on 2018 Sep 07 7:56 PM
Hello Experts,
We have SAP PO 7.5 AEX AS Java Only installed on a HEC environment as part of our enterprise network. Currently we are facing an error when we run the initial configuration wizard for SAP PO.
All the steps are apparently completed successfully, but when we check the SLD configuration the XI components are not fully registered (Adapter Engine, Integration Directory, Integration Repository) due to a certificate error: the certificate is rejected when trying to register them in the SLD.
The NWA log viewer shows an error while the configuration wizard is running, and also when we try to register them manually through the RWB following the SAP Notes.
Exception while pinging the SLD
Thrown:
com.sap.lcr.api.cimclient.CIMClientException: IO error: Unable to open SSL connection to host "xxx". Peer certificate rejected by ChainVerifier.
at com.sap.lcr.api.cimclient.HttpRequestSender.send(HttpRequestSender.java:371)
We already checked that SSL is configured correctly in the AS Java and all certificates are in green status.
We also checked some other configurations, including the AII properties, but none gave us a clue as to the reason for this error.
I appreciate your comments and help to get this issue solved.
Dear Danilo,
"Peer certificate rejected by ChainVerifier" basically means that the ChainVerifier has not accepted the certificate of the Java system.
Please follow these guidelines as the issue here is somewhere in the configuration or the certificate chain itself:
- Ensure that all the certificates in the chain are added to the Key Storage certificate.
- Check if any of the certificates in the chain has expired.
- Check if there is any difference between the CN (Common Name) and the host name or IP address. If the CN contains an IP address, maintain the IP address in the channel; otherwise maintain the host name.
- If the call goes to ICM, add the certificates (in the chain) to the Trust Manager using transaction STRUST.
- Check if the certificates were corrupted. Ask for the certificates again and compare them.
- Check if the certificates were replaced with new ones at the sending or receiving system.
- The SSL cipher suites used by the client and server may not be compatible. Ex: the certificates may have been provided to you with 3072-bit key strength. Ask for matching key strength certificates or upgrade your SAPCRYPTOLIB.
- As it can be seen that the system is refusing the certificate that you're using, performing the SSL configuration again and issuing a new certificate might help.
In case it does not help you can trace the scenario by yourself.
- Refer to ManagingIncidents.doc in ManagingIncidents.ZIP attached to note 1332726.
- Follow the steps in 'Creating a new incident' to create a new incident in the troubleshooting wizard; give the new incident some arbitrary name.
- Follow the steps outlined in 'Adding a new trace location' to add trace location com.sap.security.core.server.https to the newly created incident.
- With the newly created incident chosen from the incident drop-down box, select 'Start Diagnostics' to start collecting traces.
- Enter the configuration for the SSL connection and reproduce the scenario.
- Choose 'Stop Diagnostics' to stop collecting traces.
- Hit 'Download Zip archive', and you can analyze the debug trace in your filesystem.
Best Regards,
Barnabás Paksi
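The expiry and CN/host-name checks from the list above, plus the "rejected by verifier" case, as an added example that is not part of this thread or of any SAP tool. It works on the dict that Python's `ssl.SSLSocket.getpeercert()` returns; the host name `sappo.example.internal` and the AS Java HTTPS port 50001 are assumed placeholders.

```python
import socket
import ssl
import time

def _names_in_cert(cert):
    """Names the server cert is valid for: SAN DNS entries first, subject CN only as a fallback."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def _name_matches(pattern, host):
    """Case-insensitive match allowing one left-most wildcard label, e.g. *.example.internal."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and p[2:] == h.split(".", 1)[1]
    return p == h

def diagnose_cert(cert, expected_host, now=None):
    """Apply the validity-period and name checks to a cert dict in ssl.getpeercert() format.
    Returns a list of findings; an empty list means those two checklist items pass."""
    now = time.time() if now is None else now
    findings = []
    # ssl.cert_time_to_seconds parses getpeercert() dates such as 'Sep  7 19:56:00 2018 GMT'
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate expired")
    names = _names_in_cert(cert)
    if not any(_name_matches(n, expected_host) for n in names):
        findings.append(f"name mismatch: certificate is for {names}, URL uses '{expected_host}'")
    return findings

def fetch_and_diagnose(host, port=50001, timeout=5.0):
    """Connect with full chain and host-name verification, as the SLD ping does, and either
    diagnose the presented cert or report the verifier's own rejection reason.
    (With verification disabled getpeercert() returns {}, so keep it enabled here.)"""
    ctx = ssl.create_default_context()  # OS trust store; pass cafile= for a private CA chain
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return diagnose_cert(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        # e.g. 'unable to get local issuer certificate' (incomplete chain) or 'Hostname mismatch'
        return [f"rejected by verifier: {exc.verify_message} (code {exc.verify_code})"]
```

Run `fetch_and_diagnose("sappo.example.internal")` against the SSL port the SLD URL points to; a cert issued for CN `localhost`, as in this thread, shows up as a name mismatch finding.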
Hello Barnabas,
Many thanks for your very useful information. The SAP HEC team has solved the issue by importing a new certificate with the correct hostname for the specific SSL port; the CN was registered with a localhost value.
[Screenshots: Before / After]
After that all the PO components were successfully registered in the SLD.
Hi Danilo Amaya,
Please import your certificate into TrustedCAs, and make sure that you imported the root certificate and its subsidiary certificates.
Check that the link you are accessing is reachable from your XPI Inspector (http://host:port/xpi_inspector/index.jsp) with 11 (Authentication, SSL), then use your link in "SSL Server URL Address:".
Regards,
Khaja.