
HTTPS activation - SSL

Former Member
0 Kudos

Hi All,

I am working on activating the HTTPS service in my CRM 7.0 system. I have made the changes below so far.

Installed SAPCRYPTOLIB in the $DIR_EXECUTABLE directory; the parameters ssf/name, ssf/ssfapi_lib, sec/libsapsecu, ssl/ssl_lib and icm/server_port_X are set and the system has been restarted.

As part of the HTTPS service configuration, I tried to configure SSL as per the steps in Note 510007 - Setting up SSL on Web Application Server ABAP. Point 3C says to contact SAP Trust Center Service (http://service.sap.com/tcs); there it says to buy an SSL server certificate for 260 EUR. Is this mandatory? Am I going in the right direction? Please advise.

Also, I just tried to activate the HTTPS service from SMICM and got this error: Operation failed (rc=1)

Below are the logs related to this.

[Thr 7] Mon Aug 23 13:37:03 2010

[Thr 7] =================================================

[Thr 7] = SSL Initialization on HP (IA-64) with HP-UX

[Thr 7] = (701_REL,Jan 28 2010,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)

[Thr 7] profile param "ssl/ssl_lib" = "/usr/sap/NCS/DVEBMGS30/exe/libsapcrypto.so"

resulting Filename = "/usr/sap/NCS/DVEBMGS30/exe/libsapcrypto.so"

[Thr 7] = found SAPCRYPTOLIB 5.5.5C pl24 (Jun 11 2008) MT-safe

[Thr 7] = current UserID: "ncsadm", env-var USER=<not set>

[Thr 7] = using SECUDIR=/usr/sap/NCS/DVEBMGS30/sec

[Thr 7] = secudessl_Create_SSL_CTX(): PSE "/usr/sap/NCS/DVEBMGS30/sec/SAPSSLC.pse" not found,

[Thr 7] = using PSE "/usr/sap/NCS/DVEBMGS30/sec/SAPSSLS.pse" as fallback

[Thr 7] = secudessl_Create_SSL_CTX(): PSE "/usr/sap/NCS/DVEBMGS30/sec/SAPSSLA.pse" not found,

[Thr 7] = using PSE "/usr/sap/NCS/DVEBMGS30/sec/SAPSSLS.pse" as fallback

[Thr 7] ******** Warning ********

[Thr 7] *** No SSL-client PSE "SAPSSLC.pse" available

[Thr 7] *** -- this will probably limit SSL-client side connectivity

[Thr 7] ********

[Thr 7] = Success -- SapCryptoLib SSL ready!

[Thr 7] =================================================

[Thr 7] *** ERROR => NiIBindSocket: SiBind failed for hdl 39 / sock 20

(SI_EPORT_INUSE/226; I4; ST; 0.0.0.0:8130) [nixxi.cpp 3237]

[Thr 7] *** ERROR => IcmBindService: NiBuf2Listen failed for host sapncs.eame.syngenta.org:8130 (rc=-4): NIESERV_USED [icxxserv_mt. 1485]

[Thr 7] *** ERROR => IcmHandleMonServMsg: IcmActivateService failed for 8130, 2(rc=-1) [icxxmsg_mt.c 1870]

Does this log indicate a problem with port 8130? Should I try to change it, or can I concentrate on the SSL part for now?

Thanks for your advice.

Thanks

Deepak
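A triage of the trace quoted in the post above, as an added example that is not part of the original thread: it separates what the trace reports about the SSL library and PSE files from what it reports about the listening socket. The function and field names are hypothetical; the trace lines are an excerpt copied from the post.

```python
import re

# Excerpt of the ICM trace lines quoted in the post above.
TRACE = '''\
[Thr 7] = secudessl_Create_SSL_CTX(): PSE "/usr/sap/NCS/DVEBMGS30/sec/SAPSSLC.pse" not found,
[Thr 7] = using PSE "/usr/sap/NCS/DVEBMGS30/sec/SAPSSLS.pse" as fallback
[Thr 7] = secudessl_Create_SSL_CTX(): PSE "/usr/sap/NCS/DVEBMGS30/sec/SAPSSLA.pse" not found,
[Thr 7] = using PSE "/usr/sap/NCS/DVEBMGS30/sec/SAPSSLS.pse" as fallback
[Thr 7] = Success -- SapCryptoLib SSL ready!
[Thr 7] *** ERROR => NiIBindSocket: SiBind failed for hdl 39 / sock 20
(SI_EPORT_INUSE/226; I4; ST; 0.0.0.0:8130) [nixxi.cpp 3237]
[Thr 7] *** ERROR => IcmBindService: NiBuf2Listen failed for host sapncs.eame.syngenta.org:8130 (rc=-4): NIESERV_USED [icxxserv_mt. 1485]
[Thr 7] *** ERROR => IcmHandleMonServMsg: IcmActivateService failed for 8130, 2(rc=-1) [icxxmsg_mt.c 1870]
'''

PSE_MISSING = re.compile(r'PSE "[^"]*/([^/"]+\.pse)" not found')
PSE_FALLBACK = re.compile(r'using PSE "[^"]*/([^/"]+\.pse)" as fallback')
SSL_READY = re.compile(r'Success\b.*SapCryptoLib SSL ready')
PORT_IN_USE = re.compile(r'SI_EPORT_INUSE/\d+;.*?:(\d+)\)')
SERVICE_USED = re.compile(r':(\d+) \(rc=-?\d+\): NIESERV_USED')
ACTIVATE_FAIL = re.compile(r'IcmActivateService failed for (\d+)')


def triage(trace):
    """Separate SSL-library findings from socket-level findings in an ICM trace."""
    result = {"ssl_ready": False, "missing_pse": [], "fallback_pse": set(),
              "ports_in_use": set(), "failed_services": set()}
    for line in trace.splitlines():
        if m := PSE_MISSING.search(line):
            result["missing_pse"].append(m.group(1))
        if m := PSE_FALLBACK.search(line):
            result["fallback_pse"].add(m.group(1))
        if SSL_READY.search(line):
            result["ssl_ready"] = True
        for rx in (PORT_IN_USE, SERVICE_USED):
            if m := rx.search(line):
                result["ports_in_use"].add(int(m.group(1)))
        if m := ACTIVATE_FAIL.search(line):
            result["failed_services"].add(int(m.group(1)))
    # True when every failed activation is on a port reported as already bound.
    failed = result["failed_services"]
    result["failure_is_port_conflict"] = bool(failed) and failed <= result["ports_in_use"]
    return result


if __name__ == "__main__":
    for key, value in triage(TRACE).items():
        print(f"{key}: {value}")
```

On this excerpt the SSL library initialises successfully and the only failed activation is on port 8130, which the socket layer reports as already in use.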

4 REPLIES

mvoros
Active Contributor
0 Kudos

Hi,

You still don't have a certificate which will be used for SSL. The certificate is stored in a PSE file. In your case it should be in /usr/sap/NCS/DVEBMGS30/sec/SAPSSLA.pse. It's not mandatory to use an SSL certificate generated by SAP Trust Center Service. You can use any SSL vendor. The cheapest thing is to use a self-signed certificate generated by you in. This can work if you control all clients which will connect to your system. BTW, certificates are maintained in transaction STRUST. Search for the documentation for this transaction for more info about generating or importing an SSL certificate.

Cheers

Former Member
0 Kudos

Hi, thanks for your suggestion. I have installed an SSL server test certificate and I could see the file SAPSSLA.pse in the sec directory. HTTPS is active now (this was solved by changing the port). When I test the HTTPS connection with this URL, I get the error 'This Connection is Untrusted', and the technical details give this message: 'sapncs.eame.syngenta.org:8230 uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

The certificate is only valid for frgoxs28.eame.syngenta.org

(Error code: sec_error_unknown_issuer)'

I restarted ICM but it didn't help. This is the DEV_ICM log for the restart.

trc file: "dev_icm", trc level: 1, release: "701"

sysno 30

sid NCS

systemid 274 (HP (IA-64) with HP-UX)

relno 7010

patchlevel 0

patchno 68

intno 20020600

make: multithreaded, Unicode, 64 bit, optimized

pid 5333

[Thr 1] started security log to file dev_icm_sec

[Thr 1] ICM running on: sapncs.eame.syngenta.org

[Thr 1] MtxInit: 30001 0 2

[Thr 1] IcmInit: listening to admin port: 65000

[Thr 1] DpSysAdmExtCreate: ABAP is active

[Thr 1] DpSysAdmExtCreate: VMC (JAVA VM in WP) is active

[Thr 1] DpShMCreate: sizeof(wp_adm)##54320#(1752)

[Thr 1] DpShMCreate: sizeof(tm_adm)##6009216#(29896)

[Thr 1] DpShMCreate: sizeof(wp_ca_adm)##28800#(96)

[Thr 1] DpShMCreate: sizeof(appc_ca_adm)#9600#(96)

[Thr 1] DpCommTableSize: max/headSize/ftSize/tableSize=500/16/552064/552080

[Thr 1] DpShMCreate: sizeof(comm_adm)##552080#(1088)

[Thr 1] DpSlockTableSize: max/headSize/ftSize/fiSize/tableSize=512/48/65600/90416/156064

[Thr 1] DpShMCreate: sizeof(slock_adm)##156064#(104)

[Thr 1] DpFileTableSize: max/headSize/ftSize/tableSize=6000/16/576064/576080

[Thr 1] DpShMCreate: sizeof(file_adm)##576080#(72)

[Thr 1] DpShMCreate: sizeof(vmc_adm)##60240#(2008)

[Thr 1] DpShMCreate: sizeof(wall_adm)##(41664/36752/80/192)

[Thr 1] DpShMCreate: sizeof(gw_adm)#48

[Thr 1] DpShMCreate: SHM_DP_ADM_KEY##(addr: 0xc00000000fc00000, size: 7534160)

[Thr 1] DpShMCreate: allocated sys_adm at 0xc00000000fc00000

[Thr 1] DpShMCreate: allocated wp_adm at 0xc00000000fc02310

[Thr 1] DpShMCreate: allocated tm_adm_list at 0xc00000000fc0f740

[Thr 1] DpShMCreate: allocated tm_adm at 0xc00000000fc0f7a0

[Thr 1] DpShMCreate: allocated wp_ca_adm at 0xc0000000101ca920

[Thr 1] DpShMCreate: allocated appc_ca_adm at 0xc0000000101d19a0

[Thr 1] DpShMCreate: allocated comm_adm at 0xc0000000101d3f20

[Thr 1] DpShMCreate: allocated slock_adm at 0xc00000001025abb0

[Thr 1] DpShMCreate: allocated file_adm at 0xc000000010280d50

[Thr 1] DpShMCreate: allocated vmc_adm_list at 0xc00000001030d7a0

[Thr 1] DpShMCreate: allocated gw_adm at 0xc00000001030d820

[Thr 1] DpShMCreate: allocated vmc_adm at 0xc00000001030d850

[Thr 1] DpShMCreate: allocated ca_info at 0xc00000001031c3a0

[Thr 1] DpSesCreateTable: attached session table at 0xc000000007ae0000 (len=145632)

[Thr 3] IcmProxyWatchDog: proxy watchdog started

[Thr 1] CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.

[Thr 1] IcmCreateWorkerThreads: created worker thread 0

[Thr 1] IcmCreateWorkerThreads: created worker thread 1

[Thr 1] IcmCreateWorkerThreads: created worker thread 2

[Thr 1] IcmCreateWorkerThreads: created worker thread 3

[Thr 1] IcmCreateWorkerThreads: created worker thread 4

[Thr 1] IcmCreateWorkerThreads: created worker thread 5

[Thr 1] IcmCreateWorkerThreads: created worker thread 6

[Thr 1] IcmCreateWorkerThreads: created worker thread 7

[Thr 1] IcmCreateWorkerThreads: created worker thread 8

[Thr 1] IcmCreateWorkerThreads: created worker thread 9

[Thr 14] IcmWatchDogThread: watchdog started

[Thr 15] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject not set => do not

X.509 cert data will be removed from header [http_plg_mt. 718]

[Thr 15] ISC: created 400 MB disk cache.

[Thr 15] ISC: created 50 MB memory cache.

[Thr 15] HttpSubHandlerAdd: Added handler HttpCacheHandler(slot=0, flags=12293) for /:0

[Thr 15] HttpExtractArchive: files from archive /usr/sap/NCS/DVEBMGS30/exe/icmadmin.SAR in directory /usr/sap/NCS/DVEBMGS30/data/icmanroot are

[Thr 15] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=1, flags=4101) for /sap/admin:0

[Thr 15] CsiInit(): Initializing the Content Scan Interface

[Thr 15] HP (IA-64) with HP-UX (mt,unicode,SAP_CHAR/size_t/void* = 16/64/64)

[Thr 15] CsiInit(): CSA_LIB = "/usr/sap/NCS/DVEBMGS30/exe/libsapcsa.so"

[Thr 15] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=2, flags=12293) for /:0

[Thr 15] HttpSubHandlerAdd: Added handler HttpSAPR3Handler(slot=3, flags=1052677) for /:0

[Thr 15] Started service 8030 for protocol HTTP on host "sapncs.eame.syngenta.org"(on all adapters) (processing timeout=60, keep_alive_timeout

[Thr 15] =================================================

[Thr 15] = SSL Initialization on HP (IA-64) with HP-UX

[Thr 15] = (701_REL,Jan 28 2010,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)

[Thr 15] profile param "ssl/ssl_lib" = "/usr/sap/NCS/DVEBMGS30/exe/libsapcrypto.so"

resulting Filename = "/usr/sap/NCS/DVEBMGS30/exe/libsapcrypto.so"

[Thr 15] = found SAPCRYPTOLIB 5.5.5C pl24 (Jun 11 2008) MT-safe

[Thr 15] = current UserID: "ncsadm", env-var USER=<not set>

[Thr 15] = using SECUDIR=/usr/sap/NCS/DVEBMGS30/sec

[Thr 15] = Success SapCryptoLib SSL ready!

[Thr 15] =================================================

[Thr 15] Started service 8230 for protocol HTTPS on host "sapncs.eame.syngenta.org"(on all adapters) (processing timeout=60, keep_alive_timeou

[Thr 15] IcmNetCheck: network check passed without detecting problems

Any suggestions, please?

mvoros
Active Contributor
0 Kudos

Hi,

Everything is as it should be. You installed a self-signed certificate and your browser does not trust this certificate because it's self-signed and is not in the browser's list of trusted certificates. Search for "self-signed certificate" on Google to get more info. As I said, this can work only if you have all clients under control. It looks like you want to expose CRM to clients over the internet. A self-signed certificate is not a good idea in this case and you need to purchase an SSL certificate from a CA. Obviously, a self-signed certificate for a development or QA system is OK.

Cheers
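The browser message quoted earlier in the thread lists two separate conditions: an unknown issuer, and a certificate valid only for a host name other than the one in the URL. The sketch below is an added example, not part of the original thread, that models both checks to show which one each remedy clears. The function names, finding labels and issuer names are hypothetical placeholders; issuer trust is simplified to set membership instead of real chain building.

```python
def name_matches(pattern, host):
    """Exact match, or '*' standing for the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:      # refuse over-broad patterns like *.org
        return p[1:] == h[1:]
    return p == h


def client_findings(url_host, cert_names, issuer, client_trust_store):
    """Return the independent reasons a TLS client would reject the certificate.

    Simplification: issuer trust is modelled as set membership instead of
    building and verifying a certificate chain.
    """
    findings = []
    if issuer not in client_trust_store:
        findings.append("unknown_issuer")
    if not any(name_matches(n, url_host) for n in cert_names):
        findings.append("name_mismatch")
    return findings


URL_HOST = "sapncs.eame.syngenta.org"       # host in the URL, from the post
CERT_HOST = "frgoxs28.eame.syngenta.org"    # name the certificate is valid for
PUBLIC_CA = "EXAMPLE-PUBLIC-CA"             # constructed placeholder issuers
TEST_ISSUER = "EXAMPLE-TEST-ISSUER"
BROWSER_STORE = {PUBLIC_CA}

SCENARIOS = {
    "as reported in the thread": ([CERT_HOST], TEST_ISSUER, BROWSER_STORE),
    "CA-issued, name unchanged": ([CERT_HOST], PUBLIC_CA, BROWSER_STORE),
    "CA-issued, name matches URL": ([URL_HOST], PUBLIC_CA, BROWSER_STORE),
    "test issuer imported on managed client":
        ([URL_HOST], TEST_ISSUER, BROWSER_STORE | {TEST_ISSUER}),
}


def run_scenarios():
    return {label: client_findings(URL_HOST, names, issuer, store)
            for label, (names, issuer, store) in SCENARIOS.items()}


if __name__ == "__main__":
    for label, findings in run_scenarios().items():
        print(f"{label}: {findings or 'accepted'}")
```

A certificate from a trusted CA clears only the issuer finding; the name finding stays until the certificate is issued for the host name that clients actually put in the URL.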

Former Member
0 Kudos

Thanks a lot. Your suggestions and clarifications were really helpful. Indeed, we want to expose CRM to the internet. We would purchase a certificate from a CA for production.