
SAP Web Dispatcher HTTP_ROUTE 500 Dispatching error

Former Member
0 Kudos

sap/admin/default.html works. The 500 dispatching error "HTTP_ROUTE" is generated when trying to call the backend Central Instance services with sap/bc/ping or /sap/public/bc/its/mimes/zcnp_disc/99/default.html. I have had a Very High message open with SAP for 2 days. It is still unresolved.

I have done a global recycle of ICM on the Central Instance and rebooted the Wintel server running the standalone SAP Web Dispatcher. Ports are open; I can telnet to them from the Web Dispatcher to the Central Instance.

I am seriously considering bouncing the Unix server the Central Instance is on. The ICM recycle is suspicious.

Dispatcher log shows:

[Thr 5896] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 5896] SecudeSSL_SessionStart: SSL_connect() failed --

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 5896] >> Begin of Secude-SSL Errorstack >>

[Thr 5896] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=<Central Intance>, OU=IT, OU=Company, O=City, C=State"

ERROR in get_path: (27/0x001b) Found root certificate of <CN=<Central Instance> OU=IT, OU=Company name, O=City, C=State> which does not fit the given PKRoot

ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=<Central Intance>, OU=IT, OU=Comany Name, O=City, C=State> which does not fit the given PKRoot

[Thr 5896] << End of Secude-SSL Errorstack


[Thr 5896] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 5896] SSL NI-sock: local=Webdispatcher:2629 peer=Central Instance:8129

[Thr 5896] <<- ERROR: SapSSLSessionStart(sssl_hdl=00A8D038)==SSSLERR_SSL_CONNECT

[Thr 5896] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn.c 2012]

[Thr 5896] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx.c 5284]

[Thr 5896] *** ERROR => Could not connect to SAP Message Server at Central Instance. URL=/msgserver/text/logon?version=1.2 [icrxx.c 2634]

[Thr 5896] *** ERROR => rc=-1, HTTP response code: 0 [icrxx.c 2635]

[Thr 5896] *** ERROR => see also OSS note 552286 [icrxx.c 2636]

Backend ABAP Central Instance ICM trace shows:

I see this in CI. Using transaction smms.

[Thr 365] Thu Sep 16 11:14:01 2010

[Thr 365] SSL_get_state() returned 0x00001180 "SSLv3 read client certificate A"

[Thr 365] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL

[Thr 365] SecudeSSL_SessionStart: SSL_accept() failed

secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"

[Thr 365] >> Begin of Secude-SSL Errorstack >>

[Thr 365] WARNING in ssl3_read_bytes: (536875074/0x20001042) received a fatal SSLv3 bad certificate alert message from the peer

[Thr 365] << End of Secude-SSL Errorstack

[Thr 365] SSL NI-sock: local=<CI IP:PORT> peer=<Web Disp IP:port>

[Thr 365] <<- ERROR: SapSSLSessionStart(sssl_hdl=111096e50)==SSSLERR_SSL_ACCEPT

[Thr 365] *** ERROR => MsSSLThread: SapSSLSessionStart (rc=-56) SSSLERR_SSL_ACCEPT [msxxhttp_mt. 5472]


Edited by: Dan Mead on Sep 19, 2010 6:46 PM

Edited by: Dan Mead on Sep 19, 2010 6:54 PM

2 REPLIES 2

mvoros
Active Contributor
0 Kudos

Hi,

firstly, have you checked note 1094342? What variant do you want to use? Do you terminate an SSL connection on the web dispatcher and create a new one between the web dispatcher and the application server? It looks like the web dispatcher can't verify the SSL certificate used by the application server. Maybe you've already tried this, but you can try to turn off SSL between the dispatcher and the application server. If this setup works, then the problem is in the SSL connection. You can check what host name is used in the SSL certificate and what host name is used by the dispatcher. You can use the parameter wdisp/ssl_certhost, which sets the host name that will be used for certificate validation.

Cheers

Former Member
0 Kudos

I have resolved this issue: I was impacted by someone else's project. They needed to redo the Central Instance SSL Server Standard PSE, as it was created as a 1020 RSA and it needed to be in 2048 RSA format. Once they did this, only the ICM was recycled. In order to get things right after creating a new PSE, the Message Server must be restarted. So yes, SAP must come down. They were trying to avoid this. You can only export "good" certificates after the Message Server is recycled.
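
An added example, not part of the thread and not SAP tooling: a small Python triage of the trace format shown in the first post. It groups lines by thread (unprefixed lines are treated as continuations of the last thread seen) and separates a trust-anchor mismatch ("does not fit the given PKRoot") from a bad-certificate alert received from the peer. The sample trace is constructed from lines in the post, and the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: lines adapted from the traces in the first post (placeholders kept).
SAMPLE_TRACE = """\
[Thr 5896] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 5896] SecudeSSL_SessionStart: SSL_connect() failed --
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=<Central Instance>, OU=IT, OU=Company, O=City, C=State"
ERROR in get_path: (27/0x001b) Found root certificate of <CN=<Central Instance>, OU=IT, OU=Company, O=City, C=State> which does not fit the given PKRoot
[Thr 5896] SSL NI-sock: local=Webdispatcher:2629 peer=Central Instance:8129
[Thr 5896] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn.c 2012]
[Thr 365] SecudeSSL_SessionStart: SSL_accept() failed
secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"
"""

THR = re.compile(r"^\[Thr (\d+)\]\s*(.*)$")
SECUDE = re.compile(r'secude_error (\d+) \((0x[0-9a-fA-F]+)\) = "(.*)"')
ROOT = re.compile(r"Found root certificate of <(.*)> which does not fit the given PKRoot")
PEER = re.compile(r"SSL NI-sock: local=(.+?) peer=(.+)$")
RC = re.compile(r"SapSSLSessionStart failed \((-?\d+)\): (\w+)")

def triage(trace):
    """Return {thread_id: findings} for threads that logged an SSL handshake failure."""
    out, thr = defaultdict(dict), None
    for raw in trace.splitlines():
        line = raw.strip()
        m = THR.match(line)
        if m:
            thr, line = m.group(1), m.group(2)
        if thr is None or not line:
            continue
        f = out[thr]
        if (m := SECUDE.search(line)):
            f.update(secude_error=int(m.group(1)), reason=m.group(3))
        elif (m := ROOT.search(line)):
            f["untrusted_root"] = m.group(1)
        elif (m := PEER.search(line)):
            f.update(local=m.group(1), peer=m.group(2))
        elif (m := RC.search(line)):
            f.update(rc=int(m.group(1)), sssl_error=m.group(2))
    for f in out.values():
        if "untrusted_root" in f:  # peer's root is not in this side's trust list
            f["diagnosis"] = "trust anchor mismatch"
        elif f.get("secude_error") == 0x20001042:  # alert code as logged on the CI side
            f["diagnosis"] = "peer rejected certificate"
        elif f:
            f["diagnosis"] = "other handshake failure"
    return {t: f for t, f in out.items() if f}
```

A "trust anchor mismatch" result on the Web Dispatcher side paired with "peer rejected certificate" on the backend side is the pattern in this thread: the client's trust list no longer matches the certificate the server presents.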