
SAP NetWeaver Newbie

SSLException while handshaking

The following are among the most common SSL errors we have noticed during support:
Error transmitting the message over HTTP. Reason: java.lang.RuntimeException: Error while silently connecting: org.w3c.www.protocol.http.HttpException: Peer certificate rejected by ChainVerifier.
Unable to create new pooled resource: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Error SOAP: call failed: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Follow these guidelines to address the SSL errors:

1. Ensure that all the certificates in the chain are added to Key Storage certificate.
2. If the interface was working earlier, the certificates may have expired. Check if any of the certificates in the chain has expired.
3. Check if there is any difference between the CN (Common Name) and the host name or IP address used in the channel. If the CN contains an IP address, maintain the IP address in the channel; otherwise maintain the host name.
4. If the call goes to ICM, add the certificates (in the chain) to Trust Manager using the transaction STRUST.
5. Check if the certificates were corrupted. Ask for the certificates again and compare them.
6. Check if the certificates were replaced with new ones at the sending or receiving system.
7. The SSL cipher suites used by the client and server may not be compatible. For example, the certificates may have been provided to you with 3072-bit key strength. Ask for 1024-bit key strength certificates or upgrade your SAPCRYPTOLIB.
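Steps 1 to 3 of the checklist can be run as one pass over the certificate details. The following is an added example, not code from the original post or from SAP: it assumes the certificate fields have been copied into the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns, and `triage_chain`, the sample chains and all names in them are hypothetical.

```python
import ssl
import time

def _cn(name):
    """Return the commonName from a getpeercert()-style name tuple."""
    return next((v for rdn in name for k, v in rdn if k == "commonName"), None)

def triage_chain(chain, channel_target, now=None):
    """Return findings for checklist steps 1-3; chain[0] is the server certificate."""
    now = time.time() if now is None else now
    findings = []
    subjects = {_cn(c["subject"]) for c in chain}
    for cert in chain:
        subject, issuer = _cn(cert["subject"]), _cn(cert["issuer"])
        # Step 1: each issuer must be in the store; a root is its own issuer.
        # Simplification: names are matched by CN only, signatures are not verified.
        if issuer not in subjects:
            findings.append(f"missing issuer: {issuer} (needed by {subject})")
        # Step 2: compare notAfter with the current time.
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            findings.append(f"expired: {subject} ({cert['notAfter']})")
    # Step 3: the channel must address the server by the value in the CN
    # (exact match only; wildcards and subjectAltName are out of scope here).
    leaf_cn = _cn(chain[0]["subject"]) or ""
    if leaf_cn.lower() != channel_target.lower():
        findings.append(f"CN mismatch: certificate {leaf_cn}, channel {channel_target}")
    return findings

def _cert(subject, issuer, not_after):
    """Build a constructed certificate record in getpeercert() layout."""
    return {"subject": ((("commonName", subject),),),
            "issuer": ((("commonName", issuer),),),
            "notAfter": not_after}

# Constructed sample data, not taken from any real system.
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2017 GMT")
BROKEN_CHAIN = [
    _cert("10.0.0.15", "Example Issuing CA", "Jan  1 00:00:00 2031 GMT"),
    _cert("Example Issuing CA", "Example Root CA", "Jan  1 00:00:00 2016 GMT"),
]
GOOD_CHAIN = [
    _cert("10.0.0.15", "Example Issuing CA", "Jan  1 00:00:00 2031 GMT"),
    _cert("Example Issuing CA", "Example Root CA", "Jan  1 00:00:00 2031 GMT"),
    _cert("Example Root CA", "Example Root CA", "Jan  1 00:00:00 2031 GMT"),
]

if __name__ == "__main__":
    for line in triage_chain(BROKEN_CHAIN, "partner.example.com", NOW):
        print(line)
```

An empty result only means these three checks passed; it does not replace the signature validation done by the ChainVerifier.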

In the case of the Seeburger AS2 Adapter, in addition to the reasons above, the following also applies for Fatal exception: com.sap.aii.af.ra.cci.XIRecoverableException: SEEBURGER AS2: javax.net.ssl.SSLHandshakeException: unknown CA #

Check if a valid entry is maintained in the Server Certificate (Keystore) parameter. The channel may have functioned with the parameter left blank, but if you notice errors, you need to maintain the parameter.


Tools
If you are still unsure how to resolve the problem, use XPI Inspector with option "11 (Authentication & SSL)".

© 2008 - 2017 sapnwnewbie. All rights reserved.