WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject not set => do not trust any intermediary
X.509 cert data will be removed from header [http_plg.c 723]
[Thr 6068] ISC: created 400 MB disk cache.
[Thr 6068] ISC: created 50 MB memory cache.
[Thr 6068] HttpSubHandlerAdd: Added handler HttpCacheHandler(slot=0, flags=12293) for /:0
[Thr 6068] HttpExtractArchive: files from archive D:\usr\sap\EHD\DVEBMGS00\exe/icmadmin.SAR in directory D:/usr/sap/EHD/DVEBMGS00/data/icmanroot are up to date
[Thr 6068] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=1, flags=4101) for /sap/admin:0
[Thr 6068] CsiInit(): Initializing the Content Scan Interface
[Thr 6068] PC with Windows NT (mt,unicode,SAP_CHAR/size_t/void* = 16/64/64)
Goto TCode SMICM -> Goto->Services and check if the HTTPS service is present ,if not create a new HTTPS service from SMICM-> Goto -> Services -> Define (or Create).
Also, define the parameter icm/server_port_<n> in the instance profile as the service created above in SMICM will only remain until the system is restarted.
If you look into your instance profile, this parameter would have a few variants defined as follows:
Service name would be HTTPS. If ur sys nr. is XX, then ur HTTP port no. is usually 8XX0 and the HTTPS port no. is 8XX1. This is in case the system is ABAP only installation. On the other hand, if it is ABAP+JAVA, then ur HTTP port becomes 5<XX>00 and HTTPS becomes 5<XX>01.
Also, remember to set the icm server port parameter for HTTPS.
Can u tell me what is the port no. for HTTP in ur system in SMICM?
Create the service for HTTPS and give it port no. 8001. Then, from SMICM menu Administration, restart the ICM service.
Then, also set the following parameter in the instance profile:
icm/server_port_1 = PROT=HTTPS,PORT=8001.
The service that you are creating in SMICM will only last till you restart the system. The parameter will automatically create this service the automatically next time you restart the system.
Hope this helps. Do assign me p o i n t s if it does.
These changes are client independent. So it doesn't matter in which client you make this change.
Can you check your instance profile to see if there is any parameter for SMTP as well, just like you created for HTTPS? Chances are the <x> value in parameters icm/server_port_<x> might have conflicted.
Make sure there is no conflict of these parameters. I mean ensure that these 3 different protocols (HTTP, HTTPS, SMTP) are defined using different profile parameters:
icm/server_port_0 (for HTTP)
icm/server_port_1 (for HTTPS)
icm/server_port_2 (for SMTP)
You can even revert the changes you just made and go back and see the details of SMTP service and then set up these three parameters again. But usually, SMTP service has port no. 1025, but check your profile to see if theres been another setting for it.
I hope by now you've completely understood the role of this very important, yet simple parameter
Under Configuring SNC for Using the SAPCRYPTOLIB on the SAP Web AS, perform the steps:
1. Installing the SAP Cryptographic Library on the SAP Web AS (u need to download sapcryptolib files from service marketplace and place respective files in various folders at OF levl)
2. Setting the Trust Manager Profile Parameters (set parameters in profile and restart the system)
3. Creating the SNC PSE (simply create PSEs with default settings in STRUST transaction)
I gave u the link in the last step. Giving u detailed steps for SAPCRYPTOLIB installation here. Just download the package from service marketplace and install it as follows:
1. Install the SAPCRYPTOLIB on all application servers into the $DIR_EXECUTABLE directory. The library must not be older than version PL 10. Note 397175 describes the prerequisites for downloading the library. If you are using a 6.10 kernel, copy the license ticket SAPCRYPTOLIB (file "ticket") into the $DIR_INSTANCE/sec directory on all application servers. As of kernel release 6.20, the license ticket is automatically generated at the system start. On all application servers, set the environment variable (at OS level) SECUDIR to the directory $DIR_INSTANCE/sec. If you want to protect the PSEs (key files) with a password, set the environment variable USER on all UNIX systems to the name of the UNIX user under whom the SAP system is running.
2. Set the following profile parameters in the instance profile of all application servers and start the system:
ssf/name = SAPSECULIB
ssf/ssfapi_lib = <Path and file name of the SAPCRYPTOLIB>
sec/libsapsecu = <Path and file name of the SAPCRYPTOLIB>
ssl/ssl_lib = <Path and file name of the SAPCRYPTOLIB>
3. Call transaction STRUST (trust manager) to create the SSL server PSEs.
a) Create the default PSE (serves as a fallback for all instances without their own PSE).
Choose "Create" in the context menu of the "SSL server" node. As far as possible, the trust manager provides the correct entries so that you can then send the certificates to the SAP Trust Center Service for signing. In particular, set the following values:
Name = *.<WebAS domain>
Do not replace the "*" with a host name. The default PSE must also exist even if PSEs are created for all instances.
b) Create individual PSEs for all instances: A list of all active instances is displayed in a second dialog box. The default Distinguished Name (DN) contains the following entry:
CN = <host name>.<WebAS domain>
c) Create certificate requests for all instance PSEs. Expand the "SSL server" node in the tree control, double-click to load the instance PSE into the relevant node and select the "Generate certificate request" function. For the default PSE, you must only create a certificate request if there are instances without their own PSEs.
4. Create the SSL client PSE
5. Restart ICM.
Refer to the previously mentioned URL if you have any doubts. Can also refer to SAP Note # 510007.
Am afraid cannot provide more details on this cryptolib configuration than I already have.
Sorry man but I have still det same problem, When I tried my connection on SM59 I get det same error :
HTTPIO_PLG_CANCELED Message no. SR000
this is from dev_im.
IcmWatchDogThread: watchdog started
[Thr 5860] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject not set => do not trust any intermediary
X.509 cert data will be removed from header [http_plg.c 723]
[Thr 5860] ISC: created 400 MB disk cache.
[Thr 5860] ISC: created 50 MB memory cache.
[Thr 5860] HttpSubHandlerAdd: Added handler HttpCacheHandler(slot=0, flags=12293) for /:0
[Thr 5860] HttpExtractArchive: files from archive D:\usr\sap\EHD\DVEBMGS00\exe/icmadmin.SAR in directory D:/usr/sap/EHD/DVEBMGS00/data/icmanroot are up to date
[Thr 5860] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=1, flags=4101) for /sap/admin:0
[Thr 5860] CsiInit(): Initializing the Content Scan Interface
[Thr 5860] PC with Windows NT (mt,unicode,SAP_CHAR/size_t/void* = 16/64/64)
ERROR in SSL_CTX_set_default_pse_by_name: (4129/0x1021) The PSE does not exist : "D:\usr\sap\EHD\DVEBMGS00\sec\SAPSSLS.pse"
Basically, it is looking for SAPSSLS.pse file in the path of SECUDIR env. variable that you had set previously.
See whether this file exists or not at this path. Apparently, the file does not exist. In this case, you need to generate this file using sapgenpse program, which you had downloaded in the SAPCRYPTOLIB package. Follow the link below to generate the required link. Ignore any references to TREX on this page and just continue with the steps given. This should generate the .pse file:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.