on 11-10-2011 1:25 PM
Hello guys,
I need help with a web service that needs to be interfaced with an HTTPS website.
We have successfully implemented the sapcryptolib and the HTTPS port is available in SMICM.
We imported the certificate on client 000 for SSL - PSE - WS. The certificate is present in every certificate list.
Of course we restarted ICM at the end.
But when we try to connect to this website through SOAMANAGER we get this error (visible in the SMICM trace):
[Thr 1084774720] SecudeSSL_SessionStart: SSL_connect() failed
secude_error 536871970 (0x20000422) = "SSL record with the wrong SSLPlaintext.version received"
[Thr 1084774720] >> Begin of Secude-SSL Errorstack >>
[Thr 1084774720] ERROR in ssl3_get_record: (536871970/0x20000422) SSL record with the wrong SSLPlaintext.version received
[Thr 1084774720] << End of Secude-SSL Errorstack
[Thr 1084774720] SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"
Does any one of you have any advice to give?
Regards
Edited by: Kir Sam on Nov 10, 2011 2:25 PM
This error message usually is linked to a couple of issues.
1. Your Certificate is not right
or
2. A problem with your SAP Cryptographic library.
I would suggest that you update your SAP cryptolib and try again... Also check with the vendor that the certificates are OK.
Regards
Juan
Hello Juan,
Thank you for the quick answer. The SAP crypto library is already updated to the latest version.
Could the problem be related to the customer's certificate? He gave us a self-signed certificate with a .pfx extension.
We tried to import it with sapgenpse but have a problem with the chained certificate named "Root Agency".
Do you have any suggestion?
Regards
Hello, we have made these attempts:
The .PFX certificate is a SELF-SIGNED one made in a .NET environment without a password,
likely by the "MakeCert.exe" program which is provided by the .NET Framework SDK.
By default, the Certificate Creation Tool (MakeCert.exe) creates certificates whose root authority is called "Root Agency." Because the "Root Agency" is not in the Trusted Root Certification Authorities store
The big problem:
The certificate is working on several clients, so we can't ask to change the certificate because this would mean changing the infrastructure of our partner.
Note 662340 - SSF Encryption Using the SAPCryptolib - was implemented.
Below are the tests, without success:
1)
We tried to transcode the certificate to .PEM format with the "OpenSSL" tool.
This is the result:
*************************************************************************
Bag Attributes
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft Strong Cryptographic Provider
friendlyName: PvkTmp:8184c3e4-....-4a6d-a6e5-............
Key Attributes
X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMfNZ+aRxCUwY/Fk
y2k4SokEr60rLQQhVZHpT0MXFxwS/pYw+bfB37Y8YT8/R1FBaWGKqVUaoosVSQJZ
....
ZPEz42NnWPe10Bw=
-----END PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00
subject=/CN=x00Gx00Ux00Nx00_x0...
issuer=/CN=Root Agency
-----BEGIN CERTIFICATE-----
MIIBxjCCAXCgAwIBAgIQpK83Lv0cGqtBuXPxfAWS3zANBgkqhkiG9w0BAQQFADAW
MRQwEgYDVQQDEwtSb290IEFnZW5jeTAeFw0wODEyMzEyMjAwMDBaFw00MDEyMzAy
...
-----END CERTIFICATE-----
*************************************************************************
2)
We tried to remove the PRIVATE KEY section and to import the new certificate in STRUST.
3)
We tried to import the certificate with the "MMC console" into the "Trusted Root Certification Authorities store" section and then to download it with all elements, running a new conversion to .PEM format.
This is the result:
*************************************************************************
Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
friendlyName: {2F0D28D5-A25F-....-816D-............}
Microsoft CSP Name: Microsoft Strong Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMfNZ+aRxCUwY/Fk
y2k4SokEr60rLQQhVZHpT0MXFxwS/pYw+bfB37Y8YT8/R1FBaWGKqVUaoosVSQJZ
...
-----END PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00
subject=/CN=x00Gx00Ux00Nx00_x0...
issuer=/CN=Root Agency
-----BEGIN CERTIFICATE-----
MIIBxjCCAXCgAwIBAgIQpK83Lv0cGqtBuXPxfAWS3zANBgkqhkiG9w0BAQQFADAW
MRQwEgYDVQQDEwtSb290IEFnZW5jeTAeFw0wODEyMzEyMjAwMDBaFw00MDEyMzAy
...
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/CN=Root Agency
issuer=/CN=Root Agency
-----BEGIN CERTIFICATE-----
MIIByjCCAXSgAwIBAgIQBjdsAKoAZIoRz7jUqlw19DANBgkqhkiG9w0BAQQFADAW
MRQwEgYDVQQDEwtSb290IEFnZW5jeTAeFw05NjA1MjgyMjAyNTlaFw0zOTEyMzEy
...
-----END CERTIFICATE-----
*************************************************************************
4)
We tried to follow blogs "Note" -> ERROR: Incomplete certification path -- NEED certificate of "Root-CA"!
With SAPGENPSE we tried to generate a new certificate, adding the Root Agency certificate downloaded with IE.
Command line:
sapgenpse import_p12 -v -r "C:RootAgency.cer" -p "C:CERT.pse" "C:CERT.pfx"
We have a new error:
******************************************************************************
C:CAR tintel>sapgenpse import_p12 -v -r "C:RootAgency.cer" -p "C:CERT.pse" "C:CERT.pfx"
got absolute PSE path "C:CERT.pse".
pkcs12_decode("C:CERT.pfx") ... OK
P12 file version 3
MAC was verified successfully!
MAC algorithm: SHA-1
internal encryption algorithm: pbeWithSHA1........2-CBC
external key shrouding algorithm: pbeWithSHA1And3-........-CBC
minimal iteration count: 2000
SafeBag 1 (int_encryption FALSE):
+ FriendlyName: PvkTmp:8184c3e4-70c0-.....-a6e5-..........
+ LocalKeyID: OctetString (4 octets): 0 01000000 |.... |
(1) Private Key (Info version 0)
AlgId: Algorithm RSA (OID 1.2.840.//////.1.1.1), NULL
SafeBag 2 (int_encryption TRUE):
+ FriendlyName: -
+ LocalKeyID: OctetString (4 octets): 0 01000000 |.... |
(1) X.509 certificate
-
Subject : CN=CERT
Issuer : CN=Root Agency
Serialno: A4:AF:37:2E:FD:1C:1A://://://://:F1:7C:05:92:DF
KeyInfo : RSA, 1024-bit
Validity - NotBefore: Wed Dec 31 23:00:00 2008 (081231220000Z)
NotAfter: Sun Dec 30 23:00:00 2040 (401230220000Z)
-
P12 file contains 2 SafeBags (1 key, 1 cert, 1 keypair, 0 other)
-
PKCS#12/PFX file contains 1 keypair:
1. FriendlyName = "PvkTmp:8184c3e4-70c0-....-a6e5-..........."
X.509v3 (type=Both) RSA-1024 (signed with md5WithRsaEncryption)
Subject="CN=CERT"
Issuer ="CN=Root Agency"
Reading additional certificates from supplied files
Found binary ASN.1 Certificate
-
Subject : CN=Root Agency
Issuer : CN=Root Agency
Serialno: 06:37:6C:00:AA:00:64://://://://:D4:AA:5C:35:F4
KeyInfo : RSA, 512-bit
Validity - NotBefore: Wed May 29 00:02:59 1996 (960528220259Z)
NotAfter: Sun Jan 1 00:59:59 2040 (391231235959Z)
-
Found 1 additional cert in supplied extra files
ERROR in import_p12: (9/0x0009) af_verify_Certificates failed
ERROR in af_verify_Certificates: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints
ERROR in check_basicConstraints: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints
***********************************************************************************
5)
We tried to consume the web service with SoapUI 4.0; we have the same problem:
<s:Fault>
<faultcode xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</faultcode>
<faultstring xml:lang="en-US">An error occurred when verifying security for the message.</faultstring>
</s:Fault>
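The sapgenpse listing in the post above already names the properties that make this chain hard to import. The following script is an added example, not code from the thread: it parses such verbose output and lists the points to raise with the certificate owner. The function names and the 2048-bit threshold are assumptions, and the sample is an excerpt of the output quoted above.

```python
import re

# Excerpt of the sapgenpse -v output quoted in the post above (serials omitted).
SAMPLE = """\
Subject : CN=CERT
Issuer : CN=Root Agency
KeyInfo : RSA, 1024-bit
X.509v3 (type=Both) RSA-1024 (signed with md5WithRsaEncryption)
Subject : CN=Root Agency
Issuer : CN=Root Agency
KeyInfo : RSA, 512-bit
ERROR in check_basicConstraints: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints
"""
MIN_RSA_BITS = 2048  # assumption: a commonly used minimum, not an SAP setting

def parse_certs(text):
    """Return one dict per 'Subject :' block of the verbose listing."""
    certs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(Subject|Issuer|KeyInfo)\s*:\s*(.+)", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "subject":
            cur = {"subject": val}
            certs.append(cur)
        elif cur is not None:
            cur[key] = val
    return certs

def triage(text):
    """List (certificate, finding) pairs worth raising with the certificate owner."""
    certs, out = parse_certs(text), []
    for c in certs:
        bits = re.search(r"RSA, (\d+)-bit", c.get("keyinfo", ""))
        if bits and int(bits.group(1)) < MIN_RSA_BITS:
            out.append((c["subject"], f"RSA-{bits.group(1)} key is below {MIN_RSA_BITS} bits"))
        if c.get("issuer") == c["subject"]:
            out.append((c["subject"], "self-signed, so it must be trusted explicitly"))
    if re.search(r"signed with md5", text, re.I):
        out.append(("keypair", "MD5-based signature algorithm"))
    if "no basic constraints" in text:
        # Inference: the check applies to certificates that issue others in the path.
        issuers = {c.get("issuer") for c in certs if c.get("issuer") != c["subject"]}
        out += [(c["subject"], "issuer in path, likely lacks basicConstraints")
                for c in certs if c["subject"] in issuers]
    return out

if __name__ == "__main__":
    for who, what in triage(SAMPLE):
        print(f"{who}: {what}")
```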