on 02-27-2013 7:56 PM
Hi,
I am having trouble renewing the SSL Client Standard certificate, which is used for the connection from SAP to external HTTPS.
I have generated a new client SSL PSE from a P12 (validity 02/2015), uploaded it to STRUST, and restarted ICM. But when I call the HTTPS page from SM59 (type G connection to HTTP), I can see an alert in the ICM log regarding an expired certificate. The old certificate expired 21/02/2013, but the messages are about 11/11/2012 (?).
I checked all entries in STRUST/STRUSTSSO2; no such expiration (11.11.2012) was found in any certificate. I tried to delete all entries in STRUST and do everything from scratch, but the message about the expired certificate is still appearing. I have checked the SAPSSLC.pse; all certificates are valid for the next few years.
Please, have you got any idea where this validity could have its origin?
Thank you,
Vaclav
[Thr 140341408675600] session uses PSE file "/usr/sap/MMM/DVEBMGS01/sec/SAPSSLC.pse"
[Thr 140341408675600] SecudeSSL_SessionStart: SSL_connect() failed
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 140341408675600] >> Begin of Secude-SSL Errorstack >>
[Thr 140341408675600] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (101/0x0065) Certificate expired (notbefore=101112113412Z, notafter=121111113412Z, now=13022715
ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=101112113412Z, notafter=121111113412Z, no
[Thr 140341408675600] << End of Secude-SSL Errorstack
[Thr 140341408675600] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 140341408675600] SSL NI-sock: local=172.20.2.140:41932 peer=195.113.95.45:4660
[Thr 140341408675600] <<- ERROR: SapSSLSessionStart(sssl_hdl=0xe42850)==SSSLERR_SSL_CONNECT
[Thr 140341408675600] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {0000004f} [icxxco
Hi Vaclav,
The error message is related to the server's certificate, not the client certificate on the SAP side. You could connect to the same URL with a web browser and then inspect the certificate which the server presents to the browser.
Regards,
Tobias
Hi Tobias,
Thanks for your answer.
I have also checked the server certificates in SAP and these are OK. When I connect to the web page with a browser (with the same client certificate imported) and check the certificates there, everything seems to be fine too and I can connect. All validities are between 2015-20xx.
I tried to change the web address in SM59 to "hostnamexxx", and I still get the same error - that's why I think the error is on the SAP side and the connection doesn't start at all (it seems to me).
Vaclav
Hi,
Can you verify a few things:
1. Does the SAPSSLC.pse have the CA (certification authority) response?
2. Did you try re-creating credentials for yourself (sidadm) using sapgenpse?
3. Once the new certificates are imported, please try recycling SAP (cleanipc, stop the sapstartsrv as well).
Thanks.
Jayesh
Hi,
The issue is solved now. The problem was on the HTTPS page to which we connect (it seems they have some kind of "cluster": on one server/IP the certificate was up-to-date, on another server/IP the certificate is out-of-date). After we forced the connection to the specific=correct server, everything was fine.
Thanks to everybody for your hints!
Vaclav
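The diagnosis reached in this thread, as an added example that is not part of the original posts: decode the validity fields from the ICM trace line quoted above, then handshake with every IP address the server name resolves to, so that a single cluster node with a stale certificate shows up. It assumes the trace fields are ASN.1 UTCTime (YYMMDDHHMMSSZ) and verifies against Python's default trust store rather than SAPSSLC.pse; the function names are made up for this example.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# Line copied from the ICM trace in the thread (it is cut off there after "now=").
TRACE_LINE = ("ERROR in af_verify_Certificates: (101/0x0065) Certificate expired "
              "(notbefore=101112113412Z, notafter=121111113412Z, now=13022715")

def parse_utctime(value):
    """Decode an ASN.1 UTCTime string (YYMMDDHHMMSSZ) with the RFC 5280 pivot year."""
    dt = datetime.strptime(value, "%y%m%d%H%M%SZ")
    yy = int(value[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy  # 50-99 -> 19xx, 00-49 -> 20xx
    return dt.replace(year=year, tzinfo=timezone.utc)

def validity_from_trace(line):
    """Return (not_before, not_after) from a 'Certificate expired' trace line."""
    m = re.search(r"notbefore=(\d{12}Z), notafter=(\d{12}Z)", line)
    if m is None:
        raise ValueError("no validity fields in line")
    return parse_utctime(m.group(1)), parse_utctime(m.group(2))

def check_each_address(host, port=443, timeout=5.0):
    """Handshake with every resolved IP; return {ip: 'ok' or the failure reason}."""
    ctx = ssl.create_default_context()
    results = {}
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    for ip in sorted({info[4][0] for info in infos}):
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw:
                # SNI and hostname checks use the name; the TCP target is one IP.
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[ip] = "ok"
        except ssl.SSLCertVerificationError as exc:
            results[ip] = f"verify failed: {exc.verify_message}"
        except OSError as exc:
            results[ip] = f"connect failed: {exc}"
    return results

if __name__ == "__main__":
    import sys
    print(validity_from_trace(TRACE_LINE))
    if len(sys.argv) > 2:  # hostname and port supplied by the operator
        for ip, status in check_each_address(sys.argv[1], int(sys.argv[2])).items():
            print(ip, status)
```

A node reporting "verify failed: certificate has expired" while its siblings report "ok" matches the situation described in the post above.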
Hello,
You can refer to SAP Note
Note 1094342 - ICM trace contains verification of the server's certificate
Regards,
Yong Luo