on 04-14-2005 4:42 PM
Hi,
I'm trying to make an SSL connection from XI, but keep getting the same error:
[Thr 3] session uses PSE file "/usr/sap/XID/DVEBMGS00/sec/SAPSSLA.pse"
[Thr 3] SecudeSSL_SessionStart: SSL_connect() failed
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 3] >> Begin of Secude-SSL Errorstack >>
[Thr 3] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=GlobalSign Root CA, OU=Root CA, O=GlobalS
ERROR in get_path: (27/0x001b) Found root certificate of <CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE> which doe
ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE> wh
[Thr 3] << End of Secude-SSL Errorstack
[Thr 3] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 3] No certificate request from Server
[Thr 3] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x1052ff370)==SSSLERR_SSL_CONNECT
[Thr 3] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT
I already imported the certificate in STRUST and assigned it to the PSE. Please help!!!
Rasmus
Hi Rasmus,
If it is a self-signed certificate, don't upload it with STRUST in the Client anonymous, but in Standard.
Cheers,
Frank
Hi Rasmus,
How do you set up the SSL connection?
- via a HTTP RFC destination
- via a URL in the Receiver Channel
Did you put the receiving system's certificate in the SSL Client(standard) or XI's certificate?
You only have to put the receiving system's certificate in the SSL Client(standard) if it is a self-signed certificate. If it is a certificate for example from Verisign, you don't have to put a certificate in SSL Client(standard).
Cheers,
Frank
Hi Frank,
I use HTTP RFC connection.
The certificate is a self-signed global root certificate.
I tried the following combinations:
1. Using Anonymous SSL with the certificate
2. Using Standard SSL with the certificate
3. Using Anonymous SSL without the certificate
4. Using Standard SSL without the certificate
They all give the same error.
Cheers Rasmus
Hi Rasmus,
Leave the certificate in SSL Client Standard and try to configure the connection with the Receiver Channel.
Transport protocol: HTTPS 1.0
Address type: URL address
Target host: <fully qualified system name, same as in certificate>
Portnumber: <portnumber used for SSL>
Path: <path to service>
Cheers,
Frank
Dear Ly-Na Phu,
Certificates are self-signed by default. That is, if you create a PSE, e.g. for SSL Server Anonymous, it is self-signed. STRUST will show this information in the certificate details section when double-clicking on the PSE.
In case you want a signed "SSL Server" test certificate:
Excuse that the above links point to SAP Web Dispatcher documentation. The procedure using STRUST is the same - simply use the PSEs of the Web AS ABAP.
SAP Trust Center SSL Server Test certificates are valid for 4 weeks only.
In order for the client to accept the SSL Server Certificates, you need to import the CA root certificate into the client.
Download the certificates from https://service.sap.com/tcs then go to "Download Areas > Root Certificates". Here you find a download link for ServerCA.cer - used by the TCS SSL Server Test certificates.
In case you use a Web AS ABAP system as the client (calling the system referred to above) you need to import the CA root certificate into the PSE labeled SSL Client Anonymous (again: on the client system!). In case you want to connect to the server using a Web Browser, you can ignore a certificate warning - or import the certificate into the Browser's certificate management e.g. as described in http://windows.microsoft.com/en-US/windows-vista/Import-or-export-certificates-and-private-keys.
Regards,
Andreas
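
Added example, not part of the original thread: a small Python triage of the trace posted in the question, reporting which PSE the failing session actually used and which root CA the chain error names. The `triage` function and the PSE file-name-to-role mapping are assumptions of this example (the mapping follows the usual SAP file names), not something stated in the thread.

```python
import re

# Trace excerpt from the question above; the DN lines are cut off in the
# post, so only DNs with a closing '>' are treated as complete.
TRACE = """\
[Thr 3] session uses PSE file "/usr/sap/XID/DVEBMGS00/sec/SAPSSLA.pse"
[Thr 3] SecudeSSL_SessionStart: SSL_connect() failed
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 3] >> Begin of Secude-SSL Errorstack >>
[Thr 3] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=GlobalSign Root CA, OU=Root CA, O=GlobalS
ERROR in get_path: (27/0x001b) Found root certificate of <CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE> which doe
[Thr 3] << End of Secude-SSL Errorstack
"""

# Assumption: usual file names of the ABAP SSL PSEs shown in STRUST.
PSE_ROLES = {"SAPSSLA.pse": "SSL Client (Anonymous)",
             "SAPSSLC.pse": "SSL Client (Standard)",
             "SAPSSLS.pse": "SSL Server"}

PSE_RE = re.compile(r'session uses PSE file "([^"]+)"')
ERR_RE = re.compile(r'secude_error (\d+) \(0x[0-9a-fA-F]+\) = "([^"]*)"')
STACK_RE = re.compile(r'ERROR in (\w+): \((\d+)/0x[0-9a-fA-F]+\)')
ROOT_RE = re.compile(r'Found root certificate of <([^>]+)>')

def triage(trace):
    """Summarise one failed handshake: PSE used, error, root DNs named."""
    out = {"pse": None, "role": None, "error": None, "stack": [], "roots": []}
    for line in trace.splitlines():
        if m := PSE_RE.search(line):
            out["pse"] = m.group(1)
            out["role"] = PSE_ROLES.get(m.group(1).rsplit("/", 1)[-1], "unknown")
        if m := ERR_RE.search(line):
            out["error"] = (int(m.group(1)), m.group(2))
        if m := STACK_RE.search(line):
            out["stack"].append((m.group(1), int(m.group(2))))
        if (m := ROOT_RE.search(line)) and m.group(1) not in out["roots"]:
            out["roots"].append(m.group(1))
    return out

if __name__ == "__main__":
    r = triage(TRACE)
    print(f"PSE used : {r['pse']} [{r['role']}]")
    print(f"Error    : {r['error']}")
    for dn in r["roots"]:
        print(f"Root CA named in the chain error: {dn}")
```

The PSE reported here is the one whose certificate list was consulted for the failing handshake, so it is the first place to check in STRUST.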