on 12-01-2008 9:11 PM
Dear All,
I am trying to set up an HTTP destination (type G, HTTP connections to external server). The target external server demands client authentication when I send data/ping from SAP XI to it.
1. I imported the public certificate from the external party under SSL client (standard), through transaction STRUST.
2. Exported the SAP XI server certificate, got it signed by our local CA and provided the same to the external party. They have confirmed that the certificates have been imported on their server.
3. I imported the CA certificate that was used to sign our server certificate under SSL server.
When I try to test the connection from SM59 -> connection test, I get error ICM_HTTP_SSL_ERROR.
In SMICM -> trace file, I see the following:
********************************************************************************************************************
ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
session uses PSE file "/usr/sap/FXD/DVEBMGS22/sec/SAPSSLC.pse"
SecudeSSL_SessionStart: SSL_connect() failed --
secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"
Begin of Secude-SSL Errorstack
WARNING in ssl3_read_bytes: (536875074/0x20001042) received a fatal SSLv3 bad certificate alert message from the peer
End of Secude-SSL Errorstack
SSL_get_state() returned 0x000021d0 "SSLv3 read finished A"
SSL NI-sock: local=172.19.129.32:60517 peer=160.83.52.59:443
ERROR: SapSSLSessionStart(sssl_hdl=0x6000000000843e80)==SSSLERR_SSL_CONNECT
ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2012]
********************************************************************************************************************
Could you please give me any pointers on the cause of this error and its possible solutions?
Kind Regards,
Thomas.
Hi Thomas,
The SSL Client (Standard) cert is the cert your server will present to the target server when it connects (or whichever one you select in SM59). It looks like you imported the external server's public cert into SSL Client. If so, that's part of the issue. Depending on what you need, you might just want to use the same cert for your "SSL Server" cert and the "SSL Client" cert in STRUST, the same one you had signed by your local CA. You can copy the SSL Server to the SSL Client by selecting SSL Server and then selecting "Save as" from the PSE menu.
After that, you may also need to load the CA root cert and any intermediate certs from your local CA and the external cert's CA using STRUST.
http://help.sap.com/saphelp_nw04/helpdata/en/70/63393c3eb3036be10000000a11402f/content.htm
Thanks,
-Russ
Hi Russ,
Thank you for the response. I have now included the xi certificate and the CA certificate into SSL client. But the error persists.
I increased the trace level and tried testing the connection, and I see the CA certificate I just imported under "Server's list of trusted CA DNames". I am not sure if my previous sentence makes any sense, but just letting you know.
Now I have the three certificates, the server public certificate, the CA certificate and the external party's certificate under the SSL client. Please note that the external service demands client authentication to accept connections/requests.
Would you have any more suggestions?
Hi Gaurav, Thank you also for the response. The firewalls are configured correctly. I shall cross check this with our network team.
Kind Regards,
Thomas.
Hi Thomas,
The most important cert is the one you see when you double click on the "Own Certif." in the SSL Client (Standard). Is the one that is displayed the same one which you sent to be loaded into the target server (the one you had signed by your CA)? Is your local CA in the "Cert List"? You might also try restarting the ICM. I think that's required with some of these cert changes.
Thanks,
-Russ
Hi Russ,
The certificate under 'own certificate' in the client is not the same as the one that we had sent to the external party.
I have now exported the 'own certificate' and am about to check the feasibility of getting this verified and sent out to the external party.
Would you know of any implications that we may have if we update the current 'own certificate' with the one that I have already sent to the external party? We are just starting with our interface developments in PI and so we do not have many interfaces running on the server making use of SSL.
Would the certificate update affect any of the pipeline steps?
I work in the CET time zone and hence the delay in responding.
Thank you and kind Regards,
Thomas.
Hi Thomas,
We have had the same issue. The reason why the certificates installed on their servers should be the exact certificates that you are using is that they will otherwise reject/fail to validate your server certificate. Hence the error "Bad Certificate Alert from the Peer" means that the peer you are making a connection to is unable to verify the certificate that you are sending to them.
Hope this helps,
regards,
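Added example (not from the thread or from SAP): a small Python helper for the two checks raised above, pulling the PSE file in use and the peer's TLS alert out of an ICM trace, and comparing the SHA-256 fingerprint of the "Own Certif." exported from that PSE with the copy sent to the partner. The trace lines are the ones quoted in the thread; the PEM bodies the demo builds wrap placeholder bytes and are not real certificates.

```python
import base64
import hashlib
import re
import ssl

# ICM trace lines as quoted in the thread; the PSE path is the one from the post.
SAMPLE_TRACE = """\
ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
session uses PSE file "/usr/sap/FXD/DVEBMGS22/sec/SAPSSLC.pse"
secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"
SSL_get_state() returned 0x000021d0 "SSLv3 read finished A"
"""


def triage_icm_trace(trace):
    """Pull the client PSE in use and the peer's TLS alert out of an ICM trace."""
    pse = re.search(r'session uses PSE file "([^"]+)"', trace)
    alert = re.search(r"received a fatal SSLv3 (\w[\w ]*?) alert message from the peer", trace)
    result = {"pse_file": pse.group(1) if pse else None,
              "alert": alert.group(1) if alert else None}
    if result["alert"] == "bad certificate":
        # The peer sends 'bad certificate' after examining the certificate we
        # presented, so the own certificate of this PSE is what it could not validate.
        result["verdict"] = "peer rejected the own certificate of " + str(result["pse_file"])
    else:
        result["verdict"] = "no bad-certificate alert; look elsewhere (proxy, firewall, CA list)"
    return result


def cert_fingerprint(pem_text):
    """SHA-256 fingerprint of a PEM certificate, colon-separated as STRUST/openssl show it."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)  # strips the PEM armour and base64-decodes
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(own_cert_pem, sent_to_partner_pem):
    """True only if the PSE's 'Own Certif.' export and the file the partner imported match."""
    return cert_fingerprint(own_cert_pem) == cert_fingerprint(sent_to_partner_pem)


def constructed_pem(label):
    """Placeholder PEM for the demo: wraps arbitrary bytes, NOT a real certificate."""
    body = base64.encodebytes(("placeholder DER for " + label).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print(triage_icm_trace(SAMPLE_TRACE)["verdict"])
    # In practice read the two exported .crt files; here two constructed placeholders differ.
    print("match:", same_certificate(constructed_pem("pse-own"), constructed_pem("sent-to-partner")))
```

With real files, pass the contents of the certificate exported from the SSL Client PSE in STRUST and of the file you sent to the partner; a mismatch is exactly the situation the thread ends up diagnosing.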
Hi Thomas,
Any SM59 connection using the SSL Client (Standard) for client authentication will be impacted if you change the SSL Client (Standard) cert in STRUST. If you decide to update the SSL Client (Standard), you can export it first from the PSE menu in STRUST. This will give you a backup you can import back in just in case.
If you are concerned that the existing SSL Client (Standard) cert is being used already for other systems, you can also create a new client PSE, perhaps "SSL Client (Custom)" or whatever you wish.
http://help.sap.com/SAPHELP_NW04S/helpdata/EN/3b/8e343ca26ba569e10000000a114084/content.htm
When you create a new entry in the table it will appear in STRUST and SM59. Instead of doing the second step in the link above (Creating the Individual SSL Client PSE), you can copy the SSL Server PSE (using PSE -> Save As -> SSL Client (Custom)). Edit the SM59 destination to use SSL Client (Custom) instead of SSL Client (Standard).
Thanks,
-Russ
Hi Thomas
Is this configured properly in your company firewall as well? It looks like the request is not sent to the target. Do you use an HTTP proxy?
Thanks
Gaurav