?
Solved

SSL Cert mismatch error

Posted on 2013-12-05
14
Medium Priority
?
73 Views
Last Modified: 2016-07-13
Hi..

In order to have a secured  and trusted communication between our SAP PI system and our partner, we bought the public SSL Cert and sent to our partner for import to their system (which is to be able to connect to our server and drop some files). When the partner is browsing the URL that we gave him, he is saying that our server is not sending the actual SSL cert that we shared with the partner. That means the Cert mismatch error is found which is halting the further testing. During the handshake our server, seems like, is sending the self signed cert by default, instead of the SSL cert that we bought. Our side of OS is AIX and SAP is installed on it.
0
Comment
Question by:gauravshar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
14 Comments
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39700053
The certificate needs to be installed on the server hosting the service.  Anyone accessing that service will be presented with the certificate (containing the public key) automatically.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 39700351
You need to install the SSL cert on your server.
0
 
LVL 64

Expert Comment

by:btan
ID: 39700716
the server certificate should have the subject name stating the server fqdn or website domain including hostname. this ssl server also need to ensure it is performing server authentication purpose as stated in the certificate. I do suspect the certificate is not in the SAP service server or user has browsed through some proxy which is why the actual server cert is not send over ... may have to also check its browser if there is any proxy plugin etc
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:gauravshar
ID: 39700984
The cert is already installed on the server..
0
 

Author Comment

by:gauravshar
ID: 39701013
It looks like the cert is not installed at the right place somewhere. when I browse the site internally too, it shows the self signed cert, not the SSL cert.

The issuesd to and issued by are the same entity here.. that is server itself.
0
 
LVL 64

Expert Comment

by:btan
ID: 39701095
Minimally the cert need to be in the machine certificate store e.g.
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/16/1bb23bdb0d0156e10000000a11402f/content.htm
0
 
LVL 64

Expert Comment

by:btan
ID: 39701114
0
 
LVL 9

Expert Comment

by:gtkfreak
ID: 39733305
If you bought the certificate from an authority like Verisign, check if your server has them as a provider. Many times, we find smaller providers like ncode etc, that are not accepted as these authorities certificates are not added to the servers or authorities certificate list. You can check if the authority that issued you the certificate is on your server if you have internet explorer or firefox. Go to Edit -> Preferences -> Advanced -> Certificates -> View Certificates in firefox to find out.
0
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 41703622
I rather take a step back to address the question since author no longer exist - looking at the profile activities...

Each SAP System is supplied with a public-key pair, which includes a public-key certificate, that is stored in its own system Personal Security Environment (PSE). It also supports the Secure Sockets Layer (SSL) protocol, which provides for authentication between communication partners and encrypted communications. In your case, it is likely the SSL use case applies.

So to go into deploying the SSL certificate, we take reference from SAP provided step through on configuring the SAP Web AS for Supporting SSL as an example - specially on Step (3)
Create and maintain the SSL Server PSEs as follows:
  a.  Create the SSL server PSEs.
  b.  Generate a certificate request for each SSL server PSE.
  c.  Send the certificate requests to a CA to be signed.
  d.  Import the certificate request responses into the server's SSL server PSEs.
  e.  Maintain the SSL server PSE's certificate list.

In this case of mismatch, we need t to ensure the above steps are followed through whereby the CSR is generated and eventually send to 3rd party CA or internal CA to get the SSL cert that can be imported and bind to SAP server to use it for all SSL exchanges. The emphasis is on step 3(d) and 3(e)
3(d) Import the certificate request responses into the server's SSL server PSEs.

From the Trust Manager screen:
Expand the
> SSL server PSE node.

For each application server that is to receive a signed certificate:

Select the application server with a double-click.
> The application server's SSL server PSE is displayed in the PSE maintenance section.
In the PSE maintenance section, choose This graphic is explained in the accompanying text Import Cert. Response.

The dialog for the certificate request response appears.
> Insert the contents of the certificate request response into the dialog's text box (using This graphic is explained in the accompanying textPaste) or select the response from the file system by using This graphic is explained in the accompanying text Load local file.

The signed public-key certificate is imported into the server's SSL server PSE, which is displayed in the PSE maintenance section. You can view the certificate by selecting it with a double-click. The certificate information is then shown in the certificate maintenance section.

Save the data.
3(e) Maintaining the SSL Server PSE's Certificate List

You have access to the CA's root certificate. For example, the SAP CA's certificate is available in the SAP system. If you use a different CA, then you must obtain its public-key certificate and store it in one of the available storage locations (for example, in the certificate database). If you have already imported the CA's certificate to a different PSE on the application server, then you can also use the trust manager to copy it from the PSE into the SSL server PSE.

Importing the CA's Root Certificate From the File System
If the CA's public-key certificate is located in the file system:
In the certificate section, choose This graphic is explained in the accompanying textImport certificate.
>The Import Certificate dialog appears.

Enter the corresponding file name from the file system.

Select the certificate's file format.

Note - If you are not sure which format to select, open the certificate in a text browser that does not use formatting, for example, Notepad. If the contents are readable (although encoded), then the format is Base 64. Otherwise the format is binary.

Choose Enter.
> The certificate appears in the certificate maintenance section.

Choose This graphic is explained in the accompanying textAdd to Certificate List.
> The certificate is added to the certificate list for the PSE displayed in the PSE maintenance section.

Save the data.
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/65/6a563cef658a06e10000000a11405a/content.htm?frameset=/en/3a/7cddde33ff05cae10000000a128c20/frameset.htm¤t_toc=/en/6a/44b2420e71c511e10000000a1550b0/plain.htm&node_id=798&show_children=false
0
 
LVL 64

Expert Comment

by:btan
ID: 41703628
I proposed http://#ID:41703622 as the solution to this question since it run through the proper steps by SAP guide in importing of SSL certificate into SAP web server. The link has more details on the guidance.
0
 
LVL 64

Expert Comment

by:btan
ID: 41704412
Noted thanks for the advice and will consider it. just that my writing skills for article has been below acceptable level of the editorial team..maybe is because of the topic that I chose.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: kevp75
Hey folks, 'bout time for me to come around with a little tip. Thanks to IIS 7.5 Extensions and Microsoft (well... really Windows 8, and IIS 8 I guess...), we can now prime our Application Pools, when IIS starts. Now, though it would be nice t…
Lease-to-own eliminates the expenditure of hardware replacement and allows you to pay off the server over time. Usually, this is much cheaper than leasing servers. Think of lease-to-own as credit without interest.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question