
HTTPS - SSL configuration between SAP Web Dispatcher & SAP AS ABAP

Former Member
0 Kudos

For the love of me I can't figure out what the problem is. The tutorial I developed from the last time we did a PRD to DEV SAP copy doesn't seem to work this time around to solve the problem.

What I keep running into is the error that it finds the "Root" certificate but it doesn't match the given PKRoot.

[Thr 3596] Tue Mar 02 09:17:10 2010

[Thr 3596] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 3596] SecudeSSL_SessionStart: SSL_connect() failed --

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 3596] >> - Begin of Secude-SSL Errorstack - >>

[Thr 3596] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=*.server.local, OU=<our CO>, OU=SAP Web AS, O=SAP Trust Community, C=DE"

ERROR in get_path: (27/0x001b) Found root certificate of <CN=*.server.local, OU=<our CO>, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot

ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=*.server.local, OU=<our CO>, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot

[Thr 3596] << - End of Secude-SSL Errorstack -


[Thr 3596] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 3596] SSL NI-sock: local=192.168.251.119:2821 peer=192.0.2.31:44300

[Thr 3596] <<- ERROR: SapSSLSessionStart(sssl_hdl=04BBA228)==SSSLERR_SSL_CONNECT

[Thr 3596] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn.c 2012]

[Thr 3596] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx.c 5234]

[Thr 3596] *** ERROR => Could not connect to SAP Message Server at onebase. URL=/msgserver/text/logon?version=1.2 [icrxx.c 2591]

[Thr 3596] *** ERROR => rc=-1, HTTP response code: 0 [icrxx.c 2592]

[Thr 3596] *** ERROR => see also OSS note 552286 [icrxx.c 2593]

My question is: where is it comparing to the PKRoot at? I have no clue where it's looking for that at.

8 REPLIES 8

Former Member
0 Kudos

Did you check 1094342 ?

0 Kudos

Ok, I figured out the problem.

It looks like when you make changes inside of STRUST, the changes aren't reflected until the system is rebooted. Even though I made changes on our DEV system to what they were before the PRD to DEV copy, it was still recognizing the PRD data.

So a reboot fixed it, along with the recreation of the SAPSSLC.pse files from the web dispatcher.

0 Kudos

A reboot will make changes in the PSE become active in ICM - but you do NOT need to reboot.

You only need to restart ICM.

TA: SMICM

Menu: "Administration --> ICM --> Exit soft"

0 Kudos

Why use "Exit Soft"? Can you just do Restart?

0 Kudos

The menu item named "Restart" does not restart the ICM, whereas "Exit soft" does.

0 Kudos

>The menu item named "Restart" does not restart the ICM, whereas "Exit soft" does.

Typical SAP ergonomics!

You get used to it, but I don't know any other software so illogical. The water must be special in Walldorf, I guess!

Olivier

0 Kudos

Applying a new SSL on strust applies the certificate to the message server as well. Restarting ICM will only affect the application servers. The whole instance will have to be restarted in order for the new SSL settings to come into effect across the instance.

Jaleel.

0 Kudos

A restart is needed, but not for ICM reasons. STRUST will inform ICM when changes are made. No need to restart the ICM. However, the webdispatcher is not only talking to the ICM, but also with the message server. The message server will read the modified PSE only at startup and that is the reason the system needs to be restarted.
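Added example, not part of any post in this thread: a small Python triage script for a Web Dispatcher/ICM trace like the one in the question. It pulls out the secude error, the certificate subject (including a DN that itself contains angle brackets), the peer, and the component that could not be reached. The function names, dictionary keys and the wording of the hint are assumptions made for this example; the hint restates what the replies above report and is not SAP guidance.

```python
import re

# Constructed sample: four lines taken from the trace posted in the question.
SAMPLE_TRACE = '''\
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
ERROR in get_path: (27/0x001b) Found root certificate of <CN=*.server.local, OU=<our CO>, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot
[Thr 3596] SSL NI-sock: local=192.168.251.119:2821 peer=192.0.2.31:44300
[Thr 3596] *** ERROR => Could not connect to SAP Message Server at onebase. URL=/msgserver/text/logon?version=1.2 [icrxx.c 2591]
'''

SECUDE_RE = re.compile(r'secude_error (\d+) \(0x[0-9a-fA-F]+\) = "([^"]+)"')
# Greedy match on purpose: the posted DN contains a nested "<our CO>".
PKROOT_RE = re.compile(r"Found root certificate of <(.+)> which does not fit the given PKRoot")
PEER_RE = re.compile(r"SSL NI-sock: local=\S+ peer=(\S+)")
TARGET_RE = re.compile(r"Could not connect to (.+?) at (\S+?)\.? URL=")


def triage(trace):
    """Summarise the SSL handshake failure recorded in a trace excerpt."""
    f = {"secude_error": None, "subject": None, "peer": None,
         "component": None, "host": None, "pkroot_mismatch": False}
    for line in trace.splitlines():
        if (m := SECUDE_RE.search(line)) and f["secude_error"] is None:
            f["secude_error"] = (int(m.group(1)), m.group(2))
        elif m := PKROOT_RE.search(line):
            f["pkroot_mismatch"], f["subject"] = True, m.group(1)
        elif m := PEER_RE.search(line):
            f["peer"] = m.group(1)
        elif m := TARGET_RE.search(line):
            f["component"], f["host"] = m.group(1), m.group(2)
    return f


def hint(f):
    """Map a finding to what the thread's replies report (assumed wording)."""
    if not f["pkroot_mismatch"]:
        return "no PKRoot mismatch in this trace"
    if f["component"] and "Message Server" in f["component"]:
        return ("peer is the message server: per the thread it reads its PSE "
                "only at startup, so recreate SAPSSLC.pse and restart the system")
    return "compare the peer certificate with the trust list in SAPSSLC.pse"


if __name__ == "__main__":
    finding = triage(SAMPLE_TRACE)
    print(finding)
    print(hint(finding))
```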