on 03-10-2015 5:09 PM
Hi,
We recently upgraded the kernel and SAP CryptoLib on one of our PI systems (7.11 SP6 Dual Stack, CommonCryptoLib 8 Version 8.4.34).
We have three vendors, all with untrusted certificates, with whom we can no longer communicate. When we test the RFC connection we receive the following error.
[Thr 3085] SSL API error
[Thr 3085] Failed to verify peer certificate. Peer not trusted.
[Thr 3085] 0xa0600203 SSL ssl_verify_peer_certificates
[Thr 3085] Peer not trusted
[Thr 3085] 0xa0600297 SSL ssl_cert_checker_verify_certificates
[Thr 3085] peer certificate (chain) is not trusted
[Thr 3085] <<- ERROR: SapSSLSessionStart(sssl_hdl=1184803f0)==SSSLERR_PEER_CERT_UNTRUSTED
[Thr 3085] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0002e2b6} [icxxconn_mt.
The connections were working prior to the upgrade. The vendors' certificates are stored in the NWA certificate store (we don't use STRUST) and have not changed.
There is nothing wrong with the certificate OR the RFC destination. I have searched SCN without a relevant hit. Can anyone help?
Hi, the kernel is up to date. As I mentioned before, we recently upgraded the kernel and SAP CryptoLib on one of our PI systems (7.11 SP6 Dual Stack, CommonCryptoLib 8 Version 8.4.34). This interface was working before and now we get an untrusted error.
The particular vendor does not have a trust chain on his server certificate. Therefore, I do not have any other certificates to install.
As this was working before the SAP CryptoLib library upgrade, I assume that this new version does not allow untrusted certificates OR there is a parameter that needs to be set to allow untrusted certificates.
Regards
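Added example, not from this thread and not SAP code. The trace says the peer certificate (chain) is not trusted, and the post above says the vendor sends no chain. The useful check is to see what a verifier does with exactly the certificates the peer presents against exactly what is in the local store. The script below uses the OpenSSL CLI as a stand-in for the CommonCryptoLib verifier (assumption: openssl 1.1.1 or newer on PATH; every certificate name is invented) and builds a throw-away chain to show five cases: intermediate missing, intermediate supplied, only the vendor's leaf in the store with and without partial-chain acceptance, and a self-signed vendor certificate in the store.

```shell
#!/bin/sh
# Added example (not from this thread, not SAP code): reproduce the "peer
# certificate (chain) is not trusted" class of failure with the OpenSSL
# verifier, on a throw-away PKI built here. Assumes the openssl CLI (1.1.1 or
# newer) is on PATH; every name below is made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build: root CA -> intermediate CA -> vendor leaf, plus a separate
# self-signed vendor certificate that carries no chain at all.
build_certs() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vendor.example\n' > ee.ext
  for n in root inter leaf selfsigned; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
      -subj "/CN=$n.example" >/dev/null 2>&1
  done
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.pem >/dev/null 2>&1
  openssl x509 -req -in selfsigned.csr -signkey selfsigned.key -days 30 -extfile ee.ext \
    -out selfsigned.pem >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
    -extfile ca.ext -out inter.pem >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 30 \
    -extfile ee.ext -out leaf.pem >/dev/null 2>&1
)

# Verify a peer certificate the way a TLS client does. $1 is our trust store
# (what we imported into the certificate store), $2 is the certificate the
# peer presents as its own, further arguments are passed to openssl verify,
# e.g. "-untrusted <file>" for intermediates the peer sends along with its
# leaf. Prints "trusted" or "untrusted".
check_peer() {
  store=$1; leaf=$2; shift 2
  if openssl verify -CAfile "$store" "$@" "$leaf" 2>&1 | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

build_certs
R=$WORK/root.pem; I=$WORK/inter.pem; L=$WORK/leaf.pem; S=$WORK/selfsigned.pem

echo "root CA in store, peer sends leaf only:         $(check_peer "$R" "$L")"
echo "root CA in store, peer sends leaf+intermediate: $(check_peer "$R" "$L" -untrusted "$I")"
echo "vendor leaf itself in store, no chain:          $(check_peer "$L" "$L")"
echo "same, but partial chains accepted:              $(check_peer "$L" "$L" -partial_chain)"
echo "self-signed vendor cert in store:               $(check_peer "$S" "$S")"
```

Against a live vendor, `openssl s_client -connect host:443 -showcerts` lists exactly which certificates the server sends. If only the leaf appears and it is not self-signed, the verifier has to find the issuer in the local store, which is what the first and third cases above reproduce; a self-signed certificate placed in the store verifies on its own, as the last case shows. Whether CommonCryptoLib 8.4.34 accepts a non-self-signed leaf as a trust anchor the way OpenSSL does with `-partial_chain` is not something this script can tell you; it only makes the distinction visible.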
Hello Robert,
Assuming that nothing changed on your vendor side, maybe the vendor uses an older encryption algorithm which was supported by SAP Cryptolib and is by default not supported anymore.
Check the SAP Note
510007 - Setting up SSL on Application Server ABAP
Section 6 especially speaks about the following:
Outgoing SSL connections (SSL client) will all offer the cipher suites configured by (ssl/client_ciphersuites). Netweaver Kernels predating the Kernel patch from SAP Note 1433874 use the "ssl/ciphersuites" setting also for outgoing SSL connections. For backwards compatibility, Kernel patch 1433874 does not have a built-in default setting for "ssl/client_ciphersuites", and will use the "ssl/ciphersuites" setting as fallback unless a custom setting is configured.
Incoming SSL connections (SSL server/services) can optionally be configured to use service-specific cipher suite settings in the SSL configuration part icm/ssl_config_<xx> for an icm server port definition icm/server_port_<xx> via the string parameter CIPHERS:
icm/server_port_<xx> = ..., SSLCONFIG=ssl_config_<yy>
icm/ssl_config_<yy> = ..., CIPHERS=...
It might be the case that if you don't set these parameters, the system runs with some assumptions.
Regards,
Siddhesh
Hi,
No, nothing has changed, and this is the only vendor we are having a problem with since we upgraded. We see the following error in our logs. For outbound connections we are still using the same ciphers.
[Thr 3085] SSL API error
[Thr 3085] Failed to verify peer certificate. Peer not trusted.
[Thr 3085] 0xa0600203 SSL ssl_verify_peer_certificates
[Thr 3085] Peer not trusted
[Thr 3085] 0xa0600297 SSL ssl_cert_checker_verify_certificates
Hello Robert,
Is your kernel up-to-date?
Check also:
2138175 - SM21: No SSL access to remote instances
Regards,
Serhat