STRUST/SM59: Getting Root/Intermediate Cert into HTTPS request

Former Member
0 Kudos

All,

We are working with a Vendor of ours, using a web service to communicate some information regarding business transactions.  The vendor requires that we use HTTPS Client authentication using a client certificate which has been signed by a major trusted root certificate authority (ex: Verisign).

We've used STRUST to set up the PSE and certificate.  We then used SM59 to set up an RFC (Connection Type "G" for external HTTP connection) to communicate with our vendor partner.  When we test the RFC the following happens: ICM_HTTP_SSL_ERROR.

Looking in the dev_icm file we see:

[Thr 09] Fri Jul 25 14:44:09 2014

[Thr 09] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 09]    session uses PSE file "/usr/sap/ED1/DVEBMGS11/sec/SAPSSLPAYCON.pse"

[Thr 09] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 09]   secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"

[Thr 09] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 09] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer

[Thr 09] WARNING in ssl3_get_certificate_request: (536871681/0x20000301) CertRequest with empty certificate_autorities list received (violation of SSLv3/TLSv1.0 spec) -- declining request

[Thr 09] << ---------- End of Secude-SSL Errorstack ----------

[Thr 09]   SSL_get_state() returned 0x000021d0 "SSLv3 read finished A"

[Thr 09]   No certificate request received from Server

[Thr 09]   SSL NI-sock: local=W.X.Y.Z:48439  peer=A.B,C,D:XXXX

[Thr 09] <<- ERROR: SapSSLSessionStart(sssl_hdl=10222cd90)==SSSLERR_SSL_CONNECT

[Thr 09] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {000209d5} [icxxconn_mt.c 1957]

We extracted the certificate/public and private key out of the PSE using sapgenpse export_p12.  We used soapUI to diagnose the problem.  We eventually figured out the Root and Intermediate certificates were missing from the .p12 file.  Once we edited the P12 to include the root/intermediate certificates, we were able to proceed with communicating with our vendor using the p12 and SOAP UI.

Any idea how to get these root and intermediate certificates into AS ABAP and then have AS ABAP send the root/intermediate certificates to our vendor/peer when performing an RFC call or test?
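As an added example (not part of the original post and not SAP code): a small Python triage of the dev_icm excerpt above that pulls out the PSE in use, the Secude error stack entries, and whether the trace records the client declining the server's certificate request. The sample trace is constructed from the lines quoted in the post; the function name `triage` and the result keys are assumptions.

```python
import re

# Constructed sample: trace lines taken from the dev_icm excerpt quoted in the post.
SAMPLE_TRACE = """\
[Thr 09] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 09]    session uses PSE file "/usr/sap/ED1/DVEBMGS11/sec/SAPSSLPAYCON.pse"
[Thr 09]   secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"
[Thr 09] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 09] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer
[Thr 09] WARNING in ssl3_get_certificate_request: (536871681/0x20000301) CertRequest with empty certificate_autorities list received (violation of SSLv3/TLSv1.0 spec) -- declining request
[Thr 09] << ---------- End of Secude-SSL Errorstack ----------
[Thr 09]   SSL_get_state() returned 0x000021d0 "SSLv3 read finished A"
[Thr 09]   No certificate request received from Server
[Thr 09] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {000209d5} [icxxconn_mt.c 1957]
"""

PSE_RE = re.compile(r'session uses PSE file "([^"]+)"')
STACK_RE = re.compile(r'WARNING in (\w+): \((\d+)/(0x[0-9a-fA-F]+)\) (.*)')
STATE_RE = re.compile(r'SSL_get_state\(\) returned 0x[0-9a-fA-F]+ "([^"]+)"')

def triage(trace):
    """Summarise one failed outbound TLS handshake from dev_icm trace text."""
    result = {"pse": None, "state": None, "stack": [],
              "peer_alert": False, "cert_request_declined": False}
    in_stack = False
    for raw in trace.splitlines():
        # Drop the "[Thr NN]" prefix so patterns anchor on the message itself.
        line = re.sub(r'^\[Thr \d+\]\s*', '', raw.strip())
        if "Begin of Secude-SSL Errorstack" in line:
            in_stack = True
        elif "End of Secude-SSL Errorstack" in line:
            in_stack = False
        elif in_stack and (m := STACK_RE.match(line)):
            func, dec, hexcode, msg = m.groups()
            # Each code is printed as decimal/hex; record whether the two agree.
            result["stack"].append((func, hexcode, int(dec) == int(hexcode, 16), msg))
            if func == "ssl3_get_certificate_request" and "declining request" in msg:
                result["cert_request_declined"] = True
            if "handshake failure alert" in msg:
                result["peer_alert"] = True
        elif m := PSE_RE.search(line):
            result["pse"] = m.group(1)
        elif m := STATE_RE.search(line):
            result["state"] = m.group(1)
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(key, "=", value)
```

On the sample, `cert_request_declined` is true: the error stack records the CertRequest being declined because its CA list was empty, and that entry is the one to read alongside the handshake failure alert from the peer.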

2 REPLIES

mvoros
Active Contributor
0 Kudos

Hi,

Check note http://service.sap.com/sap/support/notes/1468249. It describes how to import the whole chain of certificates.

Cheers

Former Member
0 Kudos

Greetings Martin,

I appreciate the reply.  In our case we DO have our certificate already imported into STRUST.  Part of that import procedure was that we had to supply the intermediate and root certificates to SAP.  So in our case we have the certificate, its intermediate, and the root imported into SAP, but it seems SAP is not supplying these to its peer (server) when we try to use the RFC configured to use the PSE.

Any other thoughts?