
Saprouter SNC connection to OSS certificate problem

petrsourek
Explorer
0 Kudos

Hello Guys,

I have a little problem. I am trying to set up our Solman's connection to OSS to continue the initial setup, but I came across an error which I can't solve and can't find any solution for on the internet. My OS is SLES 11 SP3.

I have set everything up, I have asked SAP for the DN, which went pretty fast and I have followed the document supplied in the incident ( http://service.sap.com/saprouter-sncdoc), which went great too.

I have logged in under the <sid>adm user and:

setenv SECUDIR /usr/sap/saprouter

setenv SNC_LIB /sapmnt/<sid>/exe/libsapcrypto.so

Generated the key:

sapgenpse get_pse -v -r certreq -p local.pse "CN=SapDev, OU=<customer number>, OU=SAProuter, O=SAP, C=DE"

sapgenpse get_pse -v -onlyreq -r certreq -p local.pse

Got the contents of certreq and followed wizard on the:

http://service.sap.com/saprouter-sncadd

Got the generated cert from SAP and saved it into srcert file and launched:

sapgenpse import_own_cert -c srcert -p local.pse

Created credentials for the user:

sapgenpse seclogin -p local.pse -O <sid>adm

According to the recommendation I have changed the permissions to cred_v2 file to 600 (e.g. when using certificates for SSH login, it throws an error, because the key in user’s home doesn’t have this authorization)

chmod 600 cred_v2

When I launch this command, I correctly get the same as in the document

sapgenpse get_my_name -v -n Issuer

Opening PSE "/usr/sap/saprouter/local.pse"...

PSE (v2) open ok.

Retrieving my certificate... ok.

Getting requested information... ok.

SSO for USER "sm1adm"

  with PSE file "/usr/sap/saprouter/local.pse"

Issuer  : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE

Then I have created the saprouttab file with contents:

##################################

# SNC Connection to and from SAP #

##################################

KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

###########################################

# SNC Connection from SAP to local system #

###########################################

KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" SapDev 3200

####################################

# Access from local network to SAP #

####################################

P 192.168.*.* 194.39.131.34 3299

######################

# DENY ANYTHING ELSE #

######################

D * * *

Of course I have sapserv2 and SapDev in the /etc/hosts file

I start the saprouter by command:

saprouter -r -V 3 -K "p:CN=SapDev, OU=<customer id>, OU=SAProuter, O=SAP, C=DE" &

And I try connection by niping:

niping -c -H /H/192.168.200.95/H/194.39.131.34/H/localhost

And I get the error:

*** ERROR => NiBufIProcMsg: hdl 1 received rc=-104 (NIEROUT_SNC_FAILURE) from peer [nibuf.cpp    2146]

*** ERROR => NiBufIConnect: route connect for non-buffered hdl 1 failed (rc=-104;/H/192.168.200.95/H/194.39.131.34/H/localhost); pong not received [nibuf.cpp    4801]

*** ERROR => NiTClientLoop: NiHandle (rc=-104) [nixxtst.cpp  2590]

*****************************************************************************

*

*  LOCATION    SAProuter 40.4 on 'SapDev'

*  ERROR       SNC processing failed:

*              SncProcessInput

*

*  TIME        Tue Feb 11 07:53:29 2014

*  RELEASE     720

*  COMPONENT   NI (network interface)

*  VERSION     40

*  RC          -104

*  MODULE      nisnc.c

*  LINE        1007

*  DETAIL      NiSncIProcIn: sncrc=-4;cae090

*  COUNTER     14

*

*****************************************************************************

When I look into the dev_rout file I get:

->> SncPFrameIn(): state=INITIATING, role=INITIATE, p_in->used=2068

      UnFrame: (len=2068, token=1998, data=46, flags=0x007e) FR_ACCEPT <<

*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [sncxxall.c 3386]

*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3352]

      GSS-API(maj): A token had an invalid signature

      GSS-API(min): The name is wrong

    Unable to establish the security context

    target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

<<- SncProcessInput()==SNCERR_GSSAPI

*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;cae090;2068) [nisnc.c      1010]

NiBufISetError: save rc -17 in buffer (hdl 17)

NiBufISetStatus: hdl 17 changed from OK to ERR

I have tried looking on Google, SCN and the notes, and I have found only this thread and SAP Note 95810, which has a similar problem in point 2.1.1, but I don't understand the solution provided.

The only thing my fellow colleagues told me is that the CN=SapDev is incorrect, because it is not pingable from the Internet. Are they correct, or am I missing something?

Thank you in advance,

Best Regards,

Petr Sourek
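As an added example (not code from this thread, from SAP or from the saprouter itself), a small Python evaluator for a saprouttab like the one above: it parses the K*/P/D lines with their quoted SNC names and applies first-match semantics, so you can see which line would permit a given caller and which SNC name the sapserv2 hop is expected to present (the name that appears as `target=` in the error). The table is a constructed copy of the post's, and the matching rules are an assumed simplification of saprouter's.

```python
import fnmatch
import shlex
from collections import namedtuple

# Constructed copy of the saprouttab from the post above. Matching is an assumed,
# simplified model of saprouter's first-match rules (no subnet masks, passwords
# or port ranges); the KT line only names the SNC peer the outgoing hop must present.
SAPROUTTAB = """\
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" SapDev 3200
P 192.168.*.* 194.39.131.34 3299
D * * *
"""

# subject = source-host pattern for P/S/D lines, quoted SNC name for K* lines
Rule = namedtuple("Rule", "kind subject dest serv")

def parse_saprouttab(text):
    rules = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # honours "..." and # comments
        if not fields:
            continue
        if fields[0] not in ("P", "S", "D", "KT", "KP", "KS") or len(fields) < 4:
            raise ValueError(f"unsupported saprouttab line: {line!r}")
        rules.append(Rule(*fields[:4]))
    return rules

def _match(pattern, value):
    return pattern == "*" or fnmatch.fnmatchcase(value.lower(), pattern.lower())

def check_inbound(rules, dest, serv, src_host="", snc_peer=None):
    """Incoming leg: plain callers are judged by P/S/D source patterns,
    SNC-protected callers by an exact KP/KS peer-name match; first match wins."""
    for r in rules:
        if not (_match(r.dest, dest) and _match(r.serv, serv)):
            continue
        if snc_peer is None and r.kind in ("P", "S", "D") and _match(r.subject, src_host):
            return ("deny" if r.kind == "D" else "permit", r)
        if snc_peer is not None and r.kind in ("KP", "KS") and snc_peer == r.subject:
            return ("permit", r)
    return ("deny", None)  # no matching line: refused by default

def outbound_snc_target(rules, dest, serv):
    """SNC name the next hop must present, taken from the first matching KT line."""
    for r in rules:
        if r.kind == "KT" and _match(r.dest, dest) and _match(r.serv, serv):
            return r.subject
    return None
```

Running `check_inbound` with a caller outside 192.168.*.* shows the `D * * *` line catching it, and a peer presenting any name other than the configured sapserv2 DN gets no KP match at all.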

Accepted Solutions (1)


former_member182657
Active Contributor
0 Kudos

Hi Petr,

I request you to go through the document http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c06c8846-c160-2d10-d18e-d9961e9c7... once again

and follow the steps again to configure the SAP router at your end.

I also suggest you recheck your distinguished name together with the proper network settings, as I tried to ping your previously mentioned IPs but didn't get any response at my end. Here I would like to point out one more thing from your last reply:

add 1. yes, I have saprouter running on an internal address and port 3299 is forwarded to the external IP. I have found out that there has been one problem. The router had 2 addresses, so every request from saprouter went out through 192.168.200.10, but requests from outside to the saprouter came in via 192.168.200.186. I figured out it might be a problem and asked our virtual machine provider to allow only one IP, so it is OK now.


Here you mentioned two IPs on the router, one used for outgoing requests and one for incoming requests. In this context that is a wrong prerequisite for configuring the router, as you've registered the router with one specific static IP at the SAP end (as in our case, where we mapped one local IP of our network to one fixed static IP, 202.164.x.x, the one registered at SAP).

Also, the answer to the point "The only thing my fellow colleagues told me is that the CN=SapDev is incorrect, because it is not pingable from the Internet.":


Because SapDev is your hostname and you bound this hostname to one public IP, if you ping your router by hostname it will not be pingable, as it's not configured with MX records (like what we did in the case of email server domains). This means your router will be pingable by IP only.


Lastly, please check with your network and firewall people to provide you with one single IP for both incoming and outgoing requests (the IP registered at SAP) on the router.


Hope you understand what I want to convey to you.


Regards,

Gaurav

petrsourek
Explorer
0 Kudos

Hello Gaurav,

thank you for your reply; I really appreciate your help. I have gone through the document:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c06c8846-c160-2d10-d18e-d9961e9c7...

I have done everything again, but nothing helped. I get the same error again.

About the IP addresses: you can't ping them, because I have been talking about the internal (private) network. There are 3 IP ranges which are reserved for private network environments, and 192.168.0.0 is one of them; please see this Wikipedia article:

Private network - Wikipedia, the free encyclopedia

The external IP of the SAP is 94.112.250.86.

About the ports: they are forwarded, so 192.168.200.95:3299 <-> 94.112.250.86:3299, etc. The firewall is OK, since I have disabled it (for a while) and still no luck. The problem is not that it won't connect to SAP, but that there is some problem establishing the secure connection after the handshake.

Thank you,

Best regards,

Petr Sourek

Sriram2009
Active Contributor
0 Kudos

Hi Petr

Kindly check this SCN link

http://scn.sap.com/thread/3502880

Regards

Answers (4)


petrsourek
Explorer
0 Kudos

Hello guys,

thank you all for the helpful tips. The problem was in the virtual appliance supplied to us by a 3rd party. It blocked the ports according to the rule:

permit tcp host host gt 1023 established


We have put it outside with no middleman and everything started to work.


Thank you all for your patience and helpful advice.


Regards,

Petr Sourek

Former Member
0 Kudos

>> The only thing my fellow colleagues told me is that the CN=SapDev is incorrect, because it is not pingable from the Internet.

Your colleagues may be correct here.
Well, I am not sure if your saprouter SapDev has to be pingable from the internet, but it has to be reachable.
In any case it will need a public IP address, so that sapserv2 will be able to contact it.

So please check this with your network admin!

regards

petrsourek
Explorer
0 Kudos

I have provided the SAP connection sheet with the hostname and the external IP, which is pingable, and the 3299 saprouter port is tunneled to the correct machine. Is that correct?

Former Member
0 Kudos

This looks correct. I am not a network admin though.
But what is confusing now: Is it pingable, or isn't it?
First you wrote, it isn't. Now you wrote it is.
?!
But it will be sufficient if the external (or public) IP can be reached from the internet.

regards

petrsourek
Explorer
0 Kudos

It is pingable on IP 94.112.250.*, but not on SapDev, at least not without a record in the /etc/hosts file (on my OS X, or C:\Windows\System32\drivers\etc\hosts on Windows).

Regards,

former_member182657
Active Contributor
0 Kudos

Hi Petr,

Set the instance parameter "snc/identity/as" to the specific name of the server.

For example: "snc/identity/as p:CN=IDS, OU=IT, O=CSW, C=DE" (Do not forget to add "p:" in front of the name, as shown below).

Then restart your server & try again.

Also, correct/clear me on the following.

1. You mapped your internal IP, on which saprouter is installed, to the external IP (which is registered at the SAP side).

2. You are able to ping this external IP from a remote location, or from internal as well, with name resolution.

3. The sapdp00 3299 entry is available in the /etc/services file.

And re-post the dev_rout and hosts file entries as well.

Thanks,

Gaurav

petrsourek
Explorer
0 Kudos

Hi Gaurav,

I tried to add snc/identity/as, but it hasn't worked. I have tried to add the same DN as provided to SAP and mentioned above, and I have tried to supply the DN from the STRUST transaction "CN=SM1, OU=I0020811359, OU=SAP Web AS, O=SAP Trust Community, C=DE"; neither has worked.

add 1. yes, I have saprouter running on an internal address and port 3299 is forwarded to the external IP. I have found out that there has been one problem. The router had 2 addresses, so every request from saprouter went out through 192.168.200.10, but requests from outside to the saprouter came in via 192.168.200.186. I figured out it might be a problem and asked our virtual machine provider to allow only one IP, so it is OK now. I have restarted SLES, SAP and saprouter. Tried again and still the same error.

add 2. from internal, by IP and name resolution; from the external network, only by IP.

add 3. yes, sapdp00 through 99 are there, but sapdp00 is 3200/tcp.

I have also tried to use a different sapcryptolib. I have the newest one and also tried to download the "common" one, but I get a different error which is more or less the same:

NiIRead: hdl 17 received data (rcd=778,pac=1,MESG_IO)

->> SncProcessInput(snc_hdl=0xcb2db0, ibuf=0xcbc6f8, ilen=2222, &obuf=0x7fff2e70b8a8,

          &olen=0x7fff2e70b8b8, &backbuf=0x7fff2e70b6a0, &backlen=0x7fff2e70b6b0)

*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [sncxxall.c 3386]

*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3352]

      GSS-API(maj): Miscellaneous failure

      GSS-API(min): A2200202:Actual server name differs from requested one.

    Unable to establish the security context

    target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

<<- SncProcessInput()==SNCERR_GSSAPI

*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;cb2db0;2222) [nisnc.c      1010]

former_member182657
Active Contributor
0 Kudos

Hi Petr,

As per your recent logs, I found:

GSS-API(maj): Miscellaneous failure

GSS-API(min): A2200202:Actual server name differs from requested one.

Now, this error happens when:

A2200202 Actual server name differs from requested one.

The name of the server's certificate used for authentication does not match the configured SNC name on the client.

Have a look at SAP Note 1867829 - List of SNC Error Codes.

So generate a certificate for the actual server (distinguished name) on which you are running saprouter.

Thanks,

Gaurav

petrsourek
Explorer
0 Kudos

Hello Gaurav,

I am sorry, I might be a little slow here, and thank you for your patience, but how can I "regenerate" the certificate for the actual server in the SAP-to-customer relationship when nothing has changed?

I take it that will work when I am doing an SNC connection to the SAP frontend, but how does it work with an SNC connection to SAP? I have filled in the datasheet with the hostname and external IP, got the DN, generated the certificate and imported the SAP fingerprint into it. Depending on the crypto library (sapcryptolibp_8413-20011697, sapcryptolib_36-10010845) I am getting the messages above: one is about a wrong name, the other is about the server name, and I guess it is the same thing. When I am generating the certificates I can't specify the sysid of my server, nor the sapservX, in it. Should I import the certificate into the STRUST transaction to make it the same?

Thank you,

Regards,

Petr

former_member182657
Active Contributor
0 Kudos

Hi Petr,

Please follow SAP Note 95810 - Problem analysis.


Thanks,

Gaurav

petrsourek
Explorer
0 Kudos

Thank you; to be honest, I am kind of lost in this note. The only thing applicable from there is article 2.1.1, but it is about an incomplete certification path:

*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c ....]

      GSS-API(maj): A token had an invalid signature

      GSS-API(min): Certification path incomplete

    Unable to establish the security context

<<- SncProcessInput()==SNCERR_GSSAPI

*** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc. ....]


And the resolution should be like:

2.1.1 Signature of a certificate cannot be checked

----------------------------------------------------------

The PSE (Personal Security Environment) of the user and application server are issued by different CAs (Certification Authorities). The PSE of the user does not contain a public key of a CA with which the certificate of the application server can be verified.

Use PSEs of the same CA. If this is impossible, check out the option of cross certification with Secude support.


I have generated the certificate against the SAP Marketplace and, as you can see in the procedure mentioned in the first post, the line:

sapgenpse import_own_cert -c srcert -p local.pse


should have imported the Marketplace fingerprint back into the generated certificate. I dunno what else I can do. I think that this SAP note is for connecting to an SAP system through the frontend, not for connecting to SAPOSS, but I might be wrong.

petrsourek
Explorer
0 Kudos

Hello Sriram,

thank you for your quick reply, but I forgot to mention that I had already found and tried this document, and it ended with the same error.

Thank you,

Regards,

Sriram2009
Active Contributor
0 Kudos

Hi

What about the SAP Note?

Regards

Ram

petrsourek
Explorer
0 Kudos

I am looking into the note and trying to apply it, will let you know.

Thank you,

Regards,

petrsourek
Explorer
0 Kudos

Hello,

I am sorry for the late reply; I had some work for a customer, and I tried to read the SAP note and the included references twice, but I might be missing something. I have found some error; please see my reply below regarding the network.