Hello everyone,

I have the following requirement with SAP PI 7.3 EHP1:

SAP ECC (ABAP Proxy) -> SAP PI -> (HTTPS) SAP SUS

I.m using classic scenario, meaning using ABAP HTTP Adapter for receiver comm channel.

Now, for production systems CA Certificates will be obtained from SAPServerCA, but these will be obtained for Production systems, as for the moment we are in Sandbox landscape to verify if HTTPS with SAP PI it's possible in the customer's scenario, so we do not have CA Certificates for Sandbox servers, my question is, is it possible to make the scenario work in sandbox landscape using self signed certificates obtained from NWA on each system, even if we get a warning regarding the need of CA sign for certificates, or CA certificates are mandatory when trying to use HTTPS in SAP PI?, what I'm trying to define is if scenario is possible without CA in testing environments or the error below it's because I need to obtain CA signed certificates, where I will have to ask for customer to pay for this in this phase, or maybe there is an error in Certificates creation and import tasks by BASIS Team, thanks in advance to everybody for your help and support.

Certificates already created and imported in each system by BASIS Team, but we are getting an error in SAP PI as follows:

  <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>

- <!--  Call Adapter

  -->

- <SAP:Error SOAP:mustUnderstand="1" xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">

  <SAP:Category>XIServer</SAP:Category>

  <SAP:Code area="INTERNAL">CLIENT_RECEIVE_FAILED</SAP:Code>

  <SAP:P1>407</SAP:P1>

  <SAP:P2>ICM_HTTP_SSL_ERROR</SAP:P2>

  <SAP:P3>(See attachment HTMLError for details)</SAP:P3>

  <SAP:P4 />

  <SAP:AdditionalText />

  <SAP:Stack>Error while receiving by HTTP (error code: 407 , error text: ICM_HTTP_SSL_ERROR) (See attachment HTMLError for details)</SAP:Stack>

  <SAP:Retry>A</SAP:Retry>

  </SAP:Error>

In HTML attachment get the following error:

500 Native SSL error

Error is logged with Tag: {00031dc3}

--------------------------------------------------------------------------------

Sat Feb 23 17:14:58 2013

In SAP PI SM59 testing for the HTTP RFC(referenced in receiver comm channel) type T with SSL Active as DEFAULT get error as ICM_HTTP_SSL_ERROR.

Trace in PI ICM:

[Thr 06] Sat Feb 23 17:25:41 2013

[Thr 06] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 06]    session uses PSE file "/usr/sap/XIX/DVEBMGS82/sec/SAPSSLC.pse"

[Thr 06] SecudeSSL_SessionStart: SSL_connect() failed

[Thr 06]   secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 06] >>            Begin of Secude-SSL Errorstack            >>

[Thr 06] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

[Thr 06] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=mvisud.gan.com.mx, OU=I0020314711, O

[Thr 06] ERROR in get_path: (27/0x001b) Found root certificate of <CN=mvisud.gan.com.mx, OU=I0020314711, OU=SAP Web AS, O=SAP Trust

[Thr 06] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=mvisud.gan.com.mx, OU=I0020314711, OU=SAP Web AS, O=SAP

[Thr 06] <<            End of Secude-SSL Errorstack

[Thr 06]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 06]   SSL NI-sock: unix domain socket="/tmp/.sapicm8290"

[Thr 06] <<- ERROR: SapSSLSessionStart(sssl_hdl=60000000075d17f0)==SSSLERR_SSL_CONNECT

[Thr 06] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00031dea} [icxxconn_mt.c 1957]

In STRUST TCode on both systems and error regarding SNC SAPCryptolib under System PSE folder,  even when Local PSE OK message returned and green icon reported.

Thanks again for your answers.

Regards,

Julio Cesar