SOAP Receiver over SSL - server certificate troubles

Hello all,
I have a scenario with a SOAP receiver communication channel communicating over SSL. In the URL there is an IP address, for a reason I will not mention ... simply, there must be an IP address in the URL and not a host name.
When I access the SOAP server with an internet browser it gives me a server certificate with a HOST NAME in the CN. I placed this certificate in the "trusted container" in J2EE VisAdmin - Key Storage.
Now you might already suspect the trouble: the certificate CN doesn't match the URL. This is an obvious error we have got many times on the internet (even in the e-banking sector), but we are able to skip it with our internet browsers' possibilities.
Could I set up something in the J2EE server the same as in an internet browser???
Thank you in advance.
Rgds
Tom

Got it,
SAP Note : 791655
HTTPS/SSL Properties
Property Name = [default]
messaging.ssl.httpsHandler=iaik.protocol.https.Handler
messaging.ssl.securityProvider=iaik.security.provider.IAIK
messaging.ssl.trustedCACerts.viewName=TrustedCAs
messaging.ssl.serverNameCheck=false
Description:
The properties "httpsHandler" and "securityProvider" specify the class names of the HTTPS handler and Security provider used. The AF only supports IAIK. Never change these values! To activate HTTP/SSL, you must install the IAIK libraries on your J2EE Engine as described in the Installation Guide.
The property "trustedCACerts.viewName" defines which J2EE keystore is used during the SSL Handshake for trusted CA certificates. You should never change this value either. With "serverNameCheck" you can specify whether the host name in outbound HTTPS requests should be checked against the host name in the certificate of the server.
Regards,
Bhavesh
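Tom's mismatch (IP literal in the URL, host name in the certificate) and the check that serverNameCheck switches off can be walked through without a J2EE engine. The Python below is an added example written for this page, not SAP, IAIK or Bhavesh's code: it matches a URL host against a certificate in the dict shape Python's ssl.getpeercert() returns, using constructed certificates and RFC 5737 addresses, and shows that the fix which keeps the check on is a certificate carrying the address as an iPAddress subjectAltName.

```python
"""Host-name check of a server certificate, the decision that the SAP
property messaging.ssl.serverNameCheck switches on or off.

Added example, not code from the thread, SAP or IAIK. The certificates are
constructed dicts in the shape Python's ssl.SSLSocket.getpeercert() returns,
so it runs offline. Host names and addresses are made up (RFC 5737 range).
"""
import ipaddress


def _dns_match(pattern, hostname):
    """Case-insensitive dNSName match. A leading '*.' may stand for exactly
    one left-most label (RFC 6125 section 6.4.3); no other wildcards."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    head, sep, rest = hostname.partition(".")
    return sep == "." and head != "" and "." + rest == pattern[1:]


def _parse_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def host_matches_certificate(cert, host):
    """Return (ok, reason) for the host part of a URL against a certificate.

    cert: {'subject': ((('commonName', 'name'),),),
           'subjectAltName': (('DNS', 'name'), ('IP Address', '192.0.2.10'))}
    """
    host = host.strip("[]")  # IPv6 literals appear bracketed in URLs
    san = cert.get("subjectAltName", ())
    dns_ids = [v for k, v in san if k == "DNS"]
    ip_ids = [v for k, v in san if k == "IP Address"]
    ip = _parse_ip(host)

    if ip is not None:
        # An IP literal is matched only against iPAddress SAN entries. A CN
        # holding a host name can never satisfy it, which is the mismatch
        # the thread ran into.
        for candidate in ip_ids:
            if _parse_ip(candidate) == ip:
                return True, f"{host} matches SAN iPAddress {candidate}"
        return False, f"no SAN iPAddress entry equals {host}"

    for pattern in dns_ids:
        if _dns_match(pattern, host):
            return True, f"{host} matches SAN dNSName {pattern}"
    if dns_ids:
        return False, f"{host} matches no SAN dNSName in {dns_ids}"

    # commonName is consulted only when the certificate has no dNSName SAN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, host):
                return True, f"{host} matches CN {value} (no SAN present)"
    return False, f"{host} matches neither SAN nor CN"


def outbound_check(cert, host, server_name_check=True):
    """The adapter-side decision: with serverNameCheck=false the mismatch is
    accepted without being detected, so the proper fix is a certificate
    that actually names the address (an iPAddress SAN), not the switch."""
    if not server_name_check:
        return True, "host-name check disabled; mismatch not detected"
    return host_matches_certificate(cert, host)


# Constructed: the certificate from the thread, host name in the CN only.
CERT_CN_ONLY = {"subject": ((("commonName", "soap.example.internal"),),)}

# Constructed: the certificate that makes an IP URL verify with the check on.
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "soap.example.internal"),),),
    "subjectAltName": (("DNS", "soap.example.internal"),
                       ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for cert, host in [(CERT_CN_ONLY, "192.0.2.10"),
                       (CERT_WITH_IP_SAN, "192.0.2.10"),
                       (CERT_CN_ONLY, "soap.example.internal")]:
        print(outbound_check(cert, host))
    print(outbound_check(CERT_CN_ONLY, "192.0.2.10", server_name_check=False))
```

With serverNameCheck=false the CN-only certificate is accepted for the IP URL, but only because nothing is compared: any server presenting a certificate the engine trusts is then accepted for any address, which is why the page's own property description calls it a choice rather than a fix.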

Similar Messages

  • Step by Step : How to Create an SSL Server Certificate (Part 3)

    How to Create an SSL Server Certificate (Part 3)
    In the previous part you have completed step 10, now you are almost there.
    Step 11:
    This is another very important step.
    Leave the settings as is or tick more options if you know what you do.
    Step 12:
    Again leave as it is.
    Step 13:
    Another important step !
    In the DNS Name field enter the host name(s) separated by spaces (or commas), e.g.
    myserver.name.private myserver.dyndns.org
    You can enter your local IP if you wish.
    Step 14:
    Certificate Assistant now proceeds to create your certificate. Within a few seconds you should see the new certificate in your Keychain.
    Switch to Server App (if at this stage Server App has crashed, don't worry, re-open Server App and proceed).
    Repeat step 2 described in Part 1 and select the new certificate from the drop-down menu of available certificates.
    You may want to use this certificate for all services (iChat, iCal, Mail, Web) or create different ones.
    If you use the same certificate for all services the name of the certificate is displayed next to "SSL Certificate"; if you don't you will see "Custom" instead.
    Addendum:
    1. Do not forget to open port 443 in your router to enable https connections.
    2. Enable SSL in your iCal account settings if you wish.
    Enjoy your server !

    Hi,
    Are you talking about the Mercedes leaderboard ad?  Because that looks a lot more complicated than "fade in - fade out" images?
    Anyway... I am looking at the easiest way to create a banner ad with fade in - fade out images that I have created in Illustrator.
    This tutorial helped me a lot.
    http://www.youtube.com/watch?v=gFw-1D8yaMs&NR=1
    cheers

  • Weblogic server 9.2 and SSL server certificate for the wrong site

    I turned on SSL service for a WebLogic 9.2 server and later on changed the hostname of the machine that WebLogic was running on. So the hostname that my SSL server certificate was issued to has now become an invalid hostname. But my WebLogic server continues to run SSL service without any exception. I can still access my web applications through the SSL port (except of course I get a warning for the server certificate every time that it is for the "wrong site"). My question is this: should WebLogic 9.2 verify the hostname in the server certificate and stop SSL service if the certificate is for the wrong site? Or is verifying the certificate strictly the job of the browser? Just want to make sure there is nothing wrong with my SSL configuration. Thanks.

    So you are saying that something is wrong with my weblogic 9.2 ssl configuration? And that given a server certificate issued to a different hostname, my weblogic server should NOT be servicing ssl request and/or it should throw some sort of exception during startup? Thanks for clarifying.

  • SSL Server Certificate

    Hi All,
    I am configuring Maintenance Optimizer in SAP Solution Manager 7.1 SP3.
    Is it mandatory to have SSL Server Certificate ?
    And if yes why SSL Server Certificate is needed?
    And if no can i proceed with the Configuration of Maintenance Optimizer?
    Kindly Suggest.
    Thanks
    Ishan

    Hi ishansangai1
    i) Is it mandatory to have SSL Server Certificate ?
    No, you don't require SSL for MOPZ,
    SSL is different and MOPZ is different
    SSL - is for trusted certificates
    MOPZ - is used to approve support packages to download
    ii) And if no, can I proceed with the Configuration of Maintenance Optimizer?
    Yes, proceed to the configuration of MOPZ; find docs in Service Marketplace or SDN

  • SOAP Receiver with HTTPS(without certificate)

    Hi experts
    The receiver system is not using any certificate. Without a certificate, how can PI send a message through HTTPS using SOAP?
    How to choose the HTTPS transport protocol? (Here the target URL has https://.....)
    Here I am using PI7.1 EHP1.
    I configured Receiver SOAP CC as
    Transport protocol as HTTP
    Target URL https://api-demo.e-xact.com/transaction
    Will it work? If not, how to enable HTTPS in the SOAP receiver?
    But I am getting the below error in the adapter:
    Adapter Framework caught exception: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    Thank you
    Srini

    Hi Srini,
    The main reasons for this error "Peer certificate rejected..." be appearing are the following:
    1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:
    Security Configuration at Message Level
    http://help.sap.com/saphelp_nwpi711/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
    2. The server certificate chain contains expired certificate. Check for it (that was the cause for other customers as well) and if it's the case renew it or extend the validation.
    3. Some other customers have reported similar problem and mainly the problem was that the certificate chain was not in correct
    order. Basically the server certificate chain should be in the order Own->Intermediate->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by C which is the root CA (having a self-signed certificate),
    then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third step as the principal one.
    4. If the end point of the SOAP Call(Server) is configured to accept a client certificate(mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within validity period.
    (This certificate is the one which is sent to Server for Client authentication)
    As a resource, you may need to create a new SSL Server key.
    The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site.  I mean if I request URL X then the CN must be CN=X.
    In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
    Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
    In any other case the SSL communication will not work.
    Regards,
    Caio
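Two of the causes in Caio's list, the chain in the wrong order and an expired element, can be reproduced on the chain alone, without a handshake. The Python below is an added example for this page (not SAP, IAIK or the poster's code): it re-derives the Own -> Intermediate -> Root order from the subject/issuer links of constructed certificate records, reports when the supplied order differs, flags any element outside its validity window, and shows the "broken chain" case when the intermediate is missing. Signatures are not checked; names and dates are made up.

```python
"""Chain ordering and validity check, the two of the listed causes that do
not need a real handshake to reproduce (wrong Own -> Intermediate -> Root
order, and an expired certificate somewhere in the chain).

Added example, not SAP, IAIK or the thread's code. Certificates are
constructed dicts carrying only the fields the two checks need; signatures
are not verified. Names and dates are made up.
"""
from datetime import datetime, timezone


def order_chain(certs):
    """Return the certificates ordered leaf -> intermediate(s) -> root,
    whatever order they were supplied in. Raises ValueError when no single
    chain can be formed."""
    by_subject = {c["subject"]: c for c in certs}
    issued = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    # The leaf is the one non-self-signed certificate that issued nothing.
    leaves = [c for c in certs
              if c["subject"] not in issued and c["issuer"] != c["subject"]]
    if len(leaves) != 1:
        raise ValueError(f"expected one leaf certificate, found {len(leaves)}")
    ordered, seen = [leaves[0]], {leaves[0]["subject"]}
    while ordered[-1]["issuer"] != ordered[-1]["subject"]:
        issuer = ordered[-1]["issuer"]
        nxt = by_subject.get(issuer)
        if nxt is None:
            raise ValueError(f"chain is broken: no certificate for issuer {issuer!r}")
        if nxt["subject"] in seen:
            raise ValueError("chain loops")
        ordered.append(nxt)
        seen.add(nxt["subject"])
    return ordered


def check_chain(certs, now):
    """Return findings for the chain as supplied; an empty list means the
    order is Own -> Intermediate -> Root and every link is within validity."""
    try:
        ordered = order_chain(certs)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if [c["subject"] for c in ordered] != [c["subject"] for c in certs]:
        findings.append("chain supplied out of order; expected "
                        + " -> ".join(c["subject"] for c in ordered))
    for c in ordered:
        if not c["not_before"] <= now <= c["not_after"]:
            findings.append(f"{c['subject']} is outside its validity period "
                            f"({c['not_before']:%Y-%m-%d} to {c['not_after']:%Y-%m-%d})")
    return findings


def _cert(subject, issuer, nb, na):
    return {"subject": subject, "issuer": issuer, "not_before": nb, "not_after": na}


# Constructed three-element chain A -> B -> C, as in the answer above.
UTC = timezone.utc
A = _cert("CN=soap.example.internal", "CN=Example Intermediate CA",
          datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
B = _cert("CN=Example Intermediate CA", "CN=Example Root CA",
          datetime(2020, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC))
C = _cert("CN=Example Root CA", "CN=Example Root CA",
          datetime(2015, 1, 1, tzinfo=UTC), datetime(2035, 1, 1, tzinfo=UTC))
# Constructed: the same intermediate, but already expired.
B_EXPIRED = dict(B, not_after=datetime(2024, 3, 1, tzinfo=UTC))
NOW = datetime(2024, 6, 1, tzinfo=UTC)  # constructed "current" time

if __name__ == "__main__":
    print(check_chain([A, B, C], NOW))          # []
    print(check_chain([B, A, C], NOW))          # supplied out of order
    print(check_chain([A, B_EXPIRED, C], NOW))  # intermediate expired
    print(check_chain([A, C], NOW))             # intermediate missing
```

The ordering is recovered purely from subject/issuer names, which is what makes the out-of-order case diagnosable before importing anything: if the reordered list differs from what was exported, regenerate the export rather than loading it into the TrustedCA view.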

  • Soap RECEIVER adapter ssl config

    We are consuming a web service in the SAP ECC system via XI using SSL. So I configured the receiver SOAP adapter and imported the certificate provided by the web service provider to the J2EE Visual Admin key store. However I am not able to see my certificates populated in my communication channel selection list.
    Could you please provide steps to configure SSL in receiver soap adapter not for Sender adapter.
    Thanks.
    Bijay

    Okay, so this is a client certificate and not a CA certificate, right?
    In this case, you need to import the client certificate under ICM_SSL_xxx and you can find SSL_Provider if you scroll completely down. You need to import the private key of the client certificate under ICM_SSL_xxx.
    Only CA certificates go in the TrustedCA view. You can create a new view ICM_SSL_xxx or put the certificate under any existing ICM_SSL_xxx view, it doesn't matter.
    Do this step and let me know if it works. Might be, there is no requirement for private key at this point of time. It completely depends how the receiving system will accept and verify the call from PI server.
    Since it's a client certificate, they must be having public and private keys. But this certificate has to be signed by some one like VeriSign and they provide a different key to make it more secured. But anyways, you don't need to go in so much of details right now.
    Follow the steps that I mentioned above and hopefully, it should work.
    Regards,
    Neetesh

  • How to Import Self-signed SSL server certificates in Adobe AIR applications

    Hi,
    I am using secure AMF endpoints for remote object communication from AIR client.
    since i am using a self signed SSL certificate on the server, i am getting a certificate warning message on the AIR client, when ever a remote call is done.
    Is there any mechanism to import the server certificate in AIR application..?
    Please provide suggestions.
    Thanks

    I have the same issue along with repeated prompts to accept cert when I am just trying to access the page internally on my network.. Any help here RIM????????

  • SOAP Receiver Adapter problem (client certificate required)

    My Scenario is similar to described in https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3721. [original link is broken] I have two PI servers running on one machine. I am trying to post message HTTPS with Client authentication via SOAP adapter from one PI system to SOAP adapter of other PI server. I have done the following configuration.
    PI Server AXD - (Client) - Receiver SOAP adapter
    PI Server AXQ - (Server) - Sender SOAP Adapter.
    Steps in AXD
    1. I have created a certificate of AXD in the service_ssl view of key storage.
    2. I have imported the AXQ public certificate in to AXD in the TrustedCAs of Key storage
    Steps in AXQ
    1. I have created a certificate of AXQ in the service_ssl view of key storage.
    2. I have imported the AXD public certificate in to AXQ in the TrustedCAs of Key storage.
    3. I have created a user in AXQ and assigned the certificate of AXD under user management in Security Provider to this user.
    4. I have added the AXD certificate under Client Authentication tab with require client certificate option checked in the SSL Provider.
    5. I have assigned the user created in AXQ in the step above to the Sender Agreement.
    Now when I post message from AXD with Configure Client Authentication checked (Here I have selected the certificate of AXD and view as service_ssl) I am getting the following error.
    Exception caught by adapter framework: SOAP: response message contains an error XIServer/UNKNOWN/ADAPTER.JAVA_EXCEPTION - java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:884) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3
    Any pointer to solve this problem is highly appreciated.
    Thanks
    Abinash

    Hi Hemant,
    I have couple of questions. Why do we need to import certificate for SOAP WS-Security and from where I can get it?
    As far as my scenario goes I am not using message level security.
    Secondly, what do you mean by TRUSTED/WebServiceSecurity? I don't see any such view inside the Key Storage.  I can see a view named just WebServiceSecurity though.
    Also I don't have a decentralized adapter installation rather I have two separate PI instances having their own central adapter engine.
    Abinash

  • Soap request over ssl: certificate_unknown

    Hello everybody, I'm trying to call a webservice via an Axis SOAP request. It runs perfectly, but it fails when I try to do the same over https. This is what I have done.
    First of all, I created a keystore with the certificate provided by the webservice provider and the certificate of the CA (with -trustcacerts ...), then I put the following lines in my code:
    // the same JKS file serves as trust store and as key store
    System.setProperty("javax.net.ssl.trustStore", "MIB.keystore");
    System.setProperty("javax.net.ssl.keyStore", "MIB.keystore");
    System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
    java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
    I got an SSLHandshakeException, so I enabled all the debug lines. I don't understand what everything in the log means, so I hope somebody here can help me understand it.
    It looks like it finds the certificates in the keystore but then it's not a trusted one. On the other hand, when I try to access the service URL with a web browser, a dialog about security certificates appears, and after pressing OK I can see the XML schema of the webservice.
    I put here a part of the log :
    2005-06-13 14:27:28,636 DEBUG org.apache.axis.i18n.ProjectResourceBundle  (ProjectResourceBundle.java:111) - org.apache.axis.i18n.resource::handleGetObject(enter00)
    2005-06-13 14:27:28,636 DEBUG org.apache.axis.transport.http.HTTPSender  (HTTPSender.java:103) - Enter:  HTTPSender::invoke
    keyStore is : MIB.keystore
    keyStore type is : jks
    init keystore
    init keymanager of type SunX509
    trustStore is: MIB.keystore
    trustStore type is : jks
    init truststore
    (my certs appear here as trusted certs)
    init context
    trigger seeding of SecureRandom
    done seeding SecureRandom
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie:  GMT: 1101888176 bytes = { 31, 177, 136, 125, 1, 123, 196, 9, 23, 166, 247, 114, 51, 130, 201, 150, 247, 201, 32, 9, 115, 104, 162, 93, 173, 33, 151, 42 }
    Session ID:  {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods:  { 0 }
    [write] MD5 and SHA1 hashes:  len = 73
    0000: 01 00 00 45 03 01 42 AD   7B B0 1F B1 88 7D 01 7B  ...E..B.........
    0010: C4 09 17 A6 F7 72 33 82   C9 96 F7 C9 20 09 73 68  .....r3..... .sh
    0020: A2 5D AD 21 97 2A 00 00   1E 00 04 00 05 00 2F 00  .].!.*......../.
    0030: 33 00 32 00 0A 00 16 00   13 00 09 00 15 00 12 00  3.2.............
    0040: 03 00 08 00 14 00 11 01   00                       .........
    Thread-2, WRITE: TLSv1 Handshake, length = 73
    [write] MD5 and SHA1 hashes:  len = 98
    0000: 01 03 01 00 39 00 00 00   20 00 00 04 01 00 80 00  ....9... .......
    0010: 00 05 00 00 2F 00 00 33   00 00 32 00 00 0A 07 00  ..../..3..2.....
    0020: C0 00 00 16 00 00 13 00   00 09 06 00 40 00 00 15  [email protected]
    0030: 00 00 12 00 00 03 02 00   80 00 00 08 00 00 14 00  ................
    0040: 00 11 42 AD 7B B0 1F B1   88 7D 01 7B C4 09 17 A6  ..B.............
    0050: F7 72 33 82 C9 96 F7 C9   20 09 73 68 A2 5D AD 21  .r3..... .sh.].!
    0060: 97 2A                                              .*
    Thread-2, WRITE: SSLv2 client hello message, length = 98
    Thread-2, READ: TLSv1 Handshake, length = 762
    *** ServerHello, TLSv1
    RandomCookie:  GMT: 1101888564 bytes = { 255, 172, 207, 216, 41, 56, 251, 149, 241, 233, 23, 102, 238, 172, 120, 153, 109, 98, 211, 247, 133, 251, 203, 3, 19, 38, 121, 52 }
    Session ID:  {66, 173, 124, 52, 243, 42, 10, 40, 114, 249, 55, 203, 186, 233, 91, 175, 97, 179, 131, 231, 250, 176, 233, 172, 157, 52, 225, 54, 176, 89, 194, 248}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    %% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    [read] MD5 and SHA1 hashes:  len = 74
    0000: 02 00 00 46 03 01 42 AD   7C 34 FF AC CF D8 29 38  ...F..B..4....)8
    0010: FB 95 F1 E9 17 66 EE AC   78 99 6D 62 D3 F7 85 FB  .....f..x.mb....
    0020: CB 03 13 26 79 34 20 42   AD 7C 34 F3 2A 0A 28 72  ...&y4 B..4.*.(r
    0030: F9 37 CB BA E9 5B AF 61   B3 83 E7 FA B0 E9 AC 9D  .7...[.a........
    0040: 34 E1 36 B0 59 C2 F8 00   04 00                    4.6.Y.....
    *** Certificate chain
    chain [0] = [
      Version: V1
      Subject: ....
    (omitted for privacy reasons)
      Algorithm: [MD5withRSA]
      Signature:
    0000: 3B 02 E6 29 01 88 AA B9   4F 81 D0 91 A0 0B 39 F1  ;..)....O.....9.
    0010: 4B A7 D1 65 0F 6B 8A E5   08 AC 48 04 F4 8F 60 3A  K..e.k....H...`:
    0020: ED E5 73 59 D4 04 AA A2   22 F4 44 33 B5 7A FE AE  ..sY....".D3.z..
    0030: 2B B1 46 0F 12 58 ED 18   2B 3E B5 54 9C AE CA 50  +.F..X..+>.T...P
    0040: 37 94 D2 DB C8 37 85 96   14 42 67 F5 99 CC 19 7C  7....7...Bg.....
    0050: A6 6C 11 1F 64 5E 31 FE   6D 80 FC C9 A3 38 00 74  .l..d^1.m....8.t
    0060: 14 2C DE F9 FB A3 C1 5D   E6 F2 53 83 8B 6C 7F AF  .,.....]..S..l..
    0070: CC 53 71 66 EA C5 CB B7   C3 3E D8 69 83 91 4E 44  .Sqf.....>.i..ND
    Thread-2, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
    Thread-2, WRITE: TLSv1 Alert, length = 2
    Thread-2, called closeSocket()
    Thread-2, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
    2005-06-13 14:27:29,011 DEBUG org.apache.axis.transport.http.HTTPSender  (HTTPSender.java:130) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
    Sorry for the message length, but I thought it was necessary.
    Thank you

  • ** SOAP - Receiver CC - Sync - Error - certificate rejected by ChainVerifie

    Hi Friends,
    In our interface BPM - SOAP call (Sync), in the receiver SOAP CC, we are getting the below error. 
    SOAP: call failed: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    In the SOAP CC, we use HTTP protocol.  In the target URL, it starts with https://...... and soapAction is mentioned.
    Previously, this channel was working fine. No issues.
    For testing, I copied and pasted the target URL in Internet Explorer; it did not ask for any certificate and I am able to execute the WSDL, i.e. call the soapAction, send the request and get the response.
    Friends, could you tell me why the above error is coming now ?
    Kind regards,
    Jegathees P.

    Hi,
    https service is running?
    Check: SMICM -> Services
    Also check  with the named SAP note inside.
    Cheers,
    André
    Edited by: André Schillack on Apr 28, 2010 5:37 PM

  • Do you have to request a SSL server certificate using the iPlanet Java console?

    I have an SSL certificate that was signed by a CA. The original certificate
    request was made external to the iPlanet Directory server. I believe it was
    made using OpenSSL. Is there a way that I can take this signed certificate
    along with the private key (base64 encoded) and install it for use with
    iPlanet Directory server?
    Or, do I have to make the certificate request directly through the iPlanet
    Java Console application?
    Jon

    Please refer to this site; enter your host name and your details and they will provide free certificates for directory server and web server in a 60-day trial. Select Netscape Commerce Server, it's under directory server.
    http://freecerts.entrust.com
    Once you get the encrypted code from the CA, install it into your directory server.

  • Using SSL in SOAP Receiver Adapter

    Hello,
    We need to execute a web service that requires using SSL connection. We have done following:
    1. Deployed SAP Java Cryptographic Toolkit
    2. Uploaded the server certificate chain (Root, Intermediate, and the Server certificate itself) in the TrustedCAs view
    But I can't see the certificate from the Communication Channel screen.
    Could anybody who has done this before please let us know if we are missing anything? I would appreciate it if anybody could tell us the trouble points/pitfalls in this process.
    Any help is greatly appreciated.
    Regards
    Venu

    Hi,
    You need to setup SSL layer for HTTPS endpoint.
    Possible HTTP security levels are (in ascending order):
    HTTP without SSL
    HTTP with SSL (= HTTPS), but without client authentication
    HTTP with SSL (= HTTPS) and with client authentication
    HTTPS comes in two flavors, both ensuring the confidentiality of data sent over the network
    Please go through the below link for reference (the above information is from the link below)
    SAP Network Blog: How to use Client Authentication with SOAP Adapter
    /people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter
    SSL usage
    Step by step guide for SSL security
    step by step guide to implement SSL
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm
    General guide
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
    Message level security
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Regarding message level you can encrypt the message using certificates.
    For both of these the Basis team has to deploy the relevant certificates in the XI ABAP stack or Java stack.
    Generally if the scenarios are intra-company we don't use any transport level or message level security since the network is already secured.
    Check the following links.. you will get the information all about the securities...
    http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
    Also read thru this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Also find some information in these links
    http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
    /people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
    Thanks
    Swarup
    Edited by: Swarup Sawant on Apr 9, 2008 7:42 PM

  • Connecting to a remote OpenLDAP server over SSL.

    I've been trying for several weeks now to get a remote OpenLDAP server up and running; configured in such a way that it only allows SSL and requires certificate validation.
    I've created a CA with a self-signed certificate.
    I used that CA to create a server and client certificate.
    The server certificate is in /etc/ssl/certs, has a link by the name of its hash.0 pointing to it; permissions are all correct and /etc/ssl/slapd.conf point to it and the CA certificate.
    The client certificate is on my MacBook Pro in /etc/ssl/certs along with the CA certificate; each of which also has its hash linked to it. /etc/ssl/ldap.conf is set up properly, the permissions are correct, and the following test command ran as my user produces a successful result:
    ldapsearch -v -x -H ldaps://ldap.foo.org -b "dc=foo,dc=org" -d -1
    Now the problem part. I open Directory Utility; go to Services with Advanced Settings enabled. After unlocking it, I click the LDAPv3 and the pencil icon.
    I hit New... in the window that pops up and use ldap.foo.org as servername, SSL box ticked. I hit Continue, and behold; nothing happens.
    It is to say; Directory Utility hangs for a while; after which it goes back to the box I clicked Continue in without any error or warning popping up; but obviously hasn't advanced.
    The server logs indicate my Mac had actually connected; received the server certificate; but didn't send a client certificate at which point the TLS connection got aborted for some reason and the session ended.
    My Mac Console shows something even more bizarre, though:
    11/09/08 23:09:22 com.apple.DirectoryServices[97123] Assertion failed: (ld != NULL), function ldap_search_ext, file search.c, line 76.
    My suspicion is that Directory Utility can't verify the server certificate and aborts the TLS connection. I expect it also uses /etc/openldap/ldap.conf? How can I diagnose the root of this problem?
    Thanks a lot for your assistance; I just can't figure this out and any hint or pointer would be greatly appreciated. It now just looks like OSX does not support a secure LDAP over SSL configuration.
    Though it currently isn't set up to be that way, I'd like to have my client also provide a certificate (CN=lhunath.foo.org) and have the server validate that. For now I've got the server set to:
    TLSVerifyClient never
    (And of course, the client:)
    TLS_REQCERT demand
    Message was edited by: lhunath

    By the way, about the assertion error I get in Console, here's the relevant source of ldap.c. Looks like ld is not set; probably something going wrong before that with setting up the TLS connection, perhaps? Or not?
    /*
     * ldap_search_ext - initiate an ldap search operation.
     * Parameters:
     *   ld   LDAP descriptor
     */
    int
    ldap_search_ext(
        LDAP *ld,
        assert( ld != NULL );

  • SSL in Soap receiver communication channel

    Hi,
    I have a webservice that works fine in SoapUI. The webservice provider uses SSL, but it works like a web browser: there is no need to install a certificate before accessing the webservice.
    But when I try to use SAP PI with the SOAP receiver communication channel, the SOAP adapter returns the following message:
    "Peer certificate rejected by ChainVerifier"
    I read something about using Axis to solve this problem but I can't find anything on configuring this scenario.
    If someone had this problem and solved it, I would appreciate the help.
    Thanks
    Fabricio

    I Have 2 communication channel:
    1) This works fine
    Adapter Type: SOAP
    Receiver
    Transport Protocol: HTTP
    Message Protocol: SOAP 1.1
    Adapter Engine: Integration Server
    Target URL: https://gw-homologa.serasa.com.br/wsacheixml/wsacheixml.asmx
    SOAP Action: https://sitenet05.serasa.com.br/WSAcheiXML/WSAcheiXML/ConsultaAchei
    2) This doesn´t work
    Adapter Type: SOAP
    Receiver
    Transport Protocol: HTTP
    Message Protocol: SOAP 1.1
    Adapter Engine: Integration Server
    Authentication: Basic
    User/Password
    Target URL: https://treina.spc.org.br/spc/remoting/ws/consulta/consultaWebService
    SOAP Action: blank
    Both are https and the certificate is sent at communication time (there isn't a certificate to install in the Key Store in Visual Administrator).
    I read that Axis manages this kind of integration with webservices, because the certificate must be installed at the moment of sending the HTTP request.
    I don't know why the first interface works fine and the other doesn't work, so I'm trying with Axis.
    In the SOAP UI both interfaces work fine.
    Thanks

  • SOAP RECEIVER SSL Problems

    Dear Community,
       I have configured a SOAP Receiver to an external web service (https://server:7002/service). I have used IE to get the certificate of the server and have imported it into the keystore of the J2EE (using VA). I have imported it into all the currently available views. We have SAP PI 7.0 SP18. The problem is that the SSL handshake is not performed correctly. I have placed a TCP gateway monitor tool to see the messages pass through. As soon as the first message is sent to the above URL and a response is received, I get a XIAdapter/HTTP/ADAPTER.HTTP_EXCEPTION - HTTP 500 Internal Server Error. Also, in the default trace log I get a "no private key found"... Do I need extra steps to configure SSL in the SOAP Receiver? The service does not require a client authentication certificate and has a certificate with no CA root certificate (since this is only a test system and has issued its own certificate). Any ideas? Any help will be appreciated.
    Regards,
    S.Socratous

    Hello,
    Generally it's a connectivity behaviour. Check if you have set up the connection to
    the receiver and also check the explanation regarding 500 Internal Server Errors:
    *Description: The server encountered an unexpected condition which prevented it from fulfilling the request.
    Possible Tips: Have a look into SAP Notes – 804124, 807000*
    It may also be a problem with the SSL certificate. So, check that it's not expired;
    The correct server certificate may not be present in the TrustedCA keystore view of NWA.
    Please ensure you have done all the steps described in this URL (this is for 7.11):
    Security Configuration at Message Level
    http://help.sap.com/saphelp_nwpi711/helpdata/en/48/d1c7e690d75430e10000000a42189b/frameset.htm
    You may have not imported the certificate chain in the correct order (Own -> Intermediate -> Root);
    Last, if the end point of the SOAP Call(Server) is configured to accept
    a client certificate(mandatory), then make sure that it is configured
    correctly in the SOAP channel and it is also within validity period.
    (This certificate is the one which is sent to Server for Client
    authentication)
    Hope that helps.
    With regards,
    Caio Cagnani
