cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

HTTPS Port to ICM unavailable

Go to solution
Former Member

on ‎04-14-2009 10:46 AM

0 Kudos

Hi Experts,

We activated SSL in our landscape. After the activation of SSL and all PSE configurations performed, the HTTPS port to ICM is not functioning. We are able to reach the Java stack using HTTPS with direct port.

While accessing java stack using HTTPS ICM port we get the below error in browser

503 Service not available

-

Error: -6

Version: 7000

Component: J2EE Server

Date/Time: Tue Apr 14 09:37:13 2009

Module: http_j2ee_mt.c

Line: 820

Server: sapd*7_*7_07

Error Tag: Detail: Cannot reach external Application Server on sapd**7.europe.shell.com:8407 In the ICM trace file we get the below error [Thr 1543] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL [Thr 1543] SecudeSSL_SessionStart: SSL_connect() failed secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed" [Thr 1543] >> Begin of Secude-SSL Errorstack >> [Thr 1543] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=sapd**7.europe.shell.com" ERROR in get_path: (27/0x001b) Found root certificate of <CN=sapd**7.europe.shell.com> which does not fit the given PKRoot ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=sapd**7.europe.shell.com> which does not fit the given P [Thr 1543] << End of Secude-SSL Errorstack [Thr 1543] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B" [Thr 1543] SSL NI-sock: local=145.26.54.182:46609 peer=145.26.55.103:8407 [Thr 1543] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x116001ab0)==SSSLERR_SSL_CONNECT [Thr 1543] *** ERROR => IcmConnPoolConnect: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxpool_mt. 2097] [Thr 1543] *** ERROR => Cannot reach external Application Server on sapd**7.europe.shell.com:8407 [http_j2ee_mt.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

JPReyes
Active Contributor
‎04-14-2009 10:53 AM
0 Kudos 
which does not fit the given PKRoot

Seems like a problem with the certificate, You need to doublecheck that the info in the certificate is correct.

Also read,

That might help.

Regards

Juan

Show replies
Show replies
Former Member
‎04-14-2009 11:29 AM
0 Kudos

Hi Juan,

Thanks for your quick response.

I have tried reconfiguring all the certificates in SAPSYS.pse , SAPSSLS.pse,SAPSNCS.pse and SAPSSLC.pse .The certificate that is displayed as incorrect in the trace file is of J2EE certificate that was downloaded from service_SSL of key storage.

The J2EE certificate is imported in SAPSSLS.pse,SAPSNCS.pse and SAPSSLC.pse. Is there a way to ensure the certificate chain configuraitons.

We just followed to bulid certificate chain by adding J2EE certificate into SAPSSLS.pse.

Regards,

Karthick.

Former Member
‎04-14-2009 12:15 PM
0 Kudos

Hi,

Don't mix up J2EE and ICM certificates.

Are you able to access the ABAP Stack through SSL directly from a web browser ?

>We just followed to bulid certificate chain by adding J2EE certificate into SAPSSLS.pse.

SAPSSLS.pse is the ABAP ICM https server certificate. Don't add J2EE certificate inside !

Do you have an intermediate CA in your ABAP ICM certificate ?

If yes, there is a trick to use when importing the signed certificate in STRUST.

Regards,

Olivier

Former Member
‎04-14-2009 6:52 PM
0 Kudos

Hi Oliver,

Cheers. In our landscape all the external request https will pass via ICM --> webdispatcher --- > ABAP/J2EE . For this purpose we build certificate chain to trust each other.

There is no intermediate CA like Verisign or SAP trusted. The certificates are self system signed.

Regards,

Karthick.

Answers (0)

Ask a Question