SAP PI 配置SSL链接接口报错问题处理Peer certificate rejected by ChainVerifier

出现这种情况一般无非是没有正确导入证书或者证书过期的情况

第一种,如果没有导入证书的话,需要在NWA中的证书与验证-》CAs中导入管理员提供的证书,这里需要注意的是,需要导入完整的证书链。

第二种如果是证书过期的,可以直接导入新的证书,如果出现冲突的情况需要把对应的证书删除,然后再导入新的证书,以下是SAP提供的原因解释3076281:

  1. Make sure that backend server's certificate chain has correct hostname and does not include unsupported characters. Also make sure there is no other certificate with the same value of Subject existing in TrustedCAs. Two certificates with the same Subject value can't co-exist in one keystore view. If it exists, then at runtime, during SSL handshake, a lookup is done only once based on Subject value thus can results in titled error, finally cause SSL failure.
    For example:
    AS Java AAA is SSL client. AS ABAP BBB is SSL server and AS ABAP CCC is another SSL server. Both BBB and CCC has SSL certificate with same Subject value but the serial number is different. Such as:

    BBB:
    Subject: CN=*.test.sap.com OU=DE
    Serial Number: 00:01:02:03:04

    CCC:
    Subject: CN=*.test.sap.com OU=DE
    Serial Number:00:05:06:07:08

    Even though both BBB and CCC SSL certificates get imported into TrustedCAs, however at runtime when AAA try to communicate with BBB and CCC. Only one of them work, while the other one will always end with titled error.

  2. If server contains wildcard value "*", check hints from the resolution part of the KBA apart from the fact that it is PI system or not: 2222086 - Peer certificate rejected by ChainVerifier in PI File Adapter.

  3. Make sure that backend server's certificate chain's order is correct .
    For example:
    SSL server has certificate chain like following:
    [Cert 0] Subject: CN=*.test.sap.com; Issuer: CN=aaa
    [Cert 1] Subject: CN=aaa; Issuer: CN=bbb
    [Cert 2] Subject: CN=bbb; Issuer: CN=ccc
    [Cert 3] Subject: CN=ccc; Issuer: CN=ccc
    In this case, [Cert 1] [Cert 2] are intermediate certificates and [Cert 3] is root certificate. Thus need to import [Cert 1] [Cert 2] and [Cert 3] to make Certification Revocation Check get passed correctly.

  4. Make sure that backend server's certificate chain is complete and has root CA. Each CRL is digitally signed by its CA. Therefore, to verify the digital signature provided with the CRL, the corresponding CA root certificate needs to be imported into a keystore view on the AS Java. There should be at least a ServerCertChain[1] part that would include the root certificate as a subject.

  5. In AS JAVA, go toNetweaver Administrator -> Configuration tab -> Security -> Certificates and Keys -> Key Storage tab -> TrustedCAs.

  6. Select theTrustedCAs view and click Import Entry button.

  7. Import the certificate chain provided by the SSL server.

但需要注意的是,可能还会出现类似的报错情况,这个时候可以通过xpi_inspector工具对rest接口进行检测,查看具体的报错异常,如果还是由于证书不匹配的情况导致,可以在工具里面导出对应的证书2056672

相关推荐
mubeibeinv19 分钟前
项目搭建+图片(添加+图片)
java·服务器·前端
秋名山小桃子38 分钟前
Kunlun 2280服务器(ARM)Raid卡磁盘盘符漂移问题解决
运维·服务器
与君共勉1213839 分钟前
Nginx 负载均衡的实现
运维·服务器·nginx·负载均衡
努力学习的小廉1 小时前
深入了解Linux —— make和makefile自动化构建工具
linux·服务器·自动化
MZWeiei1 小时前
Zookeeper基本命令解析
大数据·linux·运维·服务器·zookeeper
Arenaschi1 小时前
在Tomcat中部署应用时,如何通过域名访问而不加端口号
运维·服务器
小张认为的测试1 小时前
Linux性能监控命令_nmon 安装与使用以及生成分析Excel图表
linux·服务器·测试工具·自动化·php·excel·压力测试
waicsdn_haha1 小时前
Java/JDK下载、安装及环境配置超详细教程【Windows10、macOS和Linux图文详解】
java·运维·服务器·开发语言·windows·后端·jdk
打鱼又晒网1 小时前
linux网络套接字 | 深度解析守护进程 | 实现tcp服务守护进程化
linux·网络协议·计算机网络·tcp
良许Linux2 小时前
0.96寸OLED显示屏详解
linux·服务器·后端·互联网