cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Error in ADS Configuration

Go to solution
sunny_pahuja2
Active Contributor

on ‎10-21-2009 4:13 PM

0 Kudos

Hi All,

I am currently configuring ADS based on SSL authentication in my ERP system (ECC 6.0 ABAP). I have followed all steps to configure it via SSL authentication from ADS configuration guide. But when I am doing ADS_HTTPS test in SM59, I am getting error: ICM_HTTP_SSL_ERROR.

When I check logs in SMICM, I am getting below error:

[Thr 536] session uses PSE file "C:\usr\sap\DEV\DVEBMGS00\sec\SAPSSLC.pse"

[Thr 536] SecudeSSL_SessionStart: SSL_connect() failed

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 536] >> Begin of Secude-SSL Errorstack >>

[Thr 536] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed #

ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=SAP-SOLMAN.synapse.com"#

ERROR in get_path: (27/0x001b) Found root certificate of <CN=SAP-SOLMAN.synapse.com> which does not fit the given PKRoot #

ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=SAP-SOLMAN.synapse.com> which does not fit the given PKRoot

[Thr 536] << End of Secude-SSL Errorstack

[Thr 536] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 536] SSL NI-sock: local=172.16.2.106:3873 peer=172.16.2.79:50001

[Thr 536] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000008D31250)==SSSLERR_SSL_CONNECT

[Thr 536] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn.c 2012]

Anyone could please suggest me what is the problem, I want through SAP note 510007 but no success ?

Thanks

Sunny

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎10-21-2009 5:35 PM
0 Kudos

We had the same problem.

Can you try to add the root certificate and all intermediate certificates in transaction STRUST (on the SSL Client PSE). As far as i remember, this helped in our case. Do not forget to restart the icm.

If that does not help, i have to dig deeper, it was over 2 years ago and we tried a lot of things then.

Cheers Michael

Show replies
Show replies

Answers (5)

Answers (5)

former_member227283
Active Contributor
‎10-22-2009 7:54 AM
0 Kudos

Hi Sunny,

SSL Is activated for RFC ADS_HTTPS & Client Certificate you created is mapped in ADS_HTTPS on tab logon & security.

Can you confirm is this done.

Thanks

Anil

Show replies
Show replies
sunny_pahuja2
Active Contributor
‎10-22-2009 9:30 AM
0 Kudos

Hi Anil,

This is done.

Thanks

Sunny

former_member227283
Active Contributor
‎10-22-2009 6:04 AM
0 Kudos

Hi Sunny,

You going to use the ADS on Abap stack or on java stack.

Thanks

Anil

Show replies
Show replies
sunny_pahuja2
Active Contributor
‎10-22-2009 6:08 AM
0 Kudos

Hi Anil,

On ABAP stack via ssl.

Thanks

Sunny

Former Member
‎10-22-2009 7:14 AM
0 Kudos

Do you know the [CA (certificate authority)|http://en.wikipedia.org/wiki/Certificate_authority] of your certificate? PKI's are trusted organisations which create or more important sign certificates.

To verify a certificate, the so called root certificate is needed. And this is the thing icman is complaining about. Again i suggest you import the root certificate of the CA into STRUST on the abap system.

Cheers Michael

former_member227283
Active Contributor
‎10-22-2009 5:47 AM
0 Kudos

Hi Sunny,

Chain of certificates is incomplete : "CN=SAP-SOLMAN.synapse.com"#

on host: "SAP-DEV"

I am bit confused , your hostname of the server which you have activated HTTPS is SAP-DEV and the Chain certificate shows hostaname as CN=SAP-SOLMAN.synapse.com

Both Sevice host name is differnt & hostname present in CN is differnet.

Any reason why you are different hostname in certificate.

Thanks

Anil

Show replies
Show replies
sunny_pahuja2
Active Contributor
‎10-22-2009 5:55 AM
0 Kudos

Hi Anil,

Thanks for your reply.

I am also little bit confused. HTTPS setting I am doing on SAP-DEV is ERP ABAP system and Java part we are using of solman. So, in visual admin in key storage, I uploaded the certificate of both.

Thanks

Sunny

former_member227283
Active Contributor
‎10-21-2009 6:30 PM
0 Kudos

Hi Sunny,

Can you give us some info .. which of the Trust Manager layer have been activated in STRUST i.e System PSE , SNC SAPCryptolib, SSL Server Stansard ....

Which of all shows in green status.

Also can you deactivate the HTTPS in SMICM & again activate the HTTPS & can you paste the logs which generate between deactivate & acticate of HTTPS

Thanks

Anil

Edited by: Anil Bhandary on Oct 21, 2009 7:34 PM

Show replies
Show replies
sunny_pahuja2
Active Contributor
‎10-21-2009 6:53 PM
0 Kudos

Hi Anil,

In strustsso2, System PSE, SNC SAPCryptolib, SSL Server Standard and SSL Client SSL Client (Standard) are in green status.

Please find log between restarting of HTTPS service:

[Thr 3344] Wed Oct 21 23:22:37 2009

[Thr 3344] Deactivated service 443 for protocol HTTPS on host: "SAP-DEV"(on all adapters) (timeout=90)

[Thr 1540] Wed Oct 21 23:22:47 2009

[Thr 1540] Reactivated service 443 for protocol HTTPS on host: "SAP-DEV"(on all adapters) (timeout=90)

Thanks

Sunny

former_member227283
Active Contributor
‎10-21-2009 5:42 PM
0 Kudos

Hi Sunny,

The Error you pasted says Certificate problem

Pls correct me if i am wrong

You done all the neccesary step for activating the HTTPS service on abap stack , now when you check the HTTPS service in SMICM is in Deactivate state, now when you try to activate the HTTPS service .. the service is not getting activate and when you check the log of SMICM you get the error which you have pasted.

Can you pls follow the below link upto Step 4.3 fot activating the SSL in Abap stack

http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/a0b08305-0623-2a10-14be-8f7ad3725fee&override...

Thanks

Anil

Show replies
Show replies
sunny_pahuja2
Active Contributor
‎10-21-2009 6:06 PM
0 Kudos

Hi Mho & Anil,

I created all required PSE's in strust transaction and all are in green state. Also, HTTPS service in SMICM is also active. I also tried to restart ICM. But it does not work.

As in my ADS configuration, I am using Java of my solution manager. And as per the error log there is some mismatch between PKCS#12 credential file and root certificatie in solman. Check below error:

ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=SAP-SOLMAN.synapse.com> which does not fit the given PKRoot

If you can suggest something more.

Thanks

Sunny

Ask a Question