Introduction
We recently had an issue with a new certificate we were trying to install. The certificate was used to encrypt and sign the messages sent to an external site. As it was a new certificate, it is understandable that it might have issues. However, the most intriguing part was that the certificate behaved very differently on different platforms. When the certificate didn't work we asked the business for a new one, but their response was that the certificate works with a Microsoft based application and hence the issue must be on the PI side.
Analysis:
We were using a Java mapping for encrypting and signing the messages and hence had some idea of where in the certificate loading process the error was happening. Before we proceed, a quick note about certificate aliases:
All keystore entries (keys and certificates) are accessed via unique aliases. Whether aliases are case-sensitive is implementation-dependent: the JDK's own JKS and PKCS12 keystore implementations fold aliases to lower case, so there mycertalias and MYcertAlias refer to the same entry, but another provider's keystore may not behave the same way.
Extracting a certificate (and its key) from a keystore essentially involves three steps, and we checked the outcome of each one:
- Loading the keystore: this works. ks.size() returns 1.
- Enumerating the aliases (ks.aliases()): this outputs the alias, so far so good.
- Fetching the entry by that alias (ks.getCertificate(alias)): this returns null, even though the alias came out of the same keystore a moment earlier!
The error message from our logs is below; I have replaced the actual alias with <alias_guid>.
Tests to check the certificate in different environments:
Test 1: NWDS, standalone test on Windows, default JVM / JCE
So we didn't find any issues when testing on a local PC. We thought that perhaps something was wrong with the JVM running on the PI servers, so we tried a second test in the Unix environment where our PI servers are hosted.
Test 2: NWDS, standalone test on Unix, IBM JCE
Then we thought that perhaps the IAIK JCE provider had issues, so we did one more test.
Test 3: NWDS, standalone test on Windows, IAIK JCE provider
By now we were suspecting the IAIK JCE library. However, we couldn't get access to the exact version of the library running on the PI server; we tested with IAIK version 5.51, which can be downloaded for evaluation, so a defect present only in the server's version would not show up in this test.
Workaround:
These tests were not conclusive about where the error was, but we had a fair idea that there was an issue with the certificate alias. As a workaround, we changed the certificate alias.
OpenSSL:
OpenSSL is the Swiss army knife of TLS and PKI tooling, and it came to our rescue once we realised that the only way to get the certificate working was to modify it.
Some examples:
- To extract the unencrypted private key file
- To extract the client certificate
- To extract the CA certificates (root and all intermediate certificates)
So we were able to extract the client certificate. Sample screenshot with the alias name (friendly name):
Initial workaround:
To extract the private key, run the OpenSSL command:
To extract the certificate (which carries the public key), run the OpenSSL command:
We then used OpenSSL to reassemble the certificate and key into a new keystore file.
Example of adding an alias for a certificate:
So this provided a workaround to use a new alias and get the messages working.
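The following POSIX shell script is an added example, not code from the original post or from SAP; it serves both the alias check from the Analysis section and the OpenSSL steps in this section. It builds a throwaway CA and client certificate, bundles them into a PKCS#12 file whose friendly name hides a tab character (the kind of non-printable character that looks fine when the alias is printed), makes that character visible with OpenSSL and od, then applies the extract-and-reassemble workaround under a clean alias. The file names, the password `secret`, the aliases and the demo CA are assumptions made for the demo; the only requirement is the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce a PKCS#12 alias with a
# hidden non-printable character and apply the OpenSSL re-aliasing workaround.
# File names, the password "secret", the aliases and the demo CA are assumptions.
set -e

# Print the friendlyName (alias) stored with the client certificate in a PKCS#12 file.
get_friendly_name() {
    # $1 = PKCS#12 file, $2 = import password
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Return 0 (true) if the alias contains any byte that is not printable ASCII.
alias_has_nonprintable() {
    printf '%s' "$1" | LC_ALL=C grep -q '[^[:print:]]'
}

# Show the alias byte by byte so that invisible characters become visible.
dump_alias() {
    printf '%s' "$1" | od -An -c
}

# Split a bundle into its parts: unencrypted key, client certificate, CA chain.
extract_parts() {
    # $1 = PKCS#12 file, $2 = password, $3 = output directory
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/key.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/client.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/ca.pem" 2>/dev/null
}

# Reassemble the parts into a new PKCS#12 bundle under a new alias.
rebuild_with_alias() {
    # $1 = directory holding key.pem/client.pem/ca.pem, $2 = new alias,
    # $3 = export password, $4 = output PKCS#12 file
    if [ -s "$1/ca.pem" ]; then
        openssl pkcs12 -export -in "$1/client.pem" -inkey "$1/key.pem" \
            -certfile "$1/ca.pem" -name "$2" -passout "pass:$3" -out "$4"
    else
        openssl pkcs12 -export -in "$1/client.pem" -inkey "$1/key.pem" \
            -name "$2" -passout "pass:$3" -out "$4"
    fi
}

# Diagnose the alias of an existing bundle, then write a copy with a clean alias.
# Diagnostics go to stderr; the alias found in the new bundle goes to stdout.
realias_bundle() {
    # $1 = input PKCS#12, $2 = password, $3 = new alias, $4 = output PKCS#12
    realias_work=$(mktemp -d)
    realias_old=$(get_friendly_name "$1" "$2")
    if alias_has_nonprintable "$realias_old"; then
        echo "alias contains non-printable characters:" >&2
        dump_alias "$realias_old" >&2
    fi
    extract_parts "$1" "$2" "$realias_work"
    rebuild_with_alias "$realias_work" "$3" "$2" "$4"
    rm -rf "$realias_work"
    get_friendly_name "$4" "$2"
}

# Constructed test data: a demo CA, a client certificate signed by it, and a
# bundle whose alias hides a tab, mimicking the certificate from the post.
make_test_bundle() {
    # $1 = directory, $2 = alias, $3 = password; writes $1/bundle.p12
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=demo-client' \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 1 -in "$1/client.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -out "$1/client.crt" 2>/dev/null
    openssl pkcs12 -export -in "$1/client.crt" -inkey "$1/client.key" \
        -certfile "$1/ca.crt" -name "$2" -passout "pass:$3" -out "$1/bundle.p12"
}

# Demo run: the hidden tab is reported on stderr, the clean alias printed on stdout.
demo_dir=$(mktemp -d)
make_test_bundle "$demo_dir" "$(printf '3f2a-guid\tcert')" secret
realias_bundle "$demo_dir/bundle.p12" secret "3f2a-guid-cert" "$demo_dir/fixed.p12"
rm -rf "$demo_dir"
```

Point realias_bundle at a real .p12 to re-alias it. Note that extracting the key with -nodes writes it to disk unencrypted, so run this in a directory with restricted permissions and delete the intermediate files afterwards (the script removes its own temporary directory).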
However, we were still not sure why the behaviour differed between platforms.
I then copied the parts of the Java mapping related to loading the certificate into an adapter module so that it could be tested easily on different PI versions. I then launched an SAP PO instance from the SAP Cloud Appliance Library (SAP CAL), which has PO 7.5, and surprisingly the issue persisted there as well.
Easier workaround
Raising an SAP incident and getting an easier workaround.
As the issue with the certificate occurred only on the SAP PI application server and it was fine everywhere else, we raised an SAP incident. The issue appears to lie in the version of the IAIK JCE library we are using, specifically in its handling of non-printable characters in the alias name. Such a character is invisible when the alias is printed to a log, which is why enumerating the aliases looked fine while the lookup by alias failed. We were also given a workaround which is much easier to use than OpenSSL.
The steps are very simple:
The certificate can then be downloaded and has a different, valid alias name.
Now it gets loaded.
Conclusion and key takeaways: