
WAS ABAP SSL Client error 403 Forbidden returned

Former Member
0 Kudos

Hi Guys,

My WAS ABAP acts as an SSL (Standard) client to an external server. I have configured the type G RFC destination; on connection test I receive an HTTP/1.1 403 Forbidden error.

- The SSL session is established successfully, as I can see from the ICM trace.

- The only suspect I have now is the "Content-Type:text/html" in the response text of the RFC connection test; usually this value is "text/xml".

Do you guys agree with this? If not, do you have an idea why 403 Forbidden is being returned? This is the only type G RFC destination that returns this error; all else are successful.

Below is the ICM trace file for your reference (sorry it is so long)

[Thr 1] NiIWrite: hdl 18 sent data (wrt=80,pac=1,MESG_IO)

[Thr 1] NiBufFree: ref 1 for buf 0x110eff030

[Thr 1] SiSelPSelect: start select (timeout=-1)

[Thr 2571] IcmWorkerThread: worker 7 got the semaphore

[Thr 2571] REQUEST:

Type: CONNECT_TO_SERV Index = 10773

[Thr 2571] IcmConnConnect: allocate new conn slot

[Thr 2571] IcmConnCheckStoredClientConn: next client timeout check in 14 sec

[Thr 2571] MPI<1c0e>0#6 PeekSelectInbuf -1 0 204 (1) -> 6

[Thr 2571] IcmConnAssignContext: searching for context:

tid: 20, uid: 3230, mode: 3

[Thr 2571] IcmConnConnect: context 3 assigned to tid: 20, uid: 3230, mode: 3

[Thr 2571] NiIGetServNo: servicename '8443' = port 20.FB/8443

[Thr 2571] IcmGetServicePtr: new serv_ref_count: 2

[Thr 2571] IcmConnConnect: direct connect to ws.hmrc.gov.uk:443

[Thr 2571] NiHsLGetNodeAddr: found hostname 'ws.hmrc.gov.uk' in cache

[Thr 2571] NiIGetNodeAddr: hostname 'ws.hmrc.gov.uk' = addr 195.171.20.194

[Thr 2571] NiIGetServNo: servicename '443' = port 01.BB/0443

[Thr 2571] NiICreateHandle: hdl 9 state NI_INITIAL

[Thr 2571] NiILocalCheck: 195.171.20.194 not found in local address list

[Thr 2571] NiIInitSocket: set default settings for new hdl 9 / sock 31 (I4; ST)

[Thr 2571] NiIBlockMode: set blockmode for hdl 9 FALSE

[Thr 2571] NiIConnectSocket: hdl 9 is connecting to 195.171.20.194:443 (timeout=5000)

[Thr 2571] SiPeekPendConn: connection of sock 31 established

[Thr 2571] NiICheckPendConnection: connection of hdl 9 to 195.171.20.194:443 established

[Thr 2571] NiIConnect: hdl 9 took local address 192.168.35.4:60531

[Thr 2571] NiIConnect: state of hdl 9 NI_CONNECTED

[Thr 2571] ->> SapSSLSessionInit(&sssl_hdl=0x1106d6b40, role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT))

[Thr 2571] <<- SapSSLSessionInit()==SAP_O_K

[Thr 2571] in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"

[Thr 2571] out: sssl_hdl = 0x110eff030

[Thr 2571] ->> SapSSLSetNiHdl(sssl_hdl=0x110eff030, ni_hdl=9)

[Thr 2571] NiIBlockMode: set blockmode for hdl 9 TRUE

[Thr 2571] SSL socket: local=<SERVERIP>:60531 peer=195.171.20.194:443

[Thr 2571] <<- SapSSLSetNiHdl(sssl_hdl=0x110eff030, ni_hdl=9)==SAP_O_K

[Thr 2571] ->> SapSSLSetSessionCredential(sssl_hdl=0x110eff030, &cred_name=0x110ef9910)

[Thr 2571] SapISSLComposeFilename(): Filename = "/usr/sap/<SID>/DVEBMGS02/sec/SAPSSLC.pse"

[Thr 2571] SecudeSSL_SetSessionCred(): request for default client credentials

[Thr 2571] <<- SapSSLSetSessionCredential(sssl_hdl=0x110eff030)==SAP_O_K

[Thr 2571] in: cred_name = "/usr/sap/<SID>/DVEBMGS02/sec/SAPSSLC.pse"

[Thr 2571] ->> SapSSLSetTargetHostname(sssl_hdl=0x110eff030, &hostname=0x110ef7010)

[Thr 2571] <<- SapSSLSetTargetHostname(sssl_hdl=0x110eff030)==SAP_O_K

[Thr 2571] in: hostname = "ws.hmrc.gov.uk"

[Thr 2571] ->> SapSSLSessionStart(sssl_hdl=0x110eff030)

[Thr 2571] SapISSLUseSessionCache(): Trying to resume cached session (1 cached)

[Thr 3342] Wed Mar 11 09:13:41 2009

[Thr 3342] NiSelISelectInt: 0 handles selected (0 buffered)

[Thr 3342] IcmCheckForBlockedThreads: check for blocked SSL-threads

[Thr 3342] IcmWatchDogThread: check ni handles (timeout=10000)

[Thr 3342] SiSelPSelect: start select (timeout=10000)

[Thr 515] Wed Mar 11 09:13:42 2009

[Thr 515] SiSelPSelect: of 1 sockets 0 selected

[Thr 515] IcmProxyWatchDog: check sockets (timeout=10000)

[Thr 515] SiSelPSelect: start select (timeout=10000)

[Thr 2571] Wed Mar 11 09:13:50 2009

[Thr 2571] SecudeSSL_SessionStart(): created new SSL session

[Thr 2571] Server Certificate available (FCPath-Len= 1)

[Thr 2571] No certificate request received from Server

[Thr 2571] secudessl_AddSSL2Cache(): Creating new SSSL_CACHE entry

[Thr 2571] HexDump of native SSL session ID { &buf= 0x110eff200, buf_len= 32 }

[Thr 2571] 00000: 80 20 00 00 bc 1e 80 0c ef 97 f1 3e b7 fe 64 77 . ...... ...>..dw

[Thr 2571] 00010: c3 2b 13 c5 a3 fa 72 18 5c 6f c4 87 99 2c fb a7 .+....r. \o...,..

[Thr 2571] Base64-Dump of peer certificate (len=1446 bytes)

[Thr 2571]

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

[Thr 2571] Subject DN: CN=ws.hmrc.gov.uk, OU="Member, VeriSign Trust Network", OU=Authenticated by VeriSign, OU=Terms of use at www.verisign.co.uk/rpa (c) 03, OU=DTA1, O=HMRC, L=Telford, SP=Shropshire, C=GB

[Thr 2571] Issuer DN: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network

[Thr 2571] Current Cipher: SSL_RSA_WITH_RC4_128_MD5

[Thr 2571] MatchTarget("ws.hmrc.gov.uk", "CN=ws.hmrc.gov.uk") == EXACT

[Thr 2571] <<- SapSSLSessionStart(sssl_hdl=0x110eff030)==SAP_O_K

[Thr 2571] status = "new SSL session"

[Thr 2571] Server DN = "CN=ws.hmrc.gov.uk, OU="Member, VeriSign Trust Network", OU=Authenticated by VeriSign, OU=Terms of use at www.verisign.co.uk/rpa (c) 03, OU=DTA1, O=HMRC, L=Telford, SP=Shropshire, C=GB"

[Thr 2571] IcmPlCheckRetVal: Next status: WRITE_REQUEST(3)

[Thr 2571] IcmReadFromPartner(id=3/8007): read with maximum timeout 500

[Thr 2571] IcmConnRollInWP: no need to roll in WP status: ROLLED IN

[Thr 2571] MPI<1c0e>0#7 GetInbuf 0 17f4f0 204 (1) -> 6

[Thr 2571] DpDebuggingActive: check T20/M3

[Thr 2571] NiIBlockMode: set blockmode for hdl 9 FALSE

[Thr 2571] NiIHdlGetStatus: hdl 9 / sock 31 ok, no data pending

[Thr 2571] NiIBlockMode: set blockmode for hdl 9 TRUE

[Thr 2571] IcmReadFromPartner(id=3/8007): fe-nihdl timeout

[Thr 2571] BINDUMP of content denied

[Thr 2571] PlugInHandleServData: role: 2, status: 3, content-length: 0/0

buf_len: 132, buf_offset: 0, buf_status: 6

[Thr 2571] HttpParseRequestHeader: no content length set

[Thr 2571] HttpParseRequestHeader: no transfer-encoding set

[Thr 2571] HttpParseRequestHeader: no connection value set

[Thr 2571] HttpParseRequestHeader: Version: 1000

[Thr 2571] HttpParseRequestHeader: Keep-Alive: 0

[Thr 2571] HttpParseRequestHeader: no server port set

[Thr 2571] IcmNetBufWrapBuf: allocated netbuf: 0x1106b2630, blocks used: 1

[Thr 2571] IcmNetBufWrapBuf: allocated netbuf: 0x1106b2630

[Thr 2571] IcmPlCheckRetVal: Next status: READ_RESPONSE(2)

[Thr 2571] IcmHandleNetWrite(id=3/8007): HandleServData returned: 2

[Thr 2571] BINDUMP of content denied

[Thr 2571] IcmWriteToConn(id=3/8007): prepared to write data to partner (len = 132)

[Thr 2571] ->> SapSSLWrite(sssl_hdl=0x110eff030, buf=0x70000003017f558, len=132, timeout=2000, &writelen=0x110d86460)

[Thr 2571] <<- SapSSLWrite(sssl_hdl=0x110eff030)==SAP_O_K

[Thr 2571] result = "written= 132 of 132 (all)"

[Thr 2571] IcmWriteToConn(id=3/8007): wrote data to partner (len = 132)

[Thr 2571] IcmNetBufFree: free netbuf: 0x1106b2630 out of 1 used

[Thr 2571] MPI<1c0e>0#8 FreeInbuf#1 0 17f4f0 0 -> 0

[Thr 2571] IcmConnRollInWP: no need to roll in WP status: ROLLED IN

[Thr 2571] IcmReadFromConn(id=3/8007): request new MPI (0/0)

[Thr 2571] MPI<1c0d>1#4 GetOutbuf -1 17f4f0 65536 (0) -> 0x70000003017f510 0

[Thr 2571] ->> SapSSLReadPending(sssl_hdl=0x110eff030, &pendlen=0x110d86470)

[Thr 2571] <<- SapSSLReadPending(sssl_hdl=0x110eff030)==SAP_O_K

[Thr 2571] out: pendlen = 0

[Thr 2571] Wed Mar 11 09:13:51 2009

[Thr 2571] NiIPeek: peek for hdl 9 timed out (r; 500ms)

[Thr 2571] IcmReadFromConn(id=3/8007): no SSL data available

[Thr 2571] IcmReadFromConn: read failed with timeout: 500 -> roll out

[Thr 2571] MPI<1c0d>1#5 WriteOOB 00000000 00000002 00000003 00

[Thr 2571] MPI<1c0e>0#11 ReadOOB 00000001 00000001 00000014 03 -> 0

[Thr 2571] IcmHandleOOBData: Received data on 1st MPI (seqno: 1, type=1, reason=1): 20/3230/3

[Thr 2571] MPI<1c0d>1#10 ReadOOB 00000001 00000001 00000014 03 -> 0

[Thr 2571] IcmHandleOOBData: Received data on 2nd MPI (seqno: 1, type=1, reason=1): 20/3230/3

[Thr 2571] IcmHandleOOBData: Received context key (type=1, reason=1): 20/3230/3

[Thr 2571] NiWakeupExec: send wakeup signal to 64997 (sock 17)

[Thr 2571] IcmConnRollOut: connection (id=3/8007) rolled out:

[Thr 2571] CONNECTION (id=3/8007):

used: 1, type: 1, role: 2, stateful: 0

NI_HDL: 9, protocol: HTTPS(2)

local host: <SERVERIP>:60531 ()

remote host: 195.171.20.194:443 ()

status: READ_RESPONSE

connect time: 11.03.2009 09:13:37

WP-status: ROLLED OUT (Context: 3, Role: 2)

tid: 20, mode: 3, uid: 3230, roll-reason: ICM_ROLL_NETTIMEOUT

MPI request: <1c0e> MPI response: <1c0d>

request_buf_size: 0 response_buf_size: 65464

request_buf_used: 0 response_buf_used: 0

request_buf_offset: 0 response_buf_offset: 0

[Thr 3342] IcmConnRollIn: connection (id=3/8007) rolled back to status: READ_RESPONSE

[Thr 3342] IcmWatchDogThread: check ni handles (timeout=10000)

[Thr 3342] SiSelPSelect: start select (timeout=10000)

[Thr 1543] IcmWorkerThread: worker 3 got the semaphore

[Thr 1543] REQUEST:

Type: READ_RESPONSE Index = 10775

[Thr 1543] CONNECTION (id=3/8007):

used: 1, type: 1, role: 2, stateful: 0

NI_HDL: 9, protocol: HTTPS(2)

local host: <SERVERIP>:60531 ()

remote host: 195.171.20.194:443 ()

status: READ_RESPONSE

connect time: 11.03.2009 09:13:37

WP-status: ROLLED OUT (Context: 3, Role: 2)

tid: 20, mode: 3, uid: 3230, roll-reason: ICM_ROLL_NETTIMEOUT

MPI request: <1c0e> MPI response: <1c0d>

request_buf_size: 0 response_buf_size: 65464

request_buf_used: 0 response_buf_used: 0

request_buf_offset: 0 response_buf_offset: 0

[Thr 1543] ->> SapSSLReadPending(sssl_hdl=0x110eff030, &pendlen=0x110b6a470)

[Thr 1543] <<- SapSSLReadPending(sssl_hdl=0x110eff030)==SAP_O_K

[Thr 1543] out: pendlen = 0

[Thr 1543] NiIPeek: peek successful for hdl 9 (r)

[Thr 1543] ->> SapSSLRead(sssl_hdl=0x110eff030, buf=0x70000003017f558, maxlen=65463, timeout=500, &readlen=0x110b6a474)

[Thr 1543] <<- SapSSLRead(sssl_hdl=0x110eff030)==SAP_O_K

[Thr 1543] result = "max=65463, received=19"

[Thr 1543] IcmReadFromConn(id=3/8007): read 19 bytes(timeout 500)

[Thr 1543] BINDUMP of content denied

[Thr 1543] PlugInHandleNetData: role: 2, status: 1, content-length: 0/-1

buf_len: 19, buf_offset: 0, buf_status: 0

[Thr 1543] PlugInHandleNetData: read response header

[Thr 1543] PlugInHandleNetData: header termination not found

[Thr 1543] PlugInHandleNetData: need more data (0/-1)

[Thr 1543] IcmPlCheckRetVal: Next status: READ_RESPONSE(2)

[Thr 1543] IcmHandleNetRead(id=3/8007): read_len: 19, HandleNetData returned: 2

[Thr 1543] IcmHandleNetRead(id=3/8007): status 2 -> 2

[Thr 1543] IcmHandleNetRead(id=3/8007): MPI buf count: 0

[Thr 1543] ->> SapSSLReadPending(sssl_hdl=0x110eff030, &pendlen=0x110b6a5d0)

[Thr 1543] <<- SapSSLReadPending(sssl_hdl=0x110eff030)==SAP_O_K

[Thr 1543] out: pendlen = 0

[Thr 1543] NiIPeek: peek successful for hdl 9 (r)

[Thr 1543] IcmHandleNetRead(id=3/8007): pending SSL data: 0, rollout=0

[Thr 1543] ->> SapSSLReadPending(sssl_hdl=0x110eff030, &pendlen=0x110b6a470)

[Thr 1543] <<- SapSSLReadPending(sssl_hdl=0x110eff030)==SAP_O_K

[Thr 1543] out: pendlen = 0

[Thr 1543] NiIPeek: peek successful for hdl 9 (r)

[Thr 1543] ->> SapSSLRead(sssl_hdl=0x110eff030, buf=0x70000003017f56b, maxlen=65444, timeout=250, &readlen=0x110b6a474)

[Thr 1543] <<- SapSSLRead(sssl_hdl=0x110eff030)==SAP_O_K

[Thr 1543] result = "max=65444, received=100"

[Thr 1543] IcmReadFromConn(id=3/8007): read 119 bytes(timeout 250)

[Thr 1543] BINDUMP of content denied

[Thr 1543] PlugInHandleNetData: role: 2, status: 1, content-length: 0/-1

buf_len: 119, buf_offset: 19, buf_status: 0

[Thr 1543] PlugInHandleNetData: read response header

[Thr 1543] HttpParseResponseHeader: no transfer-encoding set

[Thr 1543] HttpParseResponseHeader: no connection value set

[Thr 1543] HttpParseResponseHeader: Version: 1001

[Thr 1543] HttpParseResponseHeader: Keep-Alive: 1

[Thr 1543] HttpClntHdlResponse: response completely read(len=0,EOS=0)

[Thr 1543] IcmFlushBuf: Flushing 119 Bytes, buf_status: 6

[Thr 1543] flush buffer with mpi buffer id 1

[Thr 1543] MPI<1c0d>1#11 FlushOutbuf l1 1 0 17f4f0 191 6 -> 0x70000003017f4f0 0

[Thr 1543] IcmCreateDpRequest: Send request to AppServer

[Thr 1543] -OUT- sender_id IC_MAN tid 20 wp_ca_blk -1 wp_id -1

[Thr 1543] -OUT- action SEND_TO_WP uid 3230 appc_ca_blk -1 type DIA

[Thr 1543] -OUT- new_stat NO_CHANGE mode 3 len -1 rq_id 1952

[Thr 1543] -OUT- req_info DP_ICM_EVENT

[Thr 1543] -OUT- mpi rq <1c0e> mpi resp <1c0d> prot 2 obj fd -1 rq_id 0

[Thr 1543] -OUT- icm_opcode: ICM_PLUGIN_REQUEST

[Thr 1543] DpRqPutIntoQueue: put request into queue (reqtype 1, prio LOW, rq_id 1952)

[Thr 1543] IcmConnRollInWP: rolled in WP -old roll reason was: 0

[Thr 1543] HttpClntHdlResponse: close connection

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

The HTTP 403 message is not necessarily an error. It depends on which service you are calling on the distant server.

I also use this kind of SM59 HTTP destination for the RosettaNet B2B protocol.

If I test the destination from SM59, I get an error message (403 or 404) because the test is only an HTTP GET to the configured URL.

If the server waits for a RosettaNet POST or a web service POST, you will get an error message which tells you that the test is OK!

SM59 test is only a connectivity and authentication test...

In your case the connection and authentication with a client certificate seems to be OK.

As we don't know which service is called on the distant server, we don't know if the HTTP 403 response is abnormal or not.

Regards,

Olivier

0 Kudos

Hi Olivier,

Thank you for your very helpful answer!

Now I understand why 403 is returned: the target service in the target URL is expecting to process HTTP POST requests, and as you said, in the SM59 connection test only a GET request is sent. That explains why the target service is returning Content-Type:text/html instead of Content-Type:text/xml, which is the one supported in XI/PI. Yes, this is a PI box.

I got confused because this scenario involves 2 RFC connections, wherein the 1st request gets the token (authentication) and the second connection retrieves the data and every data thereafter for that session using that token, which is wrapped in the SOAP envelope header.

Thanks Olivier!

Edited by: HJ Dlec on Mar 12, 2009 8:19 AM
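
A small triage script for the TLS-layer lines of an ICM client trace like the one in the question, added here as an illustration (it is not code from the thread or from SAP). The sample lines are excerpted from the trace above; the function names and the set of weak-cipher tokens are assumptions of this example.

```python
import re

# Lines excerpted from the ICM trace posted in the question above.
TRACE = '''\
[Thr 2571] ->> SapSSLSessionInit(&sssl_hdl=0x1106d6b40, role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT))
[Thr 2571] SapISSLComposeFilename(): Filename = "/usr/sap/<SID>/DVEBMGS02/sec/SAPSSLC.pse"
[Thr 2571] SecudeSSL_SessionStart(): created new SSL session
[Thr 2571] No certificate request received from Server
[Thr 2571] Current Cipher: SSL_RSA_WITH_RC4_128_MD5
[Thr 2571] MatchTarget("ws.hmrc.gov.uk", "CN=ws.hmrc.gov.uk") == EXACT
[Thr 2571] <<- SapSSLSessionStart(sssl_hdl=0x110eff030)==SAP_O_K
'''

WEAK = {"RC4", "MD5", "NULL", "EXPORT"}  # assumed list of legacy suite-name tokens


def _first(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def triage(trace):
    """Return (facts, notes) for the TLS layer of one ICM client trace."""
    cipher = _first(r"Current Cipher: (\S+)", trace)
    no_request = "No certificate request received from Server" in trace
    facts = {
        "handshake_ok": bool(re.search(r"<<- SapSSLSessionStart\([^)]*\)==SAP_O_K", trace)),
        "auth_type": _first(r"auth_type=\d+ \((\w+)\)", trace),
        "pse": _first(r'Filename = "([^"]+\.pse)"', trace),
        # False when the trace says no request came; None means "not recorded".
        "server_requested_client_cert": False if no_request else None,
        "hostname_match": _first(r'MatchTarget\("[^"]*", "[^"]*"\) == (\w+)', trace),
        "cipher": cipher,
        "weak_cipher": bool(cipher and WEAK & set(cipher.split("_"))),
    }
    notes = []
    if facts["handshake_ok"]:
        notes.append("TLS session established: the 403 is an HTTP-layer answer.")
    if facts["auth_type"] == "USE_CLIENT_CERT" and no_request:
        notes.append("Server sent no certificate request, so the client PSE "
                     "certificate was not presented in this handshake.")
    if facts["weak_cipher"]:
        notes.append("Negotiated suite %s uses legacy algorithms." % cipher)
    return facts, notes


if __name__ == "__main__":
    facts, notes = triage(TRACE)
    for key, value in facts.items():
        print("%-30s %s" % (key, value))
    for note in notes:
        print("-", note)
```

Run against a full `dev_icm` excerpt, the same function separates transport-level findings (handshake, hostname match, cipher, certificate request) from the HTTP status the SM59 test reports.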