSL communication will not work.

Regards,

Caio Cagnani

Former Member
0 Kudos

Apart from adding all the certificates in the chain (you can check them in Certification Path tab), you must ensure that those certificates are also within expiry dates. Also, check with the Trading Partner and confirm that they are using the same certificates.

susan_pfab
Participant
0 Kudos

I'm a little confused about the certificate chain idea. The SSL cert I am referring to is from the trading partner. Why would I contact them to ensure we are using the same one?