Punchout To Oracle Exchange Or Supplier Site Receive Error Code: 201 for Certificate not Updated, Including Instructions of How to add the Missing Certificates (Doc ID 343799.1)
In this Document
Symptoms
Cause
Solution
References
APPLIES TO:
Oracle iProcurement Version 11.5.10 to 12.1.3 [Release 11.5 to 12.1]
Information in this document applies to any platform.
SYMPTOMS
iProcurement punchout to Exchange or to supplier sites fails with Error.
Due to this issue, users are unable to use iProcurement punchout to create requisitions.
Error
Error received by the user is as follows:
Error
The connection to the supplier website cannot be established.
Click here to view additional technical details of this failure.
Return to Shopping Home
Exception details are as follows:
Error Code: 201 Unable To Reach Supplier Site
Unable to send the Login Request XML.
Supplier Login URL: https://<punchoutsupplier.domain>/cxmllogin/index.cgi
...
Processor Exception
Proxy Host: null
Proxy Port: 1
CA Certification File Location: /oracle/apps/<sid>/iAS/Apache/Apache/conf/ssl.crt/ca.crt
URL: https://<punchoutsupplier.domain>/cxmllogin/index.cgi
java.io.IOException: javax.net.ssl.SSLException: SSL handshake failed: X509CertChainInvalidErr
https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrlstate=134u1hrr45_877&id=343799.1 1/3
1/8/2016 Document343799.1
Steps To Reproduce
1. SSL certification expires.
2. Update to new SSL certificate.
3. Log in to iProcurement.
4. Select Exchange or a Supplier site for punchout.
The errors occur.
CAUSE
The ca-bundle.crt file on the server does not contain the root certificate authority details for the certificate authority used by the supplier.
1. From the supplier site: https://<punchoutsupplier.domain>/, double-click on the padlock icon at the bottom of the browser window.
2. Then view the Certification Path as follows:
VeriSign Class 3 Public Primary CA (ROOT Level)
www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign (INTERMEDIATE Parent Level)
<punchoutsupplier.domain> (BASE Child Level)
Compare the details of the certificate with the ca-bundle file on the server (referenced in the profile option: 'POR: CA Certificate File'). The ca-bundle.crt on the server does not contain the VeriSign root certificate used by the supplier.
SOLUTION
To implement the solution, execute the following steps:
1. Navigate to the supplier site, e.g.: https://<punchoutsupplier.domain>/
2. Double-click on the padlock icon at the bottom of the browser window. (Or in IE8 click the padlock icon at the top of the browser in the address bar, and choose View Certificates.)
3. Click the Details tab.
4. Click the Copy To File button.
5. Export the (Chain) Certificates from IE in Base64 encoding.
6. Open the exported file using a text editor (such as Notepad).
7. Update the certificate file (usually ca-bundle.crt) referenced by the profile 'POR: CA Certificate File' by copying the details of the exported certificate to the top of the certificate file as described in Note 137145.1 How to configure Oracle Portal with SSL and Global Server Certificates:
NOTE 1: The certificate authority used by the supplier must be included in the ca-bundle.crt file on the server. The ca-bundle.crt directs which signing authorities are accepted by the server.
If the supplier uses TLS it is necessary to include ALL 3 levels (Root, Intermediate, and Base) of the Certificate in the bundle file. It is a good practice to always include ALL 3 levels.
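A scripted form of step 7 and NOTE 1, added here as an example and not part of the Oracle note: it copies the exported CA certificates to the top of the bundle and keeps the change only if the supplier's certificate then verifies against the bundle alone. The function names, the `.bak` backup suffix and the three file arguments are assumptions, and it needs the `openssl` command-line tool (1.1.0 or later for `-no-CApath`).

```shell
#!/usr/bin/env bash
# Added example, not Oracle's procedure text. Function names and the .bak
# backup suffix are assumptions; needs the openssl CLI (1.1.0+ for -no-CApath).

# verify_against_bundle BUNDLE CERT
# Succeeds only if CERT chains to a CA stored in BUNDLE; the system trust
# directory is excluded so the result reflects the bundle file alone.
verify_against_bundle() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# add_ca_to_bundle BUNDLE CA_PEM SUPPLIER_CERT
# Copies CA_PEM (the exported Base64 CA certificates) to the top of BUNDLE,
# but commits the change only if SUPPLIER_CERT then verifies.
# Prints one status word; returns 0 on success or when nothing was needed.
add_ca_to_bundle() {
    bundle=$1; ca_pem=$2; supplier=$3

    if verify_against_bundle "$bundle" "$supplier"; then
        echo "already-trusted"; return 0
    fi
    # Reject exports that are not PEM X.509 (for example a DER or PKCS#7 file).
    if ! openssl x509 -in "$ca_pem" -noout >/dev/null 2>&1; then
        echo "not-a-pem-certificate"; return 2
    fi

    cp -p "$bundle" "$bundle.bak" || return 3
    candidate=$(mktemp) || return 3
    # The blank line keeps PEM blocks apart if CA_PEM lacks a final newline.
    { cat "$ca_pem"; echo; cat "$bundle.bak"; } > "$candidate"

    if verify_against_bundle "$candidate" "$supplier"; then
        # Overwrite in place so the bundle keeps its owner and permissions.
        cat "$candidate" > "$bundle"
        rm -f "$candidate"
        echo "added"; return 0
    fi
    rm -f "$candidate"
    echo "chain-still-incomplete"; return 1
}

# Run directly: add_ca.sh /path/to/ca-bundle.crt exported_ca.pem supplier.pem
if [ "$#" -eq 3 ]; then
    add_ca_to_bundle "$@"
fi
```

A result of `chain-still-incomplete` leaves the bundle untouched and means the exported file lacks one of the levels in the supplier's certification path.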
NOTE 2: In addition to adding the certificates as mentioned above, if the supplier has already migrated from SSL to TLS, these are the options available for the EBS iProcurement punchout customer to have compatible access to the punchout site:
Either A) upgrade the database to enable use of the TLS protocol, or B) ask the supplier to allow both SSL and TLS if they can do so.
A. Upgrade the database to 12c or 11g version and apply the patch to communicate with suppliers with TLS.
As mentioned in [Note 1937646.1 CVE-2014-3566 Instructions to Mitigate the SSLv3 Vulnerability ("POODLE Attack") in Oracle E-Business Suite], Oracle E-Business Suite has tested several versions of Oracle Database.
Oracle Database 12c (12.1.0.1 and later) enables TLSv1 and later. Oracle Database 11g Release 2 (11.2.0.4 and 11.2.0.3) enables TLSv1. Oracle Database 11g Release 1 (11.1.0.7) may require patch 6973000 to support TLSv1.
or
B. Ask the punchout suppliers to keep the SSL protocol opened, even if they use TLS. (Although, due to security issues with SSL, the suppliers may still prefer to only allow TLS connection to their punchout site.)
REFERENCES
NOTE:137145.1 How to configure Oracle Portal with SSL and Global Server Certificates in Portal 3.0.9
NOTE:230607.1 SSL handshake failed: X509CertChainIncompleteErr with Global Server Certificates
NOTE:473525.1 How To Diagnose Problems With SSL During Punchout
NOTE:1937646.1 CVE-2014-3566 Instructions to Mitigate the SSLv3 Vulnerability ("POODLE Attack") in Oracle E-Business Suite
NOTE:1938985.1 Securing OMS with Custom Certificates fail with error Invalid trusted cert
NOTE:1999543.1 Which Type Of Certificates Are Supported By Oracle Exchange And iProcurement Punchout. Does It Support SHA256RSA?
NOTE:1926905.1 Punchout With SHA2 Certificate Results In SSL Handshake Failed: X509CertChainInvalidErr Error
NOTE:1937220.1 Punchout in Oracle iProcurement and Exchange Fails After Supplier Site Migrates From SSLv3 to TLS Protocol (with SSL Handshake SSLIOClosedOverrideGoodbyeKiss)
NOTE:1969779.1 Punchout to Supplier That is Using SHA2 Certificate Gets IE Cannot Display the Web Page, and Pointing Directly to the Punchout Site Gets Invalid Security Certificate Error sec_error_unknown_issuer
NOTE:1520258.1 Returning The Cart In Punchout Goes To Login Page And An Error Occurs