
HTTPS under SM59 - Verification of one certificate of path failed because t

Former Member
0 Kudos

I'm trying to test a SSL connection in SM59 and I keep getting the same error.

[Thr 140434420815632] Wed Jan 5 05:06:36 2011

[Thr 140434420815632] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 140434420815632] session uses PSE file "/usr/sap/N4S/DVEBMGS01/sec/SAPSSLC.pse"

[Thr 140434420815632] SecudeSSL_SessionStart: SSL_connect() failed --

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 140434420815632] >> -


Begin of Secude-SSL Errorstack -


>>

[Thr 140434420815632] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints

ERROR in check_basicConstraints: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints

ERROR in af_pse_get_PCAList: (4130/0x1022) Object PCAList doesn't exist

ERROR in af_pse_get_FCPath_static: (4130/0x1022) Object FCPath doesn't exist

[Thr 140434420815632] << -


End of Secude-SSL Errorstack -


[Thr 140434420815632] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 140434420815632] SSL socket: local=192.168.1.13:51332 peer=17.149.34.134:2195

[Thr 140434420815632] <<- ERROR: SapSSLSessionStart(sssl_hdl=0xea5e30)==SSSLERR_SSL_CONNECT

[Thr 140434420815632] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2005]

It appears that SAP does not like the certificate returned by the called server. Does anyone have any idea how to get around this? Is it possible to add something into STRUST to make this issue go away? I also recorded the test made by SAP via HTTPS. Here is the result.

500 Native SSL error

Error: -14

Version: 7000

Component: ICM

Date/Time: Wed Jan 5 05:06:36 2011

Module: icxxconn_mt.c

Line: 2005

Server: source_N4S_01

Error Tag:

Detail: IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT

Any help would be much appreciated.

Clark Dennison

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Working with Gregor he discovered the provider (Apple Push Notification Service, FYI) does not implement the HTTPS protocol but actually a raw socket (sucks). Unless anyone has any tricks to opening a raw socket from SAP ABAP stack it doesn't look like it would be possible to call APNS from SAP.

Boo!

Thanks for all the quick responses.

P.S. If anyone has a good idea feel free to post it here. I would love to hear the feedback.

Former Member
0 Kudos

Hey Clark,

I know that this post is actually old but my requirement is to send msg from SAP to APNS. I have been struggling for two days now and unfortunately couldn't manage to set up a secure connection until I found your post, which I think might help me!!


Now, my question to you is whether you were able to find a solution to call APNS from SAP???

Kind regards
Alex Miller

former_member80258
Participant
0 Kudos

Good day Alexander.

Please attach either the SM59 or ST11 logs so that we can view the errors.

Regards

Erick Verbena

PROLAMSA

Former Member
0 Kudos

Alexander,

In fact I did work with Gregor Wolf until we (actually he) discovered that APNS uses raw sockets so the elegant method didn't much work. My solution was a bit more rough and required calling a Perl script located on the server. I did this by setting up a command in SM69 and executing it via function module SXPG_COMMAND_EXECUTE. I will warn you up front that there were some limitations around length that the FM brought to the table. The parameter ADDITIONAL_PARAMETERS only contained lines that were 255 and I was forced to kinda live with it. In hindsight I think I might be better off just calling the P script using something like this.

http://wiki.sdn.sap.com/wiki/display/ABAP/Executing+Unix+command+from+ABAP

But then you are forced to deal with all the error catching and I was kinda in a hurry.

The biggest drawback was having to get the Perl script on the server, which in most cases will take some coordination with your basis group. Of course you have to generate all the right APNS which is a pain also. I was able to move it quickly to my test server and made sure it worked before I did all the stuff above. Oh and I also needed to install Perl, and depending on which operating system you are dealing with there are different steps.

http://www.perl.org/get.html

Undoubtedly you have turned up many tutorials on how to call APNS. Here is one with a link to a Perl script:

http://answers.oreilly.com/topic/1541-how-to-send-a-push-notification-to-an-iphone-user/

Sorry I can't remember the one I found but I will be glad to post it if you need it.

Finally after I got my solution completed (and it worked), I saw this which Gregor pointed out to me the next day.

http://scn.sap.com/people/alisdair.templeton3/blog/2011/04/19/sap-meet-the-apple-push-notification-s...

Basically it starts a little Java server that you communicate with via SM59 by calling a destination. Similar, but perhaps a bit more best practice than my idea.

One final idea, which Gregor threw around but I didn't have the time or guts to do, was this:

https://cw.sdn.sap.com/cw/groups/blue-ruby and then use something like

https://github.com/PRX/apn_on_rails

But I am not a Ruby guy so I didn't even start.

Hope this helps.

Clark

Former Member
0 Kudos

Hi Clark,

Thank you so much for the nice summary! It helped a lot, especially since I am a SAP beginner and with your response you gave me a nice overview of the alternatives and capabilities of SAP, especially in the context of SAP-APNS.

As I can develop in JAVA, I decided to use the approach you mentioned:
http://scn.sap.com/people/alisdair.templeton3/blog/2011/04/19/sap-meet-the-apple-push-notification-s....

But for the sending of push msgs I used the http://code.google.com/p/javapns/ library, which made the coding even easier. As for the JCo (3.x) implementation, I followed the code that I found here: http://help.sap.com/saphelp_nwpi711/helpdata/de/48/63bb85c6bf07dbe10000000a42189b/content.htm

..and it works like a charm!!

Thank you again.

Kind regards
Alex

Former Member
0 Kudos

Glad to hear it worked out for you.

Cheers!

Former Member
0 Kudos

I was able to get by the above error but now I get another error.

[Thr 140147246323472] Wed Jan 5 12:24:08 2011

[Thr 140147246323472] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 140147246323472] session uses PSE file "/usr/sap/N4S/DVEBMGS01/sec/SAPSSLC.pse"

[Thr 140147246323472] SecudeSSL_SessionStart: SSL_connect() failed --

secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"

[Thr 140147246323472] >> -


Begin of Secude-SSL Errorstack -


>>

[Thr 140147246323472] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer

WARNING in ssl3_get_certificate_request: (536871681/0x20000301) CertRequest with empty certificate_autorities list received (violation of SSLv3/TLSv1.0 spec) -- declining request

[Thr 140147246323472] << -


End of Secude-SSL Errorstack -


[Thr 140147246323472] SSL_get_state() returned 0x000021d0 "SSLv3 read finished A"

[Thr 140147246323472] No certificate request received from Server

[Thr 140147246323472] SSL socket: local=192.168.1.13:59005 peer=17.149.34.141:2195

[Thr 140147246323472] <<- ERROR: SapSSLSessionStart(sssl_hdl=0xf9ab10)==SSSLERR_SSL_CONNECT

[Thr 140147246323472] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2005]

It appears now that during the SSL handshake my SAP server is not sending a list of certificate_autorities (note the misspelling).

Any idea what to do now? Google turns up almost nothing.

Clark
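The two SM59 traces quoted in this thread fail at different stages of the handshake, and the Secude error stack says which. The following Python sketch is an added example, not code from any poster or from SAP: it parses the error-stack lines, checks that each decimal/hex code pair agrees, and names the failing stage. The sample traces are assembled from lines quoted above; the function names and stage labels are this example's own.

```python
import re

# Secude error-stack entry: "ERROR in func: (dec/0xhex) message"
ENTRY = re.compile(r"(ERROR|WARNING) in (\w+): \((\d+)/0x([0-9a-fA-F]+)\) (.*)")
PEER = re.compile(r"peer=(\d+\.\d+\.\d+\.\d+):(\d+)")
PSE = re.compile(r'PSE file "([^"]+)"')

# Samples assembled from the traces quoted in this thread ([Thr ...] prefix dropped).
TRACE_CHAIN = """\
session uses PSE file "/usr/sap/N4S/DVEBMGS01/sec/SAPSSLC.pse"
ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in check_basicConstraints: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints
ERROR in af_pse_get_PCAList: (4130/0x1022) Object PCAList doesn't exist
SSL socket: local=192.168.1.13:51332 peer=17.149.34.134:2195
"""
TRACE_ALERT = """\
WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer
WARNING in ssl3_get_certificate_request: (536871681/0x20000301) CertRequest with empty certificate_autorities list received (violation of SSLv3/TLSv1.0 spec) -- declining request
SSL socket: local=192.168.1.13:59005 peer=17.149.34.141:2195
"""

def parse_trace(text):
    """Return error-stack entries, peer endpoint and PSE path from an ICM trace."""
    entries = []
    for level, func, dec, hx, msg in ENTRY.findall(text):
        # Decimal and hex codes must agree; a mismatch points to a mangled paste.
        entries.append({"level": level, "func": func, "code": int(dec),
                        "consistent": int(dec) == int(hx, 16), "msg": msg.strip()})
    peer = PEER.search(text)
    pse = PSE.search(text)
    return {"entries": entries,
            "peer": (peer.group(1), int(peer.group(2))) if peer else None,
            "pse": pse.group(1) if pse else None}

def classify(parsed):
    """Name the handshake stage that failed, based on the functions in the stack."""
    funcs = {e["func"] for e in parsed["entries"]}
    if "check_basicConstraints" in funcs:
        # The SAP client rejected the chain presented by the server.
        return "server-chain-validation"
    if {"ssl3_get_certificate_request", "ssl3_read_bytes"} <= funcs:
        # A CertRequest was declined and the peer sent a fatal alert.
        return "client-cert-request-declined"
    return "unknown"
```
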

Former Member
0 Kudos

Hi,

As you have not explained the configuration you have done and have not told us which system/release you are using, it is difficult to help you...

I assume that you have created a client SSL standard PSE in STRUST.

Have you imported the certification authorities' certificates (from the external SSL server to which your SM59 destination points) into the certificate list of the client SSL standard PSE?

If yes, did you restart the ICM afterward ?

Regards,

Olivier

Former Member
0 Kudos

Yes (with a bit of help from Gregor Wolf) I did all the right steps as you mentioned above, but I still get the same error. Oh and yep, we did restart the ICM.

Former Member
0 Kudos

WARNING in ssl3_get_certificate_request: (536871681/0x20000301) CertRequest with empty certificate_autorities list received (violation of SSLv3/TLSv1.0 spec) -- declining request

It seems to me that the problem is not from the SAP client side but from the test server.

Is your test server using SSLv3? Maybe an older release of the SSL spec?

If possible, you should try to connect to another SSL server.

You can also try to increase the ICM trace level to see if you get more error information.

Regards,

Olivier

Former Member
0 Kudos

Another idea: is your SAP client certificate signed by a certification authority? It has to be signed.

Regards,

Olivier