on 04-01-2009 8:58 AM
Hello,
I need to set up HTTPS for the message server of a Java-only installation 7.0.
How can I do it?
Do I need to use sapcrypto library as for the ABAP stack?
Thanks.
Mario
I setup on SCS message server profile parameter:
ms/server_port_1 = PROT=HTTPS,PORT=444$$
ssf/name=SAPSECULIB
ssl/ssl_lib=$(DIR_EXECUTABLE)\sapcrypto.dll
ssf/ssfapi_lib=$(DIR_EXECUTABLE)\sapcrypto.dll
sec/libsapsecu=$(DIR_EXECUTABLE)\sapcrypto.dll
but when the message server start I obtain the error:
secude_error 4129 (0x00001021) = "The PSE does not exist"
[Thr 2100] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 2100] ERROR in SSL_CTX_set_default_pse_by_name: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in ssl_set_pse: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in af_open: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in secsw_open: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in secsw_open_pse_or_extension: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in sec_get_PSEtype: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
[Thr 2100] << -
End of Secude-SSL Errorstack -
[Thr 2100] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
for "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" [ssslxxi.c 2278]
[Thr 2100] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 2100] =================================================
Could you help me?
Thanks.
Mario
I need to setup https on the message server Java of the SCS instance.
I need this to setup end-to-end SSL termination from SAP Web Dispatcher to the SAP Java Instance.
I installed sapcrypto lib.
I setup the SCS message server profile :
#----
Inserting the parameters for message server https
#----
ms/server_port_1 = PROT=HTTPS,PORT=444$$
ssf/name=SAPSECULIB
ssl/ssl_lib=$(DIR_EXECUTABLE)\sapcrypto.dll
ssf/ssfapi_lib=$(DIR_EXECUTABLE)\sapcrypto.dll
sec/libsapsecu=$(DIR_EXECUTABLE)\sapcrypto.dll
but when it starts I obtain the error:
[Thr 2100] = using SECUDIR=Z:\usr\sap\BJS\SCS01\sec
[Thr 2100] *** ERROR => secudessl_Create_SSL_CTX(): PSE "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" not found! [ssslsecu.c 1354]
[Thr 2100] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
secude_error 4129 (0x00001021) = "The PSE does not exist"
[Thr 2100] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 2100] ERROR in SSL_CTX_set_default_pse_by_name: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in ssl_set_pse: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in af_open: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in secsw_open: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in secsw_open_pse_or_extension: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in sec_get_PSEtype: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
[Thr 2100] << -
End of Secude-SSL Errorstack -
[Thr 2100] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
for "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" [ssslxxi.c 2278]
[Thr 2100] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 2100] =================================================
[Thr 2100] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 2100] *** ERROR => MsHttpsInit: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [msxxhttp.c 2999]
After this, I have created SSLS.pse from an ABAP system by means of STRUSTSSO2 transaction but I obtain the same error, I don't understand.
My system is a BI 7.0 Java only Stack.
Note that I setup SSL on 50001 port and it works, so only Message server https doesn't work.
I hope that I have clarified my problem for you.
Thanks for your help.
Mario
Hello,
you will have to change the value of these parameters:
ssl/ssl_lib=$(DIR_EXECUTABLE)\sapcrypto.dll
ssf/ssfapi_lib=$(DIR_EXECUTABLE)\sapcrypto.dll
sec/libsapsecu=$(DIR_EXECUTABLE)\sapcrypto.dll
Change the value of DIR_EXECUTABLE to the actual path of sapcrypto.dll.
Also, please send the dev_w0 logs for further analysis.
Rohit
Hi,
now, sapcrypto lib is correctly used.
The problem is on SAPSSLS.PSE I think.
The log file is dev_ms:
-
trc file: "dev_ms", trc level: 1, release: "700"
-
[Thr 2100] Wed Apr 01 09:59:03 2009
[Thr 2100] MsSSetTrcLog: trc logging active, max size = 20971520 bytes
systemid 562 (PC with Windows NT)
relno 7000
patchlevel 0
patchno 163
intno 20050900
make: multithreaded, Unicode, 64 bit, optimized
pid 3932
[Thr 2100] ***LOG Q01=> MsSInit, MSStart (Msg Server 1 3932) [msxxserv.c 1835]
[Thr 2100] load acl file = Z:\usr\sap\BJS\SYS\global\ms_acl_info.DAT
[Thr 2100] MsGetOwnIpAddr: my host addresses are :
[Thr 2100] 1 : [172.16.1.60] SBJSVIVV01.abc.net (HOSTNAME)
[Thr 2100] 2 : [127.0.0.1] SBJSVIVV01.abc.net (LOCALHOST)
[Thr 2100] MsHttpInit: full qualified hostname = SBJSVIVV01.abc.net
[Thr 2100] HTTP logging is switch off
[Thr 2100] set HTTP state to LISTEN
[Thr 2100] =================================================
[Thr 2100] = SSL Initialization on PC with Windows NT
[Thr 2100] = (700_REL,Aug 24 2008,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
[Thr 2100] profile param "ssl/ssl_lib" = "Z:\usr\sap\BJS\SCS01\exe\sapcrypto.dll"
resulting Filename = "Z:\usr\sap\BJS\SCS01\exe\sapcrypto.dll"
[Thr 2100] = found SAPCRYPTOLIB 5.5.5C pl24 (Jun 11 2008) MT-safe
[Thr 2100] = current UserID: D-VIMAR\SAPServiceBJS
[Thr 2100] = using SECUDIR=Z:\usr\sap\BJS\SCS01\sec
[Thr 2100] *** ERROR => secudessl_Create_SSL_CTX(): PSE "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" not found! [ssslsecu.c 1354]
[Thr 2100] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
secude_error 4129 (0x00001021) = "The PSE does not exist"
[Thr 2100] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 2100] ERROR in SSL_CTX_set_default_pse_by_name: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in ssl_set_pse: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in af_open: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in secsw_open: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in secsw_open_pse_or_extension: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
ERROR in sec_get_PSEtype: (4129/0x1021) The PSE does not exist : "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse"
[Thr 2100] << -
End of Secude-SSL Errorstack -
[Thr 2100] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
for "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" [ssslxxi.c 2278]
[Thr 2100] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 2100] =================================================
[Thr 2100] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 2100] *** ERROR => MsHttpsInit: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [msxxhttp.c 2999]
[Thr 2100] MsHttpOwnDomain: own domain[1] = abc.net
[Thr 2100] ms/icf_info_server : deleted
[Thr 2100] *** I listen to internal port 3901 (3901) ***
[Thr 2100] *** HTTP port 8101 state LISTEN ***
[Thr 2100] CUSTOMER KEY: >H1211753310<
[Thr 2100] Wed Apr 01 09:59:35 2009
[Thr 2100] MsJ2EE_AddLoggedInNode: add node [2590400] into logged in list
[Thr 2100] MsJ2EE_AddLoggedInNode: add node [2590450] into logged in list
Thanks.
The PSE SAPSSLS.pse is absent and that's why the errors are coming.
You have to create this PSE; just follow the method given below step by step:
http://help.sap.com/saphelp_nw04s/helpdata/en/a6/f19a3dc0d82453e10000000a114084/content.htm
and
http://help.sap.com/SAPHELP_NW70EHP1/helpdata/EN/46/cd75ea61533c20e10000000a155369/content.htm
I think if you follow these you might be able to resolve the issue; let me know of any issues.
Rohit
I have created using STRUST, I followed the steps and I created SAPSSLS.pse
I assigned credential to SAPServiceBJS on to SAPSSLS.pse
but I obtain :
[Thr 2244] ***LOG Q01=> MsSInit, MSStart (Msg Server 1 3852) [msxxserv.c 1835]
[Thr 2244] load acl file = Z:\usr\sap\BJS\SYS\global\ms_acl_info.DAT
[Thr 2244] MsGetOwnIpAddr: my host addresses are :
[Thr 2244] 1 : [172.16.1.60] SBJSVIVV01.vimar.net (HOSTNAME)
[Thr 2244] 2 : [127.0.0.1] SBJSVIVV01.vimar.net (LOCALHOST)
[Thr 2244] MsHttpInit: full qualified hostname = SBJSVIVV01.vimar.net
[Thr 2244] HTTP logging is switch off
[Thr 2244] set HTTP state to LISTEN
[Thr 2244] =================================================
[Thr 2244] = SSL Initialization on PC with Windows NT
[Thr 2244] = (700_REL,Aug 24 2008,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
[Thr 2244] profile param "ssl/ssl_lib" = "Z:\usr\sap\BJS\SCS01\exe\sapcrypto.dll"
resulting Filename = "Z:\usr\sap\BJS\SCS01\exe\sapcrypto.dll"
[Thr 2244] = found SAPCRYPTOLIB 5.5.5C pl24 (Jun 11 2008) MT-safe
[Thr 2244] = current UserID: D-VIMAR\SAPServiceBJS
[Thr 2244] = using SECUDIR=Z:\usr\sap\BJS\SCS01\sec
[Thr 2244] *** ERROR => secudessl_Create_SSL_CTX(): PSE "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" not found! [ssslsecu.c 1354]
[Thr 2244] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
secude_error 1537 (0x00000601) = "PSE with DSA keypair is not supported for SSL"
[Thr 2244] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 2244] ERROR in SSL_CTX_set_default_pse_by_name: (1537/0x0601) PSE with DSA keypair is not supported for SSL
ERROR in ssl_set_pse: (1537/0x0601) PSE with DSA keypair is not supported for SSL
[Thr 2244] << -
End of Secude-SSL Errorstack -
[Thr 2244] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
for "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" [ssslxxi.c 2278]
[Thr 2244] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 2244] =================================================
[Thr 2244] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 2244] *** ERROR => MsHttpsInit: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [msxxhttp.c 2999]
[Thr 2244] MsHttpOwnDomain: own domain[1] = vimar.net
[Thr 2244] ms/icf_info_server : deleted
[Thr 2244] *** I listen to internal port 3901 (3901) ***
[Thr 2244] *** HTTP port 8101 state LISTEN ***
So I don't understand..
Hi
You have got it wrong.
Please read this clearly and follow it:
http://help.sap.com/saphelp_nw04s/helpdata/en/a6/f19a3dc0d82453e10000000a114084/content.htm
You should not create the PSE with DSA; you have to create it with an RSA key pair, and that is why it is giving errors.
Please refer to the above link; you will be able to create this easily.
This is the method
Creating the SAP Web Dispatcher's PSEs Using the Trust Manager
To create each PSE (SSL server PSE and SSL client PSE), using the trust manager:
...
1. Start the trust manager (transaction STRUST).
2. Using the context menu for the File node, choose Create (RSA).
For SSL, you must create a PSE that contains an RSA key pair. If you choose Create, then a DSA key pair is created, which cannot be used for SSL.
The Create PSE dialog appears.
3. Enter the Distinguished Name parts in the corresponding fields according to your CA's naming convention.
For the SSL server PSE, the Common Name part of the Distinguished Name must correspond to the fully-qualified host name used to access the Web Dispatcher.
For more information about how the trust manager builds the Distinguished Name from the field entries, see Creating or Replacing a PSE in the Trust Manager documentation.
4. Save the PSE to local file (for example, the Web Dispatcher's SECUDIR directory). Use the file name that you specified in the profile parameters ssl/server_pse and wdisp/ssl_cred for the SSL server PSE and the SSL client PSE respectively.
My system is only Java.
So to create SAPSSLS.pse I used an ABAP system (my Solution Manager) with SPS 14: when I used STRUST, from the context menu of the File node, when I chose "Create" I couldn't choose "RSA", so the problem is that it is automatically created in DSA mode.
Now I chose a newer ABAP system and I can choose "RSA" and now it works!
Thanks for your help.
Mario
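A small triage script for the dev_ms excerpts in this thread, added here as an example and not part of any poster's reply or of SAP tooling: it keys on the secude_error code rather than the leading "not found!" line, which appears in both the missing-PSE trace and the DSA key pair trace. The sample trace is constructed from lines quoted above; the function name `triage` and the advice table are assumptions.

```python
import re

# Constructed sample: lines shaped like the dev_ms excerpts quoted in this thread.
SAMPLE_TRACE = r'''
[Thr 2244] profile param "ssl/ssl_lib" = "Z:\usr\sap\BJS\SCS01\exe\sapcrypto.dll"
[Thr 2244] = current UserID: D-VIMAR\SAPServiceBJS
[Thr 2244] = using SECUDIR=Z:\usr\sap\BJS\SCS01\sec
[Thr 2244] *** ERROR => secudessl_Create_SSL_CTX(): PSE "Z:\usr\sap\BJS\SCS01\sec\SAPSSLS.pse" not found! [ssslsecu.c 1354]
secude_error 1537 (0x00000601) = "PSE with DSA keypair is not supported for SSL"
[Thr 2244] *** ERROR => Initialization of SSL library failed -- NO SSL available!
'''

# Only the two codes seen in the thread; the advice wording follows the replies.
ADVICE = {
    4129: "PSE file is missing from SECUDIR: create the SSL server PSE there",
    1537: "PSE holds a DSA key pair: recreate it with Create (RSA) in STRUST",
}

SECUDE_RE = re.compile(r'secude_error\s+(\d+)\s+\(0x[0-9A-Fa-f]+\)\s*=\s*"([^"]*)"')
PSE_RE = re.compile(r'PSE "([^"]+)" not found!')
FIELD_RES = {
    "ssl_lib": re.compile(r'profile param "ssl/ssl_lib" = "([^"]+)"'),
    "user": re.compile(r'current UserID: (\S+)'),
    "secudir": re.compile(r'using SECUDIR=(\S+)'),
}

def triage(trace):
    """Summarise an SSL initialisation block from a dev_ms trace."""
    result = {"ssl_available": True, "errors": []}
    for line in trace.splitlines():
        for name, rx in FIELD_RES.items():
            m = rx.search(line)
            if m:
                result[name] = m.group(1)
        m = PSE_RE.search(line)
        if m:
            result["pse"] = m.group(1)  # path the server tried to open
        m = SECUDE_RE.search(line)
        if m:
            code = int(m.group(1))
            entry = (code, m.group(2), ADVICE.get(code, "unmapped code: read the error stack"))
            if entry not in result["errors"]:
                result["errors"].append(entry)
        if "NO SSL available" in line:
            result["ssl_available"] = False
    return result
```

The `user` and `secudir` fields are worth reading alongside the code: they show which service account and which directory the message server actually used when it looked for the PSE.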