SAP PI 7.3 Peer certificate rejected by ChainVerifier

Hi
    We upgraded the PI systems (Dev and Quality) from 7.0 to v7.3. Before the upgrade the https scenario was working fine. The important thing is we were not using any certificates to transfer files to our vendor. All the SOAP receiver adapters with HTTPS URLs are working fine in production. Production is still on PI 7.0.
    After the basis upgrade of the PI system to v7.3, when I send a message to the below URL with the SOAP receiver adapter I see the below error. This is not a webservice interface.
https://staging.napa-ibiz.com/..........
The error is:
SOAP: error occured: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Adapter Framework caught exception: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Delivering the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier.
The strange part is, after the upgrade it is working fine with one vendor. The SOAP receiver adapter configuration is no different from other scenarios.
We even restarted the JAVA engine, still no luck.
I didn't get answers to my questions below:
1. When I'm not using any certificates to send files to my vendor, why/how do I see the above certificate-related error?
2. If it is really a certificate-related error, how am I able to successfully send to one vendor with a similar SOAP receiver configuration?
3. Why do I see this error only after the upgrade?
Can you please throw some light on this?
Thanks,

> When I'm not using any certificates to send files to my vendor, why/how I see the above certificates related error.
The URL shows that you are using https transport communication. So you might be sharing the certificate or anonymous SSL with different vendors. Please go to STRUST and see whether you have certificates in the keystore for the different vendors, as your production environment behaves differently from pre-production in terms of security.
> If it is really a certificate related error, how i'm able to successfully send to one vendor with the similar SOAP receiver configuration
You might share the certificate correctly for one vendor, and the keystore might not have it for the other vendors. This is nothing related to the SOAP receiver channel configuration. Certificates can be maintained at either the Java stack level or the ABAP stack.
> Why only after the upgrade i see this error?
PI 7.1 and above are 64 bit OS products. There are plenty of changes in the installation and security standards. Talk to BASIS.

Similar Messages

  • Error:iaik.security.ssl.SSLCertificateException: Peer certificate rejected

    Hi,
    I am getting error com.sap.engine.interfaces.messaging.api.exception.MessagingException:
    iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    When I test for digital signing and encryption using the SOAP receiver CC.
    We passed all the values for the SOAP CC.
    I created a key store view, and in that view I generated a private certificate and generated a CSR using SAP CA (test SSL for 8 weeks) for the private key, and also imported the public key for encryption given by the receiver.
    When I test I get the error message.
    I checked the certificates' validity dates.
    I restarted the Java engine and ICM.
    I added the public key in trusted CA in NWA.
    I re-created the view and added the certificates.
    Still the same error.
    How and where do I check IAIK in NWA, and how do I deploy it in the Java engine using NWA? We are using PI 7.11 (no VA).
    any suggestions?

    Hi,
    The main causes for this kind of problem are:
    1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:
    Security Configuration at Message Level
    http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
    2. The server certificate chain contains expired certificate. Check for it and if it's the case renew it or extend the validation.
    3. The certificate chain was not in correct order. Basically the server certificate chain should be in order Own->Intermediate->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by the C which is the root CA (having a self signed certificate).
    Then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificate in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again.
    4. If the end point of the SOAP call (server) is configured to accept a client certificate (mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within validity period.
    (This certificate is the one which is sent to Server for Client authentication)
    As a resource, you may need to create a new SSL Server key.
    The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site.  I mean if I request URL X then the CN must be CN=X.
    In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
    Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
    In any other case the SSL communication will not work.
    Regards,
    Caio Cagnani
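The checks listed in the answer above (chain order own -> intermediate -> root, validity of every certificate in the chain, CN equal to the requested host), written out as an added example that is not part of the original thread and is not SAP or IAIK code. The `Cert` record, the finding codes, the host name and the sample chain are constructed for illustration; the exact-CN comparison follows the rule as stated in the answer, not the IAIK library's actual implementation.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Fields read from one certificate (constructed stand-in for a parsed X.509 cert)."""
    subject_cn: str
    issuer_cn: str
    not_before: datetime
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject_cn == self.issuer_cn


def expected_order(chain):
    """Return the chain sorted own -> intermediate -> root, or None if it cannot be linked."""
    by_subject = {c.subject_cn: c for c in chain}
    issuers = {c.issuer_cn for c in chain if not c.self_signed}
    # The server's own certificate is the only one that issued nothing else in the chain.
    leaves = [c for c in chain if c.subject_cn not in issuers]
    if len(leaves) != 1:
        return None
    ordered, current = [leaves[0]], leaves[0]
    while not current.self_signed:
        current = by_subject.get(current.issuer_cn)
        if current is None or current in ordered:
            return None  # issuer missing from the chain, or a loop
        ordered.append(current)
    return ordered if len(ordered) == len(chain) else None


def diagnose(chain, host, now):
    """Return finding codes for the causes named in the answer; empty list means none found."""
    if not chain:
        return ["EMPTY_CHAIN"]
    findings = []
    ordered = expected_order(chain)
    if ordered is None:
        findings.append("BROKEN_CHAIN")
    elif ordered != list(chain):
        findings.append("WRONG_ORDER")      # e.g. B, A, C instead of A, B, C
    for c in chain:                          # one expired element is enough to fail
        if now < c.not_before:
            findings.append(f"NOT_YET_VALID:{c.subject_cn}")
        elif now > c.not_after:
            findings.append(f"EXPIRED:{c.subject_cn}")
    own = ordered[0] if ordered else chain[0]
    # Rule as stated in the answer: CN must equal the host (name or IP) in the URL.
    if own.subject_cn.lower() != host.lower():
        findings.append("CN_MISMATCH")
    return findings


def _utc(year):
    return datetime(year, 1, 1, tzinfo=timezone.utc)


# Constructed sample chain: A (server) issued by B (intermediate) issued by C (root).
ROOT = Cert("Example Root CA", "Example Root CA", _utc(2015), _utc(2035))
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", _utc(2020), _utc(2030))
LEAF = Cert("partner.example.com", "Example Intermediate CA", _utc(2023), _utc(2025))
EXPIRED_INTERMEDIATE = replace(INTERMEDIATE, not_after=_utc(2023))
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    cases = {
        "correct order": [LEAF, INTERMEDIATE, ROOT],
        "B, A, C": [INTERMEDIATE, LEAF, ROOT],
        "expired intermediate": [LEAF, EXPIRED_INTERMEDIATE, ROOT],
        "intermediate missing": [LEAF, ROOT],
    }
    for name, chain in cases.items():
        print(f"{name}: {diagnose(chain, 'partner.example.com', NOW) or 'no findings'}")
    # Same server addressed by IP while the certificate carries the host name.
    print("by IP:", diagnose([LEAF, INTERMEDIATE, ROOT], "192.0.2.10", NOW))
```
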

  • FTPS error: Peer Certificate Rejected by Chain Verifier

    Hi,
    This scenario is a File to File - Outbound Async Interface. Receiver is configured FTPS with mostly the default parameters.
    However FTPS again haunted us with "Peer Certificate Rejected by Chain Verifier  " error.  We have configured one communication channel with FTPS and tested in DEV, QA clients and moved to production. The weird behavior is it works only certain time. Overall it works 50% of time ok and 50% of time failed with the above error.
    We kept opened all ports on the firewall for outgoing messages.
    We cannot understand the dual behavior. Appreciate any help to resolve this issue.
    Dharmasiri Amith

    Hi Amith,
    The main reasons for this error follows:
    1. The correct server certificate could not be present in the TrustedCA
    keystore view of NWA. Please ensure you have done all the steps
    described in these two URLs:
    Security Configuration at Message Level
    http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
    2. The server certificate chain contains expired certificate. Check for
    it (that was the cause for other customers as well) and if it's the case
    renew it or extend the validation.
    3. Some other customers have reported similar problem and mainly the
    problem was that the certificate chain was not in correct
    order. Basically the server certificate chain should be in order
    Own->Intermediate->Root. To explain in detail, if your server certificate
    is A which is issued by an intermediate CA B and then B's certificate is
    issued by the C which is the root CA (having a self signed certificate).
    Then your certificate chain contains 3 elements A->B->C. So you need to
    have the right order of certificate in the chain. If the order is B
    first followed by A followed by C, then the IAIK library used by PI
    cannot verify the server as trusted. Please generate the certificate in
    the right order and then import this certificate in the TrustedCA
    keystore view and try again. Please take this third steps as the
    principal one.
    As a resource, you may need to create a new SSL Server key.
    The requirement from SAP SSL client side is that the requested site has
    to have certificate with CN equal to the requested site.  I mean if I
    request URL X then the CN must be CN=X.
    In other words, the CN of the certificate has to be equal to the URL in
    the ftp request. This can be the IP address or the full name of the
    host.
    Request the url with the IP of the SSL Server and the certificate to be
    with CN = IP of the server.
    In any other case the SSL communication will not work.
    Regards,
    Caio Cagnani

  • Server certificate rejected by ChainVerifier

    Hi,
    I have written a java program for connecting to an HTTPS URL and get the response from the site.
    The HTTPS URL works well when I typed the URL in browser. But the same URL is failing while connecting using my program. I am getting the following exception while connecting to my HTTPS page "iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier"
    I am attaching the code below for your reference.
            String s = new String();
            s = "MyRequest=" + s;
            // Register IAIK as security provider
            IAIK.addAsJDK14Provider(true);
            IAIK.addAsJDK14Provider();
            KeyStore keystore = Utils.getJavaDefaultKeystore();
            /* Giving "SUN version 1.5" as a provider */
            System.out.println("keystore provider:"+keystore.getProvider());
            // Read the certificate file and store the certificate as a trusted entry
            FileInputStream fis = new FileInputStream("mycertificatefile");
            BufferedInputStream bis = new BufferedInputStream(fis);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            Certificate cert = null;
            while (bis.available() > 0) {
                cert = cf.generateCertificate(bis);
            }
            keystore.setCertificateEntry("service_ssl", cert);
            // Open the HTTPS connection with server certificate checking enabled
            SecureConnectionFactory secureconnectionfactory = new SecureConnectionFactory(keystore);
            secureconnectionfactory.setIgnoreServerCertificate(false);
            HttpURLConnection httpurlconnection = secureconnectionfactory.createURLConnection(url);
            httpurlconnection.setRequestMethod("POST");
            BufferedWriter bufferedwriter = new BufferedWriter(new OutputStreamWriter(httpurlconnection.getOutputStream()));
            bufferedwriter.write(s, 0, s.length());
            bufferedwriter.close();
            Utils.setBasicAuthenticationHeader(httpurlconnection, user, password);
            try {
                httpurlconnection.connect();
            } catch (ConnectException connectexception) {
                error("Connection timeout");
                System.exit(1);
            } catch (Exception exception) {
                exception.printStackTrace();
                error("Connection exception");
                System.exit(1);
            }
            int i = httpurlconnection.getResponseCode();
            System.out.println("http Response Code = " + i);
    If I pass the setIgnoreServerCertificate(true), then I am getting the following exception
    java.io.IOException: Fatal SSL handshake error: java.lang.RuntimeException: Unable to create cipher AES/CBC/NoPadding: java.security.InvalidKeyException: Illegal key size
    Thanks & Regards,
    Santhosh.C

    VS,
    I am not sure, how far this will solve my problem. Let me try this. BTW, I have solved the issue on my own.
    I generated keystore and truststore from the generated certificates and supplied the certificate as input to my program.
    Here is the program for your reference.
            HttpClient client = new HttpClient();
            client.getParams().setAuthenticationPreemptive(true);
            Credentials defaultcreds = new UsernamePasswordCredentials(USER, PASSWORD);
            client.getState().setCredentials(new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM), defaultcreds);
            Protocol authhttps = new Protocol("HTTPS",
                    (ProtocolSocketFactory) new AuthSSLProtocolSocketFactory(
                            urlkeystore, PASSWORD,
                            urltruststore, PASSWORD), TARGET_HTTPS_PORT);
            Protocol.registerProtocol("https", authhttps);
            PostMethod filePost = new PostMethod(FINAL_URL);
            STATUS = client.executeMethod(filePost);
            String responseString = filePost.getResponseBodyAsString();
            if (responseString != null && responseString.length() > 0)
                System.out.println("Response String : " + responseString);
    Thanks & Regards,
    Santhosh.C

  • ** SOAP - Receiver CC - Sync - Error - certificate rejected by ChainVerifie

    Hi Friends,
    In our interface BPM - SOAP call (Sync), in the receiver SOAP CC, we are getting the below error. 
    SOAP: call failed: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    In the SOAP CC, we use HTTP protocol.  In the target URL, it starts with https://...... and soapAction is mentioned.
    Previously, this channel was working fine. No issues.
    For testing, I copied and pasted the target URL in Internet Explorer; it did not ask for any certificate, and I am able to execute the wsdl, i.e. call the soapAction - sent the request and got the response.
    Friends, could you tell me why the above error is coming now ?
    Kind regards,
    Jegathees P.

    Hi,
    Is the https service running?
    Check: SMICM -> Services
    Also check with the named SAP note inside.
    Cheers,
    André
    Edited by: André Schillack on Apr 28, 2010 5:37 PM

  • Error PI 7.31 RFC-SOAP Certificate Rejected

    Hi Experts,
    I've been facing an error for the last few days.
    The scenario is: an interface was working fine in DEV, but stopped in QAS.
    DEV and QAS have the same configuration, same endpoint, user, etc.
    In QAS the error in PI 7.31 was:
    com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    So, I looked at the certificate and it was expired. The server updated the certificate.
    And now DEV and QAS stopped working, and both return the message above in PI.
    The certificate is auto-signed, and according to the documentation there was no certificate installation in development.
    The communication is an RFC to SOAP synchronous.
    Using Proxy, and authentication.
    The communication channel was not changed, and they don't have certificate authentication.
    I requested the basis team to install the certificate in NWA, but the view does not appear in the configuration in PI.
    So... any idea what's my problem?
    Thanks.

    Hi,
    Thanks all for the answers.
    I already requested the installation of the certificate, but it doesn't appear in the configuration of the communication channel on PI:
    the certificate installed:
    Any idea?

  • ELM send SOAP distributor - SSLCertificateException: certificate rejected

    Hi,
    I am trying to configure the Swiss income tax scenario ELM via our PI 7.11. The sending step produces the failure: SOAP: call failed: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    Usually I have to install the certificates from the https page, but I have already installed them (from the https site of the distributor: https://distributor.swissdec.ch/services/elm-pucs-puns/SalaryDeclaration/20051002 ). I still get this error.
    Is anybody else transferring the ELM via PI and facing the same problem?
    Thanks a lot,
    Thomas

    Hello,
    The main reasons for why you are receiving this error can be checked below:
    1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in these two URLs:
    Security Configuration at Message Level
    http://help.sap.com/saphelp_nwpi711/helpdata/en/48/a9bb487e28674be10000000a421937/frameset.htm
    2. The server certificate chain contains expired certificate. Check for it (that was the cause for other customers as well) and if it's the case renew it or extend the validation.
    3. Some other customers have reported similar problem and mainly the problem was that the certificate chain was not in correct order. Basically the server certificate chain should be in order Own->Intermediate->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by the C which is the root CA (having a self signed certificate).
    Then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificate in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third steps as the principal one.
    4. If the end point of the SOAP Call(Server) is configured to accept a client certificate(mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within validity period. (This certificate is the one which is sent to Server for Client authentication)
    As a resource, you may need to create a new SSL Server key.
    The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site.  I mean if I request URL X then the CN must be CN=X.
    In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
    Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
    In any other case the SSL communication will not work.
    Hope that is useful for your case too!
    Regards,
    Caio Cagnani

  • Client Certificate Rejected, repeatedly +with great vigor

    Hi all --
    Perhaps you can give me a hand. I recently got a new Macbook Pro -- my first new CPU since the ole' clamshell back in 2001. Very happy with it as a whole but also finding that I am a bit behind the times in terms of my understanding of the software. Here is the problem: Yesterday I tried to access a page using Safari (2.0.3) from my history. I do not believe that it was a secure page as it was part of the dartmouth.edu website but it may have been. Anyway, a dialogue box popped up asking for me to use FileVaultMaster keychain. I did not know that I had such a thing but I typed in my master password. The page still did not open, but Safari displayed a text box saying that there was an error -- this particular error, in fact:
    <begin quote>
    The error was: “client certificate rejected” (NSURLErrorDomain:-1205) Please choose Report Bug to Apple from the Safari menu, note the error number, and describe what you did before you saw this message
    <end of quote>
    Now, when I try to access the basic Dartmouth homepage of http://www.dartmouth.edu, Safari converts it automatically to https://www.dartmouth.edu and asks for the keychain and then displays the error. I tried emptying the cache and resetting Safari (and even restarting the computer, although I understand that that is no longer necessary with OS X) but to no avail. Can anyone clue me in as to what is happening, and why?
    Thanks much in advance,
    -Sparco03
    MacBook Pro   Mac OS X (10.4.5)  

    I emailed [email protected] about this problem and here is the response. The solution of getting a valid Dartmouth certificate doesn't apply to non Dartmouth users, so I'm not sure what to do in that case.
    "You need to check your Keychain. The reason you are getting that error is because Safari is sending a Client Certificate back to the web server (which asked for it), but the web server can't verify that it's a good certificate. This usually happens when you have an expired certificate, or you have a non-Dartmouth certificate that Safari is likely sending because it can't find a Dartmouth one."
    "Whichever of these is the case, the solution is to get a valid Dartmouth certificate, which you can generate by going to https://collegeca.dartmouth.edu/ and following the directions on the web page. If you have an expired Dartmouth cert, you will need to delete that before you import your new, valid certificate."
    "The reason all of this is happening is specific to Intel Macs. The mechanism that Dartmouth has used, better than 7+ years, to authenticate browser users to web site (Kerberos) uses the SideCar helper application. This application doesn't run on Intel Macs, and it most likely never will. Fortunately, Dartmouth installed client certificates as an additional/alternate solution for web site authentication a few years ago. Since client certs work great on Intel Macs, we had to force Intel Macs to always use HTTPS when connecting to any site on www.dartmouth.edu. That way we can always be able to ask for your client cert, so that we don't break your ability to access protected sites that live on the www.dartmouth.edu server."

  • 2-way SSL when WL7 is client; get "Required peer certificates not supplied by peer"

    Background: WL7 is properly configured to use 2-way SSL, and works fine whenever
    it's acting as the Server; i.e., I have 2-way SSL working between a Web Browser
    and WL7, or between Tomcat and WL7. However, when trying to get 2-way SSL (mutual
    authentication) working between a WL7 server acting as a client and another server
    such as Tomcat, acting as the server, I get a "Required peer certificates not
    supplied by peer" error. The initial ServerHello handshake is fine; the problem
    arises when the Tomcat server, for example, then requests WL7 to serve up its
    client certificate. It's as if WL7 does not know where to locate its "client"
    certificate.
    I had the same problem with Tomcat initially, where it would also not know how
    to locate its "client" certificate. I resolved the problem by setting the following
    system properties:
    javax.net.ssl.keyStore=...
    javax.net.ssl.keyStorePassword=...
    javax.net.ssl.trustStore=...
    javax.net.ssl.trustStorePassword=...
    Are there analogous system properties I need to set on the WL7 side of things,
    as I noticed that WL7 seems to use its own proprietary version of JSSE API's?
    How do I configure WL7 to locate its "client" certificate?
    Thanks! Your help is greatly appreciated.
    -Dan

    Weblogic uses Certicom SSL implementation which has classes that conflict with
    JSSE classes. As a result opening SSL connection from WLS over JSSE or API like
    SOAPConnection that uses JSSE does not work as expected. The javax.net.ssl properties
    are not supported and there is no replacement for the default identity keystore
    property.
    The best workaround I can think of in this case is to pass as the second parameter
    to SOAPConnection.call() method a URL instance created with a custom URLStreamHandler
    extending the weblogic.net.http.Handler. This handler can override the Handler.openConnection(URL)
    method and use the HttpsURLConnection.loadLocalIdentity method to initialize identity
    of the returned connection. For example:
    public class MyHandler extends weblogic.net.http.Handler {
        protected URLConnection openConnection(URL u) throws IOException {
            // Let the WebLogic handler create the connection for this URL
            URLConnection c = super.openConnection(u);
            if (c instanceof weblogic.net.http.HttpsURLConnection) {
                // initialize ssl identity (certChain and privateKey are loaded by the caller)
                ((weblogic.net.http.HttpsURLConnection) c).loadLocalIdentity(certChain, privateKey);
            }
            return c;
        }
    }
    URL someHTTPSUrlEndpoint = new URL("https", "localhost", 7002, "myfile", new MyHandler());
    replyMessage = con.call(someSOAPMessageInstance, someHTTPSUrlEndpoint);
    Pavel.
    "ddumitru" <[email protected]> wrote:
    Thanks, Pavel, for replying,
    I've been reading and re-reading that page for quite a while now. Unfortunately, the examples given are for when WL7 is acting as the "server" and not the "client"; i.e., when some other server, such as Tomcat, WebSphere, or Oracle 9IAS, reaches out to the WL7 instance first, or when one WL7 instance talks to another WL7 instance via JNDI.
    In my case, my WL7 instance needs to initiate a Web Service call; i.e., needs to reach out to another server via a SAAJ (SOAP with Attachments) API call. My sending servlet uses the SAAJ (SOAP with attachments) API to make a Web Service call to another server, as follows:
    SOAPConnectionFactory scf = SOAPConnectionFactory.newInstance();
    SOAPConnection con = scf.createConnection();
    SOAPMessage replyMessage = con.call(someSOAPMessageInstance, someHTTPSUrlEndpoint);
    With the SAAJ API, as illustrated above, I don't see a direct way of configuring (using URLConnection, SSLContext, SSLSocketFactory, etc.) the SSL connection prior to making a call, as suggested in the link you mentioned. Also, the receiving server may implement its Web Services using a non-BEA application server that may not even use the J2EE platform. As such, I don't believe I can use the JNDI solution provided in that same link.
    Again, I was able to make 2-way SSL (Mutual Authentication) connections between Tomcat and WL7 instances using the SAAJ API's when Tomcat was the client initiating the SAAJ call. In this scenario, Tomcat requested WL7 for its certificate, WL7 served it up, and Tomcat then verified it. Then, in turn, WL7 asked Tomcat for its certificate, Tomcat presented it, and WL7 was able to verify Tomcat's certificate.
    I suppose I was able to make it all work under this scenario because I was able to configure Tomcat, which is using native JSSE API's, to locate its "client" certificate by setting the following system properties, as mentioned previously:
    javax.net.ssl.keyStore=...
    javax.net.ssl.keyStorePassword=...
    javax.net.ssl.trustStore=...
    javax.net.ssl.trustStorePassword=...
    Based upon your feedback, I now understand that WL7 cannot be configured in a similar manner because WL7 uses its own version of the JSSE API's. Any ideas on what I might try next?
    Thanks!
    -Dan
    "Pavel" <[email protected]> wrote:
    WLS SSL API does not support any system properties for SSL identity. The client's identity has to be configured via methods of SSL API. The trust configuration of SSL client running on WL server and using WLS SSL API will be the same as of the WL server.
    See http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1019570 for more information on this. "Writing Applications that Use SSL" contains code examples that use different SSL APIs to connect over two-way SSL.
    Pavel.

  • Sap content server - error sending certificate - HTTPIO_PLG_NO_MPI_INIT

    Hello all,
    we have installed the SAP content server and created a new repository which has the status running.
    Now when we go to OAC0 and the send certificate button, we get an error message:
    Error in HTTP Access: IF_HTTP_CLIENT->RECEIVE 1 HTTPIO_PLG_NO_MPI_INIT
    Message no. CMS166
    Why can I not send the certificate?
    Thanks
    Anne

    What I mean is you need a user that has both local machine administration rights and local domain administration rights. This is due to the fact that it installs some web components that require domain admin. If you don't install with this, it's likely you will be able to test the connection fine but receive errors when trying to send the certificate. This issue cannot be resolved after the installation, i.e. if you install with the incorrect admin rights and then adjust these afterwards, it will still not work, and the only solution is to reinstall with the correct rights.

  • SAP Web Dispatcher Configuration (SSL, certificates)

    Hi all,
    We're trying to configure the SAP Web Dispatcher for the use of SSL (terminated) and client authentication using X.509 certificates. All works (almost) fine. However, there's some strange behavior that I cannot explain.
    The following access points have been specified in the profile:
    Description of the Access Points
    icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
    icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
    icm/HTTPS/verify_client = 2
    Basically we only need users to access the web dispatcher using SSL. However, when I remove the line: icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
    The Web Dispatcher returns an error upon accessing it using HTTPS:
    Dispatching Error
    Error: -26
    Version: 6040
    Component: HTTP_ROUTE
    Date/Time: Tue Mar 14 07:19:38 2006 
    Module: http_route.c
    Line: 2383
    Server: sapvm1_DVS_26
    Detail: no valid destination server available for '!ALL' rc=13
    Any help would be highly appreciated. Thanks!
    Frodo

    Hi KS,
    Maybe you were right after all. I found a nice how-to on service.sap.com (https://websmp203.sap-ag.de/~form/sapnet?_SHORTKEY=00200797470000073632&_SCENARIO=01100035870000000202) and it seems you do have to add the HTTP server_port parameter in case SSL is being terminated (no re-encryption).
    icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
    icm/server_port_1 = PROT=HTTP, PORT=0, TIMEOUT=15
    However, the trick is to set the port to zero (0), that way you can still only access the Web Dispatcher via HTTPS.
    All is working now.
    Frodo

  • Restart of SAP after Renewal of SNC certificates

    Hi All,
    Can somebody help me with the question below?
    After renewal of SNC certificates, do we really require a restart of SAP (CI & App servers), or is there any other way, via an online activity, to do this without restarting (no downtime)?
    Thanks
    Raj

    Hello,
    If you use the CommonCryptoLib or Secure Login Library 2.0 as SNC library on the server and you manage your PSEs with STRUST, you do not have to restart the server for a PSE update.
    best regards
    Alexander Gimbel

  • A2200220: Peer Certificate expired

    Hello All,
    The end user is getting the error mentioned above. Does anybody know the exact problem? Which certificate has expired here? I have checked every certificate, none is expired.
    Kind Regards
    MAD

    Hello Manna,
    A2200200 means that the server's SNC certificate is expired from the client's perspective, which can be either not valid yet or not valid anymore.
    In your case, either the client side clock is out of sync, or your old Secure Login Library 1.0 was not able to successfully verify a certificate chain with PKIX trust model (i.e. correct calculation of overlapping validities of server and issuer certificate).
    There have been several fixes in CommonCryptoLib or Secure Login Library 2.0 that are not part of the outdated Secure Login Library 1.0. So moving to the latest patch version is a good approach.
    It's even recommended to move from a stand-alone SLL to CCL.
    -- Stephan

  • Calling web-service from non-SAP client

    Hi,
    Could anyone here help me with the code with which we can call the non-SAP service in java from a java client.
    I have the wsdl and service deployed on the server.
    Regards,
    Manoj

    Hi Eduardo,
    We are trying to consume a non-SAP webservice (https based) which uses a certificate issued by the non-SAP web service provider for authentication.
    We tried consuming the web service using the Web Dynpro Java's Adaptive WebService Model method. We configured the Logical Destinations with X.509 client certificate authentication and have added the certificate to the WebServicesSecurity keystore.
    However, when we run the application, we get the 'Peer certificate rejected by ChainVerifier' error.
    Could you guide us on how to resolve the same? If possible, would you also provide the step-by-step details of how to create the EJB application that you did to achieve this?
    Any help is greatly appreciated.
    Thanks.
    Melwyn.

  • SOAP Receiver with HTTPS(without certificate)

    Hi experts
    The receiver system is not using any certificate. Without a certificate, how can PI send a message through HTTPS using SOAP?
    How do I choose the HTTPS transport protocol? (Here the target URL has https://.....)
    Here I am using PI 7.1 EHP1.
    I configured the receiver SOAP CC as:
    Transport protocol as HTTP
    Target URL https://api-demo.e-xact.com/transaction
    Will it work? If not, how do I enable HTTPS in the SOAP receiver?
    But I am getting the below error in the adapter:
    Adapter Framework caught exception: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    Thank you
    Srini

    Hi Srini,
    The main reasons for this error "Peer certificate rejected..." appearing are the following:
    1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:
    Security Configuration at Message Level
    http://help.sap.com/saphelp_nwpi711/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
    2. The server certificate chain contains an expired certificate. Check for it (that was the cause for other customers as well) and if it's the case renew it or extend the validation.
    3. Some other customers have reported a similar problem, and mainly the problem was that the certificate chain was not in the correct order. Basically the server certificate chain should be in the order Own->Intermediate->Root. To explain in detail: your server certificate is A, which is issued by an intermediate CA B, and B's certificate is issued by C, which is the root CA (having a self-signed certificate).
    Then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third step as the principal one.
    4. If the end point of the SOAP Call(Server) is configured to accept a client certificate(mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within validity period.
    (This certificate is the one which is sent to Server for Client authentication)
    As a resource, you may need to create a new SSL Server key.
    The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site.  I mean if I request URL X then the CN must be CN=X.
    In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
    Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
    In any other case the SSL communication will not work.
    Regards,
    Caio
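
The checks listed in the reply above (chain order Own->Intermediate->Root, validity window of each certificate, CN equal to the requested host), as an added example that is not part of the original post. It models certificates as plain records instead of parsing X.509; the `Cert` class, the function names and the sample chain are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:                      # hypothetical record: only the fields the checks need
    subject_cn: str
    issuer_cn: str
    not_before: datetime
    not_after: datetime

def order_chain(certs):
    """Return certs sorted own -> intermediate -> root; ValueError if a link is missing."""
    by_subject = {c.subject_cn: c for c in certs}
    issuers = {c.issuer_cn for c in certs if c.issuer_cn != c.subject_cn}
    leaves = [c for c in certs if c.subject_cn not in issuers]
    if len(leaves) != 1:
        raise ValueError("no single end-entity certificate found")
    ordered = [leaves[0]]
    while ordered[-1].issuer_cn != ordered[-1].subject_cn:   # stop at self-signed root
        issuer = by_subject.get(ordered[-1].issuer_cn)
        if issuer is None or issuer in ordered:
            raise ValueError(f"issuer of {ordered[-1].subject_cn!r} is not in the chain")
        ordered.append(issuer)
    return ordered

def diagnose(certs, host, now):
    """List the reasons from the post for which this chain would be rejected."""
    try:
        ordered = order_chain(certs)
    except ValueError as exc:
        return [f"incomplete chain: {exc}"]
    findings = []
    if ordered != list(certs):
        findings.append("wrong order: " + "->".join(c.subject_cn for c in certs))
    for c in ordered:
        if now < c.not_before:
            findings.append(f"{c.subject_cn}: not valid yet")
        elif now > c.not_after:
            findings.append(f"{c.subject_cn}: expired")
    if ordered[0].subject_cn.lower() != host.lower():        # exact CN match only
        findings.append(f"CN {ordered[0].subject_cn!r} != host {host!r}")
    return findings

def jan1(year):
    return datetime(year, 1, 1, tzinfo=timezone.utc)

# Constructed sample chain A -> B -> C (names and dates are made up).
A = Cert("partner.example", "Example Issuing CA", jan1(2023), jan1(2025))
B = Cert("Example Issuing CA", "Example Root CA", jan1(2020), jan1(2030))
C = Cert("Example Root CA", "Example Root CA", jan1(2015), jan1(2035))
NOW = jan1(2024)
```

`diagnose([B, A, C], "partner.example", NOW)` reports the B->A->C ordering from the reply, and `order_chain` returns the sequence to re-export before importing into the keystore.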
