Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

resumed SSL session, NO client cert

Former Member

‎11-25-2013 8:19 AM

0 Kudos

hi SAP Expert,

Currently i was trying to setup the SSO using X.509 Certificate, but after perform the steps below, i still having this log "resumed SSL session, NO client cert" in my smicm logs trace level 3. any clue? thanks.

RZ10 :

icm/HTTPS/verify_client                     1

ssf/name                                    SAPSECULIB

sec/libsapsecu                              E:\usr\sap\CSB\SYS\exe\uc\NTAMD64\sapcrypto.dll

ssf/ssfapi_lib                              E:\usr\sap\CSB\SYS\exe\uc\NTAMD64\sapcrypto.dll

ssl/ssl_lib                                 E:\usr\sap\CSB\SYS\exe\uc\NTAMD64\sapcrypto.dll

Strust :

server name : aws-sandbox-sap-crm-app.domain.com

SSL server Standart created with detail :

- owner : CN=sandbox-hcilink.domain.com, O=company, L=Port Washington, SP=New York, C=US

- certificate list : CN=sandbox-hcilink.domain.com, O=company, L=Port Washington, SP=New York, C=US

- issuer : CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US

SM30 : VUSREXTID (DN)

external ID : CN=sandbox-hcilink.domain.com, O=company, L=Port Washington, SP=New York, C=US

user : yangha <- my SAP user id

issuer : CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entru

6 REPLIES 6

guilherme_deoliveira
Participant

‎11-25-2013 4:41 PM

0 Kudos

Hello Hariyono,

The message "resumed SSL session, NO client cert" means that your client and server does not trust each other, therefore client certificates are not being used for authentication.

There is more than one reason for such message... The most common is if your Server PSE uses a self-signed certificate and this certificate is not imported into your client PSE (which does not seems to be the case here)... It seems that your CA Root and Intermediate certificates are not imported into your

Client PSE. Please double check such settings...

You might have to restart your ICM after changing the STRUST configuration:

-> Transaction SMICM -> Administration -> ICM -> Exit Soft -> Global -> Yes

I hope this helps.

Best Regards,

Guilherme de Oliveira

Former Member
In response to guilherme_deoliveira

‎11-26-2013 5:07 AM

0 Kudos

hi Guilherme,

i check my certificate under SSL System Client SSL Client under strust and there is no self-sign stated over there, with this can i confirm that the Root and Intermediate certificate had already imported into the Client PSE?

Preview file
124 KB

Former Member

‎11-25-2013 7:46 PM

0 Kudos

Not all browsers support SSL resume, you might want to try with different browsers as well.

jimguo
Advisor
Advisor

‎11-26-2013 1:13 AM

0 Kudos

Hi,

Have you installed client certficate in your browser?

See the following link:

http://wiki.scn.sap.com/wiki/x/VYVXFQ

Thanks.

Jim

Former Member
In response to jimguo

‎11-26-2013 5:01 AM

0 Kudos

Not yet, initially we have purchase the certificate for our SSL Server Standard from entrust :

CSR sent to entrust and as return they sent ur the 1 root file, 1 chain file and another 1 .pfx file.

Is there any steps how to generate the client certificate? so that i can you this certificate and import it into my browser?

guilherme_deoliveira
Participant
In response to jimguo

‎11-27-2013 12:52 PM

0 Kudos

Hello Hariyono,

To improt the certificate response into your PSE, you can follow the wiki page:

http://wiki.sdn.sap.com/wiki/x/qoz_Eg

To import the CA Root certificate into your browser, it depends on the browser itself... In the IE, for example:

IE: Tools -> Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities -> Import

I hope this clarifies.

Best Regards,

Guilherme de Oliveira