KB 223 - PO Connection Test fails with ChainVerifier error
KB 223 (JAVA): PO Connection Test fails with ChainVerifier error
Category: Problem
Platform: Java(NW)
Priority: High
Version: 1 from 23.03.2021
Description
When you click the PI button under the Test Connectivity section in the Admin tab of the PowerConnect Java UI, you receive an error similar to "Peer Rejected by ChainVerifier".
Cause
The monitoring agent for SAP PI message monitoring relies on the AdapterMessageMonitoring web service to collect and forward data to platforms like Splunk or Dynatrace. If the web service is configured to be accessed only over HTTPS (i.e. HTTP has been disabled in the profile of the SAP system and only HTTPS is configured), calls to it may fail due to SSL certificate validation issues.
This failure typically occurs because the agent calls the web service using localhost, while the SSL certificate is issued to a different hostname. This article explains why this issue occurs and provides solutions to resolve it.
Why HTTPS Calls to the Web Service Fail
When the monitoring agent calls the AdapterMessageMonitoring web service over HTTPS, it does so using localhost (e.g., https://localhost:50000/...). However, SSL certificates are issued for a specific hostname or domain. If the certificate does not include localhost as a Subject Alternative Name (SAN), the SSL validation fails, resulting in an error.
Why the Agent Uses Localhost
The monitoring agent runs on the same SAP PI/PO host. It reads the SAP profile parameters to discover the local HTTP port, server name and protocol by examining the server_port configuration, which contains:
PROT=HTTP(S)
PORT=<web port>
HOST=<hostname>
If the HOST has not been set then the agent defaults to localhost.
The agent will try to discover a non-SSL port first and will only use SSL if the non-SSL port has been disabled. The issue appears when only SSL is enabled, i.e.
PROT=HTTPS
In that case the hostname in the request (localhost) does not match the certificate, triggering the validation failure.
Solutions to Fix the Issue
Option 1
Re-enable HTTP for localhost only in the SAP profile.
In the SAP Profile file re-enable HTTP but set the HOST parameter to localhost e.g.:

This will allow the agent to communicate with the web service via HTTP on localhost and will not expose HTTP access outside of the local machine. Collection becomes more efficient and performant because the SSL overhead is no longer present, and the environment stays secure because HTTP access is only available locally on the SAP hosts and not over the network. HTTPS access via the network is still enforced.
In the example above we have HTTP access enabled on port 50000 that can only be accessed via the local machine. We also have HTTPS access enabled on port 50001 that can be accessed over the network.
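The discovery rules from "Why the Agent Uses Localhost" and the effect of Option 1 can be checked against a profile before changing anything. The following is an added example, not PowerConnect code: it models the rules as this article states them and compares the resulting host with a certificate's SAN list. The icm/server_port_ parameter names, the ports in the HTTPS-only sample, and the hostname sappo01.example.com are assumptions and constructed sample values.

```python
# Added example: models the discovery rules described in this article.
# Profile lines, ports and hostnames below are constructed sample values.

def parse_server_ports(profile_text):
    """Return one dict of PROT/PORT/HOST options per server_port line."""
    entries = []
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if "server_port" not in line or "=" not in line:
            continue
        value = line.split("=", 1)[1]                 # text after the parameter name
        pairs = (kv.strip().split("=", 1) for kv in value.split(",") if "=" in kv)
        fields = {k.strip().upper(): v.strip() for k, v in pairs}
        if "PROT" in fields and "PORT" in fields:
            entries.append(fields)
    return entries

def agent_endpoint(entries):
    """Non-SSL port first, HTTPS only if no HTTP entry; HOST defaults to localhost."""
    for prot in ("HTTP", "HTTPS"):
        for e in entries:
            if e["PROT"].upper() == prot:
                return prot.lower(), e.get("HOST") or "localhost", int(e["PORT"])
    return None

def san_matches(host, sans):
    """Exact or single-label wildcard match against the certificate's SAN list."""
    host = host.lower()
    for san in (s.lower() for s in sans):
        wildcard = san.startswith("*.") and len(san) > 2
        if san == host or (wildcard and host.partition(".")[2] == san[2:]):
            return True
    return False

def diagnose(profile_text, cert_sans):
    """Predict whether the agent's call passes hostname validation."""
    ep = agent_endpoint(parse_server_ports(profile_text))
    if ep is None:
        return "no web port found"
    scheme, host, port = ep
    url = f"{scheme}://{host}:{port}"
    if scheme == "https" and not san_matches(host, cert_sans):
        return f"FAIL {url}: certificate has no SAN for '{host}'"
    return f"OK {url}"

CERT_SANS = ["sappo01.example.com"]                    # constructed SAN list
HTTPS_ONLY = "icm/server_port_0 = PROT=HTTPS,PORT=50001"
OPTION_1 = ("icm/server_port_0 = PROT=HTTP,PORT=50000,HOST=localhost\n"
            "icm/server_port_1 = PROT=HTTPS,PORT=50001")
if __name__ == "__main__":
    for profile in (HTTPS_ONLY, OPTION_1):
        print(diagnose(profile, CERT_SANS))
```

The HTTPS-only profile reports a failure for localhost, while the Option 1 profile resolves to the local HTTP port and skips certificate validation entirely.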
Option 2
If running PowerConnect Java 8.3, set the PO Connection to “EJB” rather than the default of “Web Service”.
In the PO configuration there is a setting called PO Message Connection Type which is set to Web Service by default. Change this to EJB and click Save:

This is a new mechanism for collecting PO messages that does not use the AdapterMessageMonitoring web service at all, but rather a direct call using EJB, and so does not suffer from the SSL issue. There is no change in the data format or filtering capabilities. Because this feature was only recently introduced, it is recommended that the PO filters and resulting data collection are validated in a pre-production environment to ensure all expected messages are collected.