ELM send SOAP distributor - SSLCertificateException: certificate rejected

Similar Messages

• ** SOAP - Receiver CC - Sync - Error - certificate rejected by ChainVerifie

  Hi Friends,
  In our interface BPM - SOAP call (Sync), in the receiver SOAP CC, we are getting the below error. 
  SOAP: call failed: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
  In the SOAP CC, we use HTTP protocol.  In the target URL, it starts with https://...... and soapAction is mentioned.
  Previously, this channel was working fine. No issues.
  For testing, I copied and pasted the target URL in Internet Explorere, it did not ask any certificate, I am able to execute the wsdl. i.e call the soapAction - sent the request and got the response.
  Friends, could you tell me why the above error is coming now ?
  Kind regards,
  Jegathees P.

  Hi,
  https service is running?
  Check: SMICM -> Services
  Also check  with the named SAP note inside.
  Cheers,
  André
  Edited by: André Schillack on Apr 28, 2010 5:37 PM

• Error PI 7.31 RFC-SOAP Certificate Rejected

  Hi Experts,
  I'm facing an error last days.
  The scenario is, an interface was working fine in DEV, but in QAS stopped.
  DEV and QAS has the same configuration, same endpoint, user, etc....
  In QAS the error in PI 7.31 was:
  com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
  So, I saw the certificate and it was expired. The server updated the certified.
  And now DEV and QAS stopped working, and both return the message above in PI.
  The certificate is a auto-signed, and according to the documentation there was no certificate installation in development.
  The communication is an RFC to SOAP synchronous.
  Using Proxy, and authentication.
  The communication channel was not changed, and they don't have certificate authentication.
  I requested de basis team to install the certificate in NWA, but the view does not appeard in the configuration in PI.
  So... any idea what's my problem?
  Thanks.

  Hi,
  Thanks all for the answers.
  I already requested the installation of certificate, but they don't appear in configuration of channel communication on PI:
  the certificate installed:
  Any Ideia?

• Error:iaik.security.ssl.SSLCertificateException: Peer certificate rejected

  Hi,
  I am getting error com.sap.engine.interfaces.messaging.api.exception.MessagingException:
  iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
  When i test for digital signing and encryption using soap receiver CC
  we passed all the values for soap CC
  Created key store view and in that view I have generated private certificate and generated CSR using SAP CA(test ssl for 8 weeks) for the private key and also imported public key for encryption given by reciver
  When i test i get the error message
  I check certificates validity dates
  I restarted java engine and ICM
  I added the public key in trusted CA in NWA
  I re created the view and added the certifcates
  still the same error
  how and where to check to check IAIK in NWA and how to deploy it in java engine using NWA, we are using PI7.11 (no VA)
  any suggestions?

  Hi,
  The main causes for this kind of problem are:
  1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:
  Security Configuration at Message Level
  http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe1000000
  0a1550b0/frameset.htm
  2. The server certificate chain contains expired certificate. Check for it and if it's the case renew it or extend the validation.
  3. The certificate chain was not in correct order. Basically the server certificate chain should be in order
  Own->Intermedite->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by the C which is the root CA (having a self signed certificate).
  Then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificate in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again.
  4. If the end point of the SOAP Call(Server) is configured to accept a client certificate(mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within validity period.
  (This certificate is the one which is sent to Server for Client authentication)
  As a resource, you may need to create a new SSL Server key.
  The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site.  I mean if I request URL X then the CN must be CN=X.
  In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
  Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
  In any other case the SSL communication will not work.
  Regards,
  Caio Cagnani

• Communication using Sender soap adapter using secured certificates

  Hi All,
  For sender soap scenario,
  We have installed 3rd party certificate on XI and we have give them XI SSL certificate to 3rd party.
  We are getting handshake error when they send message using XI URL.Can you please tell me in which location on webserver where 3rd party has to install certificate and what all settings
  I need to give in communication channel and sender agreement?
  thanks a lot.
  Best Regards,
  Harleen Kaur Chadha

  Can you please tell me in which location on webserver where 3rd party has to install
  certificate and what all settings I need to give in communication channel and sender agreement?
  Check this link to know more:
  http://help.sap.com/saphelp_nwpi71/helpdata/en/32/1c1041a0f6f16fe10000000a1550b0/frameset.htm
  Also there is a Blog by Alexander on Principal Propagation....you can refer it to know more on how, where to include the certificates..
  Regards,
  Abhishek.

