on 02-20-2010 5:34 AM
Hi Guys,
We have some of the messages failing in prod with the below error in PI 7.1.
com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: bad record mac
Any help or suggestions would be appreciated.
Thanks,
Srini
We have resolved the problem. We have made the NIC changes and it has solved the problem.
Thanks,
Srini
Hello,
At one of my clients we have got the same issue.
We tested our configuration on 3 environments and occasionally we get the "Bad Record Mac" issue. It's very unpredictable when the issue shows up.
One of the test scenarios, deliberately using a set of invalid certificates that were not yet expired, showed that this error occurred every time. This points in the direction of certificate-related problems. However, the certificates that we normally use are valid and not expired.
Interface Configuration:
SAP ERP 6.0 -
xml/proxy--> SAP PI 7.11 -
(HTTPS & SOAP Adapter using the AXIS Framework with signature)
If anyone has an idea which settings we should check, we are very interested.
Kind regards,
Ramon
Hi,
this isn't an XI/PI issue as such but my understanding is that the problem relates to the IAIK libraries.
The SAP Java App. Server <= 7.0 SP20 used (offered to the server it was connecting to) version 3.0 - 3.1.
From SP20 the IAIK implementation changed and versions offered are 3.0 - 3.2.
The server selects the highest version that the client offers, so if the server's own IAIK implementation doesn't recognise 3.2 then the 'bad record mac' error occurs.
The solutions are:
(1) to get the server to implement SSL version 3.2
(2) replace the IAIK libraries on the SAP Java App. server with older IAIK libraries:
iaik_ssl.jar
w3c_http.jar
Located:
..j2ee\cluster\server0\bin\ext\tcsecssl in case of 7.00
..j2ee\cluster\bin\ext\mail-activation-iaik in case of 7.10 or higher
---
Obviously option (1) is the best option.
Regards
Kenny
Hello Kenny,
We are currently facing the same bad record mac problem with one of our partners.
Here is the log:
Starting handshake (iSaSiLk 4.1)...
ssl_debug(117): Sending v3 client_hello message, requesting version 3.2...
ssl_debug(117): Received v3 server_hello handshake message.
ssl_debug(117): Server selected SSL version 3.1.
ssl_debug(117): Server created new session C0:CA:2C:69:73:F5:50:02...
ssl_debug(117): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA
ssl_debug(117): CompressionMethod selected by server: NULL
ssl_debug(117): Received certificate handshake message with server certificate.
ssl_debug(117): Server sent a 1024 bit RSA certificate, chain has 2 elements.
ssl_debug(117): ChainVerifier: Found a trusted certificate, returning true
ssl_debug(117): Received server_hello_done handshake message.
ssl_debug(117): Sending client_key_exchange handshake message (1024 bit)...
ssl_debug(117): Sending change_cipher_spec message...
ssl_debug(117): Sending finished message...
ssl_debug(117): Received alert message: Alert Fatal: bad record mac
ssl_debug(117): SSLException while handshaking: Peer sent alert: Alert Fatal: bad record mac
ssl_debug(117): Shutting down SSL layer...
As you can see, our PI 7.11 asked for 3.2, but server requested 3.1, but in the end it failed with the error.
So it seems like the error is not because the server is selecting the highest version available and then failing...
Best Regards,
Artsiom Anichenka
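A triage script for ssl_debug handshake traces like the one posted above, added here as an example; it is not code from any poster in this thread, nor from SAP or IAIK. The function name `triage` and its output keys are assumptions, and the embedded sample is an excerpt of the posted trace with the certificate lines left out.

```python
import re

# Wire version numbers as printed in the trace, mapped to protocol names.
VERSIONS = {"3.0": "SSL 3.0", "3.1": "TLS 1.0", "3.2": "TLS 1.1"}

# Excerpt of the trace posted above (certificate lines omitted).
SAMPLE = """\
Starting handshake (iSaSiLk 4.1)...
ssl_debug(117): Sending v3 client_hello message, requesting version 3.2...
ssl_debug(117): Received v3 server_hello handshake message.
ssl_debug(117): Server selected SSL version 3.1.
ssl_debug(117): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA
ssl_debug(117): Received server_hello_done handshake message.
ssl_debug(117): Sending client_key_exchange handshake message (1024 bit)...
ssl_debug(117): Sending change_cipher_spec message...
ssl_debug(117): Sending finished message...
ssl_debug(117): Received alert message: Alert Fatal: bad record mac
ssl_debug(117): SSLException while handshaking: Peer sent alert: Alert Fatal: bad record mac
"""

PATTERNS = {
    "offered": r"requesting version (\d\.\d)",
    "selected": r"Server selected SSL version (\d\.\d)",
    "cipher": r"CipherSuite selected by server: (\S+)",
    "alert": r"Received alert message: Alert (\w+): (.+)",
}

def triage(trace):
    """Summarise one handshake trace (hypothetical helper, not a vendor tool)."""
    out = {"sent": [], "alert": None}
    for line in trace.splitlines():
        msg = line.split("): ", 1)[-1].strip()  # drop the "ssl_debug(NNN): " prefix
        sent = re.match(r"Sending (?:v3 )?(\w+) ", msg)
        if sent and out["alert"] is None:
            out["sent"].append(sent.group(1))   # client messages sent before any alert
        for key, pattern in PATTERNS.items():
            m = re.search(pattern, msg)
            if m:
                out[key] = m.groups() if key == "alert" else m.group(1)
    out["offered_name"] = VERSIONS.get(out.get("offered"), "unknown")
    out["selected_name"] = VERSIONS.get(out.get("selected"), "unknown")
    out["negotiated_down"] = out.get("offered") != out.get("selected")
    # Finished is the first record sent under the newly negotiated keys, so an
    # alert right after it means the peer rejected that first protected record.
    out["alert_after_finished"] = out["alert"] is not None and out["sent"][-1:] == ["finished"]
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it over traces from working and failing connections to the same partner shows at a glance whether they differ in offered version, selected version, cipher suite, or the point at which the alert arrives.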
Hi Srinivas,
Error seems to be related to the SSL certificate installed in the STRUST transaction in the ABAP stack. Check if the SSL certificate is expired and also if Sender and Receiver are using the same SSL certificate.
Hi Srini,
I am sending orders over a soap connection from XI to a webmethods system. We received a bad record mac error after patching the system to SPS21. We bypassed security by removing the cert in the integration builder setup and used userid and password to authenticate. We still need to get certs working though before we start patching on Production.
Regards,
Waleed