
PSE SSL Client anonymous

Former Member
0 Kudos

Hi,

I'm trying to make an SSL connection from XI, but keep getting the same error:

[Thr 3] session uses PSE file "/usr/sap/XID/DVEBMGS00/sec/SAPSSLA.pse"

[Thr 3] SecudeSSL_SessionStart: SSL_connect() failed

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 3] >> Begin of Secude-SSL Errorstack >>

[Thr 3] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=GlobalSign Root CA, OU=Root CA, O=GlobalS

ERROR in get_path: (27/0x001b) Found root certificate of <CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE> which doe

ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE> wh

[Thr 3] << End of Secude-SSL Errorstack

[Thr 3] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 3] No certificate request from Server

[Thr 3] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x1052ff370)==SSSLERR_SSL_CONNECT

[Thr 3] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT

I already imported the certificate in STRUST and assigned it to the PSE. Please help!!!

Rasmus

Accepted Solutions (1)

Former Member
0 Kudos

Hi Rasmus,

If it is a self-signed certificate, don't upload it with STRUST in the Client anonymous, but in Standard.

Cheers,

Frank

Former Member
0 Kudos

Hi Frank,

Thank you for your input, but it's a root certificate. I tried uploading it in the standard, but get the same problem.

Cheers Rasmus

Former Member
0 Kudos

Hi Rasmus,

How do you set up the SSL connection?

- via a HTTP RFC destination

- via a URL in the Receiver Channel

Did you put the receiving system's certificate in the SSL Client (standard) or XI's certificate?

You only have to put the receiving system's certificate in the SSL Client (standard) if it is a self-signed certificate. If it is a certificate for example from Verisign, you don't have to put a certificate in SSL Client (standard).

Cheers,

Frank

Former Member
0 Kudos

Hi Frank,

I use HTTP RFC connection.

The certificate is a self-signed global root certificate.

I tried the following combinations:

1. Using Anonymous SSL with the certificate

2. Using Standard SSL with the certificate

3. Using Anonymous SSL without the certificate

4. Using Standard SSL without the certificate

They all give the same error.

Cheers Rasmus

Former Member
0 Kudos

Hi Rasmus,

Leave the certificate in SSL Client Standard and try to configure the connection with the Receiver Channel.

Transport protocol: HTTPS 1.0

Address type: URL address

Target host: <fully qualified system name, same as in certificate>

Port number: <port number used for SSL>

Path: <path to service>

Cheers,

Frank

Former Member
0 Kudos

Don't forget to restart the ICM after importing the certificate into one of the PSE's.

Good luck, Guy Crets

Former Member
0 Kudos

Hi Frank,

Can you tell us how to get a self-signed certificate for testing purposes? Is there a tool to generate a test certificate, or can one get one from SAP temporarily?

Thanks,

Ly-Na Phu

0 Kudos

Dear Ly-Na Phu,

Certificates are self-signed by default. That is, if you create a PSE, e.g. for SSL Server Anonymous, it is self-signed. STRUST will show this information in the certificate details section when double-clicking on the PSE.

In case you want a signed "SSL Server" test certificate:

  1. Start STRUST
  2. Double click SSL Server Standard to display certificate details. Make sure it is SSL Server Standard and Self Signed.
  3. Perform steps as described in http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a6/f19a3dc0d82453e10000000a114084/content.htm
  4. Get the certificate request signed by a Certification Authority as described in http://help.sap.com/saphelp_nw70ehp1/helpdata/en/41/fc9fe41571814ab5779d5482ce6e55/content.htm.
    The procedure refers to the SAP Trust Center https://service.sap.com/tcs which comprises a "SSL Server Test Certificate".
  5. Import the certificate response as described in http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a6/f19a3dc0d82453e10000000a114084/frameset.htm
  6. Restart ICM (via SMICM).

Excuse that the above links point to SAP Web Dispatcher documentation. The procedures using STRUST are the same - simply use the PSEs of the Web AS ABAP.

SAP Trust Center SSL Server Test certificates are valid for 4 weeks only.

In order for the client to accept the SSL Server Certificates, you need to import the CA root certificate into the client.

Download the certificates from https://service.sap.com/tcs then go to "Download Areas > Root Certificates". Here you find a download link for ServerCA.cer - used by the TCS SSL Server Test certificates.

In case you use a Web AS ABAP system as the client (calling the system referred to above), you need to import the CA root certificate into the PSE labeled SSL Client Anonymous (again: on the client system!). In case you want to connect to the server using a Web Browser, you can ignore a certificate warning - or import the certificate into the Browser's certificate management, e.g. as described in http://windows.microsoft.com/en-US/windows-vista/Import-or-export-certificates-and-private-keys.

Regards,

Andreas
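
Added example, not part of any post in this thread: a small Python parser that reads a trace excerpt like the one in the question and reports, per failed handshake, which PSE file the session used, the STRUST node that file belongs to, and the root DN named in the error stack, so the root certificate can be checked against the PSE the client actually used. The function name and the SAPSSLC.pse / SAPSSLS.pse mappings are assumptions not taken from the thread; the sample lines are copied from the question.

```python
import re

# Standard AS ABAP SSL PSE file names and the STRUST node each belongs to.
PSE_NODES = {"SAPSSLA.pse": "SSL Client Anonymous",
             "SAPSSLC.pse": "SSL Client Standard",
             "SAPSSLS.pse": "SSL Server Standard"}
THREAD = re.compile(r"^\[Thr (\d+)\]\s*(.*)$")
PSE = re.compile(r'session uses PSE file "([^"]+)"')
SECUDE = re.compile(r'secude_error (\d+) \(0x[0-9a-fA-F]+\) = "([^"]*)"')
ROOT = re.compile(r"Found root certificate of <([^>]+)>")
FAIL = re.compile(r"SapSSLErrorName\(\)==(\w+)")

# Constructed sample: trace lines copied from the question above (two are cut off there).
SAMPLE = """\
[Thr 3] session uses PSE file "/usr/sap/XID/DVEBMGS00/sec/SAPSSLA.pse"
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 3] >> Begin of Secude-SSL Errorstack >>
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=GlobalSign Root CA, OU=Root CA, O=GlobalS
ERROR in get_path: (27/0x001b) Found root certificate of <CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE> which doe
[Thr 3] << End of Secude-SSL Errorstack
[Thr 3] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT
"""


def failed_handshakes(trace):
    """Return one summary dict per failed SSL session in a trace excerpt."""
    open_sessions, thread, failed = {}, None, []
    for line in filter(None, map(str.strip, trace.splitlines())):
        if (m := THREAD.match(line)):  # unprefixed lines stay with the last thread
            thread, line = m.groups()
        if thread and (m := PSE.search(line)):  # the PSE line opens a new session
            name = m.group(1).rsplit("/", 1)[-1]
            open_sessions[thread] = {"thread": thread, "pse_file": m.group(1),
                "strust_node": PSE_NODES.get(name, "unknown"), "reported_roots": []}
        cur = open_sessions.get(thread)
        if cur is None:
            continue
        if (m := SECUDE.search(line)):
            cur["secude_error"] = (int(m.group(1)), m.group(2))
        elif (m := ROOT.search(line)) and m.group(1) not in cur["reported_roots"]:
            cur["reported_roots"].append(m.group(1))
        elif (m := FAIL.search(line)):
            cur["result"] = m.group(1)
            failed.append(open_sessions.pop(thread))
    return failed


if __name__ == "__main__":
    print(failed_handshakes(SAMPLE))
```

For the trace in the question, the summary names SSL Client Anonymous as the STRUST node and the GlobalSign root DN as the certificate reported in the error stack.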
