on 11-15-2010 4:29 PM
Hello,
I'm trying to configure a Type G RFC connection. Now that I have CryptoLib correctly installed, the SSL PSEs are now available. In order to get a functioning RFC, I've navigated to the destination with my browser and saved the 3 certificates in the chain (Root, Intermediate, and actual site). Once saved to my computer, I selected the Anonymous SSL Client's PSE and imported the certificates. After the PSE was saved, I restarted the ICM via SMICM. After those steps, the following error is still reported in the ICM trace file:
[Thr 1116555584] Mon Nov 15 11:13:18 2010
[Thr 1116555584] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 1116555584] session uses PSE file "/usr/sap/XS1/DVEBMGS00/sec/SAPSSLA.pse"
[Thr 1116555584] SecudeSSL_SessionStart: SSL_connect() failed
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 1116555584] >> Begin of Secude-SSL Errorstack >>
[Thr 1116555584] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Class 3 Public Primary Certification Auth
ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
[Thr 1116555584] << End of Secude-SSL Errorstack
[Thr 1116555584] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 1116555584] SSL NI-sock: local=10.1.10.33:58418 peer=20.137.54.91:443
[Thr 1116555584] <<- ERROR: SapSSLSessionStart(sssl_hdl=0xdf47dc0)==SSSLERR_SSL_CONNECT
[Thr 1116555584] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00042ae6} [icxxconn_mt
The RFC is using the FQDN for the target, and not the IP address. As far as I can tell, all the appropriate certificates have been added to the correct PSE. An SSL connection for a client not requiring certificate login only needs to be trusted on the client end, correct? Anything immediately obvious that I may have missed?
Thank you,
Zach
I had a window of opportunity to restart the WebAS. This fixed the error. I read in the manual that restarting the ICM was the only requirement; however, the mechanism in SMICM must not be sufficient.
Issue resolved.
Thank you,
Zach