on 05-17-2012 10:59 AM
I have installed a webdisp in front of our 2 ABAP systems, namely SRM and ECC. Here is the setup.
ECC and SRM instances are on cluster (RAC) and have different host names for message server and CI. It has 2 DI servers too.
so message server SRMabap.abc.com
CI server SRMCI.abc.com
DI srmdi01.abc.com and srmdi02.abc.com
All these hosts have a CA signed certificate.
Now I installed a webdispatcher in front of it on a different host and got the certificate signed by CA. So it has SSL.
Both abap and webdisp only have SAPSSLS.pse not client pse
I am using following webdisp profile
wdisp/system_0 = SID=SRM, MSHOST=srmabap.abc.com, MSSPORT=8142, SRCSRV=*:8000
wdisp/system_1 = SID=ECC, MSHOST=eccabap.abc.com, MSSPORT=8140, SRCSRV=*:8080
icm/server_port_0 = PROT=HTTP,PORT=80, EXTBIND=1
icm/server_port_1 = PROT=HTTPS,PORT=443, EXTBIND=1
exe/icmbnd = /sapmnt/WD1/exe/uc/linuxx86_64/icmbnd.new
icm/server_port_2 = PROT=HTTPS,PORT=8000
icm/server_port_3 = PROT=HTTPS,PORT=8080
wdisp/ssl_certhost = *.abc.com
wdisp/HTTPS/dest_logon_group = HTTPS
ssl/server_pse =/usr/sap/WD1/W00/sec/SAPSSLS.pse
wdisp/ssl_cred =SAPSSLS.pse
icm/HTTPS/verify_client = 1
wdisp/ssl_cred = /usr/sap/WD1/W00/sec/cred_v2
wdisp/HTTPS/dest_logon_group = HTTPS
wdisp/HTTPS/max_client_ip_entries = 100000
wdisp/HTTPS/sticky_mask = 255.255.255.255
Now when I do check config and after starting and processing a request I get this error.
Issuer DN: CN=GeoTrust SSL CA, O="GeoTrust, Inc.", C=US
[Thr 1103399232] Current Cipher: TLS_RSA_WITH_AES128_CBC_SHA
[Thr 1103399232] MatchTargetName("*.abc.com", dNSName="srmci.abc.com") MISmatch
[Thr 1103399232] MatchTargetName("*.abc.com", CN="srmci.abc.com") MISmatch
[Thr 1103399232] <<- ERROR: SapSSLSessionStart(sssl_hdl=b2bb210)==SSSLERR_SERVER_CERT_MISMATCH
ERROR: SapSSLSessionStart(sssl_hdl=2aaab4000a20)==SSSLERR_SERVER_CERT_MISMATCH
[Thr 1147722048] SSL NI-sock: local=166.77.8.63:30121 peer=166.77.193.77:8142
[Thr 1147722048] <<- ERROR: SapSSLSessionStart(sssl_hdl=2aaab402e640)==SSSLERR_SERVER_CERT_MISMATCH
When webdisp queries the app servers it gets srmabap.abc.com and it does not have any certificate installed.
How to solve this?
When I do telnet to the MSSPORT from webdisp it's working. When I do a direct HTTPS request to the individual servers it's working. What is it that I am missing here?
Hello Joshi,
Please note that the message "SSSLERR_SERVER_CERT_MISMATCH" is telling you that the certificate received does not match the actual hostname of the sender; it means that a remote host is sending a certificate that should not belong to it.
Let me try to give you a more concrete example:
Certificate with CN = aaa.bbb.com, but installed in host ccc.bbb.com.
The correct certificate for ccc.bbb.com would have the CN = ccc.bbb.com.
So, you need to identify the host that is sending the incorrect certificate and replace it with a valid (correct) certificate.
Please, see also note 1318906.
I hope this helps you.
Regards,
Blanca
As I wrote earlier I have 3 hosts where the ABAP instance is installed and they all have a CA-signed certificate, but the message server is on sapsrmabap.abc.com and it does not have a valid CA-signed certificate.
When I ran the trace with 3,
It queries the message server, gets the name and loads the CI certificate, as I pointed the CI SSL.pse to the message server PSE (with the cluster setup I have an ASCS instance which has its own sec directory, but I softlinked it to the CI SSL.pse).
Once it gets the certificate it throws this error
Current Cipher: TLS_RSA_WITH_AES128_CBC_SHA
[Thr 1103399232] MatchTargetName("*.abc.com", dNSName="sapsrmci.abc.com") MISmatch
[Thr 1103399232] MatchTargetName("*.abc.com", CN="sapsrmci.abc.com") MISmatch
[Thr 1103399232] <<- ERROR: SapSSLSessionStart(sssl_hdl=b221a60)==SSSLERR_SERVER_CERT_MISMATCH
So it's mismatching that *.abc.com and the real certificate.
If I get rid of that still I get SSL_MISMATCH error.
Do I need to use one signed certificate on the message server and copy that SSL PSE to all (CI and DI app servers)?
I checked the note it says
Solution: You must be able to access the server under the address for which the certificate was issued. For example, if the server certificate was issued to the name "CN=www.sap.com, C=DE", then you must be able to access the server using the URL "https://www.sap.com".
so does that mean I should use only one "DN" for all app servers?
Kedar
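The check behind the MatchTargetName lines in the trace above, and behind Blanca's example of a certificate issued to one host but presented by another, is plain host-name matching: the name the client expects (here the value configured in wdisp/ssl_certhost) is compared against the dNSName and CN entries of the certificate the backend presents. The following is an added example, not SAP code, that implements that matching with RFC 6125 wildcard rules and renders the result in the trace's format. The ServerCert objects, host names and the trace_lines renderer are constructed for illustration; in particular, the wildcard only has pattern meaning on the certificate side, which is why an expected name of "*.abc.com" is compared literally and mismatches "srmci.abc.com".

```python
# Added example (not SAP's code): RFC 6125-style host-name matching of the kind
# the MatchTargetName trace lines report. Certificates and names are constructed.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ServerCert:
    """Minimal view of the identity a server certificate carries."""
    cn: str                                                  # Subject CN
    dns_names: List[str] = field(default_factory=list)       # subjectAltName dNSName entries


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def match_target_name(expected: str, presented: str) -> bool:
    """Does the name the certificate presents cover the host we expected?

    The wildcard is only meaningful on the certificate side. An expected
    (reference) name such as "*.abc.com" is compared literally, which is why
    "*.abc.com" vs "srmci.abc.com" is reported as a MISmatch.
    """
    exp, pres = _labels(expected), _labels(presented)
    if "*" in expected:
        return exp == pres                   # no pattern semantics for the reference identity
    if len(exp) != len(pres) or exp[1:] != pres[1:]:
        return False                         # a wildcard never spans label boundaries
    if pres[0] == "*":
        return len(pres) >= 3                # "*.abc.com" is acceptable; "*.com" is refused
    return exp[0] == pres[0]                 # partial wildcards like "srm*" are not supported


def verify_server_cert(expected: str, cert: ServerCert) -> Tuple[bool, List[Tuple[str, str, bool]]]:
    """Check every identifier the certificate carries against the expected host.

    Returns (accepted, checks); each check is (kind, name, matched). As in the
    trace, dNSName entries are tried first and the CN last.
    """
    checks = [("dNSName", n, match_target_name(expected, n)) for n in cert.dns_names]
    checks.append(("CN", cert.cn, match_target_name(expected, cert.cn)))
    return any(ok for _, _, ok in checks), checks


def trace_lines(expected: str, cert: ServerCert) -> List[str]:
    """Render the checks in the format of the ICM trace quoted in the thread."""
    _, checks = verify_server_cert(expected, cert)
    return [f'MatchTargetName("{expected}", {kind}="{name}") {"match" if ok else "MISmatch"}'
            for kind, name, ok in checks]


# Constructed (hypothetical) certificates named after the hosts in the thread.
SRMCI_CERT = ServerCert(cn="srmci.abc.com", dns_names=["srmci.abc.com"])
WILDCARD_CERT = ServerCert(cn="*.abc.com", dns_names=["*.abc.com"])
MULTI_SAN_CERT = ServerCert(
    cn="srmabap.abc.com",
    dns_names=["srmabap.abc.com", "srmci.abc.com", "srmdi01.abc.com", "srmdi02.abc.com"],
)

if __name__ == "__main__":
    for line in trace_lines("*.abc.com", SRMCI_CERT):      # reproduces the thread's mismatch
        print(line)
    print(verify_server_cert("srmci.abc.com", SRMCI_CERT)[0])       # True: right cert, right host
    print(verify_server_cert("srmabap.abc.com", SRMCI_CERT)[0])     # False: Blanca's case
    print(verify_server_cert("srmdi02.abc.com", MULTI_SAN_CERT)[0]) # True: SAN covers the host
```

Two consequences follow for the setup in the thread: the expected name must be the host name the Web Dispatcher actually connects to (one value per backend, not a wildcard), and every host the dispatcher talks to must present a certificate whose dNSName or CN covers that host name, whether that is one certificate per host, a wildcard certificate issued to *.abc.com, or a single certificate whose subjectAltName lists all of the hosts.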