Tips for Troubleshooting Certificate Authentication failures with the Integration Toolkit (ITK)

	English	
Deutsch - Machine Translation Español - Machine Translation Français (France) - Machine Translation Italiano - Machine Translation 日本語 - Machine Translation 한국어 - Machine Translation Português (Brasil) - Machine Translation Русский - Machine Translation 简体中文 - Machine Translation

Support Note KB0394858

Issue

There are times where the Integration Toolkit (ITK) Data Transfer Tool (DTT) may fail when using certificate based authentication with errors around SSL or handshake failures. This solution is meant for stand alone ITK instances installed on a server, not installed on the SAP NetWeaver PI.

Cause

The issue is typically due to incomplete certificate chains or incorrect certificates being used on the customer's keystore.

When troubleshooting, please check the following:

Ensure the customer is using public key/intermediate/root certificates that are issued by a certificate authority trusted by Ariba. Self-signed certificates cannot be used with the ITK and certificate based authentication.
Ensure that the customer has enabled the end point in the Ariba application to be an authentication method of Certificate,

(Upstream): Manage > Administration > Integration Manager > Integration Toolkit Security
(Downstream): Manage > Core Administration > Integration Manager > Integration Toolkit Security
In the options file (.bat/.sh), ensure the parameter urlPrefix is set correctly to https://xxxxx/Sourcing/filedownload or https://xxxxx/Buyer/fileupload, where xxxxx would be one of the sites listed in the Additional Information section and has to be used as appropriate. For example: set urlPrefix=https://s1-integration.ariba.com/Sourcing/filedownload orr set urlPrefix=https://s1-integration.ariba.com/Buyer/fileupload
In the options file (.bat/.sh), ensure the following parameters are set and un-commented:
clientKeystore
clientKeystorePassword
clientKeyPassword
Ensure that the keystore specified in the clientKeystore parameter contains the customer's private key and public certificates being used for the SSL communication with Ariba (public key, intermediate, root certificates).
If the HTTPS post is failing, the customer can enable the following parameters in the toolslib.bat/.sh file in the ITK bin directory to print debug information regarding the client/server hello and handshake information:

a) Go to <ITK_install_root>/bin
b) Edit the toolslib.bat/.sh file
c) Set the following arguments and save:

Windows: set _command="%JAVA_HOME%\bin\java" -Djavax.net.debug=ssl:handshake:verbose -Dhttps.protocols=TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols="TLSv1.1,TLSv1.2" -jar "%CLASSESDIR%\aribafiletransfer.jar" %args%

Linux/Unix: _command="$JAVA_HOME/bin/java -Djavax.net.debug=\"ssl:handshake:verbose\" -Dhttps.protocols=\"TLSv1.1,TLSv1.2\" -Djdk.tls.client.protocols=\"TLSv1.1,TLSv1.2\" -jar \"$CLASSESDIR/aribafiletransfer.jar\" $_args"
The next time the ITK runs and attempts to post to Ariba, the log will show the SSL handshake/certificate information.

Check the Subject, Issuer, Validity Dates for the certificate(s) found for the customer's keystore. This information should be printed after the entry in the ITK log to HTTPS post to the Ariba URL. Check that the certificate(s) found match the same client certificate information they expect to be in the keystore.

a) A valid certificate should be found from the client's keystore.
Example:
****Running File Transfer Tool at Wed Nov 11 13:22:54 PDT 2020****
posting to https://certs1.ariba.com/Buyer/filedownload?realm=abcCompany
***
found key for : <clients_keystore>

b) The *** ClientHello, TLSv1 will be initiated
c) The *** ServerHello, TLSv1 will be initiated and the Ariba public key (certificate chain) will be sent to the client
d) A trusted certificate should be found
e) The *** ClientKeyExchange, RSA PreMasterSecret, TLSv1 will be initiated where the client sends the key exchange signed with the Ariba public key
f) Ariba decrypts the PreMasterSecret. This is the point, where if a failure occurs, the user may see an error like the following. If so, the problem may lie with the certificates in the keystore: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Additional information

The valid realms are listed below,

service-2-eu.ariba.com
service-2-ru.ariba.com
s1-integration.ariba.com
certs1-integration.ariba.com
s3-integration.ariba.com
certs3-integration.ariba.com
s1-integration-eu.ariba.com
certs1-integration-eu.ariba.com
s1-integration-ru.ariba.com
certs1-integration-ru.ariba.com
service-2.ariba.com
certservice-2.ariba.com

Applies To

Purchasing
Strategic Contracts
Strategic Sourcing
Supplier Information & Performance Management