bad record mac error in Prod?

Hi Guys,

we have some of the messages failing in prod with the below error in PI 7.1.

com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: bad record mac

any help or suggestions would be appreciated

Thanks,

Srini

SAP Managed Tags:
SAP Process Integration

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Accepted Solutions (0)

Answers (2)

we have resolved the problem. we have made the NIC changes and it has solved the problem.

Thanks,

Srini

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hi Srini,

We also have the same error in one of the DAE after pathcing the system to SPS 20 for PI 7.0 system.

PLEASE LET ME KNOW what kind of NIC CHANGES you have performed or other team has performed to resolved this ?

Thanks.

divs

Hi Srinivas,

would you mind posting the solution? It would be a great help for all of us at sdn here and a great way of community spirit.

Thanks

Holger,

Hello,

At one of my clients we have got the same issue.

We tested our configuration on 3 environments and occasionally we getting the "Bad Record Mac" issue. It's verry unpredictable when the issue is shows up.

One of the test-scenarios, deliberately using a set of invalid certificates that were not yet expired, showed that this error occured every time. This points in the direction of certificate-related problems. However the certificates that we normally use are valid and not expired.

Interface Configuration:

SAP ERP 6.0 -

xml/proxy--~~> SAP PI 7.11 -~~

SOAP/https+signature--> Legacy system

(HTTPS & SOAP Adapter using the AXIS Framework with signature)

If anyone has an idea which settings we should check, we are very interested

Kind regards,

Ramon

Hi,

this isn't an XI/PI issue as such but my understanding is that the problem relates to the IAIK libraries.

The SAP Java App. Server <= 7.0 SP20 used (offered to the server it was connecting to ) version 3.0 - 3.1.

From SP20 the IAIK implementation changed and versions offered are 3.0 - 3.2.

The server selects the highest version that the client offers so if the server's own IAIK implementation doesn't recognise 3.2 then thie 'bad record mac' error occurs.

The solutions are:

(1)

to get the server to implement SSL version 3.2

(2)

replace the IAIK libraries on the SAP Java App. server with older IAIK libraries :

iaik_ssl.jar

w3c_http.jar.

Located :

..j2ee\cluster\server0\bin\ext\tc_secssl in case of 7.00

..j2ee\cluster\bin\ext\mail-activation-iaik in case of 7.10 or higher

---

Obviously option (1) is the best option.

Regards

Kenny

Hello Kenny,

we are currently faicing the same bad record mac problem with one of our partners.

here is the log:

Starting handshake (iSaSiLk 4.1)...

ssl_debug(117): Sending v3 client_hello message, requesting version 3.2...

ssl_debug(117): Received v3 server_hello handshake message.

ssl_debug(117): Server selected SSL version 3.1.

ssl_debug(117): Server created new session C0:CA:2C:69:73:F5:50:02...

ssl_debug(117): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA

ssl_debug(117): CompressionMethod selected by server: NULL

ssl_debug(117): Received certificate handshake message with server certificate.

ssl_debug(117): Server sent a 1024 bit RSA certificate, chain has 2 elements.

ssl_debug(117): ChainVerifier: Found a trusted certificate, returning true

ssl_debug(117): Received server_hello_done handshake message.

ssl_debug(117): Sending client_key_exchange handshake message (1024 bit)...

ssl_debug(117): Sending change_cipher_spec message...

ssl_debug(117): Sending finished message...

ssl_debug(117): Received alert message: Alert Fatal: bad record mac

ssl_debug(117): SSLException while handshaking: Peer sent alert: Alert Fatal: bad record mac

ssl_debug(117): Shutting down SSL layer...

as you can see our PI 7.11 asked for 3.2, but server requested 3.1, but in the end it failed with the error.

so seems like the error is not because the server is selecting the highest version available and than failing...

Best Regards,

Artsiom Anichenka

Hi Srinivas,

Error seems to be related with SSL certificate install in STRUST transaction in ABAP stack. Check if SSL certificate is expaired and also if Sender and Receiver using same SSL Certificate.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hi Rajhans,

Thanks for the quick response. we dont have any cert maintained in the STRUST in the ABAP stack and all certs are maintained in the Java stack. Probably we need to check the certs on the receiver system.

Thanks,

Srini

Hi Srinivas,

Ya I missed Java stack certifcates check certificate whether it is not expaired and receiver system installed proper certicate.

Hi Rajhans,

I am seeing this error in the sender soap adapter channel. I have checked the certs in the java stack and all of them are good.

Thanks,

Srini

Hi guys,

Im just curious Im having the same problem and it seems to have started after I patched my system to SPS21 on 7.00. Is it possible that the patches have changed something since all my certs are also fine and worked before the new patches.

Regards,

Waleed

Hi Waleed,

Do you have the problem with the soap adapter. Can you please explain your scenario and where you are seeing this error?

Thanks,

Srini

Hi Srini,

I am sending orders over a soap connection from XI to a webmethods system. We received a bad record mac error after patching the system to SPS21. We bypassed security by removing the cert in the integration builder setup and used userid and password to authenticate. We still need to get certs working though before we start patching on Production.

Regards,

Waleed

Thanks Waleed. Are you facing this problem with the soap adapter?

Srini

Ask a Question

Top Q&A Solution Author

User

Count