PI connecting to other system using SSL

Former Member
0 Kudos

Hi, I tried to communicate with another server from our PI using SSL. sapcrypto is activated, and the other server's certificate is imported.

Steps that I did:

1. In STRUST - Environment - SSL Client Identities, I have created a new entry called TESSSL. Then

2. In STRUST, there is an entry SSL Client test. I have created the PSE by using the default entry.

3. I imported the other server's SSL cert, intermediate, and root, and added them to the SSL Client test certificate list.

4. Created an RFC of type G, then filled in the target host, prefix and port, and also activated SSL on the Logon & Security tab, by choosing the "SSL Client test".

Upon testing the connection I got ICM_HTTP_ERROR.

Edited by: Muda Ikhsan on Jan 20, 2010 3:09 PM

Accepted Solutions (1)

markangelo_dihiansan
Active Contributor
0 Kudos

Hi,

Were you able to do an ICM Restart after you have imported the SSL Certificates in STRUST?

Hope this helps,

Former Member
0 Kudos

Hi, yes, ICM was restarted and the SSL cert of the third party was already imported to STRUST, but it seems to be having a problem with the cert.

I have tried importing the same certs into my IE, all of them: SSL, intermediate, and root. It didn't give any error.

But when importing the same cert into the SSL Client certificate in STRUST, it seems it can read the intermediate and root cert.

Answers (1)

Former Member
0 Kudos

Thr 1800] IcmConnConnect: context 2 assigned to tid: 31, uid: 398, mode: 1

Thr 1800] NiIGetServNo: servicename '5443' = port 15.43/5443

Thr 1800] IcmGetServicePtr: new serv_ref_count: 2

Thr 1800] IcmConnConnect: direct connect to j2eedevt.eds.xxx.com:8443

Thr 1800] NiHsLGetNodeAddr: found hostname 'j2eedevt.eds.jxxx.com' in cache

Thr 1800] NiIGetNodeAddr: hostname 'j2eedevt.eds.jjsea.com' = addr 192.168.5.52

Thr 1800] NiIGetServNo: servicename '8443' = port 20.FB/8443

Thr 1800] NiICreateHandle: hdl 6 state NI_INITIAL

Thr 1800] NiIInitSocket: set default settings for new hdl 6 / sock 46 (I4; ST)

Thr 1800] NiIBlockMode: set blockmode for hdl 6 FALSE

Thr 1800] NiICheckPendConnection: connection of hdl 6 to 192.168.5.52:8443 established

Thr 1800] NiIConnect: hdl 6 took local address 192.168.5.23:59600

Thr 1800] NiIConnect: state of hdl 6 NI_CONNECTED

Thr 1800] <<- SapSSLSessionInit()==SAP_O_K

Thr 1800] in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"

Thr 1800] out: sssl_hdl = 0x115e46750

Thr 1800] NiIBlockMode: set blockmode for hdl 6 TRUE

Thr 1800] SSL NI-sock: local=192.168.5.23:59600 peer=192.168.5.52:8443

Thr 1800] <<- SapSSLSetNiHdl(sssl_hdl=0x115e46750, ni_hdl=6)==SAP_O_K

Thr 1800] SapISSLComposeFilename(): Filename = "/usr/sap/Q01/DVEBMGS00/sec/SAPSSLTESSSL.pse"

Thr 1800] <<- SapSSLSetSessionCredential(sssl_hdl=0x115e46750)==SAP_O_K

Thr 1800] in: cred_name = "/usr/sap/Q01/DVEBMGS00/sec/SAPSSLTESSSL.pse"

Thr 1800] <<- SapSSLSetTargetHostname(sssl_hdl=0x115e46750)==SAP_O_K

Thr 1800] in: hostname = "j2eedevt.eds.jjsea.com"

Thr 1800] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

Thr 1800] session uses PSE file "/usr/sap/Q01/DVEBMGS00/sec/SAPSSLTESSSL.pse"

Thr 1800] SecudeSSL_SessionStart: SSL_connect() failed

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 1800] >> Begin of Secude-SSL Errorstack >>

[Thr 1800] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "CN=VeriSign Trial Secure Server CA - G2, OU=

ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete

[Thr 1800] << End of Secude-SSL Errorstack

[Thr 1800] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 1800] No certificate request received from Server

[Thr 1800] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x115e46750)==SSSLERR_SSL_CONNECT

[Thr 1800] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT

[Thr 1800] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 201

[Thr 1800] <<- SapSSLSessionDone(sssl_hdl=0x115e46750)==SAP_O_K

[Thr 1800] IcmConnConnect(id=2/604): free MPI request blocks

[Thr 1800] MPI<3b4>4#7 GetInbuf -1 16f4b8 225 (1) -> 6

[Thr 1800] MPI<3b3>5#4 GetOutbuf -1 17f4f0 65536 (0) -> 0x70000003017f510 0

[Thr 1800] NiIGetServNo: servicename '8000' = port 1F.40/8000

[Thr 1800] MPI<3b3>5#5 FlushOutbuf l-1 1 1 17f4f0 2180 6 -> 0x70000003017f4f0 0

[Thr 1800] NiICloseHandle: shutdown and close hdl 6 / sock 46

[Thr 1800] IcmConnFreeContext: context 2 released

[Thr 1800] IcmServDecrRefCount: sapqa.eds.xxxx.com:5443 - serv_ref_count: 1

[Thr 1800] IcmWorkerThread: Thread 4: Waiting for event

[Thr 3342] Wed Jan 20 15:02:02 2010

[Thr 3342] NiSelISelectInt: 0 handles selected (0 buffered)

Anybody could help ?

Edited by: Muda Ikhsan on Jan 20, 2010 3:09 PM

Edited by: Muda Ikhsan on Jan 20, 2010 3:11 PM
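
The fields that matter for triaging the trace above can be pulled out mechanically. The following is an added example, not part of the original post and not an SAP tool: a Python sketch that scans ICM trace lines for a failed outbound SSL handshake and reports the PSE in use, the target host, the Secude error and the certificate subject named in the "chain incomplete" message. The sample lines are copied from the trace as posted; the function and field names are hypothetical.

```python
import re

# Sample lines copied from the trace in the post above (truncations kept as posted).
SAMPLE_TRACE = """\
Thr 1800] in: cred_name = "/usr/sap/Q01/DVEBMGS00/sec/SAPSSLTESSSL.pse"
Thr 1800] in: hostname = "j2eedevt.eds.jjsea.com"
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 1800] >> Begin of Secude-SSL Errorstack >>
[Thr 1800] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "CN=VeriSign Trial Secure Server CA - G2, OU=
ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
Thr 1800] << End of Secude-SSL Errorstack
[Thr 1800] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x115e46750)==SSSLERR_SSL_CONNECT
"""

PREFIX = re.compile(r"^\[?Thr \d+\]\s*")  # thread tag, with or without the leading "["
CRED = re.compile(r'cred_name = "([^"]+)"')
HOST = re.compile(r'in: hostname = "([^"]+)"')
SECUDE = re.compile(r'secude_error (\d+) \(0x[0-9a-fA-F]+\) = "([^"]*)"')
STACK = re.compile(r"ERROR in (\w+): \((\d+)/0x[0-9a-fA-F]+\) (.*)")
INCOMPLETE = re.compile(r'Chain of certificates is incomplete : "(.*)')

def summarize_ssl_failure(trace: str) -> dict:
    """Collect the fields needed to triage a failed outbound SSL handshake."""
    out = {"pse": None, "host": None, "secude_error": None,
           "stack": [], "incomplete_at": None, "failed": False}
    in_stack = False
    for raw in trace.splitlines():
        line = PREFIX.sub("", raw.strip())
        if not line:
            continue
        if "Begin of Secude-SSL Errorstack" in line:
            in_stack = True
        elif "End of Secude-SSL Errorstack" in line:
            in_stack = False
        elif in_stack and (m := STACK.search(line)):
            out["stack"].append((m.group(1), int(m.group(2))))
            if (c := INCOMPLETE.search(m.group(3))):
                out["incomplete_at"] = c.group(1).rstrip('"')  # may be cut off in the trace
        elif (m := CRED.search(line)):
            out["pse"] = m.group(1)
        elif (m := HOST.search(line)):
            out["host"] = m.group(1)
        elif (m := SECUDE.search(line)):
            out["secude_error"] = (int(m.group(1)), m.group(2))
        elif "SapSSLSessionStart" in line and "SSSLERR_SSL_CONNECT" in line:
            out["failed"] = True
    return out
```
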

Former Member
0 Kudos

Are you connecting to another ABAP/J2EE system or ABAP only system?

The certificates you'd need should be stored on STRUST or STRUSTSSO2 (on ABAP side).

STRUST = Certificates

STRUSTSSO2 (O not zero) = Logon tickets for SSO (best to get it done sooner rather than later); you can do the STRUST activities in this transaction.

7.0 or 7.1 or 7.11

You'll need to go to the J2EE engine and run the sso2 web page (NWA for 7.10 or 7.11) and check that the J2EE engine has the certificate from either the ABAP or J2EE engines; it should actually give you the option to pull the target certificate to the J2EE engine's certificate.

7.0: depending on the level of SPs, the link is just http://<PI Hostname or Alias>5<System Number>00/sso2

7.10 or 7.11: NWA (after login) -> Configuration Management -> Trusted System (Single Sign-On with SAP Logon Tickets)

Here you can add or update your certificates to other ABAP or J2EE systems; all you'll need are IDs for the target systems.

You will have to manually put both the J2EE and ABAP certificates onto the target system (STRUSTSSO2). You can even get the certificate from PI/ABAP to PI/J2EE from the J2EE side (NWA/WEB).

Hope this helps, you'll also want to probably configure SSO (Single Sign On) if you haven't already.

(PI 7.1) http://help.sap.com/saphelp_nwpi71/helpdata/EN/45/24d3e18d494aa8e10000000a11466f/frameset.htm

Good Luck

Sorry forgot to add that it looks like in the error message above, it's not fully configured (that's why I posted the above).

Edited by: Rocco Espina on Jan 21, 2010 11:18 AM