on 06-22-2006 12:16 PM
Hi,
I'm trying to enable HTTPS on a Netweaver '04 (SP14) server but having a bit of difficulty after enabling HTTPS.
The HTTPS service shows as active in the ICM monitor but when I try to test the "ping" bsp I get the following error in the ICM trace file :-
[Thr 12] IcmWatchDogThread: watchdog started
[Thr 14] ISC: created 400 MB disk cache.
[Thr 14] Thu Jun 22 11:17:14 2006
[Thr 14] ISC: created 50 MB memory cache.
[Thr 14] HttpSubHandlerAdd: Added handler HttpCacheHandler(slot=0, flags=12293) for /:0
[Thr 14] HttpSubHandlerAdd: Added handler HttpSAPR3Handler(slot=1, flags=4101) for /:0
[Thr 14] HttpSubHandlerAdd: Added handler HttpJ2EEHandler(slot=2, flags=1077253) for /:0
[Thr 14] Started service 8004 for protocol HTTP on host "hapq3.sapqas.mcc"(on all adapters) (process
[Thr 14] =================================================
[Thr 14] = SSL Initialization on SUN on SPARC CPU with Solaris 2.2
[Thr 14] = (640_REL,Jul 2 2005,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
[Thr 14] = found SAPCRYPTOLIB 5.5.5C pl17 (Aug 11 2005) MT-safe
[Thr 14] = current UserID: "bwsadm", env-var USER=<not set>
[Thr 14] ******** Warning ********
[Thr 14] *** You should define environment variable SECUDIR !
[Thr 14] *************************
[Thr 14] = using SECUDIR=/usr/sap/BWS/DVEBMGS04/sec
[Thr 14] = secudessl_Create_SSL_CTX(): PSE "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLC.pse" not found,
[Thr 14] = using PSE "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLS.pse" as fallback
[Thr 14] = secudessl_Create_SSL_CTX(): PSE "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLA.pse" not found,
[Thr 14] = using PSE "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLS.pse" as fallback
[Thr 14] ******** Warning ********
[Thr 14] *** No SSL-client PSE "SAPSSLC.pse" available
[Thr 14] *** this will probably limit SSL-client side connectivity
[Thr 14] ********
[Thr 14] = Success SapCryptoLib SSL ready!
[Thr 14] =================================================
[Thr 14] Started service 8994 for protocol HTTPS on host "hapq3.sapqas.mcc"(on all adapters) (proces
[Thr 11] MPI<3>0#3 Peak buffer usage: 1 (@ 64 KB)
[Thr 09] MPI<5>2#3 Peak buffer usage: 2 (@ 64 KB)
[Thr 14] IcmNetCheck: network check passed without detecting problems
[Thr 08] Thu Jun 22 11:17:15 2006
[Thr 08] MPI<7>4#3 Peak buffer usage: 3 (@ 64 KB)
[Thr 07] MPI<9>6#3 Peak buffer usage: 4 (@ 64 KB)
[Thr 01] Thu Jun 22 11:17:43 2006
[Thr 01] HttpSAPR3SetParam: switch j2ee http port from to: 50400
[Thr 01] HttpSAPR3SetParam: switch j2ee https port from to: 50401
[Thr 01] Thu Jun 22 11:18:10 2006
[Thr 01] HttpSAPR3SetParam: Switched j2ee status to: 1
[Thr 11] Thu Jun 22 11:18:19 2006
[Thr 11] *** ERROR => No common SSL ciphersuite with SSL client!
[Thr 11] SSL socket: local=10.112.210.12:8994 peer=10.112.230.55:3392
[Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=104c02350)==SSSLERR_SSL_ACCEPT
[Thr 11] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [i
[Thr 11] SSL_get_state() returned 0x00001210 "SSLv2/v3 read client hello A"
[Thr 11] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 11] session uses PSE file "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLS.pse"
[Thr 11] SecudeSSL_SessionStart: SSL_accept() failed
secude_error 536871687 (0x20000307) = "the client hello handshake message requests SSLv2, which is
[Thr 11] >> Begin of Secude-SSL Errorstack >>
[Thr 11] ERROR in ssl23_get_client_hello: (536871687/0x20000307) the client hello handshake message
[Thr 11] << End of Secude-SSL Errorstack
[Thr 11] SSL socket: local=10.112.210.12:8994 peer=10.112.230.55:3393
[Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=104c02350)==SSSLERR_SSL_ACCEPT
[Thr 11] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [i
[Thr 11] *** ERROR => No common SSL ciphersuite with SSL client!
[Thr 11] SSL socket: local=10.112.210.12:8994 peer=10.112.230.55:3394
[Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=104c02350)==SSSLERR_SSL_ACCEPT
[Thr 11] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [i
[Thr 11] SSL_get_state() returned 0x00001210 "SSLv2/v3 read client hello A"
[Thr 11] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 11] session uses PSE file "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLS.pse"
[Thr 11] SecudeSSL_SessionStart: SSL_accept() failed
secude_error 536871687 (0x20000307) = "the client hello handshake message requests SSLv2, which is
[Thr 11] >> Begin of Secude-SSL Errorstack >>
[Thr 11] ERROR in ssl23_get_client_hello: (536871687/0x20000307) the client hello handshake message
[Thr 11] << End of Secude-SSL Errorstack
[Thr 11] SSL socket: local=10.112.210.12:8994 peer=10.112.230.55:3395
[Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=104c02350)==SSSLERR_SSL_ACCEPT
[Thr 11] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [i
The Steps I went through to get to this point are :-
Set profile param : icm/server_port_2 = PROT=HTTPS,PORT=8994
Placed the SAP Crypto library in the /sapmnt/<SID>/exe directory.
Created a system PSE file using STRUST and saved it to the /usr/sap/<SID>/DVEBMGS04/sec directory - SAPSSLS.ps
Changed param icm/HTTPS/verify_client = 0 dynamically to be able to test.
Can anyone suggest what I need to do to get the bsp to work using the HTTPS protocol - works fine using the HTTP port.
Regards,
Brian.
I am also getting the same error:
[Thr 2057] << - End of Secude-SSL Errorstack -
[Thr 2057] SSL NI-sock: unix domain socket="/tmp/.sapicm8503"
[Thr 2057] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x115f4ec10)==SSSLERR_SSL_ACCEPT
[Thr 2057] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn_mt. 1777]
[Thr 2828] SSL_get_state() returned 0x00001181 "SSLv3 read client certificate B"
[Thr 2828] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 2828] SecudeSSL_SessionStart: SSL_accept() failed --
secude_error 9 (0x00000009) = "the verification of the client's certificate chain failed"
[Thr 2828] >> - Begin of Secude-SSL Errorstack - >>
[Thr 2828] ERROR in ssl3_get_client_certificate: (9/0x0009) the verification of the client's certificate chain failed
ERROR in af_verify_Certificates: (12851/0x3233) Verification of one certificate of path failed
ERROR in sec_decrypt_Digest: (12848/0x3230) verification failed, see decrypted digest
Please help in finding the solution. Waiting for reply
Regards
Punit
Guys,
I faced the same problem and it got fixed. Check "bwsadm" as the current user, and when you create the credential file enter:
./sapgenpse seclogin -p SAPSSL.PSE -x <PIN you entered> -O bwsadm
Check the log and change the -O option to your current user. In the above syntax, bwsadm is the current user found in the log provided by the user.
Suresh Bollina
Hi Eddy,
Many thanks for your reply.
Yes, I followed that procedure. I've been through it again and now my HTTPS service in ICM is not active - I get an error in the ICM trace file :-
[Thr 14] HttpSubHandlerAdd: Added handler HttpJ2EEHandler(slot=2, flags=1077253) for /:0
[Thr 14] Started service 8004 for protocol HTTP on host "hapq3.sapqas.mcc"(on all adapters) (processing timeout
[Thr 14] =================================================
[Thr 14] = SSL Initialization on SUN on SPARC CPU with Solaris 2.2
[Thr 14] = (640_REL,Jul 2 2005,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
[Thr 14] = found SAPCRYPTOLIB 5.5.5C pl17 (Aug 11 2005) MT-safe
[Thr 14] = current UserID: "bwsadm", env-var USER=<not set>
[Thr 14] = found SECUDIR environment variable
[Thr 14] = using SECUDIR=/usr/sap/BWS/DVEBMGS04/sec
[Thr 14] *** ERROR => secudessl_Create_SSL_CTX(): PSE "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLS.pse" not found! [s
[Thr 14] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed
secude_error 4129 (0x00001021) = "The PSE does not exist"
[Thr 14] >> Begin of Secude-SSL Errorstack >>
[Thr 14] ERROR in SSL_CTX_set_default_pse_by_name: (4129/0x1021) The PSE does not exist
ERROR in ssl_set_pse: (4129/0x1021) The PSE does not exist
ERROR in af_open: (4129/0x1021) The PSE does not exist
ERROR in secsw_open: (4129/0x1021) The PSE does not exist
ERROR in sec_open: (4129/0x1021) The PSE does not exist
ERROR in sec_get_PSEtype: (4129/0x1021) The PSE does not exist : "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLS.pse"
[Thr 14] << End of Secude-SSL Errorstack
[Thr 14] *** ERROR => Initialization of SSL library failed NO SSL available!
[Thr 14] =================================================
[Thr 14] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 14] *** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv_mt. 348]
[Thr 11] MPI<3>0#3 Peak buffer usage: 1 (@ 64 KB)
[Thr 14] IcmNetCheck: network check passed without detecting problems
[Thr 09] MPI<5>2#3 Peak buffer usage: 2 (@ 64 KB)
[Thr 08] Thu Jun 22 18:23:11 2006
But there is a SAPSSLS.pse file in the directory with the correct permissions etc.
Regards,
Brian.
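Added example (not part of any post in this thread, and not SAP code): a small Python triage of the ICM trace lines quoted in the posts above. It pulls out the user ICM runs as (the value the sapgenpse answer passes to -O), SECUDIR, which PSE files were reported missing as a fatal error versus a fallback warning, and each secude_error with its count. The name summarize_trace and the sample trace are constructed here from lines in the thread.

```python
import re
from collections import Counter

# Constructed sample: single lines copied from the traces quoted in this thread.
SAMPLE_TRACE = """\
[Thr 14] = current UserID: "bwsadm", env-var USER=<not set>
[Thr 14] = using SECUDIR=/usr/sap/BWS/DVEBMGS04/sec
[Thr 14] = secudessl_Create_SSL_CTX(): PSE "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLC.pse" not found,
[Thr 14] *** ERROR => secudessl_Create_SSL_CTX(): PSE "/usr/sap/BWS/DVEBMGS04/sec/SAPSSLS.pse" not found! [s
secude_error 4129 (0x00001021) = "The PSE does not exist"
[Thr 11] SSL socket: local=10.112.210.12:8994 peer=10.112.230.55:3392
[Thr 11] SSL_get_state() returned 0x00001210 "SSLv2/v3 read client hello A"
secude_error 536871687 (0x20000307) = "the client hello handshake message requests SSLv2, which is
[Thr 11] SSL socket: local=10.112.210.12:8994 peer=10.112.230.55:3393
secude_error 536871687 (0x20000307) = "the client hello handshake message requests SSLv2, which is
[Thr 2828] SSL_get_state() returned 0x00001181 "SSLv3 read client certificate B"
secude_error 9 (0x00000009) = "the verification of the client's certificate chain failed"
"""

# One capture group each; values are de-duplicated in order of appearance.
PATTERNS = {
    "user": re.compile(r'current UserID: "([^"]+)"'),
    "secudir": re.compile(r"using SECUDIR=(\S+)"),
    "fatal_pse": re.compile(r'ERROR => .*PSE "([^"]+)" not found'),  # SSL init fails
    "fallback_pse": re.compile(r'^(?!.*ERROR =>).*PSE "([^"]+)" not found,'),  # warning only
    "state": re.compile(r'SSL_get_state\(\) returned 0x[0-9a-fA-F]+ "([^"]+)"'),
    "peer": re.compile(r"peer=([\d.]+):\d+"),
}
SECUDE = re.compile(r'secude_error (\d+) \(0x[0-9a-fA-F]+\) = "([^"]*)')

def summarize_trace(text):
    """Collect the SSL-relevant facts of an ICM trace into one dict."""
    out = {key: [] for key in PATTERNS}
    out["secude_errors"] = Counter()
    for line in text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m and m.group(1) not in out[key]:
                out[key].append(m.group(1))
        m = SECUDE.search(line)
        if m:  # the message may be cut off at the trace's line width
            out["secude_errors"][(int(m.group(1)), m.group(2))] += 1
    return out

if __name__ == "__main__":
    for key, value in summarize_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```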
Hi,
Did you follow exactly what is mentioned here:
http://help.sap.com/saphelp_nw2004s/helpdata/en/52/31683ab81fd846e10000000a11402f/content.htm
Did you restart the ICM?
Why did you set verify_client to 0 instead of 1?
Eddy
PS.
Did you put yourself on the SDN world map already? Pls check
/people/eddy.declercq/blog/2006/06/14/from-the-grumpy-old-man-hoy-en-el-mundo
for details.