03-03-2011 9:47 AM
Hello,
I am facing a problem when I try to forward a certificate to a content server (transaction OAHT)
The system QAS was created as system copy from our productive system PRD.
When I try to send the certifcate I get the error message "SSF kernel error: Signer error"
I deleted re-created the System PSE in transaction STRUST - did not help, too.
When I check this in transaction SSO2, I find a strange thing.
In section Certificate List I find following entry
The Certificate List Is Used To Verify the Digital Signature for the Logon Ticket
/usr/sap/QAS/DVEBMGS01/sec//usr/sap/PRD/DVEBMGS00/sec/SAPSYS.pse
This path above is definetely wrong. The correct path would be /usr/sap/QAS/DVEBMGS01/sec/
Does anybody know where this path is defined?
SECUDIR as environment varaiable is set correctly; the profile parameters are also OK.
In the trace file I can find entries like
N krn_SsfV2_para_GetProfile: SsfOpenProfile failed with rc=23
N *** ERROR => <== krn_SsfV2_para_GetProfile()==208 (SSF_KRN_INPUT_DATA_ERROR) SsfOpenProfile failed [ssfxxkrn.c 1509]
N *** ERROR => <== krn_Ssf_GetOwnCertificate()==208 (SSF_KRN_INPUT_DATA_ERROR) [ssfxxkrn.c 1509]
N krn_SsfV2_para_GetProfile: SsfOpenProfile failed with rc=23
N *** ERROR => <== krn_SsfV2_para_GetProfile()==208 (SSF_KRN_INPUT_DATA_ERROR) SsfOpenProfile failed [ssfxxkrn.c 1509]
N *** ERROR => <== krn_Ssf_GetOwnCertificate()==208 (SSF_KRN_INPUT_DATA_ERROR) [ssfxxkrn.c 1509]
N *** ERROR => <== krn_SsfSign()==205 (SSF_KRN_SIGNER_LIST_ERROR) [ssfxxkrn.c 1509]
I checked lots of similiar issues in different threads here, but nothing helps.
Any ideas?
Thank you
Philipp
Edited by: Philipp Schweizer on Mar 3, 2011 10:48 AM
Edited by: Philipp Schweizer on Mar 3, 2011 10:49 AM
03-03-2011 10:22 AM
What do you have in DIR_INSTANCE? Also check what you have in table SSF_PSE_H for SAPSYS.
Cheers
03-03-2011 11:50 AM
Hi,
DIR_Instance is set to /usr/sap/QAS/DVEBMGS01 - what is correct
In SSF_PSE_H there is only one entry SYSPSE and this is the one I have created.
best regards
03-03-2011 12:23 PM
Hi,
I just quickly checked how that transaction gets path to PSE. Those two values are used so I assumed that problem might be there. If you have basic debugging skills then you can try to see how you get that value. That program is pretty simple. It just reads various things and displays results. You might be able to see how you get that value. I am not connected anymore but I remember that there was text 29 used as headline for that section. So look for 29 and you will find a variable which holds a path to PSE. You can just watch this variable and see how it gets populated.
Cheers
07-12-2013 8:08 AM
Maybe Note 1368534 - Avoiding SSF kernel trace entries gives an answer to the entries in the tracefile.