
ICM_HTTP_SSL_ERROR !!

Former Member
0 Kudos

Hi Gurus

Don't know whether this is the right forum for this query. We are trying to execute the Fedex Web-Service with SOAMANAGER, when we create a Logical Port it creates a RFC connection automatically. When I am trying to test the connection it is ending up with the error "ICM_HTTP_SSL_ERROR", I have read many forums and followed the below Notes, which didn't resolve the issue.

1094342 - ICM trace contains verification of the server's certificate

1318906 - Trace analysis of SSL problems

I have imported and added the certificates from FEDEX in STRUST "SSL client SSL Client (Anonymous)", "SSL client SSL Client (Standard)". Surprisingly, I tested by deleting the certificates and ended up with the same error; even after adding the certificates, the same error persists.

The RFC was working a couple of days back; I am not able to make out why it is not working now.

Here is the ICM trace:

trc file: "dev_icm", trc level: 1, release: "701"

sysno 02

sid IDS

systemid 562 (PC with Windows NT)

relno 7010

patchlevel 0

patchno 25

intno 20020600

make: multithreaded, Unicode, 64 bit, optimized

pid 3540

Thr 3552 Fri Mar 04 07:16:23 2011

Thr 3552 TRACE FILE TRUNCATED

Thr 5084 Fri Mar 04 07:17:07 2011

Thr 5084 *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

Thr 5084 session uses PSE file "C:\usr\sap\IDS\DVEBMGS02\sec\SAPSSLA.pse"

Thr 5084 SecudeSSL_SessionStart: SSL_connect() failed

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

Thr 5084 >> Begin of Secude-SSL Errorstack >>

Thr 5084 ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed #

ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "OU=Class 3 Public Primary Certification Auth

ERROR in get_path: (27/0x001b) Found root certificate of <OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.",

ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <OU=Class 3 Public Primary Certification Authority, O="VeriSign,

Thr 5084 << End of Secude-SSL Errorstack

Thr 5084 SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

Thr 5084 SSL NI-sock: local=192.168.0.116:49335 peer=199.81.216.97:443

Thr 5084 <<- ERROR: SapSSLSessionStart(sssl_hdl=000000000A1055D0)==SSSLERR_SSL_CONNECT

Thr 5084 *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn.c 2012]

Please advise me how to catch the right error and rectify and resolve the issue.

Appreciate your help.

Thanks

Sri

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

Did you set up SSL at your end? Is this working fine? Have you tried executing the web service in the browser? Does this work fine?

Regards,

Vamshi.

Former Member
0 Kudos

Hi Vamshi

I haven't tested the link in web-browser, I am trying to resolve the developer issue. I don't have idea about the web-service.

Can you throw some light on setting up the SSL, I remember I haven't setup it earlier as well. But the RFC was working fine and the developer could get the rates from Fedex.

Please advise me what to check and what would be wrong?

Thanks

Sri

Answers (2)

Former Member
0 Kudos

Hi Srikar,

Have you restarted ICM after importing the certificate? If not, please restart ICM and try.

Former Member
0 Kudos

Hi,

After adding the certificate in STRUSTSSO2, did you try to use that in SM59? In the Logon & Security tab, did you specify the default SSL Client?

Also check if the certificate you have installed from Fedex has got any expiry date? In the log it shows the certificate check failed?

Regards,

Vamshi.

Former Member
0 Kudos

Hi Vamshi

Since I have added the Fedex certificates in SSL Client Anonymous, in RFC I have mentioned as Anonymous Client SSL.

The Fedex certificate is Valid till 09/2011.

Still I am facing the same error. Kindly give me some thoughts about this.

Thanks

Srikar

Former Member
0 Kudos

Hi,

Do you use any user credentials to connect to fedex? We do have one scenario like this consuming a web service in our PI7.1 system. We added the certificate in the SSL client standard in Strustsso2. We use uid and pwd to connect so we maintained the same in the RFC. If you don't mind, can you post the ICM trace again please? Is the request going to FED EX? What is the http post your server is sending, and where does it fail? Increase the ICM trace level, and execute the RFC again.

Regards,

Vamshi.

Former Member
0 Kudos

Hi Vamshi

Thanks for the response, Yes we are using user & pwd from Fedex in the RFC. Here is the end of icm trace (level 2):

[icxxconn.c 2321]

[Thr 924] IcmConnConnect(id=5/192): free MPI request blocks

[Thr 924] MPI<3953>4#7 GetInbuf -1 287610 874 (1) -> 6

[Thr 924] MPI<3952>f#4 GetOutbuf -1 227490 65536 (0) -> 0000000004E17500 0

[Thr 924] NiIGetServNo: servicename '8002' = port 1F.42/8002

[Thr 924] MPI<3952>f#5 FlushOutbuf l-1 1 1 227490 2211 6 -> 0000000004E174E0 0

[Thr 924] IcmConnFreeContext: context 5 released

[Thr 924] IcmServDecrRefCount: mercury.vssod.com:8002 - serv_ref_count: 1

[Thr 924] IcmWorkerThread: Thread 5: Waiting for event

[Thr 5068] NiIRead: hdl 12 received data (rcd=2164,pac=1,MESG_IO)

[Thr 5068] NiSelISelectInt: 1 handles selected (1 buffered)

[Thr 5068] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 0

[Thr 5068] IcmRecMsg: received 2164 bytes

[Thr 5068] ============================================

[Thr 5068] | COM_DATA:

[Thr 5068] | Offset: 80 | Version: 7000

[Thr 5068] | MsgNo: 4114 | Opcode: ICM_COM_OP_CONNECT (4)

[Thr 5068] ============================================

[Thr 5068] IcmHandleAdmMsg: op: 4

[Thr 5068] MPI<3955>4#5 PeekSelectInbuf -1 0 856 (1) -> 6

[Thr 5068] IcmHandleAdmMsg: need new slot

[Thr 5068] NiBufDup: ref 1 for buf 000000000A5502B0

[Thr 5068] IcmQueueAppend: queuelen: 1

[Thr 5068] IcmCreateRequest: Appended request 224

[Thr 2040] IcmWorkerThread: worker 4 got the semaphore

[Thr 2040] REQUEST:

Type: CONNECT_TO_SERV Index = 223

[Thr 2040] IcmConnConnect: allocate new conn slot

[Thr 2040] IcmConnCheckStoredClientConn: next client timeout check in 7 sec

[Thr 5068] NiIWrite: hdl 12 sent data (wrt=104,pac=1,MESG_IO)

[Thr 2040] NiBufFree: ref 1 for buf 000000000A5502B0

[Thr 2040] MPI<3955>4#6 PeekSelectInbuf -1 0 856 (1) -> 6

[Thr 2040] IcmConnAssignContext: searching for context:

tid: 0, uid: 1, mode: 0

[Thr 2040] IcmConnConnect: context 5 assigned to tid: 0, uid: 1, mode: 0

[Thr 2040] NiIGetServNo: servicename '8002' = port 1F.42/8002

[Thr 2040] IcmGetServicePtr: new serv_ref_count: 2

[Thr 2040] IcmConnConnect: direct connect to arcdev.wdf.sap.corp:1080

[Thr 2040] NiHsLGetNodeAddr: found hostname 'arcdev.wdf.sap.corp' in cache

[Thr 2040] *** WARNING => Connection request from (0/1/0) to host: arcdev.wdf.sap.corp, service: 1080 failed (NIEHOST_UNKNOWN)

[icxxconn.c 2321]

[Thr 2040] IcmConnConnect(id=5/193): free MPI request blocks

[Thr 2040] MPI<3955>4#7 GetInbuf -1 287610 856 (1) -> 6

[Thr 2040] MPI<3954>f#4 GetOutbuf -1 227490 65536 (0) -> 0000000004E17500 0

[Thr 2040] NiIGetServNo: servicename '8002' = port 1F.42/8002

[Thr 2040] MPI<3954>f#5 FlushOutbuf l-1 1 1 227490 2212 6 -> 0000000004E174E0 0

[Thr 2040] IcmConnFreeContext: context 5 released

[Thr 2040] IcmServDecrRefCount: mercury.vssod.com:8002 - serv_ref_count: 1

[Thr 2040] IcmWorkerThread: Thread 4: Waiting for event

[Thr 5068] NiIRead: hdl 12 received data (rcd=2164,pac=1,MESG_IO)

[Thr 5068] NiSelISelectInt: 1 handles selected (1 buffered)

[Thr 5068] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 0

[Thr 5068] IcmRecMsg: received 2164 bytes

[Thr 5068] ============================================

[Thr 5068] | COM_DATA:

[Thr 5068] | Offset: 80 | Version: 7000

[Thr 5068] | MsgNo: 4115 | Opcode: ICM_COM_OP_CONNECT (4)

[Thr 5068] ============================================

[Thr 5068] IcmHandleAdmMsg: op: 4

[Thr 5068] MPI<3957>4#5 PeekSelectInbuf -1 0 865 (1) -> 6

[Thr 5068] IcmHandleAdmMsg: need new slot

[Thr 5068] NiBufDup: ref 1 for buf 000000000A5502B0

[Thr 5068] IcmQueueAppend: queuelen: 1

[Thr 5068] IcmCreateRequest: Appended request 225

[Thr 3524] IcmWorkerThread: worker 6 got the semaphore

[Thr 3524] REQUEST:

Type: CONNECT_TO_SERV Index = 224

[Thr 3524] IcmConnConnect: allocate new conn slot

[Thr 3524] IcmConnCheckStoredClientConn: next client timeout check in 7 sec

[Thr 5068] NiIWrite: hdl 12 sent data (wrt=104,pac=1,MESG_IO)

[Thr 3524] NiBufFree: ref 1 for buf 000000000A5502B0

[Thr 3524] MPI<3957>4#6 PeekSelectInbuf -1 0 865 (1) -> 6

[Thr 3524] IcmConnAssignContext: searching for context:

tid: 0, uid: 1, mode: 0

[Thr 3524] IcmConnConnect: context 5 assigned to tid: 0, uid: 1, mode: 0

[Thr 3524] NiIGetServNo: servicename '8002' = port 1F.42/8002

[Thr 3524] IcmGetServicePtr: new serv_ref_count: 2

[Thr 3524] IcmConnConnect: direct connect to pswdf009:1081

[Thr 3524] NiHsLGetNodeAddr: found hostname 'pswdf009' in cache

[Thr 3524] *** WARNING => Connection request from (0/1/0) to host: pswdf009, service: 1081 failed (NIEHOST_UNKNOWN)

[icxxconn.c 2321]

[Thr 3524] IcmConnConnect(id=5/194): free MPI request blocks

[Thr 3524] MPI<3957>4#7 GetInbuf -1 287610 865 (1) -> 6

[Thr 3524] MPI<3956>f#4 GetOutbuf -1 227490 65536 (0) -> 0000000004E17500 0

[Thr 3524] NiIGetServNo: servicename '8002' = port 1F.42/8002

[Thr 3524] MPI<3956>f#5 FlushOutbuf l-1 1 1 227490 2201 6 -> 0000000004E174E0 0

[Thr 3524] IcmConnFreeContext: context 5 released

[Thr 3524] IcmServDecrRefCount: mercury.vssod.com:8002 - serv_ref_count: 1

[Thr 3524] IcmWorkerThread: Thread 6: Waiting for event

[Thr 5068] Mon Mar 07 04:09:38 2011

[Thr 5068] NiIRead: hdl 11 received data (rcd=2164,pac=1,MESG_IO)

[Thr 5068] NiSelISelectInt: 1 handles selected (1 buffered)

[Thr 5068] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 1

[Thr 5068] IcmRecMsg: received 2164 bytes

[Thr 5068] ============================================

[Thr 5068] | COM_DATA:

[Thr 5068] | Offset: 80 | Version: 7000

[Thr 5068] | MsgNo: 322 | Opcode: ICM_COM_OP_CONNECT (4)

[Thr 5068] ============================================

[Thr 5068] IcmHandleAdmMsg: op: 4

[Thr 5068] MPI<3959>4#5 PeekSelectInbuf -1 0 379 (1) -> 6

[Thr 5068] IcmHandleAdmMsg: need new slot

[Thr 5068] NiBufDup: ref 1 for buf 000000000A5502B0

[Thr 5068] IcmQueueAppend: queuelen: 1

[Thr 5068] IcmCreateRequest: Appended request 226

[Thr 4600] IcmWorkerThread: worker 9 got the semaphore

[Thr 4600] REQUEST:

Type: CONNECT_TO_SERV Index = 225

[Thr 4600] IcmConnConnect: allocate new conn slot

[Thr 4600] IcmConnCheckStoredClientConn: next client timeout check in 5 sec

[Thr 5068] NiIWrite: hdl 11 sent data (wrt=104,pac=1,MESG_IO)

[Thr 4600] NiBufFree: ref 1 for buf 000000000A5502B0

[Thr 4600] MPI<3959>4#6 PeekSelectInbuf -1 0 379 (1) -> 6

[Thr 4600] IcmConnAssignContext: searching for context:

tid: 24, uid: 6736, mode: 0

[Thr 4600] IcmConnConnect: context 5 assigned to tid: 24, uid: 6736, mode: 0

[Thr 4600] NiIGetServNo: servicename '8003' = port 1F.43/8003

[Thr 4600] IcmGetServicePtr: new serv_ref_count: 2

[Thr 4600] IcmConnConnect: direct connect to gatewaybeta.fedex.com:443

[Thr 4600] NiHsLGetNodeAddr: found hostname 'gatewaybeta.fedex.com' in cache

[Thr 4600] NiIGetNodeAddr: hostname 'gatewaybeta.fedex.com' = addr 199.81.216.97

[Thr 4600] NiIGetServNo: servicename '443' = port 01.BB/0443

[Thr 4600] NiICreateHandle: hdl 17 state NI_INITIAL

[Thr 4600] NiIInitSocket: set default settings for new hdl 17 / sock 7860 (I4; ST)

[Thr 4600] NiIBlockMode: set blockmode for hdl 17 FALSE

[Thr 4600] Mon Mar 07 04:09:39 2011

[Thr 4600] NiICheckPendConnection: connection of hdl 17 to 199.81.216.97:443 established

[Thr 4600] NiIConnect: hdl 17 took local address 192.168.0.116:58865

[Thr 4600] NiIConnect: state of hdl 17 NI_CONNECTED

[Thr 4600] <<- SapSSLSessionInit()==SAP_O_K

[Thr 4600] in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"

[Thr 4600] out: sssl_hdl = 000000000A5502B0

[Thr 4600] NiIBlockMode: set blockmode for hdl 17 TRUE

[Thr 4600] SSL NI-sock: local=192.168.0.116:58865 peer=199.81.216.97:443

[Thr 4600] <<- SapSSLSetNiHdl(sssl_hdl=000000000A5502B0, ni_hdl=17)==SAP_O_K

[Thr 4600] SapISSLComposeFilename(): Filename = "C:\usr\sap\IDS\DVEBMGS02\sec\SAPSSLA.pse"

[Thr 4600] <<- SapSSLSetSessionCredential(sssl_hdl=000000000A5502B0)==SAP_O_K

[Thr 4600] in: cred_name = "C:\usr\sap\IDS\DVEBMGS02\sec\SAPSSLA.pse"

[Thr 4600] <<- SapSSLSetTargetHostname(sssl_hdl=000000000A5502B0)==SAP_O_K

[Thr 4600] in: hostname = "gatewaybeta.fedex.com"

[Thr 4600] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 4600] session uses PSE file "C:\usr\sap\IDS\DVEBMGS02\sec\SAPSSLA.pse"

[Thr 4600] SecudeSSL_SessionStart: SSL_connect() failed --

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 4600] >> Begin of Secude-SSL Errorstack >>

[Thr 4600] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "OU=Class 3 Public Primary Certification Auth

ERROR in get_path: (27/0x001b) Found root certificate of <OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.",

ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <OU=Class 3 Public Primary Certification Authority, O="VeriSign,

[Thr 4600] << End of Secude-SSL Errorstack

[Thr 4600] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 4600] No certificate request received from Server

[Thr 4600] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000000A5502B0)==SSSLERR_SSL_CONNECT

[Thr 4600] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT

[Thr 4600] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn.c 2012]

[Thr 4600] <<- SapSSLSessionDone(sssl_hdl=000000000A5502B0)==SAP_O_K

[Thr 4600] IcmConnConnect(id=5/195): free MPI request blocks

[Thr 4600] MPI<3959>4#7 GetInbuf -1 287610 379 (1) -> 6

[Thr 4600] MPI<3958>f#4 GetOutbuf -1 227490 65536 (0) -> 0000000004E17500 0

[Thr 4600] NiIGetServNo: servicename '8002' = port 1F.42/8002

[Thr 4600] MPI<3958>f#5 FlushOutbuf l-1 1 1 227490 2161 6 -> 0000000004E174E0 0

[Thr 4600] NiICloseHandle: shutdown and close hdl 17 / sock 7860

[Thr 4600] IcmConnFreeContext: context 5 released

[Thr 4600] IcmServDecrRefCount: mercury.vssod.com:8003 - serv_ref_count: 1

[Thr 4600] IcmWorkerThread: Thread 9: Waiting for event

[Thr 4380] Mon Mar 07 04:09:43 2011

[Thr 4380] NiSelISelectInt: 0 handles selected (0 buffered)

[Thr 4380] IcmQueueAppend: queuelen: 1

[Thr 4380] IcmCreateRequest: Appended request 227

[Thr 4016] IcmWorkerThread: worker 0 got the semaphore

[Thr 4016] REQUEST:

Type: SCHEDULER Index = 226

[Thr 4016] IcmGetSchedule: found slot 0

[Thr 4016] IcmAlReportData: Reporting data to CCMS Alerting Infrastructure

[Thr 4016] NiIGetServNo: servicename '8002' = port 1F.42/8002

[Thr 4016] IcmConnCheckStoredClientConn: next client timeout check in 0 sec

[Thr 4016] NiIGetServNo: servicename '8002' = port 1F.42/8002

[Thr 4016] IcmGetServicePtr: new serv_ref_count: 2

[Thr 4016] PlugInHandleAdmMessage: request received:

[Thr 4016] PlugInHandleAdmMessage: opcode: 136, len: 528, dest_type: 2, subhdlkey: 262145

[Thr 4016] HttpSubHandlerCall: Call Handler: HttpCacheHandler, task=4, header_len=0

[Thr 4016] HttpCacheHandler: 4 0 0000000140466F58 0000000000000000

[Thr 4016] SCACHE: adm request received:

[Thr 4016] SCACHE: opcode: 136, len: 528, dest_type: 2, dest:

[Thr 4016] IctCmGetCacheInfo#192 -> 0

[Thr 4016] IcmNetBufWrapBuf: allocated netbuf: 00000000029C9F00, blocks used: 1

[Thr 4016] IcmNetBufWrapBuf: allocated netbuf: 00000000029C9F00

[Thr 4016] IcmNetBufFree: free netbuf: 00000000029C9F00 out of 1 used

[Thr 4016] IcmConnFreeContext: context 5 released

[Thr 4016] IcmServDecrRefCount: mercury.vssod.com:8002 - serv_ref_count: 1

[Thr 4016] IcmWorkerThread: Thread 0: Waiting for event

[Thr 4604] SiSelNSelect: of 1 sockets 0 selected

Do let me know your observations from this trace.

Thanks

Srikar

Former Member
0 Kudos

Hi,

Can you try executing the RFC destination with the SSL status set to inactive in SM59 and check the result?

Also try to delete the Client Anonymous certificate for your server in strustsso2 and recreate one. Then add the FEDEX certificate again and check. There is some issue with the certificates. Also check with FEDEX if they are expecting a client certificate in the response? Then ask them to provide that.

Regards,

Vamshi.

Former Member
0 Kudos

Hi Vamshi

No Fedex don't need any certificate in response. This RFC was working fine 4 days back. Don't know what exactly have changed.

I tried to delete all the certificates in Anonymous, restarted the ICM and tried to add self certificate & Fedex certificates in ACL.

Any other idea or any other try do I need to do ?

Thanks

Srikar

prashb
Participant
0 Kudos

Hi Srikar,

This looks like a problem with the certificate; I don't see "CN=" details. Can you open the FedEx certificate on your desktop and see details like "Issued to" & "Issued by" & certificate path?

Regards

Prashanth

Former Member
0 Kudos

Hi

Here are the details of the Certificate of Fedex:

Issued to: gateway.fedex.com

Issued by: Verisign class 3 Secure Server CA - G2

Valid from 8/30/2010 to 9/22/2011

Do let me know if you need any more inputs.

Thanks

Srikar

prashb
Participant
0 Kudos

Hi Srikar,

Has the problem been resolved? Did you try importing the Verisign root certificate into the strustsso2 anonymous client?

Former Member
0 Kudos

Hi Bidare

Tried to get an answer from SAP, here are the inputs I got from them. Somehow I am not understanding what is missing here.

in this case the PSE being used is the anonymous SSL pse

ie C:\usr\sap\IDS\DVEBMGS02\sec\SAPSSLA.pse. The target system is using

an SSL certificate signed by verisign ->

OU=Class 3 Public Primary Certification Auth

therefore check on verisign's website for the root certificate matching

this - checking it they do have one with the same OU -> import it

into the anonymous SSL pse and test again.

Can you shed some light on this?

Thanks

Sri

Former Member
0 Kudos

Hi All

The issue is resolved by downloading the "OU=Class 3 Public Primary Certification Auth" certificate and adding it to ACL.

Thanks for all the helpful answers.

Regards

Sri
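
Added example, not part of the original thread: a small Python parser that pulls the failing PSE, the target host and the CA named in the Secude error stack out of a dev_icm trace, which is the information that led to the fix above. The function names and the field names in the result are assumptions of this example; the sample lines are copied from the trace posted in the thread.

```python
import re

# Constructed sample: lines copied from the level-2 dev_icm trace in this thread.
SAMPLE_TRACE = r'''
[Thr 4600] IcmConnConnect: direct connect to gatewaybeta.fedex.com:443
[Thr 4600] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 4600] session uses PSE file "C:\usr\sap\IDS\DVEBMGS02\sec\SAPSSLA.pse"
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "OU=Class 3 Public Primary Certification Auth
ERROR in get_path: (27/0x001b) Found root certificate of <OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.",
[Thr 4600] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn.c 2012]
'''

THREAD = re.compile(r'^\[?Thr (\d+)\]?\s+(.*)$')   # level-1 traces omit the brackets
FIELDS = {
    'pse': re.compile(r'session uses PSE file "([^"]+)"'),
    'secude_error': re.compile(r'secude_error (\d+) '),
    'chain_error': re.compile(r'af_verify_Certificates: \(\S+\) ([^:]+?) :'),
    'root_dn': re.compile(r'Found root certificate of <(.+)$'),  # DN is cut off by the trace
}
# SAPSSLA.pse is named as the anonymous client PSE in the thread; SAPSSLC.pse is the standard one.
PSE_NODES = {'SAPSSLA.PSE': 'SSL client (Anonymous)', 'SAPSSLC.PSE': 'SSL client (Standard)'}

def strust_node(pse_path):
    """Map a PSE file path from the trace to the STRUST node that maintains it."""
    return PSE_NODES.get(re.split(r'[\\/]', pse_path)[-1].upper(), 'unknown PSE')

def failed_handshakes(trace):
    """Return one dict per failed outbound SSL handshake in a dev_icm trace."""
    state, current, findings = {}, None, []
    for raw in trace.splitlines():
        m = THREAD.match(raw.strip())
        # Lines without a thread prefix continue the previous thread's message.
        text = m.group(2) if m else raw.strip()
        current = m.group(1) if m else current
        if not text or current is None:
            continue
        ctx = state.setdefault(current, {})
        if 'direct connect to' in text:          # new outbound attempt on this thread
            ctx.clear()
            ctx['target'] = text.rsplit(' ', 1)[-1]
        for key, rx in FIELDS.items():
            hit = rx.search(text)
            if hit:
                ctx.setdefault(key, hit.group(1).rstrip(', '))
        if 'SapSSLSessionStart failed' in text:  # handshake gave up: emit what was collected
            findings.append({'thread': current, **ctx})
            ctx.clear()
    return findings

if __name__ == '__main__':
    for f in failed_handshakes(SAMPLE_TRACE):
        print(f"{f.get('target')}: {f.get('chain_error')}; "
              f"check {strust_node(f.get('pse', ''))} for {f.get('root_dn')}")
```

On a busy system the threads interleave, so a continuation line can be attributed to the wrong thread; compare the result with the raw trace before changing a PSE.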