cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Error Connecting SSL Server for X.509 certificates

Go to solution
dm_mukunthan
Explorer

on ‎04-28-2014 10:58 AM

0 Kudos

Hi,

In SAP NW SSO2.0 we have installed and configured for both Kerberos based authentication and X.509 certificate. Kerberos is working fine and X.509 certificate is not syncing in Secure login client and giving error as  " Error Connecting SSL server. The SSL server does not contain the Servers domain name".

Following is the Secure client trace.

YYYY.MM.DD HH:MM:SS.MIL][LEVEL][PROCESS             ][MODULE      ][THR_ID]

[2014.04.25 19:35:28.001][ERROR][sbus.exe            ][SSL         ][  4148] Function ssl3_get_server_certificate returning error code 0: OK

[2014.04.25 19:35:28.015][ERROR][sbus.exe            ][URL         ][  4148] ERROR(0xA250020B) in URL->url_check_SSL_AltName(): URL: Server name does not fit to subject alternative name extension in SSL/TLS certificate

[2014.04.25 19:35:28.015][ERROR][sbus.exe            ][URL         ][  4148] ERROR(0xA250020B) in URL->sec_URL_API_check_ssl_server_certificate(): URL: Server name does not fit to subject alternative name extension in SSL/TLS certificate

[2014.04.25 19:35:28.015][ERROR][sbus.exe            ][URL         ][  4148] ERROR(0xA250020B) in URL->sec_url_conn_check_ssl_server_certificate(): URL: Server name does not fit to subject alternative name extension in SSL/TLS certificate

[2014.04.25 19:35:28.015][ERROR][sbus.exe            ][URL         ][  4148] ERROR(0xA250020B) in URL->sec_url_ssl_conn_check_server_certificate(): URL: Server name does not fit to subject alternative name extension in SSL/TLS certificate

[2014.04.25 19:35:28.015][ERROR][sbus.exe            ][URL         ][  4148] ERROR(0xA250020B) in URL->url_httpquery(): URL: Server name does not fit to subject alternative name extension in SSL/TLS certificate

[2014.04.25 19:35:28.015][ERROR][sbus.exe            ][URL         ][  4148] ERROR(0xA250020B) in URL->url_query(): URL: Server name does not fit to subject alternative name extension in SSL/TLS certificate

[2014.04.25 19:35:35.056][ERROR][sbus.exe            ][BASE        ][  4420] ERROR(0xA0100017) in CRYPT->sec_crypt_cipher_get_cipher_len(): An attribute is missing

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎04-28-2014 11:42 AM
0 Kudos

Hello Mukunthan Damodharan,

this means that the SSL Server Certificate has not his fully quallified name in the subject alternative name extension of the X.509 certificate.

You can create a valid one or disbale that check in the Secure Login Client.

How does the configuration gets to the clients?

With the Policy Download you can disable that check over the Secure Login Server Administration console in the corresponding authentication profile.


If manually you can change the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<profile name>

"sslHostAlternativeNameCheck"=dword:00000000

the value 0 disable that check on the client.

best regards

Alexander Gimbel

Show replies
Show replies
dm_mukunthan
Explorer
‎04-28-2014 12:09 PM
0 Kudos

Hi Gimbel,

Now that i am getting the X.509 certificate. however without the  Canonical name. Any help in that will be greatful.

Regards

Mukunthan

Former Member
‎04-28-2014 12:55 PM
0 Kudos

Hello Mukunthan,

So it works now?

Be strikt that your enrollURLs are with fully qualified names and the SSL Server certificates (CommonName(CN) part) too. They must be equal.

That is what I would recommend.

best regards

Alexander Gimbel


Answers (0)

Ask a Question