on 04-28-2014 10:58 AM
Hi,
In SAP NW SSO 2.0 we have installed and configured both Kerberos-based authentication and X.509 certificate. Kerberos is working fine, but the X.509 certificate is not syncing in the Secure Login Client and it gives the error "Error Connecting SSL server. The SSL server does not contain the Servers domain name".
Following is the Secure client trace.
YYYY.MM.DD HH:MM:SS.MIL][LEVEL][PROCESS ][MODULE ][THR_ID]
[2014.04.25 19:35:28.001][ERROR][sbus.exe ][SSL ][ 4148] Function ssl3_get_server_certificate returning error code 0: OK
[2014.04.25 19:35:28.015][ERROR][sbus.exe ][URL ][ 4148] ERROR(0xA250020B) in URL->url_check_SSL_AltName(): URL: Server name does not fit to subject alternative name extension in SSL/TLS certificate
[2014.04.25 19:35:28.015][ERROR][sbus.exe ][URL ][ 4148] ERROR(0xA250020B) in URL->sec_URL_API_check_ssl_server_certificate(): URL: Server name does not fit to subject alternative name extension in SSL/TLS certificate
[2014.04.25 19:35:28.015][ERROR][sbus.exe ][URL ][ 4148] ERROR(0xA250020B) in URL->sec_url_conn_check_ssl_server_certificate(): URL: Server name does not fit to subject alternative name extension in SSL/TLS certificate
[2014.04.25 19:35:28.015][ERROR][sbus.exe ][URL ][ 4148] ERROR(0xA250020B) in URL->sec_url_ssl_conn_check_server_certificate(): URL: Server name does not fit to subject alternative name extension in SSL/TLS certificate
[2014.04.25 19:35:28.015][ERROR][sbus.exe ][URL ][ 4148] ERROR(0xA250020B) in URL->url_httpquery(): URL: Server name does not fit to subject alternative name extension in SSL/TLS certificate
[2014.04.25 19:35:28.015][ERROR][sbus.exe ][URL ][ 4148] ERROR(0xA250020B) in URL->url_query(): URL: Server name does not fit to subject alternative name extension in SSL/TLS certificate
[2014.04.25 19:35:35.056][ERROR][sbus.exe ][BASE ][ 4420] ERROR(0xA0100017) in CRYPT->sec_crypt_cipher_get_cipher_len(): An attribute is missing
Hello Mukunthan Damodharan,
This means that the SSL server certificate does not have its fully qualified name in the subject alternative name extension of the X.509 certificate.
You can create a valid one or disable that check in the Secure Login Client.
How does the configuration get to the clients?
With the Policy Download you can disable that check over the Secure Login Server Administration console in the corresponding authentication profile.
If manually, you can change the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<profile name>]
"sslHostAlternativeNameCheck"=dword:00000000
The value 0 disables that check on the client.
best regards
Alexander Gimbel
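
For the first option in the reply above (issuing a valid certificate), this added example, which is not part of the original thread, checks whether the name a client connects to is covered by a certificate's subject alternative name entries. It assumes RFC 6125-style matching (the Secure Login Client's exact rules are not stated on this page), takes a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and uses constructed host names under example.com.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive, '*' only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def san_covers(cert: dict, server_name: str) -> tuple[bool, list[str]]:
    """Return (matched, san_values) for the name the client actually connects to.

    Only the subjectAltName extension is consulted; the subject CN is ignored,
    which is the situation the trace in this thread reports.
    """
    sans = cert.get("subjectAltName", ())
    values = [f"{kind}:{value}" for kind, value in sans]
    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None  # not an IP literal, so compare against DNS entries
    for kind, value in sans:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, values
        elif kind == "DNS" and _dns_match(value, server_name):
            return True, values
    return False, values

# Constructed sample certificates (hypothetical names, not from the thread).
CN_ONLY = {"subject": ((("commonName", "sls01.corp.example.com"),),)}
SHORT_NAME = {"subjectAltName": (("DNS", "sls01"),)}
GOOD = {"subjectAltName": (("DNS", "sls01.corp.example.com"),
                           ("DNS", "*.sso.example.com"))}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("short name", SHORT_NAME),
                        ("FQDN in SAN", GOOD)):
        ok, sans = san_covers(cert, "sls01.corp.example.com")
        print(f"{label:12} match={ok} SAN={sans}")
```
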