
HTTP Destination with Client Authentication

Former Member
0 Kudos

Dear All,

I am trying to set up an HTTP destination (type G, HTTP connections to external server). The target external server demands client authentication when I send data/ping from SAP XI to it.

1. I imported the public certificate from the external party under SSL client (standard), through transaction STRUST.

2. Exported the SAP XI server certificate, got it signed by our local CA and provided the same to the external party. They have confirmed that the certificates have been imported on their server.

3. I imported the CA certificate that was used to sign our server certificate under SSL server.

When I try to test the connection from sm59 -> connection test, I get error ICM_HTTP_SSL_ERROR.

In smicm -> trace file, I see the following

********************************************************************************************************************

ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

session uses PSE file "/usr/sap/FXD/DVEBMGS22/sec/SAPSSLC.pse"

SecudeSSL_SessionStart: SSL_connect() failed --

secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"

Begin of Secude-SSL Errorstack

WARNING in ssl3_read_bytes: (536875074/0x20001042) received a fatal SSLv3 bad certificate alert message from the peer

End of Secude-SSL Errorstack

SSL_get_state() returned 0x000021d0 "SSLv3 read finished A"

SSL NI-sock: local=172.19.129.32:60517 peer=160.83.52.59:443

ERROR: SapSSLSessionStart(sssl_hdl=0x6000000000843e80)==SSSLERR_SSL_CONNECT

ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2012]

********************************************************************************************************************

Could you please give me any pointers on the cause of this error and its possible solutions?

Kind Regards,

Thomas.

Accepted Solutions (1)


Former Member
0 Kudos

Hi Thomas,

The SSL Client (Standard) cert is the cert your server will present to the target server when it connects (or whichever one you select in SM59). It looks like you imported the external server's public cert into SSL Client. If so, that's part of the issue. Depending on what you need, you might just want to use the same cert for your "SSL Server" cert and the "SSL Client" cert in STRUST. The same one you had signed by your local CA. You can copy the SSL Server to the SSL Client by selecting SSL Server and then select "Save as" from the PSE menu.

After that, you may also need to load the CA root cert and any intermediate certs from your local CA and the external cert's CA using STRUST.

http://help.sap.com/saphelp_nw04/helpdata/en/70/63393c3eb3036be10000000a11402f/content.htm

Thanks,

-Russ

Former Member
0 Kudos

Hi Russ,

Thank you for the response. I have now included the xi certificate and the CA certificate into SSL client. But the error persists.

I increased the trace level and tried testing the connection and I see the CA certificate I just imported, under "Server's list of trusted CA DNames". Am not sure if my previous sentence makes any sense, but just letting you know.

Now I have the three certificates, the server public certificate, the CA certificate and the external party's certificate under the SSL client. Please note that the external service demands client authentication to accept connections/requests.

Would you have any more suggestions?

Hi Gaurav, Thank you also for the response. The firewalls are configured correctly. I shall cross check this with our network team.

Kind Regards,

Thomas.

Former Member
0 Kudos

Hi Thomas,

The most important cert is the one you see when you double click on the "Own Certif." in the SSL Client (Standard). Is the one that is displayed the same one which you sent to be loaded into the target server (the one you had signed by your CA)? Is your local CA in the "Cert List"? You might also try restarting the ICM. I think that's required with some of these cert changes.

Thanks,

-Russ
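The comparison asked for in the reply above (is the "Own Certif." of the client PSE the same certificate that was handed to the target server?), as an added example that is not part of the original thread. It assumes both certificates have been exported to files in Base64 (PEM) or binary (DER) form; the function names are hypothetical and the sample bytes are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def fingerprints(export: bytes) -> set:
    """SHA-256 fingerprints of every certificate in a PEM or DER export."""
    blocks = PEM_BLOCK.findall(export.decode("latin-1"))
    if blocks:
        # Drop line wrapping and CR/LF so re-wrapped copies hash identically.
        ders = [base64.b64decode("".join(b.split())) for b in blocks]
    else:
        ders = [export]  # no PEM armor: treat the file as one DER certificate
    return {hashlib.sha256(d).hexdigest() for d in ders}

def partner_has_presented_cert(own_export: bytes, sent_to_partner: bytes) -> bool:
    """True if the PSE's own certificate is among those given to the partner."""
    own = fingerprints(own_export)
    if len(own) != 1:
        raise ValueError("expected exactly one own certificate in the PSE export")
    return own <= fingerprints(sent_to_partner)

def to_pem(der: bytes, width: int = 64, eol: str = "\n") -> bytes:
    """Helper for the constructed samples: wrap bytes in PEM armor."""
    b64 = base64.b64encode(der).decode()
    body = eol.join(b64[i:i + width] for i in range(0, len(b64), width))
    return (f"-----BEGIN CERTIFICATE-----{eol}{body}{eol}"
            f"-----END CERTIFICATE-----{eol}").encode()

# Constructed stand-in bytes, not parseable certificates: a fingerprint is a
# hash over the encoded certificate, so any byte strings show the comparison.
SIGNED_BY_LOCAL_CA = b"constructed: XI certificate signed by the local CA" * 4
OLD_CLIENT_PSE_CERT = b"constructed: certificate already in the client PSE" * 4
LOCAL_CA = b"constructed: local CA certificate" * 4
SENT_TO_PARTNER = to_pem(SIGNED_BY_LOCAL_CA) + to_pem(LOCAL_CA)  # cert plus CA

if __name__ == "__main__":
    # Client PSE presents a certificate the partner never received.
    print(partner_has_presented_cert(to_pem(OLD_CLIENT_PSE_CERT), SENT_TO_PARTNER))
    # Same certificate, re-wrapped at 76 columns with CRLF line endings.
    print(partner_has_presented_cert(
        to_pem(SIGNED_BY_LOCAL_CA, 76, "\r\n"), SENT_TO_PARTNER))
```

A mismatch here means the target server is being shown a certificate it was never given, whatever the trust lists on either side contain.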

Former Member
0 Kudos

Hi Russ,

The certificate under 'own certificate' in client is not the same as the one that we had sent to the external party.

I have now exported the 'own certificate' and am about to check the feasibility of getting this verified and sent out to the external party.

Would you know of any implications that we may have if we update the current 'own certificate' with the one that I have already sent to the external party? We are just starting with our interface developments in PI and so we have not many interfaces running on the server making use of SSL.

Would the certificate update affect any of the pipeline steps?

I work in the CET time zone and hence the delay in responding.

Thank you and kind Regards,

Thomas.

markangelo_dihiansan
Active Contributor
0 Kudos

Hi Thomas,

We have had the same issue. The reason why the certificates installed in their servers should be the exact certificates that you are using is that they will be rejecting/failing to validate your server certificate. Hence the error "Bad Certificate Alert from the Peer" means that the peer you are making a connection to is unable to verify the certificate that you are sending to them.

Hope this helps,

regards,

Former Member
0 Kudos

Hi Thomas,

Any SM59 connection using the SSL Client (Standard) for client authentication will be impacted if you change the SSL Client (Standard) cert in STRUST. If you decide to update the SSL Client (Standard), you can export it first from the PSE menu in STRUST. This will give you a backup you can import back in just in case.

If you are concerned that the existing SSL Client (Standard) cert is being used already for other systems, you can also create a new client PSE. Perhaps, "SSL Client (Custom)" or whatever you wish.

http://help.sap.com/SAPHELP_NW04S/helpdata/EN/3b/8e343ca26ba569e10000000a114084/content.htm

When you create a new entry in the table it will appear in STRUST and SM59. Instead of doing the second step in the link above (Creating the Individual SSL Client PSE), you can copy the SSL Server PSE (using PSE -> Save As -> SSL Client (Custom)). Edit the SM59 destination to use SSL Client (Custom) instead of SSL Client (Standard).

Thanks,

-Russ

Answers (2)


Former Member
0 Kudos

Hi Thomas

Check this as well. It can help

Thanks

Gaurav

Former Member
0 Kudos

Hi Thomas

Is this configured properly in your company firewall as well? Looks like the request is not sent to target. Do you use HTTP proxy?

Thanks

Gaurav