 |
| ||||||||
When connecting to the Managed Gateway for Spend&Network, I receive a Handshake Failure error like the one below:
Connection Closed, Handshake Failure while attempting to perform HTTP Post of a document to https://acig-us.ariba.com/as2/as2
Logs show errors: "ERR_CERT_CHAIN_UNTRUSTED" and "Signature does not match"
US data center:
EU data center:
- Test: https://testacig.ariba.com
- Prod: https://acig.ariba.com
The middleware/system you are using to connect is not compatible with Server Name Indication (SNI) protocol. If your middleware is not SNI compatible, then the authentication certificate you use with Managed Gateway for Spend&Network endpoints is the cf domain certificate. If your middleware is SNI enabled, then the authentication happens directly with the acig domain certificates instead of the cf domain certificates.
BTP renewed the certificates for the following domains that impacted non-SNI enabled connections:
- US data center
- Region: US East (VA) AWS
- End point: https://api.cf.us10.hana.ondemand.com/
- EU data center
- Region: Europe (Frankfurt) AWS
- End point: https://api.cf.eu10.hana.ondemand.com/
Permanent solution (Recommended):
You must enable SNI on your middleware/systems used to connect with the Managed Gateway for Spend&Network to ensure seamless connectivity. As the cf domain certificates are not recommended, we do not notify customers when these certificates are updated, so enabling SNI will prevent future handshake failure issues whenever cf domain certificates are updated.
Temporary workaround to reestablish the connection (Not Recommended):
You must load the renewed root and intermediate certificate in your PI Trusted CAs key-store. Loading this new certificate will resolve the connection issue for now, but if you do not implement the permanent solution of enabling SNI for your middleware/system, then you will experience handshake failures whenever cf domain certificates are updated in the future.
- If using the US data center, you can download the new certificate by going to the URL https://api.cf.us10.hana.ondemand.com/ in your browser and following these steps:
- To the left of the URL in your browser, click the [View site information] icon.
- Click Connection is Secure.
- Depending on your browser, click the [View certificate] icon, Certificate is valid link, or More Information > View Certificate buttons to view the certificate to be loaded.
- If using the EU data center, you can download the new certificate by going to the URL https://api.cf.eu10.hana.ondemand.com/ in your browser and following these steps:
- To the left of the URL in your browser, click the [View site information] icon.
- Click Connection is Secure.
- Depending on your browser, click the [View certificate] icon, Certificate is valid link, or More Information > View Certificate buttons to view the certificate to be loaded.
For details related to certificate replacement done in the SAP BTP, Cloud Foundry Environment, see Root Certificate Replacement in the SAP BTP, Cloud Foundry Environment.
For more information on certificate replacement, see What are the customer specific changes required for SAP Integration Suite, managed gateway for spend management and SAP Business Network - Certificate Replacement on supplier side?
To view the information shared previously by SAP regarding the change to require SNI compatibility, see FAQ - Managed Gateway for Spend & Network Certificate Change US DC– October 26 2020.and FAQ - Managed Gateway for Spend & Network Certificate Change EU DC– October 26 2020
SAP Integration Suite Managed Gateway
SAP Integration Suite Managed Gateway > Managed Gateway for Procurement
SAP Integration Suite Managed Gateway > Managed Gateway for Supplier Addon