• SAP PI 7.3 Peer certificate rejected by ChainVerifier

  Hi
      We upgraded the PI systems(Dev and Quality) from 7.0 to v7.3 Before the upgrade https scenario was working fine. Important thing is we were not using any certificates to transfer files to our vendor.  All the SOAP receiver adapter with HTTPS url is working fine in production. The production is still with PI 7.0
      After basis upgrade the PI system to v7.3  when I send a messaage to the below url with SOAP receiver adapter i see the below error. This is not a webservice interface.
  https://staging.napa-ibiz.com/..........
  The error is:
  SOAP: error occured: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
  Adapter Framework caught exception: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
  Delivering the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier.
  The strange part is, after the upgrade it is working fine with one vendor. The SOAP receiver adapter configuration is no different from other scenerios.
  We even restarted  the JAVA engine still no luck.
  I didn't get answer for my below questions:
  1. When I'm not using any certificates to send files to my vendor, why/how I see the above certificates related error.
  2. If it is really a certificate related error, how i'm able to successfully send to one vendor with the similar SOAP receivier configuration.
  3. Why only after the upgrade i see this error?
  Can you please throw some lights on this?
  Thanks,

  >When I'm not using any certificates to send files to my vendor, why/how I see the above certificates related error.
  The URL shows that you are using https transport communication. So you might be sharing the certificate or anonymous ssl with different vendors.  PLease go to STRUST and see whether  you have certificates in the keystore for the different vendors. As you production environment behaves different from pre production in terms of security.
  >If it is really a certificate related error, how i'm able to successfully send to one vendor with the similar SOAP receivier configuration
  You might share certificate correctly for one vendor and keystore might not have for the other vendors.  This is nothing related to soap receiver channel configuration. Certificates can be maintained either java stack level or abap stack.
  >Why only after the upgrade i see this error?
  PI 7.1 and above are 64 bit OS products. There are plenty of changes in the installation and security standards.  Talk to BASIS,

• SOAP Receiver Adapter Certificate issue

  Hello Gurus,
  i m working on RFC to SOAP scenario on SAP PI 7.3 and need help about SSL credentials.
  We have been testet with SOAP UI Tool successfully (without Certifcates). Why not with PI? 
  Now we are facing an issue like
  "iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier".
  What should we do to solve this issue?
  Target SOAP Url; https://www.xxx.com/PartnerCard/Partner.asmx
  Kind Regards,
  PM

  Hi,
  One more thing to check: while testing the connection from SOAP UI, did you use the same URL with https? Because, for instance for the web services generated in PI, you get two separate bindings: for http and https connections. So if using the secure https channel is not your requirement, you could just use the http binding from PI in your scenario.
  Hope this helps,
  Greg

• Sender SOAP (Scenario)

  Hi Guys,
  Here is my scenario where client has a Java Web Aplication to get connected to my Backend System using RFC.This happens through XI.
  I produce the Outbound Interface in the Form of WebService (By generating WSDL file)
  Here we use Sender SOAP Adapter. I want to implement security level using key / certificates.
  Now important thing here is the people who are going to login donot have username on PI box.
  Now how can assign the certificate to the users who are external in my visual admin.
  Hope my scenario is clear . Kindly post u r views on this.
  With regards
  Srini

  Hi,
  I guess the Service user which you would have created will be in XI abap stack only.You need to provide the url and the userId, pwd to the web service client so that they will be bale to invoke your webservice.. you don't have to give the service user details in Soap Sender Adapter. It is just for ypur web client to acesss your webservice.
  The url will be like this:
  http://<serverhost>:<port>/XISOAPAdapter/MessageServlet?channel=<party>:<ServiceName>:<Channel Name>
  I hope it clears your doubt.
  Thanks
  Amit
  Edited by: Craig Cmehil on Jul 3, 2008 3:30 PM

