SAP web dispatcher SSL - SSSLERR_SERVER_CERT_MISMATCH

Former Member

I have installed a webdisp in front of our 2 ABAP systems, namely SRM and ECC. Here is the setup.

The ECC and SRM instances are on a cluster (RAC) and have different host names for the message server and the CI. There are 2 DI servers too.

So:

message server    SRMabap.abc.com
CI server         SRMCI.abc.com
DI                srmdi01.abc.com and srmdi02.abc.com

All these hosts have a CA signed certificate.

Now I installed a webdispatcher in front of it on a different host and got the certificate signed by CA. So it has SSL.

Both the ABAP systems and the webdisp only have SAPSSLS.pse, not a client PSE.

I am using following webdisp profile

wdisp/system_0 = SID=SRM, MSHOST=srmabap.abc.com, MSSPORT=8142, SRCSRV=*:8000

wdisp/system_1 = SID=ECC, MSHOST=eccabap.abc.com, MSSPORT=8140, SRCSRV=*:8080

icm/server_port_0 = PROT=HTTP,PORT=80, EXTBIND=1

icm/server_port_1 = PROT=HTTPS,PORT=443, EXTBIND=1

exe/icmbnd = /sapmnt/WD1/exe/uc/linuxx86_64/icmbnd.new

icm/server_port_2 = PROT=HTTPS,PORT=8000

icm/server_port_3 = PROT=HTTPS,PORT=8080

wdisp/ssl_certhost = *.abc.com

wdisp/HTTPS/dest_logon_group = HTTPS

ssl/server_pse =/usr/sap/WD1/W00/sec/SAPSSLS.pse

wdisp/ssl_cred =SAPSSLS.pse

icm/HTTPS/verify_client = 1

wdisp/ssl_cred = /usr/sap/WD1/W00/sec/cred_v2

wdisp/HTTPS/dest_logon_group = HTTPS

wdisp/HTTPS/max_client_ip_entries = 100000

wdisp/HTTPS/sticky_mask = 255.255.255.255

Now when I check the config, and after starting and processing a request, I get this error.

Issuer  DN: CN=GeoTrust SSL CA, O="GeoTrust, Inc.", C=US

[Thr 1103399232]   Current Cipher: TLS_RSA_WITH_AES128_CBC_SHA

[Thr 1103399232]   MatchTargetName("*.abc.com", dNSName="srmci.abc.com") MISmatch

[Thr 1103399232]   MatchTargetName("*.abc.com", CN="srmci.abc.com") MISmatch

[Thr 1103399232] <<- ERROR: SapSSLSessionStart(sssl_hdl=b2bb210)==SSSLERR_SERVER_CERT_MISMATCH

ERROR: SapSSLSessionStart(sssl_hdl=2aaab4000a20)==SSSLERR_SERVER_CERT_MISMATCH

[Thr 1147722048]   SSL NI-sock: local=166.77.8.63:30121  peer=166.77.193.77:8142

[Thr 1147722048] <<- ERROR: SapSSLSessionStart(sssl_hdl=2aaab402e640)==SSSLERR_SERVER_CERT_MISMATCH

When the webdisp queries the app servers it gets srmabap.abc.com, and that host does not have any certificate installed.

How to solve this?

When I telnet to the MSSPORT from the webdisp it works. When I send HTTPS requests directly to the individual servers it works. What is it that I am missing here?


Answers (1)


blanca_serrano
Advisor

Hello Joshi,

Please note that the message "SSSLERR_SERVER_CERT_MISMATCH" is telling
you that the certificate received does not match the actual hostname of
the sender; it means that a remote host is sending a certificate that
should not belong to it.

Let me try to give you a more concrete example:

   Certificate with CN = aaa.bbb.com, but installed in host ccc.bbb.com.


The correct certificate for ccc.bbb.com would have the CN = ccc.bbb.com.

So, you need to identify the host that is sending the incorrect certificate and replace it with a valid (correct) certificate.

Please, see also note 1318906.

I hope this helps you.

Regards,

Blanca

Former Member

As I wrote earlier, I have 3 hosts where the ABAP instance is installed and they all have a CA signed certificate, but the message server is on sapsrmabap.abc.com and it does not have a valid CA signed certificate.

When I ran the trace with 3, it queries the message server, gets the name and loads the CI certificate, as I pointed the CI SSL.pse to the message server PSE (with the cluster setup I have an ASCS instance which has its own sec directory, but I softlinked it to the CI SSL.pse).

Once it gets the certificate it throws this error:

Current Cipher: TLS_RSA_WITH_AES128_CBC_SHA

[Thr 1103399232]   MatchTargetName("*.abc.com", dNSName="sapsrmci.abc.com") MISmatch

[Thr 1103399232]   MatchTargetName("*.abc.com", CN="sapsrmci.abc.com") MISmatch

[Thr 1103399232] <<- ERROR: SapSSLSessionStart(sssl_hdl=b221a60)==SSSLERR_SERVER_CERT_MISMATCH

So it is mismatching *.abc.com and the real certificate.

If I get rid of that, I still get the SSL_MISMATCH error.

Do I need to use one signed certificate on the message server and copy that SSL to all (CI and DI app servers)?

I checked the note; it says:

Solution:You must be able to access the server under the address for which the certificate was issued. For example, if the server certificate was issued to the name "CN=www.sap.com, C=DE", then you must be able to access the server using the URL "https://www.sap.com".

So does that mean I should use only one "DN" for all app servers?

Kedar
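Host name matching of the kind the trace lines show, as an added example that is not part of this thread or of SAP's code: it implements the RFC 6125 rules for comparing a certificate's dNSName/CN entries with the host a client expects, which is why an expected name of *.abc.com can never match a certificate issued to srmci.abc.com (the wildcard belongs in the certificate, as the last scenario shows). The host names are the thread's; the wildcard-certificate case is a constructed illustration that goes beyond the posts, and SAP's own MatchTargetName may differ in detail from these rules.

```python
"""RFC 6125-style host name verification, using the thread's host names.
A wildcard only has meaning inside the certificate's identifier, never in the
name the client expects; hence MatchTargetName("*.abc.com", ...) MISmatch."""


def match_dns_name(presented, expected):
    """True if certificate identifier `presented` covers host name `expected`.

    Case-insensitive. '*' is accepted only as the whole left-most label,
    matches exactly one label and needs two further labels ('*.com' is refused).
    """
    p_labels = presented.lower().rstrip(".").split(".")
    e_labels = expected.lower().rstrip(".").split(".")
    if "*" not in presented:
        # No wildcard in the certificate: an expected "*.abc.com" simply
        # compares unequal to the concrete label "srmci".
        return p_labels == e_labels
    if p_labels[0] != "*" or "*" in ".".join(p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(e_labels) == len(p_labels) and p_labels[1:] == e_labels[1:]


def verify_server_identity(expected_host, san_dns_names=(), subject_cn=None):
    """Check a server certificate against the host the client meant to reach.

    SAN dNSName entries are authoritative; the CN is used only when there are
    none. Returns (ok, checked) with (identifier, matched) pairs in order tried.
    """
    candidates = list(san_dns_names) or ([subject_cn] if subject_cn else [])
    checked = []
    for name in candidates:
        ok = match_dns_name(name, expected_host)
        checked.append((name, ok))
        if ok:
            return True, checked
    return False, checked


def thread_scenarios():
    """The combinations discussed in the thread, using its host names."""
    cert_ci = {"san_dns_names": ["srmci.abc.com"], "subject_cn": "srmci.abc.com"}
    return {
        # wdisp/ssl_certhost = *.abc.com as the expected name: the trace's MISmatch
        "wildcard_as_expected_name": verify_server_identity("*.abc.com", **cert_ci)[0],
        # message server name the dispatcher connects to, against the CI certificate
        "mshost_vs_ci_cert": verify_server_identity("srmabap.abc.com", **cert_ci)[0],
        # the CI's own name against its own certificate
        "ci_host_vs_ci_cert": verify_server_identity("srmci.abc.com", **cert_ci)[0],
        # constructed: a single wildcard certificate for *.abc.com covers every instance
        "wildcard_cert": verify_server_identity("srmabap.abc.com", ["*.abc.com"])[0],
    }
```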