SOAP receiver / SSL
Hello,
I have the following scenario: R/3 -> XI -> SOAP with SSL.
When accessing the target URL with a browser I don't have any problems. The SSL handshake is working correctly, I can download all certificates from the chain and they are all valid.
I imported the CA certificates into the keystore. But XI is unable to create the socket. In the logs I have the following message:
"Attempting to create outgoing ssl connection without trusted certificates".
We have other partners using the same scenario working correctly. I checked and the partners that are working correctly are using a 1024 public key and the new one that causes error is using only a 512 public key.
Thanks,
Bela
Hi Bela,
Did you ever solve the issue? I'm currently facing a similar problem when trying to use SSL to call a web service.
Similar Messages
-
Dear Community,
I have configured a SOAP Receiver to an external web service (https://server:7002/service). I have used IE to get the certificate of the server and have imported it into the keystore of the J2EE (using VA). I have imported it into all current views available. We have SAP PI 7.0 SP18. The problem is that the SSL handshaking is not performed correctly. I have placed a TCP gateway monitor tool to see the messages pass through. As soon as the first message is sent to the above URL and a response is received, I get a XIAdapter/HTTP/ADAPTER.HTTP_EXCEPTION - HTTP 500 Internal Server Error. Also, in the default trace log I get a no private key found.... Do I need extra steps to configure SSL in the SOAP Receiver? The service does not require a client authentication certificate and has a certificate with no CA root certificate (since this is only a test system and has issued its own certificate). Any ideas? Any help will be appreciated.
Regards,
S.Socratous
Hello,
Generally it's a connectivity behaviour. Check if you have setup the connection to
the receiver and also check the explanation regarding 500 Internal Server Errors:
*Description: The server encountered an unexpected condition which prevented it from fulfilling the request.
Possible Tips: Have a look into SAP Notes – 804124, 807000*
It may also be a problem with the SSL certificate. So, check if it's not expired;
The correct server certificate may not be present in the TrustedCA keystore view of NWA.
Please ensure you have done all the steps described in this URL (this is for 7.11):
Security Configuration at Message Level
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/d1c7e690d75430e10000000a42189b/frameset.htm
You may have not imported the certificate chain in the correct order (Own -> Intermediate -> Root);
Last, if the end point of the SOAP Call(Server) is configured to accept
a client certificate(mandatory), then make sure that it is configured
correctly in the SOAP channel and it is also within validity period.
(This certificate is the one which is sent to Server for Client
authentication)
Hope that helps.
With regards,
Caio Cagnani -
SSL in Soap receiver communication channel
Hi,
I have a web service that works fine in Soap UI. The web service provider uses SSL, but it works like a web browser: it doesn't need a certificate installed before accessing the web service.
But when I try to use SAP PI with the SOAP receiver communication channel, the SOAP adapter returns the following message:
"Peer certificate rejected by ChainVerifier"
I read something about using Axis to solve this problem but I can't find anything on how to configure this scenario.
If someone has had this problem and solved it, I will appreciate the help.
Thanks
Fabricio
I have 2 communication channels:
1) This works fine
Adapter Type: SOAP
Receiver
Transport Protocol: HTTP
Message Protocol: SOAP 1.1
Adapter Engine: Integration Server
Target URL: https://gw-homologa.serasa.com.br/wsacheixml/wsacheixml.asmx
SOAP Action: https://sitenet05.serasa.com.br/WSAcheiXML/WSAcheiXML/ConsultaAchei
2) This doesn't work
Adapter Type: SOAP
Receiver
Transport Protocol: HTTP
Message Protocol: SOAP 1.1
Adapter Engine: Integration Server
Authentication: Basic
User/Password
Target URL: https://treina.spc.org.br/spc/remoting/ws/consulta/consultaWebService
SOAP Action: blank
Both are HTTPS and the certificate is sent at communication time (there isn't a certificate to install in the Key Store in Visual Administrator).
I read that Axis manages this kind of integration with web services, because the certificate must be installed at the moment of sending the HTTP request.
I don't know why the first interface works fine and the other doesn't work, so I'm trying with Axis.
In Soap UI both interfaces work fine.
Thanks -
SOAP Receiver over SSL - server certificate troubles
Hello all,
I have a scenario with a SOAP receiver communication channel with communication over SSL. In the URL there is an IP address for a reason I will not mention ... simply, there must be an IP address in the URL and not a host name.
When I access the SOAP server with an internet browser it gives me a server certificate with the HOST NAME in the CN. I placed this certificate in the "trusted container" in J2EEVisAdmin - Key Storage.
Now you might already suspect the trouble: the certificate CN doesn't match the URL. This is an obvious error we have met many times on the internet (even in the e-banking sector) ... but we are able to skip it with the options of our internet browsers.
Could I set up something in the J2EE server the same as in the internet browser?
Thank you in advance.
Rgds
Tom
Got it,
SAP Note : 791655
HTTPS/SSL Properties
Property Name = [default]
messaging.ssl.httpsHandler=iaik.protocol.https.Handler
messaging.ssl.securityProvider=iaik.security.provider.IAIK
messaging.ssl.trustedCACerts.viewName=TrustedCAs
messaging.ssl.serverNameCheck=false
Description:
The properties "httpsHandler" and "securityProvider" specify the class names of the HTTPS handler and Security provider used. The AF only supports IAIK. Never change these values! To activate HTTP/SSL, you must install the IAIK libraries on your J2EE Engine as described in the Installation Guide.
The property "trustedCACerts.viewName" defines which J2EE keystore is used during the SSL Handshake for trusted CA certificates. You should never change this value either. With "serverNameCheck" you can specify whether the host name in outbound HTTPS requests should be checked against the host name in the certificate of the server.
Regards,
Bhavesh -
SOAP Receiver Adapter using SSL - PI 7.0
Hi all,
I am currently faced with a .NET WCF web service integration using HTTPS via the SOAP Receiver Adapter in PI 7.0.
Can anybody tell me into which Visual Administrator view I have to import my certificate in order to get HTTPS working?
Thanks in advance,
Martin
It must be the view you have created for your partners. There is usually a Trusted view where you have your own certificate. And there are other views where partners' certificates are stored. There you have to store the certificate.
Regards,
Prateek -
Using SSL in SOAP Receiver Adapter
Hello,
We need to execute a web service that requires using SSL connection. We have done following:
1. Deployed SAP Java Cryptographic Toolkit
2. Uploaded the server certificate chain (Root, Intermediate, and the Server certificate itself) in the TrustedCAs view
But I can't see the certificate from the Communication Channel screen.
Could anybody who has done this before please let us know if we are missing anything? I would appreciate it if anybody can tell us the trouble points/pitfalls in this process.
Any help is greatly appreciated.
Regards
Venu
Hi,
You need to setup SSL layer for HTTPS endpoint.
Possible HTTP security levels are (in ascending order):
HTTP without SSL
HTTP with SSL (= HTTPS), but without client authentication
HTTP with SSL (= HTTPS) and with client authentication
HTTPS comes in two flavors, both ensuring the confidentiality of data sent over the network
Please go through the link below for reference (the above information is from that link)
SAP Network Blog: How to use Client Authentication with SOAP Adapter
/people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter
SSL usage
Step by step guide for SSL security
step by step guide to implement SSL
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm
General guide
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
Message level security
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
Regarding message level you can encrypt the message using certificates.
For both of these the Basis team has to deploy the relevant certificates in the XI ABAP stack or Java stack.
Generally, if the scenarios are intra-company we don't use any transport-level or message-level security since the network is already secured.
Check the following links; you will get all the information about security:
http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
Also read through this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
Also find some information in these links
http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
/people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
Thanks
Swarup
Edited by: Swarup Sawant on Apr 9, 2008 7:42 PM -
SOAP Receiver with HTTPS(without certificate)
Hi experts
The receiver system is not using any certificate. Without a certificate, how can PI send a message through HTTPS using SOAP?
How do I choose the HTTPS transport protocol? (Here the target URL has https://.....)
Here I am using PI 7.1 EHP1.
I configured the receiver SOAP CC as
Transport protocol as HTTP
Target URL https://api-demo.e-xact.com/transaction
Will it work? If not, how do I enable HTTPS in the SOAP receiver?
But I am getting the below error in the adapter:
Adapter Framework caught exception: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Thank you
Srini
Hi Srini,
The main reasons for this error "Peer certificate rejected..." appearing are the following:
1. The correct server certificate may not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:
Security Configuration at Message Level
http://help.sap.com/saphelp_nwpi711/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
2. The server certificate chain contains an expired certificate. Check for it (that was the cause for other customers as well) and, if that is the case, renew it or extend the validity.
3. Some other customers have reported a similar problem, and mainly the problem was that the certificate chain was not in the correct order. Basically the server certificate chain should be in the order Own->Intermediate->Root. To explain in detail: say your server certificate is A, which is issued by an intermediate CA B, and B's certificate is issued by C, which is the root CA (having a self-signed certificate).
Then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate into the TrustedCA keystore view and try again. Please take this third step as the principal one.
4. If the end point of the SOAP call (server) is configured to accept a client certificate (mandatory), then make sure that it is configured correctly in the SOAP channel and that it is also within its validity period.
(This certificate is the one which is sent to the server for client authentication.)
As a resource, you may need to create a new SSL Server key.
The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site. I mean if I request URL X then the CN must be CN=X.
In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
In any other case the SSL communication will not work.
Regards,
Caio -
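The checklist from Caio's two replies above (a trusted certificate in the view, nothing expired, order Own -> Intermediate -> Root, CN equal to the host in the target URL) can be run mechanically once subject, issuer and expiry have been read from each certificate. This is an added example, not part of the thread and not SAP or IAIK code; the `Cert` record, `order_chain`, `check_chain` and all sample values are constructed for illustration, and it assumes the complete chain up to the self-signed root is supplied.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cert:
    """Fields read from one certificate (hypothetical record, not an SAP type).

    Simplification: certificates are linked by CN only; real path building
    compares full distinguished names and verifies signatures.
    """
    subject_cn: str
    issuer_cn: str
    not_after: datetime

    @property
    def self_signed(self):
        return self.subject_cn == self.issuer_cn


def order_chain(certs):
    """Return the certificates ordered Own -> Intermediate -> Root."""
    by_subject = {c.subject_cn: c for c in certs}
    issuers = {c.issuer_cn for c in certs if not c.self_signed}
    # The own (end-entity) certificate is the one that issued no other one.
    unissuing = [c for c in certs if c.subject_cn not in issuers]
    leaves = [c for c in unissuing if not c.self_signed] or unissuing
    if len(leaves) != 1:
        raise ValueError(f"expected one own certificate, found {len(leaves)}")
    ordered = [leaves[0]]
    while not ordered[-1].self_signed:
        issuer = by_subject.get(ordered[-1].issuer_cn)
        if issuer is None:
            raise ValueError(f"issuer '{ordered[-1].issuer_cn}' is missing from the chain")
        if issuer in ordered:
            raise ValueError("issuer loop in the chain")
        ordered.append(issuer)
    if len(ordered) != len(certs):
        raise ValueError("chain contains certificates not linked to the own certificate")
    return ordered


def check_chain(presented, target_url, trusted_cns, now):
    """Run the four checks from the thread; return a list of findings."""
    try:
        ordered = order_chain(presented)
    except ValueError as exc:
        return [f"broken chain: {exc}"]
    findings = []
    if [c.subject_cn for c in presented] != [c.subject_cn for c in ordered]:
        findings.append("wrong order: expected " + " -> ".join(c.subject_cn for c in ordered))
    findings += [f"expired: {c.subject_cn}" for c in ordered if c.not_after <= now]
    if not any(c.subject_cn in trusted_cns for c in ordered):
        findings.append("no certificate of the chain is in the trusted view")
    host = urlsplit(target_url).hostname  # lower-cased host name or IP literal
    if ordered[0].subject_cn.lower() != host:
        findings.append(f"name mismatch: CN={ordered[0].subject_cn} but URL host is {host}")
    return findings


# Constructed sample: chain stored as B, A, C with an expired intermediate.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CHAIN = [
    Cert("Example Intermediate CA", "Example Root CA", datetime(2023, 6, 1, tzinfo=timezone.utc)),
    Cert("ws.partner.example", "Example Intermediate CA", datetime(2025, 1, 1, tzinfo=timezone.utc)),
    Cert("Example Root CA", "Example Root CA", datetime(2030, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for finding in check_chain(SAMPLE_CHAIN, "https://192.0.2.10:7002/service",
                               {"Example Root CA"}, NOW):
        print(finding)
```

The sample target URL uses an IP address while the CN is a host name, which is the mismatch described in the "server certificate troubles" thread earlier on this page.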
Connection closed by remote host on SOAP Receiver Scenario
Hi Experts,
I implemented a RFC to SOAP Receiver scenario, consuming an external
Web Service with SSL security, using SAP PI 7.1. I configured the SOAP
Receiver Adapter with Proxy and Proxy User, and it shows the
message “Connection closed by remote host”. I have checked with
the Network team about the firewall restrictions, and they told me it
passes through the firewall. I installed SOAP UI on the PI DEV server to test
the SOAP requests and it worked. Only on PI does it show this error
message. I traced the log of the SSL service in the SAP NetWeaver Administrator
and I didn’t have any success.
Long text error:
com.sap.engine.interfaces.messaging.api.exception.MessagingException:
java.io.EOFException: Connection closed by remote
Please, could you help me about this error?
Fábio Ferri
Hi Fabio,
You need to set a higher trace level in order to get more information in your trace file.
If you think it is related to security then set the logging level of components com.sap.aii.security.lib and com.sap.aii.af.security to DEBUG in Visual Admin's log configurator. Also set com.sap.aii.af.mp.soap and com.sap.aii.messaging to DEBUG level.
And then try sending messages and see whether you have received more information in the trace file, but don't forget to revert the change once you finish testing, otherwise it will fill up your disk space.
Best regards,
Pinkle -
Inconsistency of Status (SOAP Receiver)
Hi Experts,
Currently we have a design in PI 7.1 EHP1 sending messages to partners via SOAP (receiver). The first issue I encountered was ChainLinkVerifier for the SSL cert. It was then resolved by uploading the RootCA of the systems into the TrustedCAs keystore. If I send 1 message, the status is successful. But when I'm sending, let's say, 5 messages, the status alternates: Successful, System Error, Successful, etc.
What would be an alternative way to make those messages all Successful? Do I have to add timeout settings?
Regards,
R-jay
Hi,
I did a similar requirement (PI 7.0) but I didn't get any problem and there was no poll interval. I think the problem is somewhere in the configuration settings; better to recheck them, and meanwhile configure the certificate on the Java stack. -
SOAP Receiver security settings
Hi,
1) Could you please kindly tell me what settings I need to make for the security of the SOAP receiver adapter? Should my third party install something or do some setting, like installing SSL, if I make these settings on the PI side?
2) In the SOAP receiver communication channel there is a user name and password. What credentials are these, and where should the third party create this user name and password?
Thanks
Please review the documentation below for information on what is required to be imported for the certificates to work
2) You can use only the SSL certificates for a secure connection; no user/password needs to be configured if it is not required. -
Enable communication HTTPS in SOAP Receiver Adapter
Hi gurus,
I have configured the soap receiver adapter with the URL:
"https://www.xxxx.com/yyyyyyyyyy.asmx" without the user authentication.
I have executed the web service from SOAP-UI and it works well. But if I run the web service from SAP XI it does not work. Transaction SXMB_MONI shows the following error:
<SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
<SAP:Category>XIAdapterFramework</SAP:Category>
<SAP:Code area="MESSAGE">GENERAL</SAP:Code>
<SAP:P1 />
<SAP:P2 />
<SAP:P3 />
<SAP:P4 />
<SAP:AdditionalText>com.sap.aii.af.ra.ms.api.DeliveryException: Connection closed by remote host.</SAP:AdditionalText>
<SAP:ApplicationFaultMessage namespace="" />
<SAP:Stack />
<SAP:Retry>M</SAP:Retry>
</SAP:Error>"
What is happening?
Thanks,
Jose.
Jose,
A client certificate is the "top" authentication mechanism during the SSL handshake, like this:
- XI authenticates the SSL certificate (server) issued by the target server against a (trusted) list of known certification authorities, then the target will ask XI to present its own certificate (client) and it will make sure this client certificate can be trusted (verifying it has been certified by a known authority). Handshake is "done".
But you can also have
- "anonymous" mode (XI will make sure the SSL cert provided by the target has been issued - and so can be trusted - by a (well-)known certification authority), that's it. The target does not expect any other security feature
- user/pwd over an SSL connection (like above, but you'll also have to provide a user and pwd for authentication at target level)
Hope this helps
Chris -
SOAP: Invalid SSL message, peer seems to be talking plain!
Hi All,
We have configured a SOAP Receiver Adapter to send the message to an external third system from PI 7.11.
In the configuration we have imported the third-party system certificate into NWA.
In the receiver agreement we have selected the adapter-specific parameters.
After executing the scenario we are getting the following error in the Runtime Workbench.
*SOAP: call failed: iaik.security.ssl.SSLException: Invalid SSL message, peer seems to be talking plain!*
Please let us know if we have missed any configuration.
Thanks,
Lalitkumar.
Hi Rahul,
Actually the path provided by the third party is somewhat like this:
https://xyz.abc.com:443/TRSimpleAgent.Process:receive
Let me rephrase the scenario:
IDOC -> PI -> Soap.
The data which is flowing in the IDOC has to be mapped and the XML file has to be posted to the URL which I have mentioned above.
The data has to be posted outside the landscape of the SAP systems.
As of now we are able to get the file as an output of the receiver mail adapter. Now, to post this file, we have to ping the third-party system using the SOAP receiver adapter. In the meanwhile we have configured the certificate which we got from them in our PI Java stack.
When we execute the scenario we are getting the following error:
Message processing failed. Cause: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLException: Invalid SSL message, peer seems to be talking plain!
SOAP: call failed: iaik.security.ssl.SSLException: Invalid SSL message, peer seems to be talking plain!
Please help us to resolve the issue.
Thanks in Advance.
Lalitkumar. -
SOAP Receiver error: handshake failure
Good afternoon, everyone.
I have a SOAP Receiver communication channel, with user and password authentication.
When the request is sent to the channel, the following error is generated:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
- <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
<SAP:Category>XIAdapterFramework</SAP:Category>
<SAP:Code area="MESSAGE">GENERAL</SAP:Code>
<SAP:P1 />
<SAP:P2 />
<SAP:P3 />
<SAP:P4 />
<SAP:AdditionalText>com.sap.aii.af.ra.ms.api.RecoverableException: Peer sent alert: Alert Fatal: handshake failure: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure</SAP:AdditionalText>
<SAP:ApplicationFaultMessage namespace="" />
<SAP:Stack />
<SAP:Retry>M</SAP:Retry>
</SAP:Error>
mentioning a handshake problem.
In the Java log, I found the following messages:
p.aii.af.soapadapter#co
ssl_debug(6603): Sending v3 client_hello message, requesting version 3.1...
ssl_debug(6603): Received v3 server_hello handshake message.
ssl_debug(6603): Server selected SSL version 3.1.
ssl_debug(6603): Server created new session CA:23:B4:0E:C7:16:0A:8F...
ssl_debug(6603): CipherSuite selected by server: TLS_RSA_WITH_AES_256_CBC_SHA
ssl_debug(6603): CompressionMethod selected by server: NULL
ssl_debug(6603): Received certificate handshake message with server certificate.
ssl_debug(6603): Server sent a 1024 bit RSA certificate, chain has 1 elements.
ssl_debug(6603): ChainVerifier: No trusted certificate found, OK anyway.
ssl_debug(6603): Received server_hello_done handshake message.
ssl_debug(6603): Sending client_key_exchange handshake message (1024 bit)...
ssl_debug(6603): Sending change_cipher_spec message...
ssl_debug(6603): Sending finished message...
ssl_debug(6603): Received alert message: Alert Fatal: handshake failure
ssl_debug(6603): SSLException while handshaking: Peer sent alert: Alert Fatal: handshake failure
ssl_debug(6603): Shutting down SSL layer...
Has anyone seen this error before, and do you have any information about it?
Thanks in advance.
Pedro Baroni
Carlos,
In our scenario we do not use a certificate; however, in contact with the supplier of the web services, we identified the problem in their application, as they had configured it to accept only connections with a certificate. The problem has since been fixed in their application and the interface is working again.
Thank you. -
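The ssl_debug trace in the post above already records the negotiated protocol, the cipher suite, the server key size, the chain verifier result and the point at which the peer aborted. The following added example (not from the thread and not SAP or IAIK code) extracts those fields per connection; the trace lines are copied from the post, while the finding wording, the 2048-bit RSA threshold and the list of deprecated protocol versions are assumptions of this example.

```python
import re

# Lines copied from the ssl_debug trace posted in the thread above.
TRACE = """\
ssl_debug(6603): Sending v3 client_hello message, requesting version 3.1...
ssl_debug(6603): Received v3 server_hello handshake message.
ssl_debug(6603): Server selected SSL version 3.1.
ssl_debug(6603): CipherSuite selected by server: TLS_RSA_WITH_AES_256_CBC_SHA
ssl_debug(6603): Server sent a 1024 bit RSA certificate, chain has 1 elements.
ssl_debug(6603): ChainVerifier: No trusted certificate found, OK anyway.
ssl_debug(6603): Received server_hello_done handshake message.
ssl_debug(6603): Sending client_key_exchange handshake message (1024 bit)...
ssl_debug(6603): Sending change_cipher_spec message...
ssl_debug(6603): Sending finished message...
ssl_debug(6603): Received alert message: Alert Fatal: handshake failure
ssl_debug(6603): Shutting down SSL layer...
"""

LINE = re.compile(r"ssl_debug\((\d+)\): (.*)")
# Version numbers as printed by the trace, mapped to protocol names.
VERSIONS = {"3.0": "SSL 3.0", "3.1": "TLS 1.0", "3.2": "TLS 1.1", "3.3": "TLS 1.2"}
DEPRECATED = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}  # assumption of this example
MIN_RSA_BITS = 2048                              # assumption of this example


def parse(trace):
    """Collect handshake facts per connection id from ssl_debug lines."""
    conns = {}
    for raw in trace.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # skip truncated or unrelated log fragments
        cid, msg = m.groups()
        c = conns.setdefault(cid, dict(version=None, cipher=None, rsa_bits=None,
                                       chain_len=None, trusted=None,
                                       last_sent=None, alert=None))
        if v := re.search(r"Server selected SSL version (\d+\.\d+)", msg):
            c["version"] = VERSIONS.get(v[1], v[1])
        elif v := re.search(r"CipherSuite selected by server: (\S+)", msg):
            c["cipher"] = v[1]
        elif v := re.search(r"Server sent a (\d+) bit RSA certificate, "
                            r"chain has (\d+) elements", msg):
            c["rsa_bits"], c["chain_len"] = int(v[1]), int(v[2])
        elif msg.startswith("ChainVerifier:"):
            c["trusted"] = "No trusted certificate found" not in msg
        elif v := re.match(r"Sending (?:v3 )?(\w+)", msg):
            c["last_sent"] = v[1]  # last handshake message the client sent
        elif v := re.match(r"Received alert message: (.*)", msg):
            c["alert"] = v[1]
    return conns


def triage(trace):
    """Return the parsed facts plus a list of findings per connection."""
    report = {}
    for cid, c in parse(trace).items():
        findings = []
        if c["version"] in DEPRECATED:
            findings.append(f"deprecated protocol negotiated: {c['version']}")
        if c["rsa_bits"] is not None and c["rsa_bits"] < MIN_RSA_BITS:
            findings.append(f"weak server key: {c['rsa_bits']} bit RSA")
        if c["trusted"] is False:
            findings.append("server certificate accepted although no trusted certificate was found")
        if c["alert"]:
            findings.append(f"peer sent '{c['alert']}' after the client's '{c['last_sent']}' message")
        report[cid] = {**c, "findings": findings}
    return report


if __name__ == "__main__":
    for cid, result in triage(TRACE).items():
        print(cid, *result["findings"], sep="\n  ")
```

For this trace the alert arrives only after the client's `finished` message, so the server certificate had already been processed on the client side and the rejection came from the peer, which is consistent with the resolution reported in the reply.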
R3 (rfc-sender) - XI - Webservice ( soap-receiver)
Hi,
I am getting the below error whenever the web service (target system) is unavailable.
HTTP 404 Not Found
Then the RFC fails in R3, due to this error in XI
R3 (rfc-sender) <-> XI <-> Webservice ( soap-receiver) Synch
The user will enter the request data in R3 and wait for the response, but the web service is down (i.e. not available)
The request reaches the XI box and XI tries to send the data while the web service is down (i.e. not available); the RFC is waiting for the response from the XI box.
How can we handle this kind of situation? How should I give a response back to the RFC (because the RFC sent the request and is waiting for the response, and XI could not send any response back as the web service is down)? Please advise me how XI should inform the end user or R3 about the web service.
I am getting this error in my mailbox as I have configured ALERTS. I do not want to change the existing RFC.
Is there any chance to send a response to R3 even when the web service is down? Please can anyone suggest.
Thanks,
Siva
Edited by: Siva Grandhi on Jun 18, 2008 1:12 PM
Hi Siva,
Check this blog on HTTP errors.
/people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
Maybe the URL you have given in the SOAP receiver adapter is wrong. Check that once.
Error: 404 Not Found
Description: The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
Possible tips for HTTP_RESP_STATUS_CODE_NOT_OK 404:
• 404 is an HTTP response code that indicates that the resource in question couldn't be found. Usually this is due to an incorrect URL, so it is better to cross check all URLs. Check pipeline URL in the SLD in the business system of the Integration Server. For this go to SLD->Business System-><yourIntegration Server>->Pipeline URL: It should be like this http://<host>:<port>/sap/xi/engine?type=entry Where host is the host name of the Integration Server and port is the HTTP(8xxx) port. To verify this in Integration Server you can do like this. Go to SXMB_ADM->Integration Engine Configuration->Choose Edit from Menu -> Change Global Configuration Data to switch to change mode. Then select System Landscape - Load Configuration. (This is not required always)
• Check that the port really is the ICM HTTP Port and not the J2EE port i.e SMICM then menu GOTO --> SERVICES and check the port number for HTTP. It should be HTTP port
• If the error is Page cannot be displayed, cannot find server in https configurations Check and correct the SSL configuration for the ABAP and the J2EE side of the system
• If the error is because of integration server when using Proxy communications then check these. i.e SXMB_ADM->Integration Engine Configuration->Corresponding Integration Server entry should be dest://<Http Integration server-Destination> Where < Http Integration server -Destination > is the RFC destination (SM59) of type HTTP connection (type H) to the Integration Server. In this case, host name, port, and path prefix are saved in the RFC destination.
Thanks,
Vijaya. -
No Payload in the soap receiver call adapter ?
Hi Guys,
I configured a Proxy-SOAP asynchronous process, and I am unable to see the payload under Call Adapter in SXMB_MONI, but I am able to see the payload in RWB in the MDT. The message is flagged as successful in the monitor.
I do not understand why I am unable to see the payload under Call Adapter in SXMB_MONI. I am not getting the data into my receiver system.
Do I need to mention the QoS as EO in the SOAP URL in the SOAP receiver adapter configuration?
Any help would be really appreciated.
Thanks,
srini
Hi,
You can only see the payload (both with and without transformation) in MONI. A message that is being handled by the adapter can only be seen in the Adapter Framework using RWB Message Monitoring or using Communication Channel Monitoring.
Regards,
Farooq.