on 01-07-2011 8:06 PM
Hi Gurus,
Scenario 1:
I have to import an SSL client cert from a 3rd party into an SAP 47 system. The Basis rel is 620. I imported the certificate in both Anonymous and Standard. After this I created an External RFC to the 3rd party site with SSL, but it is giving an error:
@@@@@@@@@@@@@@@@@@@@@@@@
[Thr 2057] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 2057] session uses PSE file "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLC.pse"
[Thr 2057] SecudeSSL_SessionStart: SSL_connect() failed
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 2057] >> Begin of Secude-SSL Errorstack >>
[Thr 2057] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Class 3 Public Primary Certification Auth
ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
[Thr 2057] << End of Secude-SSL Errorstack
[Thr 2057] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 2057] SSL socket: local=172.19.125.57:64404 peer=172.19.123.9:80
[Thr 2057] <<- ERROR: SapSSLSessionStart(sssl_hdl=110b30130)==SSSLERR_SSL_CONNECT
[Thr 2057] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 182
@@@@@@@@@@@@@@@@@@@@@@@@
Scenario 2: I did the same with a BASIS 700 release. But in Strust I imported the 3rd party client cert in "SSL client WSSE Web service". After that the RFC is working perfectly.
My question is, how can we get "SSL client WSSE Web service" in Strust of BASIS rel 620? Is it possible? Is there any alternate way for the older Basis release to make this external RFC work?
Thanks...
AJ
Thanks all for the reply.
I found the solution in Note #1094342 - ICM trace contains verification of the server's Certificate
Hi,
What are you trying to achieve?
Will your R/3 4.7 system act as an HTTP client using an X.509 client certificate to authenticate on an external HTTPS system?
Or will an external system connect to the R/3 4.7 system using an X.509 client certificate to authenticate?
Regards,
Olivier
The error is pointing to an issue with SAPSSLC.pse (keystore for client certificates); this is the CLIENT-specific area to import a certificate for the client. Apart from Standard and Anonymous, you also need to implement the client-specific SSL certificate.
Regards
Chandra
Hi Abdullah,
This is strange. Anyway, the error suggests that a chain of SSL certificates, i.e. multiple certificates, is involved. You would need the primary server authentication certificate and the CA-signed certificate. Are you sure you have imported all the correct certificates? I once had this issue and resolved it by importing all relevant certificates.
Check your ICM trace file also for any hints. OSS note 1094342 provides a good explanation.
With Regards.
Ruchit.
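
Added example, not part of any post in this thread and not SAP code: a short Python script that reads an ICM trace like the one quoted in the question and reports, per failed handshake, the PSE in use, the Secude error, the name the trace gives for the incomplete chain, and the peer. The function name `triage` and the record fields are assumptions of this example; the sample lines are copied from the question.

```python
import re

# Sample input: lines copied from the ICM trace quoted in the question.
SAMPLE_TRACE = """\
[Thr 2057] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 2057] session uses PSE file "/usr/sap/XXX/DVEBMGS02/sec/SAPSSLC.pse"
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Class 3 Public Primary Certification Auth
ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
[Thr 2057] SSL socket: local=172.19.125.57:64404 peer=172.19.123.9:80
"""

THREAD = re.compile(r"^\[Thr (\d+)\]")
START = "ERROR during SecudeSSL_SessionStart"
PSE = re.compile(r'session uses PSE file "([^"]+)"')
SECUDE = re.compile(r'secude_error (\d+) \(0x[0-9a-fA-F]+\) = "([^"]*)"')
# Closing quote is optional: the trace cuts long lines, as in the sample.
INCOMPLETE = re.compile(r'Chain of certificates is incomplete : "([^"]*)("?)')
PEER = re.compile(r"SSL socket: local=\S+ peer=(\S+)")


def triage(trace):
    """Return one record per failed SecudeSSL handshake in an ICM trace."""
    records, by_thread, thread = [], {}, None
    for line in trace.splitlines():
        m = THREAD.match(line)
        if m:  # lines without a [Thr n] prefix continue the previous thread
            thread = m.group(1)
        if START in line:
            by_thread[thread] = {"thread": thread, "pse": None, "error": None,
                                 "incomplete_at": None, "truncated": False,
                                 "peer": None}
            records.append(by_thread[thread])
            continue
        rec = by_thread.get(thread)
        if rec is None:
            continue
        if m := PSE.search(line):
            rec["pse"] = m.group(1)
        elif m := SECUDE.search(line):
            rec["error"] = (int(m.group(1)), m.group(2))
        elif m := INCOMPLETE.search(line):
            rec["incomplete_at"] = m.group(1).strip()
            rec["truncated"] = m.group(2) == ""  # DN was cut off in the trace
        elif m := PEER.search(line):
            rec["peer"] = m.group(1)
    return records


if __name__ == "__main__":
    for record in triage(SAMPLE_TRACE):
        print(record)
```

When `truncated` is true the distinguished name in `incomplete_at` is only a prefix, so compare it against the start of the subject names in the PSE's certificate list rather than expecting an exact match.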