
Symptom

While trying to invoke a web service over HTTPS, an exception is thrown with the error message "Peer certificate rejected by ChainVerifier".

Problem

You have not configured the client and server certificates properly, or they are invalid or not trusted.

Keywords

HTTPS, SSL

Description

When accessing a web service over HTTPS, two types of certificates can be used: client certificates and server certificates. Client certificates are sent by the web service client and can be used for authentication (e.g. by configuring an authentication method via X509 certificates). Server certificates are sent by the web service (or the server it is deployed on) and can be used for establishing proper SSL communication. You usually get this exception when the web service client does not trust the server certificates sent by the web service, or when the client does not send any certificate for authentication although the web service requires it.

Solution

Depending on your scenario, you might have to configure different settings in different places.

You use a Destination Template

In SAP NetWeaver Administrator, under Destination Template Management (http://<host>:<port>/nwa/DestinationTemplates), you have to configure:

  • In case you need client authentication with X509 certificates, you have to upload the certificate to a keystore view and select it.
  • In case you want to ignore server certificates, select Ignore Server Certificates under SSL Server Certificates.
  • In case you want to explicitly check if the server certificate is a valid one and trusted, make sure you have imported as trusted the whole certificate authority (CA) chain of the server certificate.

You use a Service Group

Make sure you have made the same settings that are required for a destination template, but in a user account.

You use a Single Configuration

In SAP NetWeaver Administrator, under Single Service Administration (http://<host>:<port>/nwa/ssadmin) > Consumer Proxies > Configuration, you have to configure security in the same way as for Destination Templates.

You use Web Services Navigator for testing such a web service

WS Navigator does not support testing a web service via HTTPS when the service requires client authentication. WS Navigator ignores all server certificates and does not check whether they are valid. If you want to test such a service, you have to create a test application.
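
A minimal test application of the kind mentioned above, as an added example (it is not SAP code). It validates the server chain against an explicit truststore and presents a client certificate, so both causes of the exception can be checked outside the server. The class name, the command-line arguments and the use of PKCS#12 files are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

public class HttpsChainTest {
    // Load a PKCS#12 store from disk (file format is an assumption of this example).
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    public static void main(String[] args) throws Exception {
        // args: <https-url> <truststore.p12> <trust-pass> <client.p12> <client-pass>
        char[] clientPass = args[4].toCharArray();
        // Trust only the CA chain imported into the given truststore.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(args[1], args[2].toCharArray()));
        // Offer the client certificate and key if the server requests one.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(args[3], clientPass), clientPass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) URI.create(args[0]).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            conn.connect();
            // Print the chain the server presented, leaf certificate first.
            for (Certificate c : conn.getServerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("subject=" + x.getSubjectX500Principal() + " issuer=" + x.getIssuerX500Principal());
            }
            System.out.println("HTTP status: " + conn.getResponseCode());
        } catch (SSLException e) {
            System.out.println("TLS failure (untrusted server chain or rejected client certificate): " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

If the connection succeeds here but fails from the server, compare the issuers printed above with the CA certificates imported as trusted in the keystore view used by the consumer configuration.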
