on 04-14-2009 10:46 AM
Hi Experts,
We activated SSL in our landscape. After the activation of SSL and all PSE configurations performed, the HTTPS port to ICM is not functioning. We are able to reach the Java stack using HTTPS with direct port.
While accessing java stack using HTTPS ICM port we get the below error in browser
503 Service not available
-
Error: -6
Version: 7000
Component: J2EE Server
Date/Time: Tue Apr 14 09:37:13 2009
Module: http_j2ee_mt.c
Line: 820
Server: sapd*7_*7_07
Error Tag:
Detail: Cannot reach external Application Server on sapd**7.europe.shell.com:8407
In the ICM trace file we get the below error
[Thr 1543] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 1543] SecudeSSL_SessionStart: SSL_connect() failed
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 1543] >> Begin of Secude-SSL Errorstack >>
[Thr 1543] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=sapd**7.europe.shell.com"
ERROR in get_path: (27/0x001b) Found root certificate of <CN=sapd**7.europe.shell.com> which does not fit the given PKRoot
ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=sapd**7.europe.shell.com> which does not fit the given P
[Thr 1543] << End of Secude-SSL Errorstack
[Thr 1543] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 1543] SSL NI-sock: local=145.26.54.182:46609 peer=145.26.55.103:8407
[Thr 1543] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x116001ab0)==SSSLERR_SSL_CONNECT
[Thr 1543] *** ERROR => IcmConnPoolConnect: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxpool_mt. 2097]
[Thr 1543] *** ERROR => Cannot reach external Application Server on sapd**7.europe.shell.com:8407 [http_j2ee_mt.
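Added example, not part of the original post: a small Python triage of the trace above that pulls out which side ICM played in the handshake, the peer it dialled, the Secude error frames, and the certificate subject that failed verification. The function and field names (`triage`, `untrusted_root`, and so on) are this example's own, and the sample input is an excerpt of the trace quoted in the post.

```python
import re

# Excerpt of the ICM trace quoted in the post (hostnames are masked there with '*').
TRACE = """\
[Thr 1543] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 1543] >> Begin of Secude-SSL Errorstack >>
[Thr 1543] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=sapd**7.europe.shell.com"
ERROR in get_path: (27/0x001b) Found root certificate of <CN=sapd**7.europe.shell.com> which does not fit the given PKRoot
[Thr 1543] << End of Secude-SSL Errorstack
[Thr 1543] SSL NI-sock: local=145.26.54.182:46609 peer=145.26.55.103:8407
"""

STACK_LINE = re.compile(r"ERROR in (\w+): \((\d+)/0x[0-9a-fA-F]+\) (.*)")
SUBJECT = re.compile(r'[<"](CN=[^>"]+)[>"]')
PEER = re.compile(r"SSL NI-sock: local=(\S+) peer=(\S+)")

def triage(trace):
    """Summarise one Secude-SSL error stack from an ICM trace."""
    result = {"role": None, "peer": None, "frames": [], "subjects": set()}
    in_stack = False
    for line in trace.splitlines():
        if "SSL_connect()" in line:
            result["role"] = "client"  # ICM opened the session, so it verified the peer
        if "Begin of Secude-SSL Errorstack" in line:
            in_stack = True
            continue
        if "End of Secude-SSL Errorstack" in line:
            in_stack = False
            continue
        m = STACK_LINE.search(line)
        if in_stack and m:
            result["frames"].append((m.group(1), int(m.group(2)), m.group(3)))
            result["subjects"].update(SUBJECT.findall(m.group(3)))
        m = PEER.search(line)
        if m:
            result["peer"] = m.group(2)
    # "does not fit the given PKRoot": the peer's root is not a trust anchor
    # of the PSE that was used for this outgoing connection.
    result["untrusted_root"] = any("PKRoot" in msg for _, _, msg in result["frames"])
    return result
```

Read this way, the trace says ICM acted as the SSL client towards port 8407 and rejected the certificate presented there, so the place to check is the trust list of the PSE ICM uses for that outgoing connection.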
Hi Juan,
Thanks for your quick response.
I have tried reconfiguring all the certificates in SAPSYS.pse, SAPSSLS.pse, SAPSNCS.pse and SAPSSLC.pse. The certificate that is displayed as incorrect in the trace file is the J2EE certificate that was downloaded from service_SSL of key storage.
The J2EE certificate is imported in SAPSSLS.pse, SAPSNCS.pse and SAPSSLC.pse. Is there a way to ensure the certificate chain configurations?
We just followed to build certificate chain by adding J2EE certificate into SAPSSLS.pse.
Regards,
Karthick.
Hi,
Don't mix up J2EE and ICM certificates.
Are you able to access the ABAP Stack through SSL directly from a web browser?
> We just followed to build certificate chain by adding J2EE certificate into SAPSSLS.pse.
SAPSSLS.pse is the ABAP ICM https server certificate. Don't add J2EE certificate inside!
Do you have an intermediate CA in your ABAP ICM certificate?
If yes, there is a trick to use when importing the signed certificate in STRUST.
Regards,
Olivier
Hi Olivier,
Cheers. In our landscape all the external HTTPS requests will pass via ICM --> webdispatcher --> ABAP/J2EE. For this purpose we build certificate chain to trust each other.
There is no intermediate CA like Verisign or SAP trusted. The certificates are self system signed.
Regards,
Karthick.