
Problem enabling HTTPS on SAP Web AS 6.20

Former Member
0 Kudos

Hi,

I'm trying to enable HTTPS on a Netweaver '04 (SP14) server but am having a bit of difficulty after enabling HTTPS.

The HTTPS service shows as active in the ICM monitor but when I try to test the "ping" bsp I get the following error in the ICM trace file :-

[Thr 12] IcmWatchDogThread: watchdog started

[Thr 14] ISC: created 400 MB disk cache.

[Thr 14] Thu Jun 22 11:17:14 2006

[Thr 14] ISC: created 50 MB memory cache.

[Thr 14] HttpSubHandlerAdd: Added handler HttpCacheHandler(slot=0, flags=12293) for /:0

[Thr 14] HttpSubHandlerAdd: Added handler HttpSAPR3Handler(slot=1, flags=4101) for /:0

[Thr 14] HttpSubHandlerAdd: Added handler HttpJ2EEHandler(slot=2, flags=1077253) for /:0

[Thr 14] Started service 8004 for protocol HTTP on host "hapq3.sapqas.mcc"(on all adapters) (process

[Thr 14] =================================================

[Thr 14] = SSL Initialization on SUN on SPARC CPU with Solaris 2.2

[Thr 14] = (640_REL,Jul 2 2005,mt,ascii,SAP_UC/size_t/void* = 8/64/64)

[Thr 14] = found SAPCRYPTOLIB 5.5.5C pl17 (Aug 11 2005) MT-safe

[Thr 14] = current UserID: "bwsadm", env-var USER=<not set>

[Thr 14] ******** Warning ********

[Thr 14] *** You should define environment variable SECUDIR !

[Thr 14] *************************

[Thr 14] = using SECUDIR=/usr/sap/BWS/DVEBMGS04/sec

[Thr 14] = secudessl_Create_SSL_CTX(): PSE "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLC.pse" not found,

[Thr 14] = using PSE "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLS.pse" as fallback

[Thr 14] = secudessl_Create_SSL_CTX(): PSE "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLA.pse" not found,

[Thr 14] = using PSE "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLS.pse" as fallback

[Thr 14] ******** Warning ********

[Thr 14] *** No SSL-client PSE "SAPSSLC.pse" available

[Thr 14] *** this will probably limit SSL-client side connectivity

[Thr 14] ********

[Thr 14] = Success SapCryptoLib SSL ready!

[Thr 14] =================================================

[Thr 14] Started service 8994 for protocol HTTPS on host "hapq3.sapqas.mcc"(on all adapters) (proces

[Thr 11] MPI<3>0#3 Peak buffer usage: 1 (@ 64 KB)

[Thr 09] MPI<5>2#3 Peak buffer usage: 2 (@ 64 KB)

[Thr 14] IcmNetCheck: network check passed without detecting problems

[Thr 08] Thu Jun 22 11:17:15 2006

[Thr 08] MPI<7>4#3 Peak buffer usage: 3 (@ 64 KB)

[Thr 07] MPI<9>6#3 Peak buffer usage: 4 (@ 64 KB)

[Thr 01] Thu Jun 22 11:17:43 2006

[Thr 01] HttpSAPR3SetParam: switch j2ee http port from to: 50400

[Thr 01] HttpSAPR3SetParam: switch j2ee https port from to: 50401

[Thr 01] Thu Jun 22 11:18:10 2006

[Thr 01] HttpSAPR3SetParam: Switched j2ee status to: 1

[Thr 11] Thu Jun 22 11:18:19 2006

[Thr 11] *** ERROR => No common SSL ciphersuite with SSL client!

[Thr 11] SSL socket: local=10.112.210.12:8994 peer=10.112.230.55:3392

[Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=104c02350)==SSSLERR_SSL_ACCEPT

[Thr 11] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [i

[Thr 11] SSL_get_state() returned 0x00001210 "SSLv2/v3 read client hello A"

[Thr 11] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL

[Thr 11] session uses PSE file "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLS.pse"

[Thr 11] SecudeSSL_SessionStart: SSL_accept() failed

secude_error 536871687 (0x20000307) = "the client hello handshake message requests SSLv2, which is

[Thr 11] >> Begin of Secude-SSL Errorstack >>

[Thr 11] ERROR in ssl23_get_client_hello: (536871687/0x20000307) the client hello handshake message

[Thr 11] << End of Secude-SSL Errorstack

[Thr 11] SSL socket: local=10.112.210.12:8994 peer=10.112.230.55:3393

[Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=104c02350)==SSSLERR_SSL_ACCEPT

[Thr 11] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [i

[Thr 11] *** ERROR => No common SSL ciphersuite with SSL client!

[Thr 11] SSL socket: local=10.112.210.12:8994 peer=10.112.230.55:3394

[Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=104c02350)==SSSLERR_SSL_ACCEPT

[Thr 11] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [i

[Thr 11] SSL_get_state() returned 0x00001210 "SSLv2/v3 read client hello A"

[Thr 11] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL

[Thr 11] session uses PSE file "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLS.pse"

[Thr 11] SecudeSSL_SessionStart: SSL_accept() failed

secude_error 536871687 (0x20000307) = "the client hello handshake message requests SSLv2, which is

[Thr 11] >> Begin of Secude-SSL Errorstack >>

[Thr 11] ERROR in ssl23_get_client_hello: (536871687/0x20000307) the client hello handshake message

[Thr 11] << End of Secude-SSL Errorstack

[Thr 11] SSL socket: local=10.112.210.12:8994 peer=10.112.230.55:3395

[Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=104c02350)==SSSLERR_SSL_ACCEPT

[Thr 11] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [i

The Steps I went through to get to this point are :-

Set profile param : icm/server_port_2 = PROT=HTTPS,PORT=8994

Placed the SAP Crypto library in the /sapmnt/<SID>/exe directory.

Created a system PSE file using STRUST and saved it to the /usr/sap/<SID>/DVEBMGS04/sec directory - SAPSSLS.ps

Changed param icm/HTTPS/verify_client = 0 dynamically to be able to test.

Can anyone suggest what I need to do to get the bsp to work using the HTTPS protocol - works fine using the HTTP port.

Regards,

Brian.

Accepted Solutions (0)

Answers (4)


Former Member
0 Kudos

Even I am also getting the same error:

[Thr 2057] << - End of Secude-SSL Errorstack -


[Thr 2057] SSL NI-sock: unix domain socket="/tmp/.sapicm8503"

[Thr 2057] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x115f4ec10)==SSSLERR_SSL_ACCEPT

[Thr 2057] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn_mt. 1777]

[Thr 2828] SSL_get_state() returned 0x00001181 "SSLv3 read client certificate B"

[Thr 2828] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL

[Thr 2828] SecudeSSL_SessionStart: SSL_accept() failed --

secude_error 9 (0x00000009) = "the verification of the client's certificate chain failed"

[Thr 2828] >> - Begin of Secude-SSL Errorstack - >>

[Thr 2828] ERROR in ssl3_get_client_certificate: (9/0x0009) the verification of the client's certificate chain failed

ERROR in af_verify_Certificates: (12851/0x3233) Verification of one certificate of path failed

ERROR in sec_decrypt_Digest: (12848/0x3230) verification failed, see decrypted digest

Please help in finding the solution. Waiting for reply

Regards

Punit

Former Member
0 Kudos

Guys,

I faced the same problem and it got fixed. Check "bwsadm" as current user and when you create the credential file enter:

./sapgenpse seclogin -p SAPSSL.PSE -x <PIN you entered> -O bwsadm

Check the log and change the -O option to your current user. In the above syntax, bwsadm is the current user found in the log provided by the user.

Suresh Bollina

Former Member
0 Kudos

Hi Eddy,

Many thanks for your reply.

Yes, I followed that procedure. I've been through it again and now my HTTPS service in ICM is not active - I get an error in the ICM trace file :-

[Thr 14] HttpSubHandlerAdd: Added handler HttpJ2EEHandler(slot=2, flags=1077253) for /:0

[Thr 14] Started service 8004 for protocol HTTP on host "hapq3.sapqas.mcc"(on all adapters) (processing timeout

[Thr 14] =================================================

[Thr 14] = SSL Initialization on SUN on SPARC CPU with Solaris 2.2

[Thr 14] = (640_REL,Jul 2 2005,mt,ascii,SAP_UC/size_t/void* = 8/64/64)

[Thr 14] = found SAPCRYPTOLIB 5.5.5C pl17 (Aug 11 2005) MT-safe

[Thr 14] = current UserID: "bwsadm", env-var USER=<not set>

[Thr 14] = found SECUDIR environment variable

[Thr 14] = using SECUDIR=/usr/sap/BWS/DVEBMGS04/sec

[Thr 14] *** ERROR => secudessl_Create_SSL_CTX(): PSE "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLS.pse" not found! [s

[Thr 14] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed

secude_error 4129 (0x00001021) = "The PSE does not exist"

[Thr 14] >> Begin of Secude-SSL Errorstack >>

[Thr 14] ERROR in SSL_CTX_set_default_pse_by_name: (4129/0x1021) The PSE does not exist

ERROR in ssl_set_pse: (4129/0x1021) The PSE does not exist

ERROR in af_open: (4129/0x1021) The PSE does not exist

ERROR in secsw_open: (4129/0x1021) The PSE does not exist

ERROR in sec_open: (4129/0x1021) The PSE does not exist

ERROR in sec_get_PSEtype: (4129/0x1021) The PSE does not exist : "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLS.pse"

[Thr 14] << End of Secude-SSL Errorstack

[Thr 14] *** ERROR => Initialization of SSL library failed NO SSL available!

[Thr 14] =================================================

[Thr 14] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR

[Thr 14] *** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv_mt. 348]

[Thr 11] MPI<3>0#3 Peak buffer usage: 1 (@ 64 KB)

[Thr 14] IcmNetCheck: network check passed without detecting problems

[Thr 09] MPI<5>2#3 Peak buffer usage: 2 (@ 64 KB)

[Thr 08] Thu Jun 22 18:23:11 2006

But there is a SAPSSLS.pse file in the directory with the correct permissions etc.

Regards,

Brian.
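
A small triage script for the three failure modes in the traces above, as an added example that is not part of the original thread: it pairs each `secude_error` line with the thread, SSL state and peer logged just before it. The category names are assumptions made for this example; the sample lines are copied from the posts above, truncated where the page truncates them.

```python
import re
from collections import Counter

# Trace lines copied from the posts above, truncated where the page truncates them.
SAMPLE_TRACE = """\
[Thr 11] *** ERROR => No common SSL ciphersuite with SSL client!
[Thr 11] SSL socket: local=10.112.210.12:8994 peer=10.112.230.55:3392
[Thr 11] SSL_get_state() returned 0x00001210 "SSLv2/v3 read client hello A"
secude_error 536871687 (0x20000307) = "the client hello handshake message requests SSLv2, which is
[Thr 2828] SSL_get_state() returned 0x00001181 "SSLv3 read client certificate B"
secude_error 9 (0x00000009) = "the verification of the client's certificate chain failed"
[Thr 14] *** ERROR => secudessl_Create_SSL_CTX(): PSE "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLS.pse" not found! [s
secude_error 4129 (0x00001021) = "The PSE does not exist"
"""
# Category labels are names chosen for this example, keyed by secude_error code.
CATEGORY = {0x20000307: "client-hello-sslv2", 0x0009: "client-cert-chain",
            0x1021: "pse-missing"}
THR = re.compile(r'^\[Thr (\d+)\]\s*(.*)$')
SECUDE = re.compile(r'^secude_error (\d+) \((0x[0-9a-fA-F]+)\) = "(.*?)"?$')
STATE = re.compile(r'SSL_get_state\(\) returned \S+ "([^"]*)"')
PEER = re.compile(r'peer=(\S+)')

def parse_trace(text):
    """Pair each secude_error line with the thread context logged before it."""
    events, ctx = [], {}
    for line in text.splitlines():
        m = THR.match(line.strip())
        if m:
            if m.group(1) != ctx.get("thread"):  # new thread: drop stale context
                ctx = {"thread": m.group(1)}
            for key, rx in (("state", STATE), ("peer", PEER)):
                hit = rx.search(m.group(2))
                if hit:
                    ctx[key] = hit.group(1)
            continue
        m = SECUDE.match(line.strip())
        if m:  # secude_error lines carry no [Thr] prefix; reuse the last context
            code = int(m.group(1))
            events.append({**ctx, "code": code, "message": m.group(3),
                           "category": CATEGORY.get(code, "unclassified")})
    return events

def summarize(events):
    """Count events per category so repeated handshake failures stand out."""
    return Counter(e["category"] for e in events)

if __name__ == "__main__":
    for e in parse_trace(SAMPLE_TRACE):
        print(e)
```
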

Former Member
0 Kudos

Hi,

I am facing same kind of problem in one server. If you have fixed the issue, please let me know how it can be done.

Thanks & Regards

Prem

Former Member
0 Kudos

Hello,

In transaction STRUST, did you create a System PSE or an SSL server PSE?

Obviously this is the SSL Server PSE that you need.

eddy_declercq
Active Contributor
0 Kudos

Hi,

Did you follow exactly what is mentioned here:

http://help.sap.com/saphelp_nw2004s/helpdata/en/52/31683ab81fd846e10000000a11402f/content.htm

Did you restart the ICM?

Why did you set verify_client to 0 instead of 1?

Eddy

PS.

Did you put yourself on the SDN world map already? Pls check

/people/eddy.declercq/blog/2006/06/14/from-the-grumpy-old-man-hoy-en-el-mundo

for details.