Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Problems forwarding a certificate

philipp_schweizer
Participant

‎03-03-2011 9:47 AM

0 Kudos

Hello,

I am facing a problem when I try to forward a certificate to a content server (transaction OAHT)

The system QAS was created as system copy from our productive system PRD.

When I try to send the certifcate I get the error message "SSF kernel error: Signer error"

I deleted re-created the System PSE in transaction STRUST - did not help, too.

When I check this in transaction SSO2, I find a strange thing.

In section Certificate List I find following entry

The Certificate List Is Used To Verify the Digital Signature for the Logon Ticket

/usr/sap/QAS/DVEBMGS01/sec//usr/sap/PRD/DVEBMGS00/sec/SAPSYS.pse

This path above is definetely wrong. The correct path would be /usr/sap/QAS/DVEBMGS01/sec/

Does anybody know where this path is defined?

SECUDIR as environment varaiable is set correctly; the profile parameters are also OK.

In the trace file I can find entries like


N  krn_SsfV2_para_GetProfile: SsfOpenProfile failed with rc=23
N  *** ERROR => <== krn_SsfV2_para_GetProfile()==208 (SSF_KRN_INPUT_DATA_ERROR) SsfOpenProfile failed [ssfxxkrn.c   1509]
N  *** ERROR => <== krn_Ssf_GetOwnCertificate()==208 (SSF_KRN_INPUT_DATA_ERROR)  [ssfxxkrn.c   1509]
N  krn_SsfV2_para_GetProfile: SsfOpenProfile failed with rc=23
N  *** ERROR => <== krn_SsfV2_para_GetProfile()==208 (SSF_KRN_INPUT_DATA_ERROR) SsfOpenProfile failed [ssfxxkrn.c   1509]
N  *** ERROR => <== krn_Ssf_GetOwnCertificate()==208 (SSF_KRN_INPUT_DATA_ERROR)  [ssfxxkrn.c   1509]
N  *** ERROR => <== krn_SsfSign()==205 (SSF_KRN_SIGNER_LIST_ERROR)  [ssfxxkrn.c   1509]

I checked lots of similiar issues in different threads here, but nothing helps.

Any ideas?

Thank you

Philipp

Edited by: Philipp Schweizer on Mar 3, 2011 10:48 AM

Edited by: Philipp Schweizer on Mar 3, 2011 10:49 AM

4 REPLIES 4

martin_voros
Active Contributor

‎03-03-2011 10:22 AM

0 Kudos

What do you have in DIR_INSTANCE? Also check what you have in table SSF_PSE_H for SAPSYS.

Cheers

philipp_schweizer
Participant
In response to martin_voros

‎03-03-2011 11:50 AM

0 Kudos

Hi,

DIR_Instance is set to /usr/sap/QAS/DVEBMGS01 - what is correct

In SSF_PSE_H there is only one entry SYSPSE and this is the one I have created.

best regards

martin_voros
Active Contributor
In response to martin_voros

‎03-03-2011 12:23 PM

0 Kudos

Hi,

I just quickly checked how that transaction gets path to PSE. Those two values are used so I assumed that problem might be there. If you have basic debugging skills then you can try to see how you get that value. That program is pretty simple. It just reads various things and displays results. You might be able to see how you get that value. I am not connected anymore but I remember that there was text 29 used as headline for that section. So look for 29 and you will find a variable which holds a path to PSE. You can just watch this variable and see how it gets populated.

Cheers

Former Member

‎07-12-2013 8:08 AM

0 Kudos

Maybe Note 1368534 - Avoiding SSF kernel trace entries gives an answer to the entries in the tracefile.