SAP Knowledge Base Article - Preview

3139964 - PI/PO - REST Adapter - iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Symptom

While sending a message from a PI/PO system to an external server through the REST Adapter, you see the following errors in the XPI Inspector traces.

Sun Nov 28 13:58:23 AST 2021 Message processing failed. Cause: java.io.IOException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Sun Nov 28 13:58:23 AST 2021 Error while processing outbound message. iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier: Peer certificate rejected by ChainVerifier

Found Certificate chain with 4 elements:
Certificate: #0
    SubjectDN: CN=testA.com
    IssuerDN: CN=XX,OU=XX,O=XX,C=US

Begin IAIK Examination:
  ERROR:     The default IAIK chain verifier does not trust this chain!
End IAIK Examination.

Catching java.security.GeneralSecurityException: Error retrieving certificates:
at com.sap.aii.adapter.rest.ejb.security.IAIKSSLContextFactory.generateSSLContentxt(IAIKSSLContextFactory.java:166)
at com.sap.aii.adapter.rest.ejb.security.IAIKSocketFactory.<init>(IAIKSocketFactory.java:30)
at com.sap.aii.adapter.rest.ejb.receiver.RESTReceiverChannel.initalizeSSLfactory(RESTReceiverChannel.java:246)
at com.sap.aii.adapter.rest.ejb.receiver.RESTReceiverChannel.getSecureSocketFactory(RESTReceiverChannel.java:231)
at com.sap.aii.adapter.rest.ejb.receiver.RESTReceiverChannel.channel_test(RESTReceiverChannel.java:365)
at com.sap.aii.adapter.rest.ejb.common.AbstractPIAdapter.testChannel(AbstractPIAdapter.java:176)
...
Caused by: java.lang.NullPointerException: CertificateChain and PrivateKey must not be null!
at iaik.security.ssl.KeyAndCert.<init>(SourceFile:109)
at com.sap.aii.adapter.rest.ejb.security.IAIKSSLContextFactory.generateSSLContentxt(IAIKSSLContextFactory.java:105)
... 103 more

Begin IAIK Debug:
ssl_debug(13812): Starting handshake (iSaSiLk 5.2)...
ssl_debug(13812): Sending v3 client_hello message to testB.com:443, requesting version 3.3...
ssl_debug(13812): Sending extensions: elliptic_curves (10), renegotiation_info (65281), signature_algorithms (13), server_name (0), ec_point_formats (11)
ssl_debug(13812): Received v3 server_hello handshake message.
ssl_debug(13812): Server selected SSL version 3.3.
ssl_debug(13812): Server created new session 42:B7:4A:15:AB:81:BD:85...
ssl_debug(13812): CipherSuite selected by server: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
...
ssl_debug(13812): ChainVerifier: No trusted certificate found, rejected.
ssl_debug(13812): Received server_key_exchange handshake message.
ssl_debug(13812): Verifying SHA512withRSA signature of server_key_exchange message...
ssl_debug(13812): Server sent a secp256r1 ECDH key.
ssl_debug(13812): Received server_hello_done handshake message.
ssl_debug(13812): Sending client_key_exchange handshake (secp256r1 ECDH)...
ssl_debug(13812): Sending change_cipher_spec message...
ssl_debug(13812): Sending finished message...
ssl_debug(13812): Received change_cipher_spec message.
ssl_debug(13812): Received finished message.
ssl_debug(13812): Session added to session cache.
ssl_debug(13812): Handshake completed, statistics:
ssl_debug(13812): Read 5498 bytes in 6 records, wrote 314 bytes in 4 records.
ssl_debug(13812): Shutting down SSL layer...
ssl_debug(13812): Sending alert: Alert Warning: close notify
ssl_debug(13812): Read 0 bytes in 0 records, 0 bytes net, 0 average.
ssl_debug(13812): Wrote 0 bytes in 0 records, 0 bytes net, 0 average.
ssl_debug(13812): Closing transport...
ssl_debug(13812): Closing transport...

End IAIK Debug.

Per the ssl_debug traces above, the handshake logs "ChainVerifier: No trusted certificate found, rejected". The target external server that the PO system is trying to reach through the REST receiver channel is [testB.com:443]. However, the certificate in the trace shows "CN=testA.com", which does not match the target server name. You have already imported the correct and complete certificate chain into TrustedCAs and configured the same in the REST receiver channel. Nevertheless, message processing still seems to select an incorrect certificate [SubjectDN: CN=testA.com, IssuerDN: CN=XX,OU=XX,O=XX,C=US], which does not exist at all on the PO system. The problem persists even after a dummy change of the channel and a CPACache refresh.
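As an added illustration that is not part of the KBA, the following Python script parses a constructed trace excerpt in the format shown above and flags the two facts the symptom description combines: the ChainVerifier rejection and the mismatch between the leaf certificate's CN and the host named in the client_hello. The function names and the simplified hostname check are this example's own assumptions, not SAP code.

```python
import re

# Constructed excerpt of an XPI Inspector / IAIK ssl_debug trace modelled on the KBA
# symptom above; the hostnames are the KBA's placeholders, not real servers.
SAMPLE_TRACE = """\
Found Certificate chain with 4 elements:
Certificate: #0
    SubjectDN: CN=testA.com
    IssuerDN: CN=XX,OU=XX,O=XX,C=US
ssl_debug(13812): Sending v3 client_hello message to testB.com:443, requesting version 3.3...
ssl_debug(13812): ChainVerifier: No trusted certificate found, rejected.
ssl_debug(13812): Handshake completed, statistics:
"""

TARGET_RE = re.compile(r"client_hello message to ([\w.\-]+):(\d+)")
SUBJECT_RE = re.compile(r"^\s*SubjectDN:.*?CN=([^,\s]+)", re.M)  # first hit = leaf (#0)
REJECT_RE = re.compile(r"ChainVerifier: .*rejected")

def cn_matches_host(cn: str, host: str) -> bool:
    """Simplified name check: exact match or a single-label wildcard (*.example.com)."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return host.count(".") == cn.count(".") and host.endswith(cn[1:])
    return cn == host

def analyse_trace(trace: str) -> dict:
    """Extract target host/port, leaf SubjectDN CN and the ChainVerifier verdict."""
    target, subject = TARGET_RE.search(trace), SUBJECT_RE.search(trace)
    host = target.group(1) if target else None
    cn = subject.group(1) if subject else None
    return {
        "target_host": host,
        "target_port": int(target.group(2)) if target else None,
        "leaf_cn": cn,
        "chain_rejected": bool(REJECT_RE.search(trace)),
        "cn_matches_target": bool(host and cn and cn_matches_host(cn, host)),
    }

def diagnose(trace: str) -> str:
    """Turn the parsed trace into a one-line finding for the support engineer."""
    r = analyse_trace(trace)
    if r["chain_rejected"] and not r["cn_matches_target"]:
        return (f"chain rejected; leaf CN {r['leaf_cn']!r} != target {r['target_host']!r}: "
                "check which chain the server really presents for that name")
    if r["chain_rejected"]:
        return f"chain rejected for {r['target_host']!r}: issuer chain missing from TrustedCAs"
    return "chain accepted"

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```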



Environment

  • SAP NetWeaver
  • SAP Process Integration

Product

SAP NetWeaver all versions; SAP Process Integration all versions

Keywords

Process Integration, PI, Process Orchestration, PO, NetWeaver, XI, AEX, SSLCertificateException, Peer certificate rejected by ChainVerifier, GeneralSecurityException, Error retrieving certificates, CertificateChain and PrivateKey must not be null, KBA, BC-XI-CON-RST, Rest Adapter, Problem
