message server SSL only Java

Former Member
0 Kudos

Hello,

I need to set up HTTPS for the message server of a Java-only installation 7.0.

How can I do?

Do I need to use sapcrypto library as for the ABAP stack?

Thanks.

Mario

Accepted Solutions (1)


Former Member
0 Kudos

I setup on SCS message server profile parameter:

ms/server_port_1 = PROT=HTTPS,PORT=444$$

ssf/name=SAPSECULIB

ssl/ssl_lib=$(DIR_EXECUTABLE)\sapcrypto.dll

ssf/ssfapi_lib=$(DIR_EXECUTABLE)\sapcrypto.dll

sec/libsapsecu=$(DIR_EXECUTABLE)\sapcrypto.dll

but when the message server starts I obtain the error:

secude_error 4129 (0x00001021) = "The PSE does not exist"

[Thr 2100] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 2100] ERROR in SSL_CTX_set_default_pse_by_name: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in ssl_set_pse: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in af_open: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in secsw_open: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in secsw_open_pse_or_extension: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in sec_get_PSEtype: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

[Thr 2100] << ---------- End of Secude-SSL Errorstack ----------


[Thr 2100] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential

for "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" [ssslxxi.c 2278]

[Thr 2100] *** ERROR => Initialization of SSL library failed -- NO SSL available!

[Thr 2100] =================================================

Could you help me?

Thanks.

Mario

Former Member
0 Kudos

You have to get the SAPCRYPTOLIB download package from the marketplace, place it in the exe folder, and give the path of the profile parameters that you have specified to the sapcrypto library.

By the way, can you please explain clearly what the actual requirement is?

Rohit

Former Member
0 Kudos

Refer to Note 836367 for more clarity on how to install this library.

Rohit

Former Member
0 Kudos

I need to setup https on the message server Java of the SCS instance.

I need this to setup end-to-end SSL termination from SAP Web Dispatcher to the SAP Java Instance.

I installed sapcrypto lib.

I setup the SCS message server profile :

#----

# Insert the parameters for message server HTTPS

#----


ms/server_port_1 = PROT=HTTPS,PORT=444$$

ssf/name=SAPSECULIB

ssl/ssl_lib=$(DIR_EXECUTABLE)\sapcrypto.dll

ssf/ssfapi_lib=$(DIR_EXECUTABLE)\sapcrypto.dll

sec/libsapsecu=$(DIR_EXECUTABLE)\sapcrypto.dll

but when it starts I obtain the error:

[Thr 2100] = using SECUDIR=Z:\usr\sap\BJS\SCS01\sec

[Thr 2100] *** ERROR => secudessl_Create_SSL_CTX(): PSE "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" not found! [ssslsecu.c 1354]

[Thr 2100] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --

secude_error 4129 (0x00001021) = "The PSE does not exist"

[Thr 2100] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 2100] ERROR in SSL_CTX_set_default_pse_by_name: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in ssl_set_pse: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in af_open: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in secsw_open: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in secsw_open_pse_or_extension: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in sec_get_PSEtype: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

[Thr 2100] << ---------- End of Secude-SSL Errorstack ----------


[Thr 2100] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential

for "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" [ssslxxi.c 2278]

[Thr 2100] *** ERROR => Initialization of SSL library failed -- NO SSL available!

[Thr 2100] =================================================

[Thr 2100] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR

[Thr 2100] *** ERROR => MsHttpsInit: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [msxxhttp.c 2999]

After this, I have created SSLS.pse from an ABAP system by means of STRUSTSSO2 transaction but I obtain the same error, I don't understand.

My system is a BI 7.0 Java only Stack.

Note that I setup SSL on 50001 port and it works, so only Message server https doesn't work.

I hope that I have clarified my problem to you.

Thanks for your help.

Mario

Former Member
0 Kudos

Hello,

you will have to change the value of these parameters:

ssl/ssl_lib=$(DIR_EXECUTABLE)\sapcrypto.dll

ssf/ssfapi_lib=$(DIR_EXECUTABLE)\sapcrypto.dll

sec/libsapsecu=$(DIR_EXECUTABLE)\sapcrypto.dll

Change the value of DIR_EXECUTABLE to the actual path of sapcrypto.dll.

Also please send the dev_w0 logs for further analysis.

Rohit

Former Member
0 Kudos

Also refer to Note sapnote_0000800240

This will be useful

Also, your system is ABAP+JAVA, right?

Rohit

Former Member
0 Kudos

Hi,

now, sapcrypto lib is correctly used.

The problem is on SAPSSLS.PSE I think.

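The log file is dev_ms:

---------------------------------------------------

trc file: "dev_ms", trc level: 1, release: "700"

---------------------------------------------------
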
[Thr 2100] Wed Apr 01 09:59:03 2009

[Thr 2100] MsSSetTrcLog: trc logging active, max size = 20971520 bytes

systemid 562 (PC with Windows NT)

relno 7000

patchlevel 0

patchno 163

intno 20050900

make: multithreaded, Unicode, 64 bit, optimized

pid 3932

[Thr 2100] ***LOG Q01=> MsSInit, MSStart (Msg Server 1 3932) [msxxserv.c 1835]

[Thr 2100] load acl file = Z:\usr\sap\BJS\SYS\global\ms_acl_info.DAT

[Thr 2100] MsGetOwnIpAddr: my host addresses are :

[Thr 2100] 1 : [172.16.1.60] SBJSVIVV01.abc.net (HOSTNAME)

[Thr 2100] 2 : [127.0.0.1] SBJSVIVV01.abc.net (LOCALHOST)

[Thr 2100] MsHttpInit: full qualified hostname = SBJSVIVV01.abc.net

[Thr 2100] HTTP logging is switch off

[Thr 2100] set HTTP state to LISTEN

[Thr 2100] =================================================

[Thr 2100] = SSL Initialization on PC with Windows NT

[Thr 2100] = (700_REL,Aug 24 2008,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)

[Thr 2100] profile param "ssl/ssl_lib" = "Z:\usr\sap\BJS\SCS01\exe\sapcrypto.dll"

resulting Filename = "Z:\usr\sap\BJS\SCS01\exe\sapcrypto.dll"

[Thr 2100] = found SAPCRYPTOLIB 5.5.5C pl24 (Jun 11 2008) MT-safe

[Thr 2100] = current UserID: D-VIMAR\SAPServiceBJS

[Thr 2100] = using SECUDIR=Z:\usr\sap\BJS\SCS01\sec

[Thr 2100] *** ERROR => secudessl_Create_SSL_CTX(): PSE "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" not found! [ssslsecu.c 1354]

[Thr 2100] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --

secude_error 4129 (0x00001021) = "The PSE does not exist"

[Thr 2100] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 2100] ERROR in SSL_CTX_set_default_pse_by_name: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in ssl_set_pse: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in af_open: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in secsw_open: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in secsw_open_pse_or_extension: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

ERROR in sec_get_PSEtype: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"

[Thr 2100] << ---------- End of Secude-SSL Errorstack ----------


[Thr 2100] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential

for "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" [ssslxxi.c 2278]

[Thr 2100] *** ERROR => Initialization of SSL library failed -- NO SSL available!

[Thr 2100] =================================================

[Thr 2100] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR

[Thr 2100] *** ERROR => MsHttpsInit: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [msxxhttp.c 2999]

[Thr 2100] MsHttpOwnDomain: own domain[1] = abc.net

[Thr 2100] ms/icf_info_server : deleted

[Thr 2100] *** I listen to internal port 3901 (3901) ***

[Thr 2100] *** HTTP port 8101 state LISTEN ***

[Thr 2100] CUSTOMER KEY: >H1211753310<

[Thr 2100] Wed Apr 01 09:59:35 2009

[Thr 2100] MsJ2EE_AddLoggedInNode: add node [2590400] into logged in list

[Thr 2100] MsJ2EE_AddLoggedInNode: add node [2590450] into logged in list

Thanks.

Former Member
0 Kudos

The PSE SAPSSLS.pse is absent and that's why the errors are coming.

You have to create this PSE; just follow the method given below step by step:

http://help.sap.com/saphelp_nw04s/helpdata/en/a6/f19a3dc0d82453e10000000a114084/content.htm

and

http://help.sap.com/SAPHELP_NW70EHP1/helpdata/EN/46/cd75ea61533c20e10000000a155369/content.htm

I think if you follow these you might be able to resolve the issue. Let me know of any issues.

Rohit

Former Member
0 Kudos

I have created using STRUST, I followed the steps and I created SAPSSLS.pse

I assigned credential to SAPServiceBJS on to SAPSSLS.pse

but I obtain :

[Thr 2244] ***LOG Q01=> MsSInit, MSStart (Msg Server 1 3852) [msxxserv.c 1835]

[Thr 2244] load acl file = Z:\usr\sap\BJS\SYS\global\ms_acl_info.DAT

[Thr 2244] MsGetOwnIpAddr: my host addresses are :

[Thr 2244] 1 : [172.16.1.60] SBJSVIVV01.vimar.net (HOSTNAME)

[Thr 2244] 2 : [127.0.0.1] SBJSVIVV01.vimar.net (LOCALHOST)

[Thr 2244] MsHttpInit: full qualified hostname = SBJSVIVV01.vimar.net

[Thr 2244] HTTP logging is switch off

[Thr 2244] set HTTP state to LISTEN

[Thr 2244] =================================================

[Thr 2244] = SSL Initialization on PC with Windows NT

[Thr 2244] = (700_REL,Aug 24 2008,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)

[Thr 2244] profile param "ssl/ssl_lib" = "Z:\usr\sap\BJS\SCS01\exe\sapcrypto.dll"

resulting Filename = "Z:\usr\sap\BJS\SCS01\exe\sapcrypto.dll"

[Thr 2244] = found SAPCRYPTOLIB 5.5.5C pl24 (Jun 11 2008) MT-safe

[Thr 2244] = current UserID: D-VIMAR\SAPServiceBJS

[Thr 2244] = using SECUDIR=Z:\usr\sap\BJS\SCS01\sec

[Thr 2244] *** ERROR => secudessl_Create_SSL_CTX(): PSE "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" not found! [ssslsecu.c 1354]

[Thr 2244] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --

secude_error 1537 (0x00000601) = "PSE with DSA keypair is not supported for SSL"

[Thr 2244] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 2244] ERROR in SSL_CTX_set_default_pse_by_name: (1537/0x0601) PSE with DSA keypair is not supported for SSL

ERROR in ssl_set_pse: (1537/0x0601) PSE with DSA keypair is not supported for SSL

[Thr 2244] << ---------- End of Secude-SSL Errorstack ----------


[Thr 2244] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential

for "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" [ssslxxi.c 2278]

[Thr 2244] *** ERROR => Initialization of SSL library failed -- NO SSL available!

[Thr 2244] =================================================

[Thr 2244] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR

[Thr 2244] *** ERROR => MsHttpsInit: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [msxxhttp.c 2999]

[Thr 2244] MsHttpOwnDomain: own domain[1] = vimar.net

[Thr 2244] ms/icf_info_server : deleted

[Thr 2244] *** I listen to internal port 3901 (3901) ***

[Thr 2244] *** HTTP port 8101 state LISTEN ***

So I don't understand..

Former Member
0 Kudos

Hi

You have got it wrong.

Please read this carefully and follow it:

http://help.sap.com/saphelp_nw04s/helpdata/en/a6/f19a3dc0d82453e10000000a114084/content.htm

You should not create the PSE with DSA; you have to create it with an RSA key pair, and that is why it is giving errors.

Please refer to the above link; you will be able to create this easily.

This is the method:

Creating the SAP Web Dispatcher's PSEs Using the Trust Manager

To create each PSE (SSL server PSE and SSL client PSE), using the trust manager:

...

1. Start the trust manager (transaction STRUST).

2. Using the context menu for the File node, choose Create (RSA).

For SSL, you must create a PSE that contains an RSA key pair. If you choose Create, then a DSA key pair is created, which cannot be used for SSL.

The Create PSE dialog appears.

3. Enter the Distinguished Name parts in the corresponding fields according to your CA's naming convention.

For the SSL server PSE, the Common Name part of the Distinguished Name must correspond to the fully-qualified host name used to access the Web Dispatcher.

For more information about how the trust manager builds the Distinguished Name from the field entries, see Creating or Replacing a PSE in the Trust Manager documentation.

4. Save the PSE to local file (for example, the Web Dispatcher's SECUDIR directory). Use the file name that you specified in the profile parameters ssl/server_pse and wdisp/ssl_cred for the SSL server PSE and the SSL client PSE respectively.

Former Member
0 Kudos

My system is Java only.

So to create SAPSSLS.pse I used an ABAP system (my Solution Manager) with SPS 14: when I use STRUST, from the context menu of the File node, when I choose "Create" I couldn't choose "RSA", so the problem is that it is automatically created in DSA mode.

Now I chose a newer ABAP system where I can choose "RSA", and now it works!

Thanks for your help.

Mario
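
An added example (not code from any poster or from SAP) that triages a dev_ms trace the way this thread ended up doing by hand: it reads the `secude_error` code rather than the generic "PSE ... not found!" line, which appears for both the missing-PSE case (4129) and the DSA-key case (1537). The function name, the hint texts and the shortened sample traces are constructed for illustration.

```python
import re

# Remediation hints as given in the thread, keyed by secude_error code.
HINTS = {
    4129: "PSE file is missing from SECUDIR: create SAPSSLS.pse there",
    1537: "PSE holds a DSA key pair: recreate it with an RSA key pair",
}
PATTERNS = {
    "ssl_lib": re.compile(r'profile param "ssl/ssl_lib" = "([^"]+)"'),
    "secudir": re.compile(r"using SECUDIR=(\S+)"),
    "pse": re.compile(r'PSE "([^"]+)"'),
    "rc": re.compile(r"SapSSLInit \(rc=(-?\d+)\)"),
}
SECUDE_RE = re.compile(r'secude_error (\d+) \(0x[0-9A-Fa-f]+\) = "([^"]*)"')

def triage(trace):
    """Summarise the SSL initialisation result recorded in a dev_ms trace."""
    out = {key: None for key in PATTERNS}
    out.update(errors=[], ssl_available=True)
    for line in trace.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m and out[key] is None:  # keep the first occurrence only
                out[key] = m.group(1)
        m = SECUDE_RE.search(line)
        if m:
            code = int(m.group(1))
            out["errors"].append((code, m.group(2), HINTS.get(code, "unknown code")))
        if "NO SSL available" in line:
            out["ssl_available"] = False
    return out

# Constructed samples, shortened from the trace lines quoted in the thread.
COMMON = r'''[Thr 2244] profile param "ssl/ssl_lib" = "Z:\usr\sap\BJS\SCS01\exe\sapcrypto.dll"
[Thr 2244] = using SECUDIR=Z:\usr\sap\BJS\SCS01\sec
[Thr 2244] *** ERROR => secudessl_Create_SSL_CTX(): PSE "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" not found! [ssslsecu.c 1354]
'''
TAIL = r'''
[Thr 2244] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 2244] *** ERROR => MsHttpsInit: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [msxxhttp.c 2999]
'''
MISSING = COMMON + 'secude_error 4129 (0x00001021) = "The PSE does not exist"' + TAIL
DSA_KEY = COMMON + 'secude_error 1537 (0x00000601) = "PSE with DSA keypair is not supported for SSL"' + TAIL

if __name__ == "__main__":
    for name, trace in (("missing PSE", MISSING), ("DSA PSE", DSA_KEY)):
        result = triage(trace)
        print(name, result["rc"], result["errors"])
```
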

Former Member
0 Kudos

You must put the following parameters in the system profile:

ssf/name = SAPSECULIB

ssf/ssfapi_lib = <Path and file name of the SAPCRYPTOLIB>

sec/libsapsecu = <Path and file name of the SAPCRYPTOLIB>

Then you can choose the algorithm.

Regards

chris

Answers (0)