on 10-21-2009 4:13 PM
Hi All,
I am currently configuring ADS based on SSL authentication in my ERP system (ECC 6.0 ABAP). I have followed all steps to configure it via SSL authentication from ADS configuration guide. But when I am doing ADS_HTTPS test in SM59, I am getting error: ICM_HTTP_SSL_ERROR.
When I check logs in SMICM, I am getting below error:
[Thr 536] session uses PSE file "C:\usr\sap\DEV\DVEBMGS00\sec\SAPSSLC.pse"
[Thr 536] SecudeSSL_SessionStart: SSL_connect() failed
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 536] >> Begin of Secude-SSL Errorstack >>
[Thr 536] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed #
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=SAP-SOLMAN.synapse.com"#
ERROR in get_path: (27/0x001b) Found root certificate of <CN=SAP-SOLMAN.synapse.com> which does not fit the given PKRoot #
ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=SAP-SOLMAN.synapse.com> which does not fit the given PKRoot
[Thr 536] << End of Secude-SSL Errorstack
[Thr 536] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 536] SSL NI-sock: local=172.16.2.106:3873 peer=172.16.2.79:50001
[Thr 536] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000008D31250)==SSSLERR_SSL_CONNECT
[Thr 536] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn.c 2012]
Anyone could please suggest me what is the problem, I want through SAP note 510007 but no success ?
Thanks
Sunny
We had the same problem.
Can you try to add the root certificate and all intermediate certificates in transaction STRUST (on the SSL Client PSE). As far as i remember, this helped in our case. Do not forget to restart the icm.
If that does not help, i have to dig deeper, it was over 2 years ago and we tried a lot of things then.
Cheers Michael
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Sunny,
SSL Is activated for RFC ADS_HTTPS & Client Certificate you created is mapped in ADS_HTTPS on tab logon & security.
Can you confirm is this done.
Thanks
Anil
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Sunny,
You going to use the ADS on Abap stack or on java stack.
Thanks
Anil
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Do you know the [CA (certificate authority)|http://en.wikipedia.org/wiki/Certificate_authority] of your certificate? PKI's are trusted organisations which create or more important sign certificates.
To verify a certificate, the so called root certificate is needed. And this is the thing icman is complaining about. Again i suggest you import the root certificate of the CA into STRUST on the abap system.
Cheers Michael
Hi Sunny,
Chain of certificates is incomplete : "CN=SAP-SOLMAN.synapse.com"#
on host: "SAP-DEV"
I am bit confused , your hostname of the server which you have activated HTTPS is SAP-DEV and the Chain certificate shows hostaname as CN=SAP-SOLMAN.synapse.com
Both Sevice host name is differnt & hostname present in CN is differnet.
Any reason why you are different hostname in certificate.
Thanks
Anil
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Sunny,
Can you give us some info .. which of the Trust Manager layer have been activated in STRUST i.e System PSE , SNC SAPCryptolib, SSL Server Stansard ....
Which of all shows in green status.
Also can you deactivate the HTTPS in SMICM & again activate the HTTPS & can you paste the logs which generate between deactivate & acticate of HTTPS
Thanks
Anil
Edited by: Anil Bhandary on Oct 21, 2009 7:34 PM
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Anil,
In strustsso2, System PSE, SNC SAPCryptolib, SSL Server Standard and SSL Client SSL Client (Standard) are in green status.
Please find log between restarting of HTTPS service:
[Thr 3344] Wed Oct 21 23:22:37 2009
[Thr 3344] Deactivated service 443 for protocol HTTPS on host: "SAP-DEV"(on all adapters) (timeout=90)
[Thr 1540] Wed Oct 21 23:22:47 2009
[Thr 1540] Reactivated service 443 for protocol HTTPS on host: "SAP-DEV"(on all adapters) (timeout=90)
Thanks
Sunny
Hi Sunny,
The Error you pasted says Certificate problem
Pls correct me if i am wrong
You done all the neccesary step for activating the HTTPS service on abap stack , now when you check the HTTPS service in SMICM is in Deactivate state, now when you try to activate the HTTPS service .. the service is not getting activate and when you check the log of SMICM you get the error which you have pasted.
Can you pls follow the below link upto Step 4.3 fot activating the SSL in Abap stack
Thanks
Anil
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Mho & Anil,
I created all required PSE's in strust transaction and all are in green state. Also, HTTPS service in SMICM is also active. I also tried to restart ICM. But it does not work.
As in my ADS configuration, I am using Java of my solution manager. And as per the error log there is some mismatch between PKCS#12 credential file and root certificatie in solman. Check below error:
ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=SAP-SOLMAN.synapse.com> which does not fit the given PKRoot
If you can suggest something more.
Thanks
Sunny
User | Count |
---|---|
92 | |
11 | |
10 | |
9 | |
9 | |
7 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.