SAP Knowledge Base Article - Preview

3509106 - Peer certificate rejected by ChainVerifier - java.security.KeyStore@<...>, <null>

Symptom

  • An SSL/TLS connection from the AS Java to an external server fails with "Peer certificate rejected by ChainVerifier", although the correct backend certificates have been imported into the TrustedCAs keystore view of the AS Java, which acts as the SSL client.
  • A ping from an HTTP destination on the AS Java to the remote SSL server works properly, but the SSL connection fails when it is initiated by a specific application (e.g. SAP MII Workbench).
  • An SSL trace with IAIK debug records (see SAP KBA 2673775) shows the following messages:

[...]
with (java.security.KeyStore@743f6a9d, <null>, java.security.KeyStore@<...>, <null>)
[...]
 with (https://<hostname of the SSL server>/, <null>)
~ecureConnectionFactory.initFactory    ⇦ with (java.security.KeyStore@<...>, <null>, java.security.KeyStore@743f6a9d, <null>)
[...]
[...]
ssl_debug(3): Starting handshake (iSaSiLk 5.106)...
ssl_debug(3): Sending v3 client_hello message to <hostname of the SSL server>:<port>, requesting version 3.3...
ssl_debug(3): Sending extensions: renegotiation_info (...), signature_algorithms (..)
ssl_debug(3): Received v3 server_hello handshake message.
[...]
ssl_debug(3): Received certificate handshake message with server certificate.
[...]
ssl_debug(3): ChainVerifier: No trusted certificate found, rejected.
Chain rejected by default verifier. IAIK log has more details.
[...]
ssl_debug(3): Sending alert: Alert Fatal: bad certificate
ssl_debug(3): Shutting down SSL layer...
ssl_debug(3): SSLException while handshaking: Peer certificate rejected by ChainVerifier
ssl_debug(3): Closing transport...
java.lang.RuntimeException: Error while silently connecting: org.w3c.www.protocol.http.HttpException: Peer certificate rejected by ChainVerifier
[...]



Environment

SAP NetWeaver Application Server Java using SSL for outgoing connections

Product

SAP NetWeaver Application Server for Java all versions

Keywords

~ecureConnectionFactory.initFactory, ~erver.https.SecureConnectionFactory, ~nectionFactory.createURLConnection, SecureConnectionFactory.initFactory, Server.https.SecureConnectionFactory, ConnectionFactory.createURLConnection, ME, MII, KBA, BC-JAS-SEC-CPG, Cryptography, Problem
