Hello everybody,
I am tryining to establish a connection from SAP PI 7.0 to an external web service that requires SSL with client authentication. I am using the SOAP adapter for that. The private key of us and the public key of the web service were installed in the VA in the TrustedCAs view. In the corresponding receiver channel configuration I have ticked "Configure Certificate Authetication" and selected appropriate entries in "Keystore Entry" and "Keystore View".
Whenever I send a message through the channel I am getting though an error during the SSL handshake: Decrypt error.
Below is the SSL debug log
ssl_debug(15): Sending v3 client_hello message to services.bloomberg.com:443, requesting version 3.1...
ssl_debug(15): Received v3 server_hello handshake message.
ssl_debug(15): Server selected SSL version 3.1.
ssl_debug(15): Server created new session 81:ED:F8:61:3B:51:8E:70...
ssl_debug(15): CipherSuite selected by server: TLS_RSA_WITH_AES_256_CBC_SHA
ssl_debug(15): CompressionMethod selected by server: NULL
ssl_debug(15): Server does not supports secure renegotiation.
ssl_debug(15): Received certificate handshake message with server certificate.
ssl_debug(15): Server sent a 2048 bit RSA certificate, chain has 3 elements.
ssl_debug(15): ChainVerifier: No trusted certificate found, OK anyway.
ssl_debug(15): Received certificate_request handshake message.
ssl_debug(15): Accepted certificate types: RSA, DSA
ssl_debug(15): Accepted certificate authorities:
ssl_debug(15): CN=XXXXXXXXXXXXXXXXXXXXXXXX
ssl_debug(15): CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(15): CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(15): Received server_hello_done handshake message.
ssl_debug(15): Sending certificate handshake message with RSA client certificate...
ssl_debug(15): Sending client_key_exchange handshake...
ssl_debug(15): Sending certificate_verify handshake message...
ssl_debug(15): Sending change_cipher_spec message...
ssl_debug(15): Sending finished message...
ssl_debug(15): Received alert message: Alert Fatal: decrypt error
ssl_debug(15): SSLException while handshaking: Peer sent alert: Alert Fatal: decrypt error
ssl_debug(15): Shutting down SSL layer...
My first assumption was that it might be caused by missing public key of other side's server in the TrustedCAs view. Now I have assured that we have this key installed (although I am currious why there is still the "ChainVerifier: No trusted certificate found" message in the log).
Does somebody have an idea what could cause this SSL handshake failure?
Best regards,
Maxim