cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Http Destination SSL Error

Former Member

on ‎05-28-2012 10:09 AM

0 Kudos

Hello Experts

We are having an annoying problem with some of our RFC destinations of type G ( http ) . We have recently move our SAP application onto a new machine and since then we are facing SSL error.

The SSL error itself is ICM_HTTP_SSL_ERROR

The trace from ICM says

[Thr 2057] ->> SapSSLSetSessionCredential(sssl_hdl=1117bab90, &cred_name=1117baab0)                                                

[Thr 2057]   SapISSLComposeFilename(): Filename = "/usr/sap/PID/DVEBMGS05/sec/SAPSSLC.pse"                                         

[Thr 2057]   SecudeSSL_SetSessionCred(): request for default client credentials                                                    

[Thr 2057] <<- SapSSLSetSessionCredential(sssl_hdl=1117bab90)==SAP_O_K                                                             

[Thr 2057]      in: cred_name = "/usr/sap/PID/DVEBMGS05/sec/SAPSSLC.pse"                                                           

[Thr 2057] IcmConnInitClientSSL: using pse /usr/sap/PID/DVEBMGS05/sec/SAPSSLC.pse, show client certificate if available            

[Thr 2057] ->> SapSSLSetTargetHostname(sssl_hdl=1117bab90, &hostname=1117ba9d0)                                                    

[Thr 2057] <<- SapSSLSetTargetHostname(sssl_hdl=1117bab90)==SAP_O_K                                                                

[Thr 2057]      in: hostname = "www.editest.odeurope.com"                                                                          

[Thr 2057] ->> SapSSLSessionStart(sssl_hdl=1117bab90)                                                                              

[Thr 2057]   SapISSLUseSessionCache(): Creating NEW session (0 cached)                                                             

[Thr 2057] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL                                             

[Thr 2057]    session uses PSE file "/usr/sap/PID/DVEBMGS05/sec/SAPSSLC.pse"                                                       

[Thr 2057] SecudeSSL_SessionStart: SSL_connect() failed --                                                                         

[Thr 2057]   secude_error 536871970 (0x20000422) = "SSL record with the wrong SSLPlaintext.version received"                       

[Thr 2057] >> ---------- Begin of Secude-SSL Errorstack ---------- >>                                                              

[Thr 2057] ERROR in ssl3_get_record: (536871970/0x20000422) SSL record with the wrong SSLPlaintext.version received                

[Thr 2057] << ---------- End of Secude-SSL Errorstack ----------                                                                   

[Thr 2057]   SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"                                                       

[Thr 2057]   No certificate request received from Server                                                                           

[Thr 2057] <<- ERROR: SapSSLSessionStart(sssl_hdl=1117bab90)==SSSLERR_SSL_CONNECT                                                  

[Thr 2057] ->> SapSSLErrorName(rc=-57)                                                                                             

[Thr 2057] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT                                                                              

[Thr 2057] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00040f44} [icxxconn_mt.c 1954] 

[Thr 2057] ->> SapSSLSessionDone(&sssl_hdl=1108c0258)                                                                              

[Thr 2057] <<- SapSSLSessionDone()==SAP_O_K                                                                                        

[Thr 2057]      in: sssl_hdl   = 1117bab90                                                                                         

[Thr 2057]          ... ni_hdl = 235                                                                                               

[Thr 2057] IcmConnConnect(id=4/3908): free MPI request blocks                                                                      

[Thr 2057] MPI<6f0>1c#7 GetInbuf -1 286fe0 319 (1) -> MPI_EOS: End Of Stream                                                       

[Thr 2057] MPI<6f0>1c#8 FreeInbuf#1 0 286fe0  0 -> MPI_OK                                                                          

[Thr 2057] MPI<6ef>e#4 GetOutbuf -1 286fe0 65536 (0) -> a00000040287000 20971520 MPI_OK                                            

[Thr 2057] NiIGetServNo: servicename '50500' = port 50500                                                                          

[Thr 2057] MPI<6ef>e#5 FlushOutbuf -1 1 1 286fe0 2237 6 -> a00000040286fe0 MPI_OK                                                  

[Thr 2057] NiICloseHandle: shutdown and close hdl 235/sock 31                                                                      

[Thr 2057] IcmConnFreeContext: context 4 released                                                                                  

[Thr 2057] IcmServDecrRefCount: gb02ap010sccx.surreycc.gov.uk:1443 - new serv_ref_count: 0                                         

[Thr 2057] IcmWorkerThread: Thread 3: Waiting for event 

Any thoughts or suggestions as to what's going wrong here ? Strangely the same RFC destination on the old machine works fine.

Any ideas would be much appreciated and rewarded.

Thank you

Sudheer

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
‎05-28-2012 10:27 AM
0 Kudos

In the new machine, have you generated the new Server SSL Certificate or imported the old SSL Certificates?

Check also the HostName file on the new Sap PI System (you need to map correctly hostname->ip and maintain the relationship between Hostname and the related SSL Certificate (hostname into the SSL Certificate need to match with RFC's Hostname)

Show replies
Show replies
Former Member
‎05-28-2012 10:57 AM
0 Kudos

Hi Simone

Yes I have imported the old SSL certificate into the new machine. From the trace it looks like SAP is able to reach out to the SSL server , but the Server is either not sending the response back with the certificate or the response is not reaching SAP. Have checked the hostname in RFC and certificate , they are the same.

Former Member
‎05-28-2012 2:54 PM
0 Kudos

Probably this could be a Networking/Firewall issue.

The called system can't reach back your PI System

Former Member
‎05-28-2012 3:52 PM
0 Kudos

I got that particular RFC destination working by manually by specifying proxy server details along with port number.

It turns out that in our old landscape proxy servers were not used to reach internet. But in the new landscape we had to specify  proxy details.

However some of the connections worked even without proxy details which is confusing. I now think the firewall rules are set-up inconsistently.

Thanks for your reply Simone.

Ask a Question