1/8/2016 Document 343799.

Punchout To Oracle Exchange Or Supplier Site Receive Error Code: 201 for Certificate not
Updated, Including Instructions of How to add the Missing Certificates (Doc ID 343799.1)

In this Document

Symptoms
Cause
Solution
References

APPLIES TO:

Oracle iProcurement Version 11.5.10 to 12.1.3 [Release 11.5 to 12.1]
Information in this document applies to any platform.

SYMPTOMS

iProcurement punchout to Exchange or to supplier sites fails with Error.
Due to this issue, users are unable to use iProcurement punchout to create requisitions.

Error

Error received by the user is as follows:

Error
The connection to the supplier web site cannot be established.
Click here to view additional technical details of this failure.
Return to Shopping Home

Exception details are as follows:

Error Code: 201 Unable To Reach Supplier Site
Unable to send the Login Request XML.
Supplier Login URL: https://<punchoutsupplier.domain>/cxmllogin/index.cgi
...

ProcessorException
Proxy Host: null
Proxy Port: 1
CA Certification File Location: /oracle/apps/<sid>/iAS/Apache/Apache/conf/ssl.crt/ca.crt

URL: https://<punchoutsupplier.domain>/cxmllogin/index.cgi
java.io.IOException: javax.net.ssl.SSLException: SSL handshake failed: X509CertChainInvalidErr

https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrlstate=134u1hrr45_877&id=343799.1 1/3

Steps To Reproduce
1. SSL certification expires.
2. Update to new SSL certificate.
3. Login to iProcurement.
4. Select Exchange or a Supplier site for punchout.
The errors occur.

CAUSE

The cabundle.crt file on the server does not contain the root certificate authority details for the certificate authority
used by the supplier.

1. From the supplier site: https://<punchoutsupplier.domain>/, double-click on the padlock icon at the bottom of the
browser window.

2. Then view the Certification Path as follows:

VeriSign Class 3 Public Primary CA (ROOT Level)

www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign (INTERMEDIATE Parent
Level)

<punchoutsupplier.domain> (BASE Child Level)

Compare the details of the certificate with the cabundle file on the server (referenced in the profile option: 'POR: CA
Certificate File'). The cabundle.crt on the server does not contain the VeriSign root certificate used by the supplier.

SOLUTION

To implement the solution, execute the following steps:

1. Navigate to the supplier site, e.g.: https://<punchoutsupplier.domain>/

2. Double-click on the padlock icon at the bottom of the browser window. (or in IE8 click the padlock icon at the top of
the browser in the address bar, and choose View Certificates)

3. Click the Details tab.

4. Click the Copy To File button.

5. Export the (Chain) Certificates from IE in Base64 encoding.

6. Open the exported file using a text editor (such as Notepad).

7. Update the certificate file (usually cabundle.crt) referenced by the profile 'POR: CA Certificate File' by copying the
details of the exported certificate to the top of the certificate file as described in

Note 137145.1 How to configure Oracle Portal with SSL and Global Server Certificates:


NOTE 1: The certificate authority used by the supplier must be included in the cabundle.crt file on the server. The
cabundle.crt directs which signing authorities are accepted by the server.

If the supplier uses TLS it is necessary to include ALL 3 levels (Root, Intermediate, and Base) of the Certificate in
the bundle file. It is a good practice to always include ALL 3 levels.
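
The check behind step 7 and NOTE 1, as an added example that is not part of the Oracle note: it builds a constructed three-level chain with OpenSSL, shows verification failing while the root is missing from the bundle, and passing once the root is copied to the top. The function names and the demo-root, demo-int and demo-leaf certificates are made up for illustration; OpenSSL 1.1.0 or later is assumed to be on the PATH.

```shell
#!/usr/bin/env bash
# Added example: does a CA bundle anchor a supplier certificate chain?
# Needs OpenSSL 1.1.0+ (for -no-CApath). All names below are constructed.

# Print the subject/issuer of every certificate in a PEM bundle.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Succeed only if the bundle by itself validates the certificate.
# -no-CApath stops the system trust directory from hiding a missing root.
bundle_trusts() {    # args: bundle.crt cert.pem
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway three-level chain in directory $1:
# demo-root (ROOT) -> demo-int (INTERMEDIATE) -> demo-leaf (BASE).
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Reproduce the failure, then apply the fix from step 7.
demo() {
    t=$(mktemp -d)
    make_demo_chain "$t"
    cp "$t/int.pem" "$t/bundle.crt"                       # root missing
    bundle_trusts "$t/bundle.crt" "$t/leaf.pem" && before=ok || before=fail
    cat "$t/root.pem" "$t/bundle.crt" > "$t/fixed.crt"    # root copied to top
    bundle_trusts "$t/fixed.crt" "$t/leaf.pem" && after=ok || after=fail
    count=$(bundle_subjects "$t/fixed.crt" | grep -c '^subject')
    rm -rf "$t"
    echo "$before $after $count"
}

demo    # prints: fail ok 2
```

Against a real system, pass the file named by 'POR: CA Certificate File' and a saved copy of the supplier certificate to `bundle_trusts`, and use `bundle_subjects` to confirm the root and intermediate are both present.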

NOTE 2: In addition to adding the certificates as mentioned above, if the supplier has already migrated from SSL
to TLS, these are the options available for the EBS iProcurement punchout customer to have compatible access to
the punchout site

Either A) upgrade the database to enable use of the TLS protocol, or B) ask the supplier to allow both SSL and TLS
if they can do so.

A. Upgrade the database to 12c or 11g version and apply the patch to communicate with suppliers with TLS.
As mentioned in [Note 1937646.1 CVE-2014-3566 Instructions to Mitigate the SSLv3 Vulnerability ("POODLE
Attack") in Oracle E-Business Suite], Oracle E-Business Suite has tested several versions of Oracle Database.
Oracle Database 12c (12.1.0.1 and later) enables TLSv1 and later. Oracle Database 11g Release 2 (11.2.0.4 and
11.2.0.3) enables TLSv1. Oracle Database 11g Release 1 (11.1.0.7) may require patch 6973000 to support TLSv1

or

B. Ask the punchout suppliers to keep the SSL protocol opened, even if they use TLS. (Although, due to security
issues with SSL the suppliers may still prefer to only allow TLS connection to their punchout site)

REFERENCES

NOTE:137145.1 How to configure Oracle Portal with SSL and Global Server Certificates in Portal 3.0.9
NOTE:230607.1 SSL handshake failed: X509CertChainIncompleteErr with Global Server Certificates
NOTE:473525.1 How To Diagnose Problems With SSL During Punchout
NOTE:1937646.1 CVE-2014-3566 Instructions to Mitigate the SSLv3 Vulnerability ("POODLE Attack") in Oracle E-Business Suite
NOTE:1938985.1 Securing OMS with Custom Certificates fail with error Invalid trusted cert
NOTE:1999543.1 Which Type Of Certificates Are Supported By Oracle Exchange And iProcurement Punchout. Does It Support SHA256RSA?
NOTE:1926905.1 Punchout With SHA2 Certificate Results In SSL Handshake Failed: X509CertChainInvalidErr Error
NOTE:1937220.1 Punchout in Oracle iProcurement and Exchange Fails After Supplier Site Migrates From SSLv3 to TLS Protocol (with SSL Handshake SSLIOClosedOverrideGoodbyeKiss)
NOTE:1969779.1 Punchout to Supplier That is Using SHA2 Certificate Gets IE Cannot Display the Web Page, and Pointing Directly to the Punchout Site Gets Invalid Security Certificate Error sec_error_unknown_issuer
NOTE:1520258.1 Returning The Cart In Punchout Goes To Login Page And An Error Occurs