
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete

Former Member
0 Kudos

Hello All,

Please help with the issue below that I'm facing.

Our scenario is https--->WebDis(https)-->ABAP

We will have to use wdisp/ssl_encrypt = 2 (SSL re-encryption).

We are generating certificates using service.sap.com/tcs for POD

I've done the following.

Created SAPSSL.pse, SAPSSLC on Webdispatcher

Generated a .cer (PKCS#7 certificate chain) file from TCS and imported it to the PSE

For WAS (ABAP) created a .pse and generated a .cer from TCS with option (SAP Web Application Server 6.20 and newer), ex: wascer.cer

Imported the wascer.cer to the SAPSSLC.pse (using the import_pk option).

Now the trace file and checkconfig show "Error in PKs root"

What could be the issue? I've searched a lot in SDN; a similar issue is resolved by upgrading the kernel. We are on 7.20, so I guess a kernel update is not an issue.

Can you guys help on this issue?

Server info will be retrieved from host: myhostname:8123 with protocol: https

Checking connection to message server...

[Thr 4084] Thu Oct 17 20:05:39 2013

[Thr 4084] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 4084]    session uses PSE file "E:\usr\sap\WD0\W22\sec\SAPSSLC.pse"

[Thr 4084] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 4084]   secude_error 536872221 (0x2000051d) = "Server's certificate (chain) is untrusted (or incomplete)"

[Thr 4084] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 4084] ERROR in ssl3_get_server_certificate: (536872221/0x2000051d) Server's certificate (chain) is untrusted (or incomplete)

[Thr 4084] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=myhostname.com, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community, C=SE"                    

[Thr 4084] ERROR in get_path: (27/0x001b) Found root certificate of <CN=myhostname.com, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community,C=SE> which does not fit the given PKRoot

[Thr 4084] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=myhostname.com, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community, C=SE> which does not fit the given PKRoot

[Thr 4084] << ---------- End of Secude-SSL Errorstack ----------

[Thr 4084]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 4084]   SSL NI-sock: local=10.64.144.110:61783  peer=10.64.144.108:8123

[Thr 4084] <<- ERROR: SapSSLSessionStart(sssl_hdl=00000000004DA370)==SSSLERR_SSL_CONNECT

George

Accepted Solutions (0)

Answers (6)

Former Member
0 Kudos

Yes I see CN=*.domain.ext

sapgenpse maintain_pk -p SAPSSLC.PSE -l

SubjectName:   CN=*.domain.ext, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community, C=DE

IssuerName:    CN=*.domain.ext, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community, C=DE

No matter what I do, it always throws an SSSLERR_SERVER_CERT_MISMATCH

Regards,

George

Former Member
0 Kudos

Hi George,

Check the Note 1318906 - Trace analysis of SSL problems

Regards

Ram

Former Member
0 Kudos

Hello All,

I've got this error message resolved by making my Webdispatcher and backend system trusted; I added the self-signed certificate to make it trusted.

But I still get this error:

[Thr 2508] *** ERROR => Could not connect to SAP Message Server at xxx.

I'm closing this message as the error for this message is resolved.

Thanks all for your help.

Regards,

George.

Former Member
0 Kudos

Hello All

The trace still shows the following information. How do I make the client connect to the backend system (ABAP) via an https connection?

[Thr 2800] Fri Oct 18 10:09:10 2013

[Thr 2800] SSL NI-sock: local=10.61.111.110:64198 peer=10.64.121.96:8123

[Thr 2800] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000000CCDFB20)==SSSLERR_SERVER_CERT_MISMATCH

[Thr 2800] *** ERROR => Could not connect to SAP Message Server at ABAPSYTEM.COM URL=/msgserver/text/logon?version=1.2 [icrxx.c 3878]

[Thr 2800] *** ERROR => rc=-1, HTTP response code: 404 [icrxx.c 3879]

Former Member
0 Kudos

Hi George ,

Did you use a "*.domain.com" request for a certificate?

Regards

Ram

Former Member
0 Kudos

Hi,

Please check the guide below, as it's difficult since I don't have the profile of the dispatcher.

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60b1edfb-2a5c-2d10-2294-d1777056c...

So you are trying to do the 2.2 SSL Re-encryption.

icm/server_port_0 = PROT=HTTPS,PORT=60000

wdisp/ssl_encrypt = 2

icm/HTTPS/verify_client = 0

wdisp/ssl_certhost = sgpss059vm01.sin.sap.corp

Thanks

Rishi Abrol

Former Member
0 Kudos

Hi Rishi, Thanks for your reply..

Yes, I followed the document, but I have created an additional client .PSE file.

I'm trying to do 2.2 SSL Re-encryption.

No matter what I do, I always end up with SSSLERR_SERVER_CERT_MISMATCH.

There are no errors that I can see apart from this.

Here is my profile:

rdisp/mshost = ABAPSERVER.COM

ms/https_port = 8123

icm/host_name_full = WEBDISPATCHER.COM

icm/server_port_0 = PROT=HTTP,HOST=WEBDISPATCHER,PORT=8212

icm/server_port_1 = PROT=HTTPS,HOST=WEBDISPATCHER,PORT=4086

icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=8212

 

icm/HTTPS/verify_client = 0

icm/HTTPS/trust_client_with_issuer  = CN=*

icm/HTTPS/trust_client_with_subject = CN=*

_WD = $(DIR_EXECUTABLE)\sapwebdisp$(FT_EXE)

Start_Program_00 = local $(_WD) pf=$(_PF)

ssl/ssl_lib = E:\usr\sap\WD0\W22\sec\sapcrypto.dll

ssl/server_pse = E:\usr\sap\WD0\W22\sec\SAPSSLS.pse

ssl/client_pse = E:\usr\sap\WD0\W22\sec\SAPSSLC.pse

sec/libsapsecu = $(ssl/ssl_lib)

ssf/ssfapi_lib = $(ssl/ssl_lib)

SETENV_01 = SECUDIR=$(DIR_INSTANCE)/sec

wdisp/add_clientprotocol_header = 1

wdisp/server_info_protocol = https

wdisp/ssl_encrypt = 2

wdisp/ssl_certhost = ABAPSERVER.COM
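
The traces in this thread show two different failures: the "does not fit the given PKRoot" lines concern the trust anchor in the client PSE, while SSSLERR_SERVER_CERT_MISMATCH concerns the name in the backend certificate versus the host name the Web Dispatcher expects (wdisp/ssl_certhost). The following Python triage is an added example, not code from any poster or from SAP; the trace lines are copied from the posts as a constructed sample. The category labels, the function names and the single-label wildcard rule are assumptions of this example, and the SAP library may compare names differently.

```python
import re

# Constructed sample: trace lines copied from the posts in this thread.
TRACE = """\
[Thr 4084] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=myhostname.com, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community, C=SE"
[Thr 4084] ERROR in get_path: (27/0x001b) Found root certificate of <CN=myhostname.com, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community,C=SE> which does not fit the given PKRoot
[Thr 2800] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000000CCDFB20)==SSSLERR_SERVER_CERT_MISMATCH
"""

# Trace pattern -> category. "trust": issuer/root missing from the client PSE.
# "name": certificate name differs from the expected host. (Example's own labels.)
RULES = [
    (re.compile(r"Chain of certificates is incomplete|does not fit the given PKRoot"), "trust"),
    (re.compile(r"SSSLERR_SERVER_CERT_MISMATCH"), "name"),
]
THREAD = re.compile(r"\[Thr (\d+)\]")
DN_CN = re.compile(r"CN=([^,>\"]+)")

def triage(trace):
    """Return (thread, category, certificate CN or None) for each matching line."""
    findings = []
    for line in trace.splitlines():
        thr = THREAD.match(line)
        for pattern, category in RULES:
            if pattern.search(line):
                cn = DN_CN.search(line)
                findings.append((thr.group(1) if thr else None, category,
                                 cn.group(1).strip() if cn else None))
                break
    return findings

def cn_matches_host(cn, host):
    """Case-insensitive match; '*.' covers exactly one left-most label (assumed rule)."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if not cn.startswith("*."):
        return cn == host
    suffix = cn[1:]                      # e.g. ".domain.ext"
    head = host[:-len(suffix)]           # what the wildcard would have to cover
    return host.endswith(suffix) and head != "" and "." not in head

if __name__ == "__main__":
    for thread, category, cn in triage(TRACE):
        print(f"Thr {thread}: {category} problem, certificate CN={cn}")
    # CN from the maintain_pk listing vs. wdisp/ssl_certhost from the profile
    print(cn_matches_host("*.domain.ext", "ABAPSERVER.COM"))
```

A "trust" finding is checked against the `sapgenpse maintain_pk -p SAPSSLC.pse -l` listing; a "name" finding is checked by comparing the backend certificate's CN with the value of wdisp/ssl_certhost.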

Former Member
0 Kudos

Hi,

Can you please try this.

Run tcode SMMS in the ABAP system. Once you are there, open Goto=>Parameters=>Display

Please check that

ms/https_port is set to 8123

icm/server_port_1 = PROT=HTTPS,PORT=4086

wdisp/system_1 = SID=ABAP SYSTEM SID, MSHOST=ABAPSERVER, MSPORT=8123, SRCSRV=*:4086

Try to # the entries below.

#rdisp/mshost = ABAPSERVER.COM

#ms/https_port = 8123

Don't forget to take a copy of the profile, so that you can restore it if I have made a mistake.

Thanks

Rishi Abrol

Former Member
0 Kudos

Hi Georg wang,

Below notes will be a good reference to you:

Note 506314 - SAPHTTP and SSL

Note 1318906 - Trace analysis of SSL problems

Note 1094342 - ICM trace contains verification of the server's certificate

Regards

Ram

Former Member
0 Kudos

Hi,

Please check the notes below, which will help you.

OSS 510007 - Setting up SSL on Web Application Server ABAP

OSS 1770585 - How to configure SSL on the AS Java

OSS 694290

OSS 1799620 - Logs required for analysis of SSL related issues

OSS 1688991 - How To Test A WebDynpro Java Application Outside The Enterprise Portal

OSS 1800901 - SLT: 500 Connection timed out after logging into WebDynpro via transaction LTR

BR,

Prabhakar

former_member188883
Active Contributor
0 Kudos

Hi George,

Could you check SAP Note 694290?

Hope this helps.

Regards,

Deepak Kori

Former Member
0 Kudos

Hi,

Thanks for your advice. I followed Note 1094342, exported the root certificate from STRUST of the WAS and imported it to the Web Dispatcher (import_pk),

but the result is the same: the "which does not fit the given PKRoot" error shows.

Found root certificate of <CN=b001host.com, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot

where "b001host.com" is our backend (ABAP) system.

Not sure what could be the problem.

Note 694290 seems not relevant to us, as our backend system is ABAP.

Regards,

George

Sriram2009
Active Contributor
0 Kudos

Hi George

Kindly refer to SAP Note 1249794 - Call of the involved service for SOAMANAGER fails

Regards

Sriram

Former Member
0 Kudos

Hi,

First of all, I would check the things below.

At the start of the process you would have generated the CSR file and then gone to some web site and got the .cer file.

You would have received the Root and CA and you would have imported them in the Web Dispatcher.

You can run this command to check this:

sapgenpse maintain_pk -p SAPSSLS.pse -l

Now comes the turn of the backend system in strustsso2.

For the System PSE: right-click SYSTEM PSE and choose replace. A pop-up screen displays.

CN=<SID>, OU=ABAP System, O=<give the company that you gave while creating for web dispatcher>, C=<give the company that you gave while creating for web dispatcher>

Hope you have already downloaded the crypto file so you can do this for all the tabs in strustsso2.

Now do the above step for all the other tabs.

Once that is done, go to the

SSL Server PSE and click on Create Certificate Request, get the CSR and then do the same as you did for the Web Dispatcher and get the root and CA.

Hit the import response button, paste the certificate response into the document and hit the green checkmark.

Do the same for SSL Client (Anonymous) PSE and SSL Client (Standard) PSE.

Hope you have the parameters below set in the ABAP system.

icm/HTTPS/trust_client_with_subject = CN=<web dispatcher CN name>, O=<web dispatcher ORG name>, C=<web dispatcher country name>

icm/HTTPS/trust_client_with_issuer = CN=<> Issuing CA , DC=<>, DC=<>

Thanks

Rishi Abrol

Former Member
0 Kudos

Hi Rishi Abrol,

Thanks a lot for a detailed resolution.

These are the steps I've done from the start:

I've created the SAPSSLS.PSE file on the Webdispatcher.

Generated SAPSSLS.CER from servic.../tcs

Imported: sapgenpse import_own_cert -c SAPSSLS.cer -p SAPSSLS.pse

Created the SAPSSLC.PSE file on the Webdispatcher.

Generated SAPSSLC.CER from servic.../tcs

Imported: sapgenpse import_own_cert -c SAPSSLC.cer -p SAPSSLC.pse

On the backend server, STRUSTSSO2:

Created CSR for all the below servic.../tcs

SSL server Standard

SSL system client SSL Client (

SSL system client SSL Client (

Exported the certificate for System PSE, which produced a root certificate.

Now imported this to the Webdispatcher client PSE (import_pk).

Also, the following parameters are active:

icm/HTTPS/trust_client_with_subject = CN*

icm/HTTPS/trust_client_with_issuer = CN*

Now the error when I try to connect via https: is

SSSLERR_SERVER_CERT_MISMATCH

[Thr 2800] Fri Oct 18 10:09:10 2013

[Thr 2800] SSL NI-sock: local=10.61.111.110:64198 peer=10.64.121.96:8123

[Thr 2800] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000000CCDFB20)==SSSLERR_SERVER_CERT_MISMATCH

[Thr 2800] *** ERROR => Could not connect to SAP Message Server at ABAPSYTEM.COM URL=/msgserver/text/logon?version=1.2 [icrxx.c 3878]

[Thr 2800] *** ERROR => rc=-1, HTTP response code: 404 [icrxx.c 3879]

Former Member
0 Kudos

Hi,

Can you please check in SMICM that the https service is running on 8123?

Can you please share the profile of the web dispatcher?

Thanks

Rishi Abrol

Former Member
0 Kudos

Hi Rishi,

Yes, it's running. I tried to do a checkconfig; it gave me the following error.

Server info will be retrieved from host: ABAPSYTEM.COM:8123 with protocol: https

Checking connection to message server...

[Thr 1292] Fri Oct 18 12:07:11 2013

[Thr 1292]   SSL NI-sock: local=10.61.111.110:64537 peer=10.64.121.96:8123

[Thr 1292] <<- ERROR: SapSSLSessionStart(sssl_hdl=00000000006FA370)==SSSLERR_SERVER_CERT_MISMATCH

ERROR: Unexpected HTTP OK code 404 received -

please check that ABAPSYTEM.COM:8123 is really the HTTPS port of the Message Server

Check ended with 1 errors, 0 warnings

Sriram2009
Active Contributor
0 Kudos