SAP Knowledge Base Article - Preview

1758780 - iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier - Best Practices for Troubleshooting

Symptom

  • You have configured the User Management Engine (UME) of the Application Server Java to use one or more LDAP directory servers as its datasource(s).

  • When the UME uses a non-SSL connection to the LDAP server(s), typically to port 389, everything works as expected and objects from the LDAP datasource(s) are accessible to the UME. For example, users from the LDAP datasource are visible in the User Administration UI of the AS Java.

  • When you change the UME LDAP configuration so that the UME uses an SSL connection to the LDAP server(s), typically to port 636, the connection test fails.

  • If you restart the AS Java with this configuration in place, the UME service starts, but objects from the LDAP datasource(s) are not visible in the UME. For example, users from the LDAP datasource cannot log on to applications such as NetWeaver Administrator or the Enterprise Portal, while users stored in the local database, such as the Administrator user, can.

  • On examining the server defaultTrace (usr/sap/<SID>/<InstanceID>/j2ee/cluster/server#/log) you find the following error, written at the time of the connection test or, if you restarted the AS Java after saving the configuration for an SSL connection to the LDAP server, at startup:

No connection to the ldap server, recheck configuration or availability of directory server
[EXCEPTION]

java.security.PrivilegedActionException: javax.naming.CommunicationException: <LDAP server hostname> 636 [Root exception is iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier]
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.security.core.persistence.datasource.imp.LDAPDataSourceConnectionPool.newConnection(LDAPDataSourceConnectionPool.java:905)

Caused by: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    at iaik.security.ssl.r.checkIsTrusted(Unknown Source)

    at iaik.security.ssl.x.b(Unknown Source)
    at iaik.security.ssl.x.a(Unknown Source)
    at iaik.security.ssl.r.d(Unknown Source)
    at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)

  • You would like to get more information about why the SSL connection to the LDAP server failed.
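The trace above shows the client side (the IAIK SSL library inside the AS Java) refusing the LDAP server's certificate because it could not build a chain to a CA it trusts. The Python script below is an added triage example; it is not part of the SAP article and not SAP code. It parses the CommunicationException line to recover the host and port, classifies the root exception, and can optionally repeat the trust check with an independent verified TLS handshake against the same host and port using a CA file you supply. The host name ldap.example.invalid, the sample trace excerpt and the cause buckets other than the ChainVerifier case are constructed or assumed here.

```python
"""Triage helper for a UME LDAP-over-SSL failure in the AS Java defaultTrace.

Added example, not code from the SAP article or from SAP. It assumes the
exception text has the form shown in the trace above:
  javax.naming.CommunicationException: <host> <port> [Root exception is <class>: <message>]
The host name used below is a constructed placeholder.
"""
import re
import socket
import ssl

# Root-exception form written by the LDAP datasource connection pool (see trace above).
_CAUSE_RE = re.compile(
    r"javax\.naming\.CommunicationException:\s+(?P<host>\S+)\s+(?P<port>\d+)\s+"
    r"\[Root exception is (?P<cls>[\w.$]+):\s*(?P<msg>[^\]]*)\]"
)

# Constructed defaultTrace excerpt in the article's format, with a placeholder host.
SAMPLE_TRACE = (
    "No connection to the ldap server, recheck configuration or availability of directory server\n"
    "[EXCEPTION]\n"
    "java.security.PrivilegedActionException: javax.naming.CommunicationException: "
    "ldap.example.invalid 636 [Root exception is iaik.security.ssl.SSLCertificateException: "
    "Peer certificate rejected by ChainVerifier]\n"
    "    at java.security.AccessController.doPrivileged(Native Method)\n"
)


def parse_ldap_failure(trace_text):
    """Return host, port and root exception from a defaultTrace excerpt, or None if absent."""
    m = _CAUSE_RE.search(trace_text)
    if m is None:
        return None
    return {
        "host": m.group("host"),
        "port": int(m.group("port")),
        "exception": m.group("cls"),
        "message": m.group("msg").strip(),
    }


def classify(exception_class, message):
    """Map the root exception to a cause bucket.

    'untrusted_chain' is the ChainVerifier case from the article: the IAIK client could
    not build a trusted path from the server certificate to a CA it trusts. The other two
    buckets are generic TLS reasoning added here (assumption), not taken from the article.
    """
    if exception_class.endswith("SSLCertificateException") and "ChainVerifier" in message:
        return "untrusted_chain"
    if ".ssl." in exception_class or "SSL" in exception_class:
        return "other_tls_error"
    return "non_tls_error"


def probe_ldaps(host, port, cafile=None, timeout=5.0):
    """Repeat the trust check outside the AS Java with a verified TLS handshake.

    cafile should hold the CA certificate(s) the AS Java is expected to trust; with
    cafile=None the local OpenSSL default trust store is used instead. Hostname checking
    stays on, so a name mismatch is reported as well as an unknown CA. Nothing is sent
    at the LDAP layer; the connection is closed right after the handshake.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"trusted": True, "error": None, "protocol": tls.version(),
                        "subject": cert.get("subject"), "issuer": cert.get("issuer")}
    except ssl.SSLCertVerificationError as e:   # chain or hostname verification failed
        return {"trusted": False, "error": e.verify_message}
    except (ssl.SSLError, OSError) as e:          # other handshake or transport failure
        return {"trusted": False, "error": str(e)}


def diagnose(trace_text, cafile=None, probe=False):
    """Parse the trace, classify the root cause and optionally probe the server live."""
    info = parse_ldap_failure(trace_text)
    if info is None:
        return {"cause": "no_ldap_failure_found"}
    info["cause"] = classify(info["exception"], info["message"])
    if probe:
        info["probe"] = probe_ldaps(info["host"], info["port"], cafile=cafile)
    return info


if __name__ == "__main__":
    # Offline run on the constructed excerpt; pass probe=True against a real host to
    # compare the AS Java's verdict with an independent TLS verification.
    print(diagnose(SAMPLE_TRACE))
```

Run it as-is to see the parsed result for the constructed excerpt; to compare against a live directory server, call diagnose(trace, cafile="/path/to/ca.pem", probe=True) with the CA file that issued the LDAP server certificate. If the probe verifies with that CA file while the AS Java still rejects the peer, the difference lies in which trust store the AS Java consults, which narrows the search considerably.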


Environment

SAP NetWeaver Application Server Java

Product

SAP NetWeaver 2004 ; SAP NetWeaver 7.0 ; SAP NetWeaver 7.3 ; SAP NetWeaver 7.4 ; SAP NetWeaver Composition Environment 7.1 ; SAP NetWeaver Composition Environment 7.2 ; SAP enhancement package 1 for SAP NetWeaver 7.0 ; SAP enhancement package 1 for SAP NetWeaver 7.3 ; SAP enhancement package 1 for SAP NetWeaver Composition Environment 7.1 ; SAP enhancement package 2 for SAP NetWeaver 7.0 ; SAP enhancement package 3 for SAP NetWeaver 7.0

Keywords

KBA , BC-JAS-SEC , Security, User Management , BC-JAS-SEC-UME , User Management Engine , How To
