Error:iaik.security.ssl.SSLCertificateException: Peer certificate rejected
Hi,
I am getting error com.sap.engine.interfaces.messaging.api.exception.MessagingException:
iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
When I test digital signing and encryption using a SOAP receiver CC
we passed all the values for the SOAP CC
Created a key store view and in that view I have generated a private certificate and generated a CSR using the SAP CA (test SSL for 8 weeks) for the private key, and also imported the public key for encryption given by the receiver
When I test I get the error message
I checked the certificate validity dates
I restarted the Java engine and ICM
I added the public key in Trusted CA in NWA
I re-created the view and added the certificates
still the same error
How and where to check IAIK in NWA, and how to deploy it in the Java engine using NWA? We are using PI 7.11 (no VA)
any suggestions?
Hi,
The main causes for this kind of problem are:
1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:
Security Configuration at Message Level
http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
2. The server certificate chain contains an expired certificate. Check for it and if it's the case renew it or extend the validation.
3. The certificate chain was not in the correct order. Basically the server certificate chain should be in the order
Own->Intermediate->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by C which is the root CA (having a self-signed certificate),
then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again.
4. If the end point of the SOAP call (server) is configured to accept a client certificate (mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within its validity period.
(This certificate is the one which is sent to the server for client authentication)
As a resource, you may need to create a new SSL Server key.
The requirement from the SAP SSL client side is that the requested site has to have a certificate with CN equal to the requested site. I mean if I request URL X then the CN must be CN=X.
In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
In any other case the SSL communication will not work.
Regards,
Caio Cagnani
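Points 1 to 4 above describe what a strict chain verifier checks (the same advice is repeated in several of the similar threads further down). The Go program below is an added example, not SAP's or IAIK's code: it builds a constructed root, intermediate and server certificate in memory and runs a simplified order-sensitive verifier over them, so each listed failure cause (wrong chain order, root missing from the trust store, expired intermediate, requested host not matching the certificate) can be seen to fail on its own. The verifier, the certificate names and the 192.0.2.10 address are assumptions for illustration; the verifier is a model of the checks, not IAIK's ChainVerifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// certKey pairs a constructed certificate with its private key so it can issue the next one.
type certKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert builds a constructed test certificate; parent == nil gives a self-signed root. The
// server address goes into the IP SAN, which is what a current verifier matches the host against.
func mkCert(cn string, isCA bool, notAfter time.Time, ip net.IP, parent *certKey) *certKey {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only CAs may sign other certificates
	}
	if ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuer, issuerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return &certKey{cert: must(x509.ParseCertificate(der)), key: key}
}

// verifyChainInOrder models a strict, order-sensitive chain check: chain[0] is the server
// certificate, each element must be issued by the next, every element must be valid at 'now',
// the last one must be in the trusted CA store, and chain[0] must match the requested host.
func verifyChainInOrder(chain, trusted []*x509.Certificate, host string, now time.Time) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty certificate chain")
	}
	for i, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("element %d (%s) is outside its validity period", i, c.Subject.CommonName)
		}
		if i+1 < len(chain) {
			if err := c.CheckSignatureFrom(chain[i+1]); err != nil {
				return fmt.Errorf("element %d (%s) is not issued by element %d, chain out of order? %w", i, c.Subject.CommonName, i+1, err)
			}
		}
	}
	found := false
	for _, t := range trusted {
		found = found || t.Equal(chain[len(chain)-1])
	}
	if !found {
		return fmt.Errorf("chain ends at %q, which is not in the trusted CA store", chain[len(chain)-1].Subject.CommonName)
	}
	if err := chain[0].VerifyHostname(host); err != nil {
		return fmt.Errorf("server certificate does not match requested host %q: %w", host, err)
	}
	return nil
}

// Scenarios reproduces the failure causes from the answer with constructed certificates and
// reports, per scenario, whether the strict verifier accepts the chain.
func Scenarios() map[string]bool {
	now, valid := time.Now(), time.Now().Add(24*time.Hour)
	root := mkCert("Test Root CA", true, valid, nil, nil)                         // C
	inter := mkCert("Test Intermediate CA", true, valid, nil, root)               // B
	leaf := mkCert("192.0.2.10", false, valid, net.ParseIP("192.0.2.10"), inter) // A
	expired := mkCert("Expired Intermediate CA", true, now.Add(-time.Minute), nil, root)
	leafExp := mkCert("192.0.2.10", false, valid, net.ParseIP("192.0.2.10"), expired)
	trusted, good := []*x509.Certificate{root.cert}, []*x509.Certificate{leaf.cert, inter.cert, root.cert}
	return map[string]bool{
		"A->B->C, host matches":       verifyChainInOrder(good, trusted, "192.0.2.10", now) == nil,
		"B->A->C, wrong order":        verifyChainInOrder([]*x509.Certificate{inter.cert, leaf.cert, root.cert}, trusted, "192.0.2.10", now) == nil,
		"root missing from TrustedCA": verifyChainInOrder(good, nil, "192.0.2.10", now) == nil,
		"expired intermediate":        verifyChainInOrder([]*x509.Certificate{leafExp.cert, expired.cert, root.cert}, trusted, "192.0.2.10", now) == nil,
		"requested host not in cert":  verifyChainInOrder(good, trusted, "other.example", now) == nil,
	}
}
```

Only the correctly ordered chain, anchored in the trusted store and requested by the address in the certificate, is accepted; every other scenario returns a descriptive error naming the failing element, which is the information the generic "Peer certificate rejected by ChainVerifier" message hides.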
Similar Messages
-
Iaik.security.ssl.SSLCertificateException - the mother of all errors
Hi,
We're experiencing this error:
Error occurred while connecting to the FTP server "whatever:whichever": iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
when connecting to the FTPS server.
What was done by the teams:
1) Every single certificate was checked, there is pretty much no way this is a certificate problem
2) Nothing was changed in the systems, this is an overnight error that kept persisting
3) We restarted both involved servers, this keeps on bugging us
4) No relevant traces are in SMICM, ST11, ST22, SM21, anywhere
5) NOTHING was changed on any of the two servers.
6) In addition, also the development PI server tries to connect to the same FTPS server and the same error appears.
This is an overnight problem that just didn't disappear whatever we did.
From my experience with this precise error, which I can say is now of more than a year, it kept popping up in our system and it was triggered by causes as varied as some FTP processes hanging on the FTPS server requiring a restart, to filling up the space on the server, a non-updated DNS cache on the PI server, you name it.
I'm really amazed at the number of times this error pops up in the CC monitor and the cause is everything else BUT a certificate issue.
Do you have any idea worth sharing on why this might happen out of the blue?
Best regards,
George
Hi George,
I have a similar issue here and have tried out all the possible options.
1) Imported certificate into Trusted CA's from a server where the connectivity is working fine.
2) Restarted the Java stack.
You Mentioned about FTPS server. Can you please confirm where else do we need to import the certificate? -
File Adapter FTPS: Error - iaik.security.ssl.SSLException
I'm trying to use FTPS to communicate from XI ( SP 15 ) . FTPS system Admin provided CA Certificate and we installed same in key Storage as trusted CAs.
However when I try to send file It was throwing message " Error: Message processing failed: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: illegal parameter " In the Adapter Monitoring .
However same Certificates installed on recent versions of XI ( PI 7.0) works just fine.
Any ideas will be appreciated.
Hi S T,
Check these..
Details for 'Is Web service security available?'
HTTPS Error
All the best!
cheers,
Prashanth
P.S Please mark helpful answers -
SAP PI 7.3 Peer certificate rejected by ChainVerifier
Hi
We upgraded the PI systems (Dev and Quality) from 7.0 to 7.3. Before the upgrade the HTTPS scenario was working fine. The important thing is we were not using any certificates to transfer files to our vendor. All the SOAP receiver adapters with HTTPS URLs are working fine in production. Production is still on PI 7.0.
After Basis upgraded the PI system to 7.3, when I send a message to the below URL with the SOAP receiver adapter I see the below error. This is not a web service interface.
https://staging.napa-ibiz.com/..........
The error is:
SOAP: error occured: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Adapter Framework caught exception: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Delivering the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier.
The strange part is, after the upgrade it is working fine with one vendor. The SOAP receiver adapter configuration is no different from the other scenarios.
We even restarted the JAVA engine, still no luck.
I didn't get an answer for my below questions:
1. When I'm not using any certificates to send files to my vendor, why/how do I see the above certificate-related error?
2. If it is really a certificate-related error, how am I able to successfully send to one vendor with a similar SOAP receiver configuration?
3. Why do I see this error only after the upgrade?
Can you please throw some light on this?
Thanks,
>When I'm not using any certificates to send files to my vendor, why/how do I see the above certificate-related error?
The URL shows that you are using https transport communication. So you might be sharing the certificate or anonymous SSL with different vendors. Please go to STRUST and see whether you have certificates in the keystore for the different vendors, as your production environment behaves differently from pre-production in terms of security.
>If it is really a certificate-related error, how am I able to successfully send to one vendor with a similar SOAP receiver configuration?
You might share the certificate correctly for one vendor and the keystore might not have it for the other vendors. This is nothing related to the SOAP receiver channel configuration. Certificates can be maintained either at Java stack level or at ABAP stack level.
>Why do I see this error only after the upgrade?
PI 7.1 and above are 64 bit OS products. There are plenty of changes in the installation and security standards. Talk to BASIS, -
Error PI 7.31 RFC-SOAP Certificate Rejected
Hi Experts,
I'm facing an error last days.
The scenario is, an interface was working fine in DEV, but in QAS stopped.
DEV and QAS has the same configuration, same endpoint, user, etc....
In QAS the error in PI 7.31 was:
com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
So, I saw the certificate and it was expired. The server updated the certificate.
And now DEV and QAS stopped working, and both return the message above in PI.
The certificate is a self-signed one, and according to the documentation there was no certificate installation in development.
The communication is an RFC to SOAP synchronous.
Using Proxy, and authentication.
The communication channel was not changed, and they don't have certificate authentication.
I requested the Basis team to install the certificate in NWA, but the view does not appear in the configuration in PI.
So... any idea what's my problem?
Thanks.
Hi,
Thanks all for the answers.
I already requested the installation of the certificate, but they don't appear in the configuration of the communication channel on PI:
the certificate installed:
Any idea? -
FTPS error: Peer Certificate Rejected by Chain Verifier
Hi,
This scenario is a File to File - Outbound Async Interface. Receiver is configured FTPS with mostly the default parameters.
However FTPS again haunted us with "Peer Certificate Rejected by Chain Verifier " error. We have configured one communication channel with FTPS and tested in DEV, QA clients and moved to production. The weird behavior is it works only certain time. Overall it works 50% of time ok and 50% of time failed with the above error.
We kept opened all ports on the firewall for outgoing messages.
We cannot understand the dual behavior. Appreciate any help to resolve this issue.
Dharmasiri Amith
Hi Amith,
The main reasons for this error follow:
1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in these two URLs:
Security Configuration at Message Level
http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
2. The server certificate chain contains an expired certificate. Check for it (that was the cause for other customers as well) and if it's the case renew it or extend the validation.
3. Some other customers have reported a similar problem and mainly the problem was that the certificate chain was not in the correct order. Basically the server certificate chain should be in the order Own->Intermediate->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by C which is the root CA (having a self-signed certificate), then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third step as the principal one.
As a resource, you may need to create a new SSL Server key.
The requirement from the SAP SSL client side is that the requested site has to have a certificate with CN equal to the requested site. I mean if I request URL X then the CN must be CN=X.
In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
In any other case the SSL communication will not work.
Regards,
Caio Cagnani -
** SOAP - Receiver CC - Sync - Error - certificate rejected by ChainVerifie
Hi Friends,
In our interface BPM - SOAP call (Sync), in the receiver SOAP CC, we are getting the below error.
SOAP: call failed: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
In the SOAP CC, we use HTTP protocol. In the target URL, it starts with https://...... and soapAction is mentioned.
Previously, this channel was working fine. No issues.
For testing, I copied and pasted the target URL in Internet Explorer; it did not ask for any certificate and I am able to execute the WSDL, i.e. call the soapAction, send the request and get the response.
Friends, could you tell me why the above error is coming now?
Kind regards,
Jegathees P.
Hi,
https service is running?
Check: SMICM -> Services
Also check with the named SAP note inside.
Cheers,
André
Edited by: André Schillack on Apr 28, 2010 5:37 PM -
ELM send SOAP distributor - SSLCertificateException: certificate rejected
Hi,
I try to configure the Swiss income tax scenario ELM via our PI 7.11. The sending step produces the failure: SOAP: call failed: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Usually I have to install the certificates from the https page, but I have already installed them (from the https side of the distributor: https://distributor.swissdec.ch/services/elm-pucs-puns/SalaryDeclaration/20051002 ). I still get this error.
Is anybody else transferring the ELM via PI and facing the same problem?
Thanks a lot,
Thomas
Hello,
The main reasons for why you are receiving this error can be checked below:
1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in these two URLs:
Security Configuration at Message Level
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/a9bb487e28674be10000000a421937/frameset.htm
2. The server certificate chain contains an expired certificate. Check for it (that was the cause for other customers as well) and if it's the case renew it or extend the validation.
3. Some other customers have reported a similar problem and mainly the problem was that the certificate chain was not in the correct order. Basically the server certificate chain should be in the order Own->Intermediate->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by C which is the root CA (having a self-signed certificate),
then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third step as the principal one.
4. If the end point of the SOAP call (server) is configured to accept a client certificate (mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within its validity period. (This certificate is the one which is sent to the server for client authentication)
As a resource, you may need to create a new SSL Server key.
The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site. I mean if I request URL X then the CN must be CN=X.
In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
In any other case the SSL communication will not work.
Hope that is useful for your case too!
Regards,
Caio Cagnani -
Server certificate rejected by ChainVerifier
Hi,
I have written a java program for connecting to an HTTPS URL and get the response from the site.
The HTTPS URL works well when I typed the URL in browser. But the same URL is failing while connecting using my program. I am getting the following exception while connecting to my HTTPS page "iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier"
I am attaching the code below for your reference.
import java.io.BufferedInputStream;
import java.io.BufferedWriter;
import java.io.FileInputStream;
import java.io.OutputStreamWriter;
import java.net.ConnectException;
import java.net.HttpURLConnection;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import iaik.security.provider.IAIK;
// SecureConnectionFactory, Utils, error(), url, user and password belong to the
// surrounding program and are not shown here

String s = new String();
s = "MyRequest=" + s;
IAIK.addAsJDK14Provider(true);
IAIK.addAsJDK14Provider();
KeyStore keystore = Utils.getJavaDefaultKeystore();
/* Giving "SUN version 1.5" as a provider */
System.out.println("keystore provider:" + keystore.getProvider());
// read the server certificate(s) from the file and add each one to the keystore
FileInputStream fis = new FileInputStream("mycertificatefile");
BufferedInputStream bis = new BufferedInputStream(fis);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate cert = null;
int n = 0;
while (bis.available() > 0) {
    cert = cf.generateCertificate(bis);
    // one alias per certificate; reusing the same alias would keep only the last one
    keystore.setCertificateEntry("service_ssl" + n++, cert);
}
bis.close();
SecureConnectionFactory secureconnectionfactory = new SecureConnectionFactory(keystore);
secureconnectionfactory.setIgnoreServerCertificate(false);
HttpURLConnection httpurlconnection = secureconnectionfactory.createURLConnection(url);
httpurlconnection.setRequestMethod("POST");
httpurlconnection.setDoOutput(true);
// request headers must be set before the connection is opened and the body is written
Utils.setBasicAuthenticationHeader(httpurlconnection, user, password);
try {
    httpurlconnection.connect();
} catch (ConnectException connectexception) {
    error("Connection timeout");
    System.exit(1);
} catch (Exception exception) {
    exception.printStackTrace();
    error("Connection exception");
    System.exit(1);
}
BufferedWriter bufferedwriter = new BufferedWriter(new OutputStreamWriter(httpurlconnection.getOutputStream()));
bufferedwriter.write(s, 0, s.length());
bufferedwriter.close();
int i = httpurlconnection.getResponseCode();
System.out.println("http Response Code = " + i);
If I pass the setIgnoreServerCertificate(true), then I am getting the following exception
java.io.IOException: Fatal SSL handshake error: java.lang.RuntimeException: Unable to create cipher AES/CBC/NoPadding: java.security.InvalidKeyException: Illegal key size
Thanks & Regards,
Santhosh.C
VS,
I am not sure, how far this will solve my problem. Let me try this. BTW, I have solved the issue on my own.
I generated keystore and truststore from the generated certificates and supplied the certificate as input to my program.
Here is the program for your reference.
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
// USER, PASSWORD, STATUS, FINAL_URL, TARGET_HTTPS_PORT and the java.net.URL values
// urlkeystore / urltruststore (locations of the generated JKS files) belong to the surrounding program

HttpClient client = new HttpClient();
client.getParams().setAuthenticationPreemptive(true);
Credentials defaultcreds = new UsernamePasswordCredentials(USER, PASSWORD);
client.getState().setCredentials(new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM), defaultcreds);
// register an https handler backed by our own keystore (client identity) and truststore (trusted CAs)
Protocol authhttps = new Protocol("HTTPS",
        (ProtocolSocketFactory) new AuthSSLProtocolSocketFactory(
                urlkeystore, PASSWORD,
                urltruststore, PASSWORD), TARGET_HTTPS_PORT);
Protocol.registerProtocol("https", authhttps);
PostMethod filePost = new PostMethod(FINAL_URL);
STATUS = client.executeMethod(filePost);
String responseString = filePost.getResponseBodyAsString();
if (responseString != null && responseString.length() > 0) {
    System.out.println("Response String : " + responseString);
}
filePost.releaseConnection();
Thanks & Regards,
Santhosh.C -
ERROR :IAIK REJECTED BY CERTICATE
Hi,
scenario rfc>soap (digitally sign and encrypt)
error: IAIK REJECTED BY CERTICATE
we are trying to test signing and encryption using SOAP 1.1 in a PI 7.11 system
we created a test interface, we checked the mapping, it is ok
I created a private certificate and generated a CA using service.sap.com/tcs and copied and pasted the response to the same txt file, which is PEM, and renamed it as crt
now, I loaded the crt file to the default Q in NWA as an X.509 certificate
I have selected only the sign option in the receiver agreement, activated and tested by triggering the RFC; error: iaik peer certificate rejected
Tried all possible ways:
1) tried with a custom view and the default view/no go
2) tried by putting the X.509 certificate in Trusted CA, as it is a test certificate generated from service.sap.com/tcs, no original CA
3) Restarted the Java engine, ICM, checked all settings like RFC etc.
4) Followed all the instructions from forums, blogs, wikis
Need step by step advice and help by a senior expert in the forum
Hi All,
We are having same issue with the FTPS in our SAP PI systems. On the Target FTP server side we are using the Proftpd software for the FTPS installed and configuration on port 990 and generated Certificate on FTP Server using Proftpd software.
In SAP PI server Communication Channel Configuration we use below FTP configuration.
FTP Connection Parameters.
Server : xxxxx
Port :990
Data Connection : Passive
Connection Security : FTPS (FTP Using SSL/TLS) for Control Connection
Command Order : AUTH TLS,USER,PASS,PBSZ,PROT
We are not using any [ ] X.509 Certificate for Client Authentication
The above parameter settings for FTPS are working fine without any issues; the CC polling process finishes successfully every 60 seconds as defined.
ISSUE
When we change the Connection Security to FTPS (FTP Using SSL/TLS) for Control and Data connection
and start the CC, it is getting errors "........ Certificate rejected by Chain Verifier".
We tried a couple of options in the Proftpd FTP client configuration file
with TLSRequired <on> <auth+data> but get the same error, but it works fine with the option
TLSRequired ctrl.
Please let us know your suggestions, whether we can continue with the Control Connection option, or any solution if we use Control and Data Connection.
Thanks in advance
Gary. -
SOAP Receiver via https - Error: Invalid SSL message, peer seems to be tal
Hi,
I have a SOAP Adapter that send a message to a HTTPS WebService.
I'm having the following error:
Message processing failed. Cause: com.sap.aii.af.ra.ms.api.RecoverableException: Invalid SSL message, peer seems to be talking plain!: iaik.security.ssl.SSLException: Invalid SSL message, peer seems to be talking plain!
If I check the URL via Internet Explorer it shows me a confirmation dialog with a security alert and asks me if I want to continue; then I can reach the WS without any problem (from IE).
I checked the steps of this PDF:
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
and all seems to be right.
Can anybody help me with this problem?
Thanks
Martin
Hello,
finally you run your request from your ERP System about your ICF.
To establish an SSL connection to the Web Service target system via an SAP WebAS and ICF, it is necessary to create a certificate on the client side via Internet Explorer using the target URL and import it in STRUST. Take the junction "SSL-Client (Anonym)" to include your certificate for your system.
Take a reboot of ICM Monitor.
Then create a HTTP Connection to the external server via SM59 (Type G).
Don't forget to configure the following points:
Under the menu tab Registration&Security:
- Registration Process: No Registration
- status of security protocols: active and ANONYM SSL-Client (Anonym)
In most cases, you don't need to edit your user data.
Mostly only then one can usually connect about SAP XI or PI to some servers with SSL method. -
Error "Invalid SSL message, peer seems to be talking plain" receiver SOAP
Hello All,
I have configured the AXIS as the receiver adapter, and sending an invoice over HTTPS protocol. The Call is a synchronous process where I get a response back from the service provider.
Getting the error message as below, the authentication is a simple user ID and password authentication. The same URL works well in Test environment but having this problem on deploying to production.
- <SAP:Error SOAP:mustUnderstand="1" xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
<SAP:Category>XIAdapterFramework</SAP:Category>
<SAP:Code area="MESSAGE">GENERAL</SAP:Code>
<SAP:P1 />
<SAP:P2 />
<SAP:P3 />
<SAP:P4 />
<SAP:AdditionalText>com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLException: Invalid SSL message, peer seems to be talking plain!</SAP:AdditionalText>
<SAP:Stack />
<SAP:Retry>M</SAP:Retry>
</SAP:Error>
Any suggestions where I should be checking the configuration.
Prashanth
Hi Glenn,
My scenario is a File-to-SOAP scenario, the receiver communication channel is a synchronous external web service call over the SOAP adapter.
Screen shots of the communication channel config are as below
[CC Parameters|http://yfrog.com/h0bx67j]
[CC Modules|http://yfrog.com/h025s5j]
--Prashanth -
SOAP: Invalid SSL message, peer seems to be talking plain!
Hi All,
we have configured a SOAP receiver adapter to send the message to an external third system from PI 7.11.
In the configuration we have imported the third party system certificate into NWA.
In the receiver agreement we have selected the adapter specific parameters.
after executing the scenario we are getting the following error in the Runtime Workbench.
*SOAP: call failed: iaik.security.ssl.SSLException: Invalid SSL message, peer seems to be talking plain!*
please let us know if we have missed any configuration.
thanks,
Lalitkumar.
Hi Rahul,
Actually the path provided by the third party is somewhat like this;
https://xyz.abc.com:443/TRSimpleAgent.Process:receive
let me rephrase the scenario
IDOC -> PI -> Soap.
The data which is flowing in the IDOC has to be mapped and an XML file has to be posted to the url which I have mentioned above.
The data has to be posted outside the landscape of the SAP Systems.
As of now we are able to get the file as an o/p of the receiver mail adapter. Now to post this file we have to ping the third party system using the SOAP receiver adapter. In the meanwhile we have configured the certificate which we got from them in our PI Java stack.
When we execute the scenario we are getting the following error
Message processing failed. Cause: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLException: Invalid SSL message, peer seems to be talking plain!
SOAP: call failed: iaik.security.ssl.SSLException: Invalid SSL message, peer seems to be talking plain!
please help us in the following to resolve the issue.
Thanks in Advance.
Lalitkumar. -
2-way SSL when WL7 is client; get "Required peer certificates not supplied by peer"
Background: WL7 is properly configured to use 2-way SSL, and works fine whenever it's acting as the Server; i.e., I have 2-way SSL working between a Web Browser and WL7, or between Tomcat and WL7. However, when trying to get 2-way SSL (mutual authentication) working between a WL7 server acting as a client and another server such as Tomcat, acting as the server, I get a "Required peer certificates not supplied by peer" error. The initial ServerHello handshake is fine; the problem arises when the Tomcat server, for example, then requests WL7 to serve up its client certificate. It's as if WL7 does not know where to locate its "client" certificate.
I had the same problem with Tomcat initially, where it would also not know how to locate its "client" certificate. I resolved the problem by setting the following system properties:
javax.net.ssl.keyStore=...
javax.net.ssl.keyStorePassword=...
javax.net.ssl.trustStore=...
javax.net.ssl.trustStorePassword=...
Are there analogous system properties I need to set on the WL7 side of things, as I noticed that WL7 seems to use its own proprietary version of JSSE API's?
How do I configure WL7 to locate its "client" certificate?
Thanks! Your help is greatly appreciated.
-Dan
Weblogic uses Certicom SSL implementation which has classes that conflict with JSSE classes. As a result opening SSL connection from WLS over JSSE or API like SOAPConnection that uses JSSE does not work as expected. The javax.net.ssl properties are not supported and there is no replacement for the default identity keystore property.
The best workaround I can think of in this case is to pass as the second parameter to SOAPConnection.call() method a URL instance created with a custom URLStreamHandler extending the weblogic.net.http.Handler. This handler can override the Handler.openConnection(URL) method and use the HttpsURLConnection.loadLocalIdentity method to initialize identity of the returned connection. For example:
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;

public class MyHandler extends weblogic.net.http.Handler {
    // client certificate chain and matching private key, loaded from a keystore elsewhere
    java.security.cert.Certificate[] certChain;
    java.security.PrivateKey privateKey;

    protected URLConnection openConnection(URL u) throws IOException {
        URLConnection c = super.openConnection(u);
        if (c instanceof weblogic.net.http.HttpsURLConnection) {
            // initialize ssl identity
            ((weblogic.net.http.HttpsURLConnection) c).loadLocalIdentity(certChain, privateKey);
        }
        return c;
    }
}
URL someHTTPSUrlEndpoint = new URL("https", "localhost", 7002, "myfile", new MyHandler());
replyMessage = con.call(someSOAPMessageInstance, someHTTPSUrlEndpoint);
Pavel.
"ddumitru" <[email protected]> wrote:
>
Thanks, Pavel, for replying,
I've been reading and re-reading that page for quite a while now. Unfortunately, the examples given are for when WL7 is acting as the "server" and not the "client"; i.e., when some other server, such as Tomcat, WebSphere, or Oracle 9iAS, reaches out to the WL7 instance first, or when one WL7 instance talks to another WL7 instance via JNDI.
In my case, my WL7 instance needs to initiate a Web Service call; i.e., needs to reach out to another server via a SAAJ (SOAP with Attachments) API call. My sending servlet uses the SAAJ (SOAP with attachments) API to make a Web Service call to another server, as follows:
SOAPConnectionFactory scf = SOAPConnectionFactory.newInstance();
SOAPConnection con = scf.createConnection();
SOAPMessage replyMessage = con.call(someSOAPMessageInstance, someHTTPSUrlEndpoint);
With the SAAJ API, as illustrated above, I don't see a direct way of configuring (using URLConnection, SSLContext, SSLSocketFactory, etc.) the SSL connection prior to making a call, as suggested in the link you mentioned. Also, the receiving server may implement its Web Services using a non-BEA application server that may not even use the J2EE platform. As such, I don't believe I can use the JNDI solution provided in that same link.
Again, I was able to make 2-way SSL (Mutual Authentication) connections between Tomcat and WL7 instances using the SAAJ API's when Tomcat was the client initiating the SAAJ call. In this scenario, Tomcat requested WL7 for its certificate, WL7 served it up, and Tomcat then verified it. Then, in turn, WL7 asked Tomcat for its certificate, Tomcat presented it, and WL7 was able to verify Tomcat's certificate.
I suppose I was able to make it all work under this scenario because I was able to configure Tomcat, which is using native JSSE API's, to locate its "client" certificate by setting the following system properties, as mentioned previously:
javax.net.ssl.keyStore=...
javax.net.ssl.keyStorePassword=...
javax.net.ssl.trustStore=...
javax.net.ssl.trustStorePassword=...
Based upon your feedback, I now understand that WL7 cannot be configured in a similar manner because WL7 uses its own version of the JSSE API's. Any ideas on what I might try next?
Thanks!
-Dan
"Pavel" <[email protected]> wrote:
WLS SSL API does not support any system properties for SSL identity. The client's identity has to be configured via methods of SSL API. The trust configuration of SSL client running on WL server and using WLS SSL API will be the same as of the WL server.
See http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1019570 for more information on this. "Writing Applications that Use SSL" contains code examples that use different SSL APIs to connect over two-way SSL.
Pavel.
-
Unexpected Exception Error :Netbeans remote project on dev using secure SSL
I created the remote project for the Dev environment to debug the workflow activity,
I can set the identity manager external instance for this dev environment; even while doing that I need to click the check box for secure connection, otherwise I get the error for connection.
Now when the connection is set, and I tried to start the debugger on dev, I am getting the unexpected exception error.
Is this error because the Dev environment is secure SSL? Can I still run the debugger on this dev environment?
Thanks,
Don't multipost and don't use the browser's back button to edit your posts as that creates multiple postings. I've removed the other thread you started with the same question.
Also, don't post to long dead threads. I've blocked your post and locked the thread you resurrected.
db