SAP Knowledge Base Article - Preview

3139964 - PI/PO - REST Adapter - iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Symptom

While sending a message from the PO system to an external server via the REST Adapter, the following errors were encountered, as revealed in the XPI Inspector traces:

#####

Sun Nov 28 13:58:23 AST 2021 Message processing failed. Cause: java.io.IOException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Sun Nov 28 13:58:23 AST 2021 Error while processing outbound message. iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier: Peer certificate rejected by ChainVerifier

Found Certificate chain with 4 elements:
Certificate: #0
    SubjectDN: CN=testA.com
    IssuerDN: CN=XX,OU=XX,O=XX,C=US

Begin IAIK Examination:
  ERROR:     The default IAIK chain verifier does not trust this chain!
End IAIK Examination.

Catching java.security.GeneralSecurityException: Error retrieving certificates:
at com.sap.aii.adapter.rest.ejb.security.IAIKSSLContextFactory.generateSSLContentxt(IAIKSSLContextFactory.java:166)
at com.sap.aii.adapter.rest.ejb.security.IAIKSocketFactory.<init>(IAIKSocketFactory.java:30)
at com.sap.aii.adapter.rest.ejb.receiver.RESTReceiverChannel.initalizeSSLfactory(RESTReceiverChannel.java:246)
at com.sap.aii.adapter.rest.ejb.receiver.RESTReceiverChannel.getSecureSocketFactory(RESTReceiverChannel.java:231)
at com.sap.aii.adapter.rest.ejb.receiver.RESTReceiverChannel.channel_test(RESTReceiverChannel.java:365)
at com.sap.aii.adapter.rest.ejb.common.AbstractPIAdapter.testChannel(AbstractPIAdapter.java:176)
...
Caused by: java.lang.NullPointerException: CertificateChain and PrivateKey must not be null!
at iaik.security.ssl.KeyAndCert.<init>(SourceFile:109)
at com.sap.aii.adapter.rest.ejb.security.IAIKSSLContextFactory.generateSSLContentxt(IAIKSSLContextFactory.java:105)
... 103 more

Begin IAIK Debug:
ssl_debug(13812): Starting handshake (iSaSiLk 5.2)...
ssl_debug(13812): Sending v3 client_hello message to testB.com:443, requesting version 3.3...
ssl_debug(13812): Sending extensions: elliptic_curves (10), renegotiation_info (65281), signature_algorithms (13), server_name (0), ec_point_formats (11)
ssl_debug(13812): Received v3 server_hello handshake message.
ssl_debug(13812): Server selected SSL version 3.3.
ssl_debug(13812): Server created new session 42:B7:4A:15:AB:81:BD:85...
ssl_debug(13812): CipherSuite selected by server: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
...
ssl_debug(13812): ChainVerifier: No trusted certificate found, rejected.
ssl_debug(13812): Received server_key_exchange handshake message.
ssl_debug(13812): Verifying SHA512withRSA signature of server_key_exchange message...
ssl_debug(13812): Server sent a secp256r1 ECDH key.
ssl_debug(13812): Received server_hello_done handshake message.
ssl_debug(13812): Sending client_key_exchange handshake (secp256r1 ECDH)...
ssl_debug(13812): Sending change_cipher_spec message...
ssl_debug(13812): Sending finished message...
ssl_debug(13812): Received change_cipher_spec message.
ssl_debug(13812): Received finished message.
ssl_debug(13812): Session added to session cache.
ssl_debug(13812): Handshake completed, statistics:
ssl_debug(13812): Read 5498 bytes in 6 records, wrote 314 bytes in 4 records.
ssl_debug(13812): Shutting down SSL layer...
ssl_debug(13812): Sending alert: Alert Warning: close notify
ssl_debug(13812): Read 0 bytes in 0 records, 0 bytes net, 0 average.
ssl_debug(13812): Wrote 0 bytes in 0 records, 0 bytes net, 0 average.
ssl_debug(13812): Closing transport...
ssl_debug(13812): Closing transport...

End IAIK Debug.

#####

According to the ssl_debug traces, the message "ChainVerifier: No trusted certificate found, rejected" indicates that the peer certificate chain could not be validated against any trusted certificate and was therefore not accepted. The external server the PO system is attempting to connect to via the REST receiver channel is testB.com:443. However, the presented certificate shows CN=testA.com, which does not match the target server name.

Even though the correct and complete certificate chain has been imported into TrustedCAs and configured in the REST receiver channel, message processing appears to select an incorrect certificate (SubjectDN: CN=testA.com, IssuerDN: CN=XX,OU=XX,O=XX,C=US), a certificate that does not exist on the PO system. The issue persists after a dummy change on the channel and a refresh of the CPA cache.
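The three symptoms in the trace above (target host vs. presented leaf CN, the ChainVerifier verdict, and the missing client key pair behind the NullPointerException) can be pulled out of an XPI Inspector excerpt mechanically. The following Python helper is an added example and not SAP code; the sample trace lines are constructed from the excerpt in this article, and the hostname check is a simplified RFC 6125 style match written here for illustration.

```python
import re

# Constructed excerpt modelled on the XPI Inspector / ssl_debug trace in this article.
SAMPLE_TRACE = """\
Found Certificate chain with 4 elements:
Certificate: #0
    SubjectDN: CN=testA.com
    IssuerDN: CN=XX,OU=XX,O=XX,C=US
Caused by: java.lang.NullPointerException: CertificateChain and PrivateKey must not be null!
ssl_debug(13812): Sending v3 client_hello message to testB.com:443, requesting version 3.3...
ssl_debug(13812): ChainVerifier: No trusted certificate found, rejected.
"""

TARGET_RE = re.compile(r"client_hello message to ([^:\s]+):(\d+)")


def hostname_matches(pattern: str, host: str) -> bool:
    """Case-insensitive exact match, or a wildcard restricted to the left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    # '*.example.com' matches 'api.example.com' but '*.com' must not match 'testA.com'.
    return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]


def triage(trace: str) -> dict:
    """Extract the facts a reviewer checks first when the IAIK ChainVerifier rejects a peer."""
    findings = {"target_host": None, "presented_cn": None, "hostname_mismatch": False,
                "chain_untrusted": False, "client_keypair_missing": False}
    expect_subject = False  # set after 'Certificate: #0', the leaf presented by the server
    for line in (l.strip() for l in trace.splitlines()):
        if m := TARGET_RE.search(line):
            findings["target_host"] = m.group(1)
        elif line.startswith("Certificate: #0"):
            expect_subject = True
        elif expect_subject and line.startswith("SubjectDN:"):
            expect_subject = False
            if cn := re.search(r"(?:^|,)CN=([^,]+)", line.split(":", 1)[1].strip()):
                findings["presented_cn"] = cn.group(1)
        elif "ChainVerifier: No trusted certificate found" in line:
            findings["chain_untrusted"] = True
        elif "CertificateChain and PrivateKey must not be null" in line:
            findings["client_keypair_missing"] = True  # client auth configured, key pair not found
    if findings["target_host"] and findings["presented_cn"]:
        findings["hostname_mismatch"] = not hostname_matches(findings["presented_cn"],
                                                             findings["target_host"])
    return findings
```

Running `triage(SAMPLE_TRACE)` on the constructed excerpt reports all three findings at once, which separates a trust-store problem from a misconfigured client certificate before anything is re-imported.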


Environment

  • SAP NetWeaver
  • SAP Process Integration

Product

SAP NetWeaver all versions ; SAP Process Integration all versions

Keywords

SSL, TLS, SAP, PI, PO, XPI, HTTPS, Error, REST, Certificate, SSL handshake error, SAP PO REST adapter, certificate chain issue, XPI Inspector trace, client certificate authentication, SSL configuration error, SAP TrustedCAs, REST receiver configuration, SAP PO REST receiver channel SSL certificate issue, Peer certificate rejected by ChainVerifier error, client certificate missing private key exception in SAP, configuring client certificate authentication in SAP PI, troubleshooting SSL errors using XPI Inspector, SAP PO connection failure due to untrusted certificate, external server presenting incorrect SSL certificate in SAP PI, REST adapter failing due to SSL trust issue in SAP PO, KBA, BC-XI-CON-RST, Rest Adapter, Problem
