How to troubleshoot, import/renew and monitor java Keystore certificates in SAP PI 7.5 – Part 2
In the previous blog, we discussed keystore views and renewing the server SSL certificate in SAP NW Java. In this part, let us look at the role of keystore views in PI communications.
Broadly, the communication between PI and third-party systems can be considered as two types:
- Inbound (Sending Messages to the Advanced Adapter Engine) – Sender Adapter
- Outbound (Sending Messages to an External System) – Receiver Adapter
For inbound communication, when a message is sent to the Advanced Adapter Engine, AS Java serves as the SSL server and presents its server certificate to the client as part of the SSL handshake. For such cases, the SSL server certificate of PI should be trusted by the third-party (client-side) system, which allows the SSL client to accept the server's certificate in the SSL handshake. On the PI side, if basic authentication is used, no additional configuration is required on the server side, but if client certificate authentication is requested or required by the configuration of the ClientCertLoginModule, additional configuration steps are required. For more information about client certificate authentication configuration in the sender adapter, I would suggest reading this excellent blog by Aashish Sinha.
For outbound communication, when you send messages from the Advanced Adapter Engine to an external system, AS Java acts as the SSL client. In this scenario, depending on the authentication type, we maintain two different types of certificates in two different keystore views.
| Authentication type | Keystore view | Certificate required |
|---|---|---|
| Basic | TrustedCAs | Public certificate issuer (CA) cert of the SSL server |
| Client certificate | Keystore view of the private key and public certificate | The private key of the certificate has to be present under the exact name/alias of the private key |
| Client certificate | TrustedCAs | Public certificate issuer (CA) cert of the SSL server |

The table above gives a quick overview of which certificates and keystore views are required for successful communication. Let's take a look at an example of each type with screenshots. For step-by-step instructions on importing a certificate into a keystore view, please check SAP Note 2056672 – How to import server certificates in PI system.
Example 1: HTTPS connection with No Authentication.
SOAP Receiver adapter communication channel connecting with SSL but no authentication as shown below.
In this case, importing the server certificate of the target URL into TrustedCAs is enough.
Example 2: HTTPS connection with Client certificate Authentication.
SOAP Receiver adapter communication channel connecting with HTTPS and client certificate authentication.
The keystore entry in the keystore view chosen in the communication channel must contain the private key of the certificate.
In some cases, the communication might still fail with an SSL error. In such cases, try importing the server certificate of the target URL into TrustedCAs; if the issue persists, troubleshoot the communication channel connectivity using the XPI Inspector tool.
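To see the trust decisions behind Example 1 and Example 2 outside an SAP system, here is an added Python example (not from the original post and not SAP code) that replays the outbound cases from the table in an in-memory TLS handshake: the target's self-signed certificate stands in for the issuer cert you would import into TrustedCAs, and the client key pair stands in for the private key entry in the keystore view. It assumes a local openssl binary (1.1.1 or newer) to generate throwaway certificates; the names target.example and pi-client are constructed.

```python
import ssl
import subprocess
import tempfile
from pathlib import Path

def make_self_signed(workdir, name, cn, san=None):
    # Throwaway self-signed cert/key pair made with the local openssl binary (>= 1.1.1)
    crt, key = workdir / f"{name}.crt", workdir / f"{name}.key"
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
           "-subj", f"/CN={cn}", "-keyout", str(key), "-out", str(crt)]
    if san:  # the client-side hostname check needs a SAN in the server certificate
        cmd += ["-addext", f"subjectAltName=DNS:{san}"]
    subprocess.run(cmd, check=True, capture_output=True)
    return str(crt), str(key)

def handshake(client_ctx, server_ctx, hostname):
    # Drive a TLS handshake through memory BIOs (no sockets); False on any SSL failure
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = server_ctx.wrap_bio(c_out, c_in, server_side=True)  # reads what client wrote
    for _ in range(10):
        finished = True
        for side in (client, server):
            try:
                side.do_handshake()
            except ssl.SSLWantReadError:
                finished = False
            except ssl.SSLError:  # untrusted issuer, missing client certificate, ...
                return False
        if finished:
            return True
    return False

def pi_outbound(trust_server_cert, client_cert_auth, client_key_present):
    # Receiver-adapter model: PI is the SSL client, the target URL is the SSL server
    work = Path(tempfile.mkdtemp())
    srv_crt, srv_key = make_self_signed(work, "target", "target.example", "target.example")
    cli_crt, cli_key = make_self_signed(work, "pi", "pi-client")
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # the third-party system
    server_ctx.load_cert_chain(srv_crt, srv_key)
    if client_cert_auth:  # channel configured for client certificate authentication
        server_ctx.verify_mode = ssl.CERT_REQUIRED
        server_ctx.load_verify_locations(cafile=cli_crt)
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # PI / AS Java
    if trust_server_cert:  # == issuer cert of the target present in TrustedCAs
        client_ctx.load_verify_locations(cafile=srv_crt)
    if client_key_present:  # == private key under the expected alias in the keystore view
        client_ctx.load_cert_chain(cli_crt, cli_key)
    return handshake(client_ctx, server_ctx, "target.example")
```

The two failing cases (no issuer in TrustedCAs, or client certificate authentication without the private key) are the configurations behind the generic SSL error mentioned above.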
That is all for this part. In the next part, we will see how to configure alerting for Java keystore certificate expiry. Thank you.