• SMIME in sender soap adapter

  Hi,
  I'd like to know the proper format of the POST request to a sender soap adapter with SMIME activated. I've found almost no documentation about it.
  I'm trying to send a document ciphered to PI via soap adapter (HTTP POST). I've done the following steps
  1. I activate SMIME in the sender soap adapter, and I specify "Decrypt" as the security procedure in the sender agreement. I also incorporate the private key in the keystore DEFAULT and reference to it in the sender agreement.
  2. I use OpenSSL to cipher an xml document like this (I use the public certificate associated to the previous private key) :
  --> openssl smime -encrypt -in fich.txt -out fich_encrypted.txt certTesting.pem
  What I get is:
  MIME-Version: 1.0
  Content-Disposition: attachment; filename="smime.p7m"
  Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
  Content-Transfer-Encoding: base64
  MIIC....[base64 content of the file encrypted]
  3. I use CURL to send the HTTP POST request to PI. Previously I get the binary file from the base64 content.
  > POST /XISOAPAdapter/MessageServlet?senderParty=&senderService=BC_1[...]
  > Authorization: Basic c2U[...]
  > Host: pi.[...].com:50000
  > Accept: /
  > Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=fich_encrypted.der
  > User-Agent: Jakarta Commons-HttpClient/3.1
  > Accept-Encoding: text/xml
  > Content-Disposition: attachment; filename=fich_encrypted.der
  > Content-Length: 620
  > Expect: 100-continue
  but I get this error from the SOAP Adapter:
  --> java.io.IOException: invalid content type for SOAP: APPLICATION/PKCS7-MIME.
  I also get the same error if I remove the header Content-Disposition.
  4. If I send the xml file without ciphering (header Content-Type: text/xml;charset=UTF-8) I get the error:
  com.sap.engine.interfaces.messaging.api.exception.MessagingException: SOAP: call failed: java.lang.SecurityException: Exception in Method: VerifySMIME.run(). LocalizedMessage: SecurityException in method: verifySMIME( MessageContext, CPALookupObject ). Message: IllegalArgumentException in method: verifyEnvelopedData( ISsfProfile ). Wrong Content-Type: text/xml;charset=UTF-8. *Expected Content-Type: application/pkcs7-mime or application/x-pkcs7-mime*. Please verify your configuration and partner agreement
  PROBLEM --> I really don't know what the SOAP sender channel is expecting when SMIME is activated. I've tried to send the binary file encripted as an attachment and also directly, but the soap adapter complains.
  Thanks

  HI,
  for XI EP
  Please see the below links so that you can have clear Idea..
  /people/saravanakumar.kuppusamy2/blog/2005/02/07/interfacing-to-xi-from-webdynpro
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webas/java/integrating%20web%20dynpro%20and%20sap%20xi%20using%20jaxb%20part%20ii.article
  Consuming XI Web Services using Web Dynpro – Part II-/people/riyaz.sayyad/blog/2006/05/08/consuming-xi-web-services-using-web-dynpro-150-part-ii
  Consuming XI Web Services using Web Dynpro – Part I -/people/riyaz.sayyad/blog/2006/05/07/consuming-xi-web-services-using-web-dynpro-150-part-i
  /people/sap.user72/blog/2005/09/15/creating-a-web-service-and-consuming-it-in-web-dynpro
  /people/sap.user72/blog/2005/09/15/connecting-to-xi-server-from-web-dynpro
  Regards
  Chilla..

• Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

  Hello All,
  We are currently building up a HTTPS message exchange with an external client.
  Our PI 7.1 recieved over HTTPS messages on an already configured Sender SOAP Adapter.
  The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
  Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet is required and works fine with user ID and password.
  Now we have to configure the addtional Client Authentication.
  At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
  But what are the next steps to get this scenario successfully in place?
  Many thanks in advance!
  Jochen

  Hi Colleagues,
  following Steps still have to be done:
  - Mapping public key to technical user at Java Stack
    As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for repecively technical user the public key certificate
  - Be sure CA root certivicate at Database under STRUSTSSO2
  - Import intermediate Certificate under Certificate List at Trast Manager for the Respecive Server Note
  - use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
  Many thanks to all for support!
  Regards,
  Jochen

• Sender SOAP Adapter with HTTPs call

  Hello,
  Our scenarion is ..  we will have a sender SOAP adater .. but it needs to be called using HTTPs(SSL).
  Now considering we have the certificate generated and installed ..and that integration server is HTTPs enabled....What URL should the sending system call..?
  For normal HTTP call the inbound address for inbound Adapter is: http://host:port/XISOAPAdapter/MessageServlet?channel=party:service:channel
  For the case of HTTPs just changing the htttp to https and the port number in in the calling system will suffice? Or is there other configurations that needs to be done??
  Thanks and Regards,
  Himadri

  Hi Himadri,
  Firstly as suggested by others you can call using https and give the https port in the soap adapter servler URL. Secondly you need to do the following configurations:
  1) If its PI 7.0/3.0, deploy the latest version of the SAP Java cryptography toolkit.
  2) Configure SAP PI as the server for HTTPS calls. In short
        Using the SSL Provider service:
                              a.      Select whether the J2EE Engine should:
                                 ■      Request (but not require) that the user presents a client certificate for authentication.
                                 ■      Require that client certificates are to be used for authentication.
                              b.      Import the CAu2019s root certificate into the Trusted Certification Authorities list. (Choose Add.) using the following For all the steps, link is mentioned below for XI 3.0, you can find similar ones for PI 7.0
  http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/content.htm
  3) If you want to enable client authentication then you would need to add the client certificate in the TrustedCA keystore view of the SAP J2EE engine.
  4) In the SOAP Adapter sender channel, configure Inbound Security level as HTTPS or HTTPs with client authentication based on your scenario.
  Best Regards,
  Pratik

• Error using Sender SOAP adapter over HTTPS

  Hi experts,
  Few weeks ago, i developed an interface as follows: SOAP <-> XI <-> RFC.
  I tested the functionality using Altova and everything went well, with HTTP.
  However, when i use HTTPS it fails throwing these error messages (pop ups):
  <i>"HTTP error: could not post file"......
  "Error sending the soap data"</i>
  I have reviewed the SSL certificates installation and everything seems to be ok, but currently i am stuck and do not know how to fix this.
  I have also change the ID comm channel from HTTP to HTTPS with client aut.
  Is there any special service i have to activate? (XI services and SPIGATE are already done)
  Could you please assist?
  Thanks in advance and best regards,
  David

  David,
  have a look @ these threads...u may get some help!!!
  Sender Soap with HTTPS
  https Soap Adapter
  Regards
  Biplab

• Dynamic sender SOAP Adapter

  Hi,
  i need to define a web service that could be consumed by any sender system, how could i do this if i need to define the BS in the URL when i create the WSLD undel menu tool-->Define web service
  http://host:port/XISOAPAdapter/MessageServlet?channel=party:service:channel
  in case its migth be possible, how could i identify which system consume the service, is there any system information where i could get at least the host name or the IP???
  Thanks
  Rodrigo

  >> how could i do this if i need to define the BS in the URL when i create the WSLD undel menu tool-->Define web service
  http://host:port/XISOAPAdapter/MessageServlet?channel=party:service:channel in case its migth be possible
  Create Webservice using Sender SOAP adapter. Go to sender agreeement, click display wsdl. Save the file . That is your wsdl and it contains all your webservice details that includes sender business system, interface, URL etc.
  >>how could i identify which system consume the service, is there any system information where i could get at least the host name or the IP???
  You create valid service users of PI to communicate and distribute for different consuming systems. When they invoke your webservice they have to use your login credentials. Also you can go with client authentication certifcate(SSL) so that only trusted partners with client certificate can communicate your webservice.
  >>where i could get at least the host name or the IP???
  You dont get those informations. You allow only trusted trading partners to consume your webservice using client authentication and certificate credentials.

