on 02-24-2011 12:01 PM
Hi,
I am trying to set up an HTTPS connection to NWDI (NetWeaver 7.0).
SSL is enabled on the Portal, so I can see it in my browser through https (https://<host>:50001/irj/portal); SLD and NWDI are on the same system.
Now I am trying to connect from NWDS 7.0, with the Development Configuration Pool URL set to "https://<host>:50001". I've set the path to the keystore file and done some additional configuration according to [http://help.sap.com/saphelp_nw70/helpdata/en/4c/941f407b402402e10000000a1550b0/frameset.htm].
After those steps the "Ping server" button under Development Configuration Pool URL gave no result (no error, no success). In the NWDS logs I found an exception occurring on the ping server action: java.lang.NoClassDefFoundError: com/sap/security/api/certrevoc/CertRevocException.
After putting the CertRevocException class in place, NWDS started to give the error message "Server certificate rejected by ChainVerifier" on the ping action; in the log file I see a different exception:
!MESSAGE Feb 24, 2011 2:50:31 PM com.sap.security.core.server.https.V3ChainVerifier.verify... [Thread[main,5,main]] Error: NamingException during CertRevoc access
[EXCEPTION]
javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:640)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:280)
at javax.naming.InitialContext.lookup(InitialContext.java:347)
at com.sap.security.core.server.https.V3ChainVerifier.verifyChain(V3ChainVerifier.java:281)
at iaik.security.ssl.x.a(Unknown Source)
at iaik.security.ssl.x.b(Unknown Source)
at iaik.security.ssl.x.a(Unknown Source)
at iaik.security.ssl.r.d(Unknown Source)
at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
at iaik.security.ssl.SSLTransport.getInputStream(Unknown Source)
at iaik.security.ssl.SSLSocket.getInputStream(Unknown Source)
P.S. I also have NWDS 7.2 on my PC and it can successfully connect to that NWDI server, with the same keystore file.
Hi
You have the wrong SAP crypto toolkit:
Feb 25, 2011 2:56:53 PM ....server.https.SecureConnectionFactory [Thread[main,5,main]] Warning: SAP Java Crypto Toolkit NOT installed !
iaik_jce_export.jar delivered with 7.0 does not include strong crypto algorithms for SSL due to legal limitations/export regulations. You can download the uncrippled version, named iaik_jce.jar, from the Marketplace (search for CRYPTO TOOLKIT or the like). Since 7.1x, NWDS is delivered with the full iaik_jce.jar; that is the reason why your 7.20 works.
By the way: make sure to remove iaik_jce_export.jar when you install iaik_jce.jar, otherwise you might get funny classloading problems.
Regards
Michael
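Michael's advice comes down to a classloading question: which jar on the IDE's class path actually supplies the IAIK provider classes. The following is an added example, not code from the thread or from SAP: a Python script that walks an installation directory, opens every jar it finds and reports which ones contain the provider class, so a leftover iaik_jce_export.jar sitting beside iaik_jce.jar shows up as a conflict before the IDE is even started. The installation root and the class entry it looks for (iaik/security/provider/IAIK.class, assumed here to be present in both the full and the export-restricted jar) are assumptions of this example.

```python
"""Report which jars below a directory provide the IAIK JCE provider class.

Added example, not code from the thread or from SAP. Assumptions: the
directory passed in is the IDE installation root, and the class entry
IAIK_PROVIDER_CLASS lives in both iaik_jce.jar and iaik_jce_export.jar.
"""
import os
import zipfile

# Assumed to be present in both the full and the export-restricted toolkit jar.
IAIK_PROVIDER_CLASS = "iaik/security/provider/IAIK.class"


def jars_under(root):
    """Yield every .jar file below root, in a stable (sorted) order."""
    for dirpath, _dirs, files in sorted(os.walk(root)):
        for name in sorted(files):
            if name.lower().endswith(".jar"):
                yield os.path.join(dirpath, name)


def jars_providing(root, class_entry):
    """Return the jars below root whose index contains class_entry."""
    hits = []
    for jar in jars_under(root):
        try:
            with zipfile.ZipFile(jar) as zf:
                if class_entry in zf.namelist():
                    hits.append(jar)
        except zipfile.BadZipFile:
            # A corrupt file or a non-jar with a .jar name provides nothing; skip it.
            continue
    return hits


def check_iaik_conflict(root):
    """Classify the toolkit installation below root.

    Returns one of:
      "missing"  - no jar provides the IAIK provider class
      "export"   - only iaik_jce_export.jar provides it
      "ok"       - exactly one jar provides it and it is not the export jar
      "conflict" - more than one jar provides it; classloading order then
                   decides which copy wins, which is the situation the
                   thread describes
    """
    hits = jars_providing(root, IAIK_PROVIDER_CLASS)
    if not hits:
        return "missing"
    if len(hits) > 1:
        return "conflict"
    if os.path.basename(hits[0]) == "iaik_jce_export.jar":
        return "export"
    return "ok"


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar in jars_providing(root, IAIK_PROVIDER_CLASS):
        print("provides IAIK provider:", jar)
    print("status:", check_iaik_conflict(root))
```

Run it as `python check_iaik_jars.py <NWDS root>` before starting the IDE; "conflict" is the state Ilya describes in his follow-up, where the proper jar was installed but the classes were still loaded from the export one.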
Hi,
You are right, it was my mistake to use iaik_jce_export.jar; actually I had the proper version (iaik_jce.jar), but the classes were loaded from the "export" one.
Removing iaik_jce_export.jar helped with "SAP Java Crypto Toolkit NOT installed", and the process goes a little further, but now I have another exception.
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending v3 client_hello message, requesting version 3.1...
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received v3 server_hello handshake message.
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Server selected SSL version 3.1.
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Server created new session 01:CC:A4:BB:38:8B:32:38...
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): CompressionMethod selected by server: NULL
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received certificate handshake message with server certificate.
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Server sent a 1024 bit RSA certificate, chain has 1 elements.
Feb 28, 2011 4:18:31 PM ....https.V3ChainVerifier.verifyChain () [Thread[main,5,main]] Path: Entering method with ([Ljava.security.cert.X509Certificate;@ad8659, iaik.security.ssl.SSLTransport@4f459c)
Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Chain to verify:
Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: cert [0]
Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Subject: CN=<host>
Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Issuer: CN=<host>
Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Serial: c3f7e1d0
.......
Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: cert revocation status check entered for cert: 0
Feb 28, 2011 4:18:31 PM ....https.V3ChainVerifier.verifyChain () [Thread[main,5,main]] Error: NamingException during CertRevoc access [EXCEPTION]
javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:640)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:280)
at javax.naming.InitialContext.lookup(InitialContext.java:347)
at com.sap.security.core.server.https.V3ChainVerifier.verifyChain(V3ChainVerifier.java:281)
at iaik.security.ssl.x.a(Unknown Source)
at iaik.security.ssl.x.b(Unknown Source)
at iaik.security.ssl.x.a(Unknown Source)
at iaik.security.ssl.r.d(Unknown Source)
at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
So, now the problem seems to be with the V3ChainVerifier class, which is trying to look up the CertRevoc service:
InitialContext ctx = new InitialContext();
CertRevocStatusService crService = (CertRevocStatusService) ctx.lookup("tc~sec~certrevoc~service"); // <-- naming exception here
I've found that they've changed V3ChainVerifier in the 7.2 version; now it has different code:
InitialContext ctx = new InitialContext();
Class cl = Class.forName("com.sap.security.api.certrevoc.CertRevocStatusService"); // <-- class not found here
Object crService = ctx.lookup((String) cl.getField("JNDI_NAME").get(null));
After "class not found" they just skip the revocation status check, and no error occurs.
Feb 28, 2011 4:33:08 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Unknown error during CertRevoc access. Revocation check failed and will be skipped. com.sap.security.api.certrevoc.CertRevocStatusService
Feb 28, 2011 4:33:08 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Path: Exiting method
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received server_hello_done handshake message.
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending client_key_exchange handshake message (1024 bit)...
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending change_cipher_spec message...
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending finished message...
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received change_cipher_spec message.
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received finished message.
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Session added to session cache.
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Handshake completed, statistics:
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Read 603 bytes in 3 records, wrote 310 bytes in 4 records.
Feb 28, 2011 4:33:08 PM ...b.protocol.Connection.prepareSocket() [Thread[main,5,main]] Debug: SSL handshake [succeeded]
Hello Ilya
Please try the following:
1. Download the cryptographic library to your local PC from SAP Service Marketplace (go to service.sap.com/download and choose Download -> SAP Cryptographic Software) or ask your system administrator to provide you with this library. Make sure that you download the library that matches your Java version (1.3 or 1.4). Save the library in a temporary directory.
2. If you use J2SE from Version 1.4, you must prepare the Java runtime environment for using strong cryptography by installing special Security Policies (Java Cryptography Extensions) from java.sun.com/jce. For more information, see the documentation on your Java environment.
3. Start your IDE and choose File -> Import -> Java Cryptography Toolkit. Choose Next. Enter the path to the downloaded cryptography library or navigate to this location in your file system by choosing Browse.
4. Start the IDE again.
5. Choose Window -> Preferences -> Java Development Infrastructure. Under Certificates, specify the path to a file with certificates in PKCS7 or PKCS12 format, or the path to a Java key store. To confirm your entries, choose OK.
You have now prepared your development environment for communication with SSL.
Also:
Which version of NWDS are you running?
I know there was a fix in 7.10 SP7 Patch level 3.
Thanks
Kenny
Hello Kenny,
That was exactly what I've done with NWDS.
That brought me to the "Server certificate rejected by ChainVerifier" error.
I replaced jce.jar from my JDK with iaik_jce_export.jar; now I have another error: "Unable to open SSL connection to host "<host>:50001". Peer sent alert: Alert Fatal: handshake failure."
Unfortunately NWDS doesn't give much information about what's happening, so I wrote some code to invoke the "Ping server" action and see what the problem is. Here is the trace I got:
Feb 25, 2011 2:56:53 PM ...ttps.Utils.addIAIKasJDK14Provider () [Thread[main,5,main]] Path: Entering method
Feb 25, 2011 2:56:53 PM ....sap.security.core.server.https.Utils [Thread[main,5,main]] Path: Exiting method
Feb 25, 2011 2:56:53 PM ...re (InputStream is, char[] password) [Thread[main,5,main]] Path: Entering method
Feb 25, 2011 2:56:53 PM ...onContext.setupCredentials(IResponse) [Thread[main,5,main]] Info: authentication scheme changed [new scheme=SSO2]
Feb 25, 2011 2:56:53 PM ...b.protocol.Connection.Connection(URL) [Thread[main,5,main]] Info: connection created [url=https://sz22.adm.gazprom.ru:50001]
Feb 25, 2011 2:56:53 PM ...onContext.setupCredentials(IResponse) [Thread[main,5,main]] Info: authentication scheme changed [new scheme=SSO2]
Feb 25, 2011 2:56:53 PM ...ssionContext(ISessionContext context) [Thread[main,5,main]] Info: session context defined [user=user<XXXXX>, auth<SSO2>, cookies<allowed><privacy:from original host only>,auth=]
Feb 25, 2011 2:56:53 PM ...Store keystore, Object keystoreCreds) [Thread[main,5,main]] Path: Entering method with (java.security.KeyStore@765a16, <null>, <null>, <null>)
Feb 25, 2011 2:56:53 PM ....server.https.SecureConnectionFactory [Thread[main,5,main]] Path: Exiting method
Feb 25, 2011 2:56:53 PM ...ps.Utils.isNonProxyHost(String host) [Thread[main,5,main]] Path: Entering method with (sz22.adm.gazprom.ru)
Feb 25, 2011 2:56:53 PM ...SLClientContext(String [] keyaliases) [Thread[main,5,main]] Path: Entering method with (<null>)
Feb 25, 2011 2:56:53 PM ....server.https.SecureConnectionFactory [Thread[main,5,main]] Warning: SAP Java Crypto Toolkit NOT installed !
Feb 25, 2011 2:56:53 PM ....server.https.SecureConnectionFactory [Thread[main,5,main]] Info: add trusted: Version: 3
Serial number: 3287802320
Signature algorithm: md5WithRSAEncryption (1.2.840.113549.1.1.4)
Issuer: CN=<host name>
Valid not before: Fri Apr 18 10:27:00 MSD 2008
not after: Wed Apr 18 10:27:00 MSD 2018
Subject: CN=<host name>
SunJSSE RSA public key:
public exponent:
010001
modulus:
b9c77b3b b3bcff5a c6276087 7c83477b 2c0df45f ff916342 fdaf37e9 ca9caf09
48d26fad e44c5957 fc5fd940 0dd5b418 a4ff0b92 e3bd3976 2e55bef0 72d64ace
aadc4c2b d921ae84 daadd6a2 dd575496 537c0cd7 b82a9a10 6b03beb4 b3f86ced
0be0b120 d6c12bd6 37e5e524 4b982e99 4dcfc85f 22a54232 216fb818 eb478133
Certificate Fingerprint (MD5) : 0F:8D:78:8C:15:B1:E0:80:A2:46:EE:B9:FF:87:8A:A6
Certificate Fingerprint (SHA-1): A3:79:68:00:A1:B8:7E:49:E1:0D:36:C5:EE:EF:F1:90:D4:8D:EC:BA
Extensions: 1
Feb 25, 2011 2:56:53 PM ....server.https.SecureConnectionFactory [Thread[main,5,main]] Path: Exiting method
Feb 25, 2011 2:56:53 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Starting handshake (iSaSiLk 3.06)...
Feb 25, 2011 2:56:53 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending v3 client_hello message, requesting version 3.1...
Feb 25, 2011 2:56:53 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received alert message: Alert Fatal: handshake failure
Feb 25, 2011 2:56:53 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): SSLException while handshaking: Peer sent alert: Alert Fatal: handshake failure
Feb 25, 2011 2:56:53 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Shutting down SSL layer...
Edited by: Ilya Karnaukhov on Feb 25, 2011 1:07 PM
Feb 25, 2011 2:56:53 PM ....lib.protocol.Connection.openSocket() [Thread[main,5,main]] Path: Caught iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure
at iaik.security.ssl.r.f(Unknown Source)
at iaik.security.ssl.x.b(Unknown Source)
at iaik.security.ssl.x.a(Unknown Source)
at iaik.security.ssl.r.d(Unknown Source)
at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
at iaik.security.ssl.SSLTransport.getInputStream(Unknown Source)
at iaik.security.ssl.SSLSocket.getInputStream(Unknown Source)
at com.tssap.dtr.client.lib.protocol.streams.ChunkedInputStream.<init>(ChunkedInputStream.java:109)
at com.tssap.dtr.client.lib.protocol.streams.ChunkedInputStream.<init>(ChunkedInputStream.java:97)
at com.tssap.dtr.client.lib.protocol.streams.ResponseStream.<init>(ResponseStream.java:65)
at com.tssap.dtr.client.lib.protocol.Connection.prepareSocket(Connection.java:2162)
at com.tssap.dtr.client.lib.protocol.Connection.openSocket(Connection.java:2007)
at com.tssap.dtr.client.lib.protocol.Connection.open(Connection.java:1380)
at com.tssap.dtr.client.lib.protocol.Connection.sendInternal(Connection.java:1534)
at com.tssap.dtr.client.lib.protocol.Connection.send(Connection.java:1427)
at com.sap.lcr.api.cimclient.HttpRequestSender.send(HttpRequestSender.java:341)
at com.sap.lcr.api.cimclient.CIMOMClient.sendImpl(CIMOMClient.java:198)
at com.sap.lcr.api.cimclient.CIMOMClient.send(CIMOMClient.java:146)
at com.sap.lcr.api.cimclient.CIMOMClient.getCIMClass(CIMOMClient.java:545)
at com.sap.lcr.api.cimclient.CIMClient.getCIMClass(CIMClient.java:1185)
at com.sap.lcr.api.cimclient.CIMClient.getCIMClass(CIMClient.java:1196)
at com.sap.lcr.api.cimclient.CIMClient.ping(CIMClient.java:287)
Feb 25, 2011 2:56:53 PM ....lib.protocol.Connection.openSocket() [Thread[main,5,main]] Debug: opening socket failed Unable to open SSL connection to host "<host>:50001". Peer sent alert: Alert Fatal: handshake failure.[host=<host>:50001][protocol=https][connID=16e1fb1][waited 109ms]
com.sap.lcr.api.cimclient.CIMClientException: IO error: Unable to open SSL connection to host "<host>:50001". Peer sent alert: Alert Fatal: handshake failure.
at com.sap.lcr.api.cimclient.HttpRequestSender.send(HttpRequestSender.java:358)
at com.sap.lcr.api.cimclient.CIMOMClient.sendImpl(CIMOMClient.java:198)
at com.sap.lcr.api.cimclient.CIMOMClient.send(CIMOMClient.java:146)
at com.sap.lcr.api.cimclient.CIMOMClient.getCIMClass(CIMOMClient.java:545)
at com.sap.lcr.api.cimclient.CIMClient.getCIMClass(CIMClient.java:1185)
at com.sap.lcr.api.cimclient.CIMClient.getCIMClass(CIMClient.java:1196)
at com.sap.lcr.api.cimclient.CIMClient.ping(CIMClient.java:287)
Caused by: java.io.IOException: Unable to open SSL connection to host "<host>:50001". Peer sent alert: Alert Fatal: handshake failure.
at com.tssap.dtr.client.lib.protocol.Connection.openSocket(Connection.java:2117)
at com.tssap.dtr.client.lib.protocol.Connection.open(Connection.java:1380)
at com.tssap.dtr.client.lib.protocol.Connection.sendInternal(Connection.java:1534)
at com.tssap.dtr.client.lib.protocol.Connection.send(Connection.java:1427)
at com.sap.lcr.api.cimclient.HttpRequestSender.send(HttpRequestSender.java:341)
... 7 more
caused by:
java.io.IOException: Unable to open SSL connection to host "<host>:50001". Peer sent alert: Alert Fatal: handshake failure.
at com.tssap.dtr.client.lib.protocol.Connection.openSocket(Connection.java:2117)
at com.tssap.dtr.client.lib.protocol.Connection.open(Connection.java:1380)
at com.tssap.dtr.client.lib.protocol.Connection.sendInternal(Connection.java:1534)
at com.tssap.dtr.client.lib.protocol.Connection.send(Connection.java:1427)
at com.sap.lcr.api.cimclient.HttpRequestSender.send(HttpRequestSender.java:341)
at com.sap.lcr.api.cimclient.CIMOMClient.sendImpl(CIMOMClient.java:198)
at com.sap.lcr.api.cimclient.CIMOMClient.send(CIMOMClient.java:146)
at com.sap.lcr.api.cimclient.CIMOMClient.getCIMClass(CIMOMClient.java:545)
at com.sap.lcr.api.cimclient.CIMClient.getCIMClass(CIMClient.java:1185)
at com.sap.lcr.api.cimclient.CIMClient.getCIMClass(CIMClient.java:1196)
at com.sap.lcr.api.cimclient.CIMClient.ping(CIMClient.java:287)
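Once the handshake goes through, the traces posted in this thread still say something about what the IDE has agreed to trust: a single self-signed 1024-bit RSA certificate whose signature algorithm is md5WithRSAEncryption, a session negotiated at SSL version 3.1 (TLS 1.0) with a 3DES cipher suite, and a revocation check that V3ChainVerifier logged as skipped. The following is an added example, not code from the thread or from SAP: a Python script that pulls those facts out of the iSaSiLk/V3ChainVerifier debug lines and lists what is weak. The lines in SAMPLE_TRACE are constructed after the traces above, and the thresholds it applies (TLS 1.2, 2048-bit RSA, no MD5 or SHA-1 signatures, no 3DES/RC4/NULL/EXPORT suites) are this example's own choices, not anything NWDS enforces.

```python
"""Pull the security-relevant facts out of an NWDS/iSaSiLk SSL debug trace.

Added example, not code from the thread or from SAP. SAMPLE_TRACE is
constructed after the traces posted in the thread (the Feb 28 handshake and
the "add trusted" certificate dump); the thresholds in assess() are this
example's own choices.
"""
import re

SAMPLE_TRACE = """\
Debug: ssl_debug(1): Server selected SSL version 3.1.
Debug: ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Debug: ssl_debug(1): Server sent a 1024 bit RSA certificate, chain has 1 elements.
Debug: Subject: CN=<host>
Debug: Issuer: CN=<host>
Signature algorithm: md5WithRSAEncryption (1.2.840.113549.1.1.4)
Debug: Unknown error during CertRevoc access. Revocation check failed and will be skipped.
Debug: SSL handshake [succeeded]
"""

# Record-layer version numbers as iSaSiLk prints them, mapped to protocol names.
_VERSION_NAMES = {"3.0": "SSLv3", "3.1": "TLS 1.0", "3.2": "TLS 1.1", "3.3": "TLS 1.2"}

_PATTERNS = {
    "version": re.compile(r"Server selected SSL version (\d+\.\d+)"),
    "cipher": re.compile(r"CipherSuite selected by server: (\S+)"),
    "cert": re.compile(r"Server sent a (\d+) bit (\w+) certificate, chain has (\d+) elements"),
    "subject": re.compile(r"Subject: (.*\S)"),
    "issuer": re.compile(r"Issuer: (.*\S)"),
    "sigalg": re.compile(r"Signature algorithm: (\S+)"),
    "revocation_skipped": re.compile(r"Revocation check failed and will be skipped"),
    "handshake_ok": re.compile(r"SSL handshake \[succeeded\]"),
}


def parse_trace(text):
    """Return a dict of handshake facts found in the trace (absent key = not seen)."""
    facts = {}
    for line in text.splitlines():
        for key, pat in _PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if key == "cert":
                facts["key_bits"] = int(m.group(1))
                facts["key_alg"] = m.group(2)
                facts["chain_len"] = int(m.group(3))
            elif key in ("revocation_skipped", "handshake_ok"):
                facts[key] = True
            else:
                facts[key] = m.group(1)
    return facts


def assess(facts):
    """Return (finding_id, message) pairs for what a successful handshake still leaves weak."""
    findings = []
    version = facts.get("version")
    if version is not None and tuple(int(x) for x in version.split(".")) < (3, 3):
        name = _VERSION_NAMES.get(version, version)
        findings.append(("old_protocol", f"negotiated {name}; TLS 1.2 or later expected"))
    cipher = facts.get("cipher", "")
    if any(weak in cipher for weak in ("3DES", "RC4", "NULL", "EXPORT")):
        findings.append(("weak_cipher", f"cipher suite {cipher} is weak"))
    if facts.get("key_alg") == "RSA" and facts.get("key_bits", 0) < 2048:
        findings.append(("short_key", f"{facts['key_bits']}-bit RSA key; 2048 bits is the floor"))
    subject = facts.get("subject")
    if facts.get("chain_len") == 1 and subject and subject == facts.get("issuer"):
        findings.append(("self_signed",
                         "single self-signed certificate: trust rests only on the copy pinned in the IDE keystore"))
    sigalg = facts.get("sigalg", "")
    if sigalg.lower().startswith(("md5", "sha1")):
        findings.append(("weak_signature", f"certificate signed with {sigalg}"))
    if facts.get("revocation_skipped"):
        findings.append(("revocation_skipped",
                         "revocation status was not checked; a revoked server certificate is still accepted"))
    return findings


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for fid, msg in assess(parse_trace(text)):
        print(f"{fid}: {msg}")
```

Point it at a saved NWDS log (`python trace_review.py nwds.log`) after a "Ping server" run; an empty result means the trace showed nothing below the thresholds, not that the certificate was verified against a CA, which this script does not do.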