on 10-17-2013 8:19 PM
Hello All,
Please help on the below issue I'm facing.
our scenario is https--->WebDis(https)-->ABAP
We will have to use wdisp/ssl_encrypt = 2 SSL Re-encryption,
We are generating certificates using service.sap.com/tcs for POD
I've done the following.
Created SAPSSL.pse, SAPSSLC on Web Dispatcher
Generated .cer (PKCS#7 certificate chain) file from TCS and imported it to the PSE
For WAS (ABAP) created a .pse and generated .cer from TCS with option (SAP Web Application Server 6.20 and newer), ex: wascer.cer
Imported the wascer.cer to the SAPSSLC.pse (using the import_pk option).
Now the trace file & checkconfig shows "Error in PKs root".
What could be the issue? I've searched a lot in SDN; a similar issue was resolved by upgrading the kernel. We are on 7.20, so I guess a kernel update is not an issue.
Can you guys help on this issue?
Server info will be retrieved from host: myhostname:8123 with protocol: https
Checking connection to message server...
[Thr 4084] Thu Oct 17 20:05:39 2013
[Thr 4084] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 4084] session uses PSE file "E:\usr\sap\WD0\W22\sec\SAPSSLC.pse"
[Thr 4084] SecudeSSL_SessionStart: SSL_connect() failed --
[Thr 4084] secude_error 536872221 (0x2000051d) = "Server's certificate (chain) is untrusted (or incomplete)"
[Thr 4084] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 4084] ERROR in ssl3_get_server_certificate: (536872221/0x2000051d) Server's certificate (chain) is untrusted (or incomplete)
[Thr 4084] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=myhostname.com, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community, C=SE"
[Thr 4084] ERROR in get_path: (27/0x001b) Found root certificate of <CN=myhostname.com, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community,C=SE> which does not fit the given PKRoot
[Thr 4084] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=myhostname.com, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community, C=SE> which does not fit the given PKRoot
[Thr 4084] << ---------- End of Secude-SSL Errorstack ----------
[Thr 4084] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 4084] SSL NI-sock: local=10.64.144.110:61783 peer=10.64.144.108:8123
[Thr 4084] <<- ERROR: SapSSLSessionStart(sssl_hdl=00000000004DA370)==SSSLERR_SSL_CONNECT
George
Yes I see CN=*.domain.ext
sapgenpse maintain_pk -p SAPSSLC.PSE -l
SubjectName: CN=*.domain.ext, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community, C=DE
IssuerName: CN=*.domain.ext, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community, C=DE
no matter what I do it always throws an SSSLERR_SERVER_CERT_MISMATCH
Regards,
George
Hello All,
I've got this error message resolved by making my Web Dispatcher and backend system trusted; I added the self-signed certificate to make it trusted.
But I still get this error:
[Thr 2508] *** ERROR => Could not connect to SAP Message Server at xxx.
I'm closing this message as the error for this message is resolved..
Thanks all for your help.
Regards,
George.
Hello All
The trace still shows the following information. How do I make the client connect to the backend system (ABAP) via an https connection?
[Thr 2800] Fri Oct 18 10:09:10 2013
[Thr 2800] SSL NI-sock: local=10.61.111.110:64198 peer=10.64.121.96:8123
[Thr 2800] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000000CCDFB20)==SSSLERR_SERVER_CERT_MISMATCH
[Thr 2800] *** ERROR => Could not connect to SAP Message Server at ABAPSYTEM.COM URL=/msgserver/text/logon?version=1.2 [icrxx.c 3878]
[Thr 2800] *** ERROR => rc=-1, HTTP response code: 404 [icrxx.c 3879]
Hi,
Please check the below guide, as it's difficult as I don't have the profile of the dispatcher.
So you are trying to do the 2.2 SSL Re-encryption.
icm/server_port_0 = PROT=HTTPS,PORT=60000
wdisp/ssl_encrypt = 2
icm/HTTPS/verify_client = 0
wdisp/ssl_certhost = sgpss059vm01.sin.sap.corp
Thanks
Rishi Abrol
Hi Rishi, Thanks for your reply..
Yes I followed the document, but I have created additional Client .PSE file.
I'm trying to do the 2.2 SSL Re-encryption.
no matter what I do I always end up with SSSLERR_SERVER_CERT_MISMATCH
there are no errors as I can see apart from this,
here is my profile..
rdisp/mshost = ABAPSERVER.COM
ms/https_port = 8123
icm/host_name_full = WEBDISPATCHER.COM
icm/server_port_0 = PROT=HTTP,HOST=WEBDISPATCHER,PORT=8212
icm/server_port_1 = PROT=HTTPS,HOST=WEBDISPATCHER,PORT=4086
icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=8212
icm/HTTPS/verify_client = 0
icm/HTTPS/trust_client_with_issuer = CN=*
icm/HTTPS/trust_client_with_subject = CN=*
_WD = $(DIR_EXECUTABLE)\sapwebdisp$(FT_EXE)
Start_Program_00 = local $(_WD) pf=$(_PF)
ssl/ssl_lib = E:\usr\sap\WD0\W22\sec\sapcrypto.dll
ssl/server_pse = E:\usr\sap\WD0\W22\sec\SAPSSLS.pse
ssl/client_pse = E:\usr\sap\WD0\W22\sec\SAPSSLC.pse
sec/libsapsecu = $(ssl/ssl_lib)
ssf/ssfapi_lib = $(ssl/ssl_lib)
SETENV_01 = SECUDIR=$(DIR_INSTANCE)/sec
wdisp/add_clientprotocol_header = 1
wdisp/server_info_protocol = https
wdisp/ssl_encrypt = 2
wdisp/ssl_certhost = ABAPSERVER.COM
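Added example, not part of any post in this thread: a small check that compares the certificate subject listed earlier with `sapgenpse maintain_pk -l` against the `wdisp/ssl_certhost` value from the profile above, and flags a self-signed certificate. The profile excerpt and DN are constructed from values in the thread; treating SSSLERR_SERVER_CERT_MISMATCH as this host name comparison, and the wildcard rule used (a `*` covers only the left-most label), are assumptions.

```python
# Added example; the profile and DN below are constructed from values in the thread.
PROFILE = """\
rdisp/mshost = ABAPSERVER.COM
ms/https_port = 8123
wdisp/ssl_encrypt = 2
wdisp/ssl_certhost = ABAPSERVER.COM
"""
CERT_DN = "CN=*.domain.ext, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community, C=DE"


def parse_profile(text):
    """Return profile parameters as a dict, skipping blank and '#' lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                params[key.strip()] = value.strip()
    return params


def rdns(dn):
    """Split a DN into normalized (type, value) pairs; tolerant of spacing."""
    pairs = (part.strip().partition("=") for part in dn.split(","))
    return [(k.strip().upper(), v.strip().lower()) for k, _, v in pairs]


def host_matches(pattern, host):
    """Assumed rule: exact match, or '*' standing for the left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])


def check(profile_text, subject, issuer):
    """Return findings for a backend certificate seen by the Web Dispatcher."""
    expected = parse_profile(profile_text).get("wdisp/ssl_certhost")
    cn = next((v for k, v in rdns(subject) if k == "CN"), None)
    findings = []
    if not expected:
        findings.append("certhost-unset: wdisp/ssl_certhost is not in the profile")
    elif cn is None or not host_matches(cn, expected):
        findings.append(f"name-mismatch: CN={cn} does not cover {expected}")
    if rdns(subject) == rdns(issuer):
        findings.append("self-signed: import this certificate into the client PSE PK list")
    return findings


if __name__ == "__main__":
    for finding in check(PROFILE, CERT_DN, CERT_DN):
        print(finding)
```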
Hi,
Can you please try this.
Run tcode SMMS in abap system. Once you are there open Goto=>Parameters=>Display
Please check that the
ms/https_port is set to 8123
icm/server_port_1 = PROT=HTTPS,PORT=4086
wdisp/system_1 = SID=ABAP SYSTEM SID, MSHOST=ABAPSERVER, MSPORT=8123, SRCSRV=*:4086
Try to # the below entry.
#rdisp/mshost = ABAPSERVER.COM
#ms/https_port = 8123
Don't forget to take a copy of the profile, so that you can restore it if I have made a mistake.
Thanks
Rishi Abrol
Hi Georg wang,
Below notes will be a good reference to you:
Note 506314 - SAPHTTP and SSL
Note 1318906 - Trace analysis of SSL problems
Note 1094342 - ICM trace contains verification of the server's certificate
Regards
Ram
Hi,
Please check the below notes which will help you.
OSS 510007 - Setting up SSL on Web Application Server ABAP
OSS 1770585 - How to configure SSL on the AS Java
OSS 694290
OSS 1799620 - Logs required for analysis of SSL related issues
OSS 1688991 - How To Test A WebDynpro Java Application Outside The Enterprise Portal
OSS 1800901 - SLT: 500 Connection timed out after logging into WebDynpro via transaction LTR
BR,
Prabhakar
Hi George,
Could you check SAP note 694290.
Hope this helps.
Regards,
Deepak Kori
Hi,
Thanks for your advice. I followed Note 1094342, exported the root certificate from STRUST of the WAS and imported it to the Web Dispatcher (import_pk),
but the result is the same: the "which does not fit the given PKRoot"
error shows.
Found root certificate of <CN=b001host.com, OU=I0020207525, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot
where "b001host.com" is our backend(ABAP) system.
not sure what could be the problem.
note 694290 seems not relevant to us as our backend-system is ABAP.
Regards,
George
Hi George
Kindly refer to SAP Note 1249794 - Call of the involved service for SOAMANAGER fails
Regards
Sriram
Hi,
first of all i would check the below things.
As a start of the process you would have generated the csr file and then gone to some web site and got the cer file.
You would have received the Root and CA and you would have imported in the web dispatcher.
and you can run this command and check this.
sapgenpse maintain_pk -p SAPSSLS.pse -l
Now comes the turn of the Backend system in strustsso2
For the System PSE: right click SYSTEM PSE and choose replace. Pop-up screen displays.
CN=<SID>, OU=ABAP System, O=<give the company that you gave while creating for web dispatcher>, C=<give the company that you gave while creating for web dispatcher>
Hope you have already downloaded the crypto file so you can do this for all the tabs in strustsso2
Now do the above step for all the other tabs.
Once that is done go in the
SSL Server PSE and click on Create Certificate Request get the csr and then do the same as you did for the web dispatcher and get root and CA.
Hit the import response button and paste the certificate response into the document and hit the green checkmark
Do the same for SSL Client (Anonymous) PSE and SSL Client (Standard) PSE
Hope you have below parameters set in the ABAP system.
icm/HTTPS/trust_client_with_subject = CN=<Web Dispatcher CN name>, O=<Web Dispatcher ORG name>, C=<Web Dispatcher country name>
icm/HTTPS/trust_client_with_issuer = CN=<> Issuing CA , DC=<>, DC=<>
Thanks
Rishi Abrol
Hi Rishi Abrol,
Thanks a lot for a detailed resolution.
These are the steps I've done from the start
I've Created the SAPSSLS.PSE file on Webdispatcher.
generated SAPSSLS.CER from servic.../tcs
imported sapgenpse import_own_cert -c SAPSSLS.cer -p SAPSSLS.pse
Created the SAPSSLC.PSE file on Webdispatcher.
generated SAPSSLC.CER from servic.../tcs
imported sapgenpse import_own_cert -c SAPSSLC.cer -p SAPSSLC.pse
On the backend server, STRUSTSSO2:
Created CSR for all the below servic.../tcs
SSL server Standard
SSL system client SSL Client (
SSL system client SSL Client (
exported the Certificate for System PSE which produced a root certificate
now imported this to the webdispatch client pse(import_pk)
Also the following parameters are active:
icm/HTTPS/trust_client_with_subject = CN*
icm/HTTPS/trust_client_with_issuer = CN*
Now the error when i try to connect via https: is
SSSLERR_SERVER_CERT_MISMATCH
[Thr 2800] Fri Oct 18 10:09:10 2013
[Thr 2800] SSL NI-sock: local=10.61.111.110:64198 peer=10.64.121.96:8123
[Thr 2800] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000000CCDFB20)==SSSLERR_SERVER_CERT_MISMATCH
[Thr 2800] *** ERROR => Could not connect to SAP Message Server at ABAPSYTEM.COM URL=/msgserver/text/logon?version=1.2 [icrxx.c 3878]
[Thr 2800] *** ERROR => rc=-1, HTTP response code: 404 [icrxx.c 3879]
Hi Rishi,
Yes, it's running. I tried to do a checkconfig; it gave me the following error.
Server info will be retrieved from host: ABAPSYTEM.COM:8123 with protocol: https
Checking connection to message server...
[Thr 1292] Fri Oct 18 12:07:11 2013
[Thr 1292] SSL NI-sock: local=10.61.111.110:64537 peer=10.64.121.96:8123
[Thr 1292] <<- ERROR: SapSSLSessionStart(sssl_hdl=00000000006FA370)==SSSLERR_SERVER_CERT_MISMATCH
ERROR: Unexpected HTTP OK code 404 received -
please check that ABAPSYTEM.COM:8123 is really the HTTPS port of the Message Server
Check ended with 1 errors, 0 warnings
Hi George
Kindly refer to SAP Note 1094342 - ICM trace contains verification of the server's certificate
Regards
Sriram