• Client Certificate Rejected, repeatedly +with great vigor

  Hi all --
  Perhaps you can give me a hand. I recently got a new Macbook Pro -- my first new CPU since the ole' clamshell back in 2001. Very happy with it as a whole but also finding that I am a bit behind the times in terms of my understanding of the software. Here is the problem: Yesterday I tried to access a page using Safari (2.0.3) from my history. I do not believe that it was a secure page as it was part of the dartmouth.edu website but it may have been. Anyway, a dialouge box popped up asking for my to use FileVaultMaster keychain. I did not know that I had such a thing but I typed in my master password. The page still did not open, but Safari displayed a text box saying that there was an error -- this particular error, in fact:
  <begin quote>
  The error was: “client certificate rejected” (NSURLErrorDomain:-1205) Please choose Report Bug to Apple from the Safari menu, note the error number, and describe what you did before you saw this message
  <end of quote>
  Now, when I try to access the basic Dartmouth homepage of http://www.dartmouth.edu, Safari converts it automatically to https://www.dartmouth.edu and asks for the keychain and then displays the error. I tried emptying the cache and resetting Safari (and even restarting the computer, although I understand that that is no longer necessairy with OS X) but to no avail. Can anyone clue me as to what is happening, and why?
  Thanks much in advance,
  -Sparco03
  MacBook Pro   Mac OS X (10.4.5)  

  I emailed [email protected] about this problem and here is the response. The solution of getting a valid Dartmouth certificate doesn't apply to non Dartmouth users, so I'm not sure what to do in that case.
  "You need to check your Keychain. The reason you are getting that error is because Safari is sending a Client Certificate back to the web server (which asked for it), but the web server can't verify that it's a good certificate. This usually happens when you have an expired certificate, or you have a non-Dartmouth certificate that Safari is likely sending because it can't find a Dartmouth one."
  "Whichever of these is the case, the solution is to get a valid Dartmouth certificate, which you can generate by going to https://collegeca.dartmouth.edu/ and following the directions on the web page. If you have an expired Dartmouth cert, you will need to delete that before you import your new, valid certificate."
  "The reason all of this is happening is specific to Intel Macs. The mechanism that Dartmouth has used, better than 7+ years, to authenticate browser users to web site (Kerberos) uses the SideCar helper application. This application doesn't run on Intel Macs, and it most likely never will. Fortunately, Dartmouth installed client certificates as an additional/alternate solution for web site authentication a few years ago. Since client certs work great on Intel Macs, we had to force Intel Macs to always use HTTPS when connecting to any site on www.dartmouth.edu. That way we can always be able to ask for your client cert, so that we don't break your ability to access protected sites that live on the www.dartmouth.edu server."

• I am trying to email pictures from my ipad to my email address on my computer and I have been going along nice but now I get a message that says "cannot send mail the message was rejected by the server"  can't see to figure out why it stopped sending now.

  I have been emailing pictures from my ipad to my computer and have been going along nicely and now when I went to send 5 pictures to my computer from my ipad I am getting a message that says " cannot send mail The message was rejected by the server"  cannot understand why this is happening and have not been able to fix.  Now when I try to send pictues even to another email address I am getting the same message.
  Help.

  Email may not be the best way to move pictures.
  There are lots of ways of moving files.
  A simple and popular way to copy files and share files among your devices.
  https://www.dropbox.com/
  "Box lets you store all of your content online, so you can access, manage and share it from anywhere. Integrate Box with Google Apps and Salesforce and access Box on mobile devices" Rated the most secure cloud storage by SkyHigh Networks.
  https://www.box.com/
  Using iTunes to transfer files:
  http://support.apple.com/kb/HT4094?viewlocale=en_US&locale=en_US
  Files Connect -- "Cloud Storage services like Dropbox, MobileMe iDisk, Google Docs/Picasa, Facebook photos, FTP, SFTP, WebDAV ... AFS (Apple File Shares) SMB (Windows shares)  protocols"
  https://itunes.apple.com/us/app/files-connect/id404324302?mt=8
  Windows File server
  http://itunes.apple.com/us/app/filebrowser-access-files-on/id364738545?mt=8
  "The kiteworks mobile file sharing solution provides secure creation, viewing, and sharing of enterprise content on smartphones and tablets while providing IT and security teams the administrative controls to manage user privileges and access rights necessary to ensure enterprise security and compliance."  " Includes choice of private cloud on-premise."
  http://www.accellion.com/solutions/mobile-enablement/mobile-file-sharing
  "Dukto is a simple application that allows you to share files between devices connected to the same (wireless) LAN network."
  http://www.tidal.it/?page_id=309&lang=en
  http://www.msec.it/blog/?page_id=11