on 02-11-2014 7:07 AM
Hello Guys,
I have a little problem. I am trying to set up our Solman’s connection to OSS in order to continue the initial setup, but I came across an error which I can’t solve and can’t find any solution for on the internet. My OS is SLES 11 SP3.
I have set everything up, I have asked SAP for the DN, which went pretty fast, and I have followed the document supplied in the incident (http://service.sap.com/saprouter-sncdoc), which went great too.
I have logged in under the <sid>adm user and:
setenv SECUDIR /usr/sap/saprouter
setenv SNC_LIB /sapmnt/<sid>/exe/libsapcrypto.so
Generated the key:
sapgenpse get_pse -v -r certreq -p local.pse "CN=SapDev, OU=<customer number>, OU=SAProuter, O=SAP, C=DE"
sapgenpse get_pse -v -onlyreq -r certreq -p local.pse
Got the contents of certreq and followed the wizard on:
http://service.sap.com/saprouter-sncadd
Got the generated cert from SAP, saved it into the srcert file and launched:
sapgenpse import_own_cert -c srcert -p local.pse
Created credentials for the user:
sapgenpse seclogin -p local.pse -O <sid>adm
According to the recommendation I have changed the permissions of the cred_v2 file to 600 (e.g. when using certificates for SSH login, it throws an error because the key in the user’s home doesn’t have this permission)
chmod 600 cred_v2
When I launch this command, I correctly get the same output as in the document:
sapgenpse get_my_name -v -n Issuer
Opening PSE "/usr/sap/saprouter/local.pse"...
PSE (v2) open ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "sm1adm"
with PSE file "/usr/sap/saprouter/local.pse"
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
Then I have created the saprouttab file with contents:
##################################
# SNC Connection to and from SAP #
##################################
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
###########################################
# SNC Connection from SAP to local system #
###########################################
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" SapDev 3200
####################################
# Access from local network to SAP #
####################################
P 192.168.*.* 194.39.131.34 3299
######################
# DENY ANYTHING ELSE #
######################
D * * *
Of course I have sapserv2 and SapDev in the /etc/hosts file
I start the saprouter with the command:
saprouter -r -V 3 -K "p:CN=SapDev, OU=<customer id>, OU=SAProuter, O=SAP, C=DE" &
And I try the connection with niping:
niping -c -H /H/192.168.200.95/H/194.39.131.34/H/localhost
And I get the error:
*** ERROR => NiBufIProcMsg: hdl 1 received rc=-104 (NIEROUT_SNC_FAILURE) from peer [nibuf.cpp 2146]
*** ERROR => NiBufIConnect: route connect for non-buffered hdl 1 failed (rc=-104;/H/192.168.200.95/H/194.39.131.34/H/localhost); pong not received [nibuf.cpp 4801]
*** ERROR => NiTClientLoop: NiHandle (rc=-104) [nixxtst.cpp 2590]
*****************************************************************************
*
* LOCATION SAProuter 40.4 on 'SapDev'
* ERROR SNC processing failed:
* SncProcessInput
*
* TIME Tue Feb 11 07:53:29 2014
* RELEASE 720
* COMPONENT NI (network interface)
* VERSION 40
* RC -104
* MODULE nisnc.c
* LINE 1007
* DETAIL NiSncIProcIn: sncrc=-4;cae090
* COUNTER 14
*
*****************************************************************************
When I look into the dev_rout file I get:
->> SncPFrameIn(): state=INITIATING, role=INITIATE, p_in->used=2068
UnFrame: (len=2068, token=1998, data=46, flags=0x007e) FR_ACCEPT <<
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [sncxxall.c 3386]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3352]
GSS-API(maj): A token had an invalid signature
GSS-API(min): The name is wrong
Unable to establish the security context
target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
<<- SncProcessInput()==SNCERR_GSSAPI
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;cae090;2068) [nisnc.c 1010]
NiBufISetError: save rc -17 in buffer (hdl 17)
NiBufISetStatus: hdl 17 changed from OK to ERR
I have tried looking on Google, SCN and in the notes, and I have found only this thread and SAP Note 95810, which has a similar problem in point 2.1.1, but I don’t understand the solution provided.
The only thing my fellow colleagues told me is that the CN=SapDev is incorrect, because it is not pingable from the Internet. Are they correct, or am I missing something?
Thank you in advance,
Best Regards,
Petr Sourek
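The route-permission table in the post above is evaluated top to bottom and the first matching entry wins. The following Python script is an added example (not from the thread and not SAP's code) that parses a constructed copy of Petr's saprouttab and reports the matching entry for a few requests, including the niping route from the post and an SNC-protected inbound connection from sapserv2. It simplifies the real saprouter: hostnames are compared as strings rather than resolved, passwords, port ranges and the S/KS entry types are not handled, and the function names `parse_saprouttab`, `permission`, `snc_target` and the constant `SAPSERV2` are names chosen here, not saprouter options.

```python
"""Evaluate a saprouttab route-permission table: first matching entry wins.

Added example, not part of the original post and not SAP code.  Assumptions:
hostnames are compared as strings (saprouter resolves them), passwords, port
ranges and S/KS entries are not modelled, and K* lines are matched on SNC
name + destination + port only.
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the saprouttab from the post (comments shortened).
SAPROUTTAB = """\
# SNC connection to SAP: outgoing hops to sapserv2 must use SNC
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
# SNC connection from SAP to the local system
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" SapDev 3200
# Access from the local network to SAP
P 192.168.*.* 194.39.131.34 3299
# Deny anything else (makes the implicit default visible)
D * * *
"""
SAPSERV2 = "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"


@dataclass
class Entry:
    kind: str     # P, D, KT, KP, KD
    source: str   # source-host pattern, or the SNC name for K* entries
    dest: str     # destination host pattern
    port: str     # destination port or '*'
    lineno: int


def _tokenize(line: str) -> List[str]:
    """Split on whitespace, keeping a double-quoted SNC name as one token."""
    tokens, buf, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if buf:
                tokens.append(buf)
                buf = ""
        else:
            buf += ch
    if buf:
        tokens.append(buf)
    return tokens


def parse_saprouttab(text: str) -> List[Entry]:
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = _tokenize(line)
        if len(tok) < 4 or tok[0].upper() not in ("P", "D", "KT", "KP", "KD"):
            raise ValueError(f"saprouttab line {n}: unsupported or malformed entry {raw!r}")
        entries.append(Entry(tok[0].upper(), tok[1], tok[2], tok[3], n))
    return entries


def _host_match(pattern: str, host: str) -> bool:
    # '*' and dotted wildcards such as 192.168.*.*; names compared case-insensitively
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())


def _port_match(pattern: str, port) -> bool:
    return pattern == "*" or pattern == str(port)


def permission(entries, source, dest, port, snc_peer=None) -> Tuple[str, Optional[Entry]]:
    """Decide whether an incoming route request may be forwarded.

    snc_peer is the SNC name the peer authenticated with, or None for plain
    TCP.  P/D match on (source, dest, port); KP/KD match only SNC-protected
    connections, on the peer's SNC name.  KT lines are not permissions (see
    snc_target) and are skipped here.
    """
    for e in entries:
        if e.kind in ("P", "D"):
            if (_host_match(e.source, source) and _host_match(e.dest, dest)
                    and _port_match(e.port, port)):
                return ("permit" if e.kind == "P" else "deny"), e
        elif e.kind in ("KP", "KD"):
            if (snc_peer is not None and snc_peer == e.source
                    and _host_match(e.dest, dest) and _port_match(e.port, port)):
                return ("permit" if e.kind == "KP" else "deny"), e
    return "deny", None   # nothing matched: saprouter denies by default


def snc_target(entries, dest, port) -> Optional[str]:
    """SNC name the router must see when it opens the next hop (first KT match)."""
    for e in entries:
        if e.kind == "KT" and _host_match(e.dest, dest) and _port_match(e.port, port):
            return e.source
    return None


if __name__ == "__main__":
    table = parse_saprouttab(SAPROUTTAB)
    for req in [("192.168.200.95", "194.39.131.34", 3299, None),   # niping route from the post
                ("192.168.200.95", "194.39.131.34", 3200, None),   # wrong port
                ("194.39.131.34", "SapDev", 3200, SAPSERV2),       # SAP support, SNC-protected
                ("194.39.131.34", "SapDev", 3200, None)]:          # same peer, plain TCP
        decision, entry = permission(table, *req)
        where = f"line {entry.lineno} ({entry.kind})" if entry else "no entry"
        print(f"{req}: {decision} via {where}; SNC target: {snc_target(table, req[1], req[2])}")
```

Running it shows the two properties worth checking in a real table: the P line for port 3299 is hit only because no earlier P/D line covers that request, and a plain TCP connection from SAP to SapDev:3200 falls through to `D * * *` because the KP line applies only to a peer that authenticated with the sapserv2 SNC name.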
Hi Petr,
I request you to go through the document http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c06c8846-c160-2d10-d18e-d9961e9c7... once more
and follow the steps again to configure the SAP router at your end.
I also suggest you recheck your distinguished name against the proper network settings, as I tried to ping your previously mentioned IPs but didn't get any response at my end. Here I would like to point out one more thing from your last reply:
add 1. yes, I have saprouter running on an internal address and port 3299 is forwarded to the external IP. I have found out that there has been one problem. The router had 2 addresses, so every request from saprouter went out through 192.168.200.10, but requests from outside to the saprouter came from 192.168.200.186. I figured out it might be a problem and asked our virtual machine provider to allow only one IP, so it is OK now.
Here you mentioned two IPs on the router, one used for outgoing requests and one for incoming. In this context that is a wrong prerequisite for configuring the router, as you have registered the router with one specific static IP at the SAP end (in our case we mapped one local IP of our network to one fixed static IP, 202.164.x.x, the one registered at SAP).
Also, the answer to the point "The only thing my fellow colleagues told me is that the CN=SapDev is incorrect, because it is not pingable from the Internet.":
Because SapDev is your hostname and you bound this hostname to one public IP, if you ping your router by hostname it will not be pingable, as it is not configured with MX records (like what we did in the case of the email servers' domain). This means your router will be pingable by IP only.
Lastly, please check with your network and firewall people to provide you one single IP for both incoming and outgoing requests (the IP registered at SAP) on the router.
I hope you understand what I want to convey to you.
Regards,
Gaurav
Hello Gaurav,
thank you for your reply, I really appreciate your help. I have gone through the document:
I have done everything again, but nothing helped. I am getting the same error again.
About the IP addresses: you can’t ping them, because I have been talking about an internal (private) network. There are 3 IP ranges which are reserved for private network environments and 192.168.0.0 is one of them, please see this Wikipedia article:
Private network - Wikipedia, the free encyclopedia
The external IP of the SAP is 94.112.250.86.
About the ports, it is forwarded so that 192.168.200.95:3299 <-> 94.112.250.86:3299, etc. The firewall is OK, since I have disabled it (for a while) and still no luck. The problem is not that it won’t connect to SAP, but there is some problem establishing the secure connection after the handshake.
Thank you,
Best regards,
Petr Sourek
Hello guys,
thank you all for the helpful tips, the problem was in the virtual appliance supplied to us by a 3rd party. It blocked the ports according to the rule:
permit tcp host host gt 1023 established
We have put it outside with no middleman and everything started to work.
Thank you all for your patience and helpful advice.
Regards,
Petr Sourek
>> The only think, my fellow colleagues told me is, that the CN=SapDev is incorrect, because it is not pingable from the Internet.
Your colleagues may be correct here.
Well, I am not sure if your saprouter SapDev has to be pingable from the internet, but it has to be reachable.
In any case it will need a public IP address, so that sapserv2 will be able to contact it.
So please check this with your network admin!
regards
Hi Petr,
Set the instance parameter "snc/identity/as" to the specific name of the server.
For example: "snc/identity/as p:CN=IDS, OU=IT, O=CSW, C=DE" (Do not forget to add "p:" in front of the name, as shown below).
Then restart your server & try again.
Also, correct me or clarify the following.
1. You mapped your internal IP, on which saprouter is installed, to the external IP (which is registered at the SAP side).
2. You are able to ping this external IP from a remote location, or from internal as well, with name resolution.
3. Is a sapdp00 3299 entry available in the /etc/services file?
And re-post the dev_rout and hosts file entries as well.
Thanks,
Gaurav
Hi Gaurav,
I tried to add snc/identity/as, but it hasn’t worked. I have tried to add the same DN as provided to SAP and mentioned above, and I have tried to supply the DN from the STRUST transaction "CN=SM1, OU=I0020811359, OU=SAP Web AS, O=SAP Trust Community, C=DE", but that hasn’t worked either.
add 1. yes, I have saprouter running on an internal address and port 3299 is forwarded to the external IP. I have found out that there has been one problem. The router had 2 addresses, so every request from saprouter went out through 192.168.200.10, but requests from outside to the saprouter came from 192.168.200.186. I figured out it might be a problem and asked our virtual machine provider to allow only one IP, so it is OK now. I have restarted SLES, SAP and saprouter. Tried again and still the same error.
add 2. from internal, by IP and name resolution; from the external network only by IP.
add 3. yes, sapdp00 through 99 are there, but sapdp00 is 3200/tcp.
I have also tried to use a different sapcryptolib. I have the newest one and tried to download the "common" one, but I get a different error which is more or less the same:
NiIRead: hdl 17 received data (rcd=778,pac=1,MESG_IO)
->> SncProcessInput(snc_hdl=0xcb2db0, ibuf=0xcbc6f8, ilen=2222, &obuf=0x7fff2e70b8a8,
&olen=0x7fff2e70b8b8, &backbuf=0x7fff2e70b6a0, &backlen=0x7fff2e70b6b0)
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [sncxxall.c 3386]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3352]
GSS-API(maj): Miscellaneous failure
GSS-API(min): A2200202:Actual server name differs from requested one.
Unable to establish the security context
target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
<<- SncProcessInput()==SNCERR_GSSAPI
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;cb2db0;2222) [nisnc.c 1010]
Hi Petr,
As per your recent logs I found:
GSS-API(maj): Miscellaneous failure
GSS-API(min): A2200202:Actual server name differs from requested one.
Now this error happens when:
A2200202 Actual server name differs from requested one.
The name of the server's certificate used for authentication does not match the configured SNC name on the client.
Have a look SAP Note 1867829 - List of SNC Error Codes
So generate a certificate for the actual server (distinguished name) on which you are running saprouter.
Thanks,
Gaurav
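The A2200202 explanation quoted above (the name in the certificate does not match the configured SNC name) and the `-K` name used to start saprouter in the first post come down to one comparison: the DN after `p:` must be the Subject of the certificate in local.pse, as printed by `sapgenpse get_my_name -v`. The script below is an added example, not from the thread and not SAP's code, with two checks a practitioner can run before starting saprouter: `snc_names_match` compares two SNC names as RDN sequences, and `check_cred_file` verifies that SECUDIR/cred_v2 exists with mode 0600 and the expected owner, which is the chmod step from the first post. The customer-number OU `0001234567` is a made-up sample; the comparison normalises whitespace and attribute-type case only and assumes no escaped commas in values, which is an assumption about how the names should be compared, not a documented SAP rule.

```python
"""SNC identity sanity checks for a SAProuter PSE directory.

Added example for this thread, not SAP code.  Assumptions: DNs are plain
comma-separated RDNs without escaped commas; only whitespace and attribute-
type case are normalised (SAP's exact DN matching is not reproduced).
"""
import os
import stat
from typing import List, Tuple


def parse_dn(name: str) -> List[Tuple[str, str]]:
    """'p:CN=x, OU=y' -> [('CN', 'x'), ('OU', 'y')]; the 'p:' prefix is optional."""
    dn = name[2:] if name.startswith("p:") else name
    rdns = []
    for part in dn.split(","):            # assumption: no escaped commas in values
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {part!r} in {name!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def snc_names_match(configured: str, cert_subject: str) -> bool:
    """True when the -K name and the PSE certificate Subject denote the same DN.

    Order matters: a DN is a sequence, so swapping two OU= components gives a
    different name even though the attribute set is identical.
    """
    return parse_dn(configured) == parse_dn(cert_subject)


def check_cred_file(secudir: str, expected_uid: int) -> List[str]:
    """Return the problems found with SECUDIR/cred_v2 (empty list means OK)."""
    path = os.path.join(secudir, "cred_v2")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} missing: run 'sapgenpse seclogin -p local.pse -O <user>'"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append(f"{path} has mode {mode:04o}, expected 0600")
    if st.st_uid != expected_uid:
        problems.append(f"{path} owned by uid {st.st_uid}, expected {expected_uid}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the -K name from the post with a made-up customer number OU.
    own = "p:CN=SapDev, OU=0001234567, OU=SAProuter, O=SAP, C=DE"
    print("matches PSE subject:", snc_names_match(own, "CN=SapDev,OU=0001234567,OU=SAProuter,O=SAP,C=DE"))
    print("cred_v2 problems:", check_cred_file(os.environ.get("SECUDIR", "/usr/sap/saprouter"), os.getuid()))
```

The second mismatch case in the usage below is the one Petr tried: the STRUST DN of the ABAP system is a different certificate subject, so it can never be the SNC name of the saprouter's own PSE.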
Hello Gaurav,
I am sorry, I might be a little slow here, and thank you for your patience, but how can I "regenerate" the certificate for the actual server in the SAP-to-customer relationship when nothing has changed?
I take it this will work when I am doing an SNC connection to the SAP frontend, but how does it work with the SNC connection to SAP? I have filled in the datasheet with hostname and external IP, got the DN, generated the certificate and imported the SAP fingerprint into it. Depending on the crypto library (sapcryptolibp_8413-20011697, sapcryptolib_36-10010845) I am getting the messages above, one is about a wrong name, the other about the server name, and I guess it is the same. When I am generating the certificates I can’t specify the sysid of my server nor the sapservX in it. Should I import the certificate into the STRUST transaction to make it the same?
Thank you,
Regards,
Petr
Hi Petr,
Please follow Sap Note 95810 - Problem analysis
Thanks,
Gaurav
Thank you, to be honest I am kind of lost in this note. The only thing applicable from there is article 2.1.1, but it is about an incomplete certification path:
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c ....]
GSS-API(maj): A token had an invalid signature
GSS-API(min): Certification path incomplete
Unable to establish the security context
<<- SncProcessInput()==SNCERR_GSSAPI
*** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc. ....]
And the resolution should be like:
2.1.1 Signature of a certificate cannot be checked
----------------------------------------------------------
The PSE (Personal Security Environment) of the user and application server are issued by different CAs (Certification Authorities). The PSE of the user does not contain a public key of a CA with which the certificate of the application server can be verified.
Use PSEs of the same CA. If this is impossible, check out the option of cross certification with Secude support.
I have generated the certificate against the SAP Service Marketplace and, as you can see in the process described in the first post, the line:
sapgenpse import_own_cert -c srcert -p local.pse
should have imported the Marketplace fingerprint back into the generated certificate. I don’t know what else I can do. I think that this SAP note is for connecting to an SAP system through the frontend, not for connecting to SAPOSS, but I might be wrong.
Hi Petr
Kindly check this SCN link
and SAP Note 698181 - IPC security: Maintaining parameters for SNC-RFC connections
Regards