Support Note KB0395063
Cannot Connect to SAP Business Network - PKIX Path Building Failed
Issue

Issue Scenario:

SAP ECC --> SAP PI --> SAP Business Network

Customers are trying to send a purchase order (PO) from SAP ERP (Enterprise Resource Planning) to SAP Business Network, and the PO fails in Process Integration (PI) with the following error.

[Error Level] 2
[Error Code] ECC103
[Error Desc] Ariba SN Not Available
[Error Message] Cannot connect to Ariba SN
com.ariba.asc.connector.exception.AribaSNException: Cannot connect to Ariba SN

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
... 30 more


Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)

Cause

The error “sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target ...” generally means that the certificate chain is not complete. This can occur if no trusted Certificate Authority (CA) root certificate is installed in the Trusted Key Store, or if the certificates are not installed in the correct path.

Solution

We provided the following suggestions to the customers. Ensure the following:

  1. The certificates are installed properly in the JDK (Java Development Kit) KeyStore, and the root certificate being used belongs to a valid Certificate Authority (CA) that Ariba trusts.
  2. The CAs that Ariba trusts can be found at: https://connect.ariba.com/AC_Content_Details_Page/1%2C%2C161_142424%2C00.html
  3. Ariba-related certificates and third-party certificates provided by CAs are to be installed in the Trust Store View "TrustedCAs", and the Key Store View must have ALL permissions. Ariba always recommends the use of "TrustedCAs" to import Ariba-related certificates.
  4. The Key Store View "TrustedCAs" needs to be referenced in the Process Integration (PI) Communication Channel.

Additionally, we provided the following solution, which resolved the issue.

The steps to import the security certificates for SAP NetWeaver Adapter follow:

  1. Download VerisignCerts.zip, attached to the Case, and unzip the contents. It contains two certificates.
  2. On the NetWeaver application server, issue the following command from the command line to find the location of your Java home:

      echo $JAVA_HOME

    a. Go to your JAVA_HOME/bin and issue the following command (this is the location of the keystore in your JAVA_HOME directory):

      keytool -list -keystore <JAVA_HOME>/jre/lib/security/cacerts

    b. This command should list a number of certificates in the keystore. If none exist, this is not the correct keystore.
    c. If it lists multiple certificates, this is likely the correct location to import the new certificates; go to the next step.

  3. Issue the following command to import the certificates to the keystore:

    a. Go to JAVA_HOME/bin; then copy VeriSignClass3SecureServerCAG3.der and VeriSignClass3PublicPrimaryCertificationAuthorityG5.der to the bin directory.
    b. On the command line, enter:

      keytool -import -trustcacerts -alias certfile -file VeriSignClass3SecureServerCAG3.der -keystore <JAVA_HOME>/jre/lib/security/cacerts

    c. If everything is correct, it prompts you for a password; the password is "changeit".
    d. Repeat steps a and b for the second certificate.

Next, you must restart the Ariba XI adapter. If you still have issues, restart the J2EE server by following these steps:

    1. From the ICM (Internet Communication Manager) Monitor, Admin menu, Restart > Yes.
    2. Send Hard Shutdown > With Restart.
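
The import steps above as a script, added here as an example and not part of the original support note: it checks each .der file against a SHA-256 fingerprint obtained from the CA before importing it, and gives each certificate its own alias, because keytool refuses to import under an alias that already exists. The function names, the KEYTOOL, CACERTS and STOREPASS variables, the aliases and the use of sha256sum are assumptions, and the fingerprints in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example (not from the support note): verify, then import, a CA file.
# Assumptions: sha256sum is installed; KEYTOOL, CACERTS and STOREPASS are
# overridable defaults chosen for this sketch.
KEYTOOL="${KEYTOOL:-keytool}"
CACERTS="${CACERTS:-$JAVA_HOME/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# The SHA-256 fingerprint of a DER certificate is the SHA-256 of the file's
# bytes, so it can be computed without parsing the certificate.
der_fingerprint() {
    sha256sum "$1" 2>/dev/null | cut -d' ' -f1
}

# True if the keystore already has an entry under this alias.
alias_exists() {
    "$KEYTOOL" -list -alias "$1" -keystore "$CACERTS" \
        -storepass "$STOREPASS" >/dev/null 2>&1
}

# import_verified FILE ALIAS EXPECTED_SHA256
# Returns 0 = imported, 1 = alias already present (nothing changed),
#         2 = fingerprint mismatch or unreadable file, 3 = keytool failed.
import_verified() {
    fp=$(der_fingerprint "$1")
    # Accept the expected value with or without colons, in either case.
    want=$(printf '%s' "$3" | tr -d ': ' | tr 'A-F' 'a-f')
    [ -n "$fp" ] && [ "$fp" = "$want" ] || return 2
    alias_exists "$2" && return 1
    "$KEYTOOL" -import -trustcacerts -noprompt -alias "$2" -file "$1" \
        -keystore "$CACERTS" -storepass "$STOREPASS" >/dev/null 2>&1 || return 3
    return 0
}

# Usage on the server (aliases are hypothetical, fingerprints are placeholders):
#   import_verified VeriSignClass3SecureServerCAG3.der vs-class3-g3 "<SHA256-FROM-CA>"
#   import_verified VeriSignClass3PublicPrimaryCertificationAuthorityG5.der vs-class3-g5 "<SHA256-FROM-CA>"
```

A return code of 2 means the file does not match the fingerprint published by the CA and should not be added to the trust store.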

Additional Information

Questions to ask to Troubleshoot Certificate Issues:

  1. Is the KeyStore (cacerts) value configured properly in the Configuration Properties?
  2. Do the KeyStore / Trust Store View have all Permissions needed?
  3. Check and validate the certificates, and ensure that all the certificates are available in TrustedCAs. Afterward, try testing with a PO / Invoice.
  4. Are the latest certificates being used?
  5. Do PROD and other Non-PROD environments work properly?
  6. Could you please compare the Network, (Ports) Firewall and Connectivity Settings for the customer? Has anything changed?
  7. Could you please check to see if there are any Network- / Firewall-related changes? Have any changes been made to the JDK Key Store or JVM?
  8. When was the last successful PO / Invoice sent to AN / received from AN?
  9. Have any recent SAP PI Upgrade or any other upgrades been done?
  10. Restart the SAP Business Network Adapter for SAP, and do a full PI restart if required.

Note:

1) PI Upgrade / Changes in PI Communication Channel would overwrite the Certificate Information, and it is advisable to check the certificates and configurations after System / OS Upgrades.

2) Changes in Network / Firewall would also result in the same error, and customers need to check and validate whether the certificates are imported, necessary configurations are in place, and ports are opened from SAP PI to connect to SAP Business Network.


Applies To

SAP Business Network for Procurement & Supply Chain
