
Communication C4C->PI SSL Error

raphael-l
Participant
0 Kudos

Dear Experts,

I have a problem getting the outbound communication for C4C with PI running.

Every time I'm testing the outbound communication in C4C I get the following error:

SOAP Runtime: SRT: Processing error in Internet CommunicationFramework: ("ICF Error when receiving the response: ICM_HTTP_SSL_ERROR") ()

I already installed the complete certificate chain of C4C in STRUST of the PI system and also the complete certificate chain of our certificate. I also imported the certificate in C4C, but with no success.

For the authentication I tested user-based as well as certificate-based authentication, but still the same error.

I also checked the ICM Monitor (tx: SMICM), but there is no warning or error when I'm doing the outbound test.

What else needs to be done? Any suggestions would be highly appreciated because I'm really stuck at the moment.

Thanks

Raphael

PS: The communication PI -> C4C is already working. That means I can send, e.g., products.

Accepted Solutions (1)

raphael-l
Participant
0 Kudos

Hi everyone,

Thanks again to all for helping.

A small summary for the rest:

For PI integration using just NAT and port forwarding (no reverse proxy, e.g. Web Dispatcher), you have to whitelist the same range as in the HCI documentation, which is 155.56.128.0/17.

It is not enough to whitelist only the IP of the cloud (ping on your tenant).

The error you get when the port/IP is not open or when there is no communication with PI is a little bit misleading (ICM_HTTP_SSL_ERROR).

If this is done you should see traffic coming from the cloud in the ICM trace file (tx: SMICM) on the PI.

Hope this helps if somebody is facing the same issue.

Regards,

Raphael

0 Kudos

Great, thank you Raphael. I'm sure this will help others!!!

Former Member
0 Kudos

So I have to whitelist 32766 IP addresses?

raphael-l
Participant
0 Kudos

Hi,

Something around that, yes.

As SAP has some software in place that can give the cloud some random IP address in that range, you have to whitelist this range.

The other solution is to sniff the IP address of your cloud solution (when it hits your firewall) but keep in mind that SAP can change this IP whenever they want.

Regards,

Raphael
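An added example for the accepted solution and the range-size follow-up above; it is not code from any poster. It measures how much of 155.56.128.0/17 a firewall allow rule admits and flags dropped connections to the PI port that came from inside that range. The log format and every sample IP (including the "tenant" address 155.56.200.5) are constructed for illustration.

```python
import ipaddress
import re

# Range quoted in the thread for SAP's outbound proxies (tenant hosted in Germany).
SAP_OUTBOUND_RANGE = ipaddress.ip_network("155.56.128.0/17")
PI_HTTPS_PORT = 44301  # port named in the thread's Communication Arrangement

# Constructed firewall log lines in a hypothetical "ACTION src=IP dpt=PORT" format.
SAMPLE_LOG = """\
DROP src=155.56.130.17 dpt=44301
ACCEPT src=155.56.200.5 dpt=44301
DROP src=155.56.255.254 dpt=44301
DROP src=155.56.127.9 dpt=44301
DROP src=203.0.113.40 dpt=44301
"""
LINE_RE = re.compile(r"^(ACCEPT|DROP) src=(\S+) dpt=(\d+)$")


def covered_addresses(allow_rules):
    """Count the addresses of the SAP range that the allow rules admit."""
    nets = [ipaddress.ip_network(rule, strict=False) for rule in allow_rules]
    total = 0
    for net in ipaddress.collapse_addresses(nets):
        if net.overlaps(SAP_OUTBOUND_RANGE):
            # Two overlapping CIDR blocks nest, so the overlap is the smaller one.
            inner = net if net.subnet_of(SAP_OUTBOUND_RANGE) else SAP_OUTBOUND_RANGE
            total += inner.num_addresses
    return total


def wrongly_dropped(log_text, port=PI_HTTPS_PORT):
    """Return dropped sources that fall inside the SAP outbound range."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != "DROP" or int(m.group(3)) != port:
            continue
        try:
            src = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # skip malformed addresses instead of aborting the audit
        if src in SAP_OUTBOUND_RANGE:
            hits.append(str(src))
    return hits


if __name__ == "__main__":
    print("range size:", SAP_OUTBOUND_RANGE.num_addresses)
    print("tenant-IP-only rule covers:", covered_addresses(["155.56.200.5/32"]))
    print("dropped but legitimate:", wrongly_dropped(SAMPLE_LOG))
```

Any address returned by `wrongly_dropped` is a connection the firewall refused before TLS could start, which is the situation the thread reports surfacing on the C4C side as ICM_HTTP_SSL_ERROR.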

Answers (3)

markbernabe
Active Participant
0 Kudos

Hi everyone,

Do we really need to whitelist by IP address? Wouldn't FQDN suffice?

Thanks.

raphael-l
Participant
0 Kudos

Hi Mark,

I'm no network guy, but if the FQDN whitelisting is not translating the name into an IP address, this could be possible.

Also, I haven't done any network sniffing to check if the name of the tenant is stored somewhere in the IP packet. I would guess that this is not the case.

Regards,

Raphael

0 Kudos

Hi Raphael,

Please explain quickly where SSL gets terminated. Is it on PI or do you have a reverse proxy in front of the PI? Please also add the host name/port/URL you are using in the Communication Arrangement to this blog.

In principle you don't need to install the CfC certificate chain into PI, but you have to upload the root certificate of the server certificate (PI or reverse proxy) into the CfC tenant, as also mentioned by Shiva.

Also the port specified in the Communication Arrangement might be important since we do not support all ports for SSL outbound communication. If you use 443 then this is not a problem.

Best regards,

Berthold

0 Kudos

Thanks, Berthold!!!

raphael-l
Participant
0 Kudos

Hi Berthold,

Thanks for your answer, and thanks also to you, Ginger, for investigating.

We do not have a reverse proxy. There will be just a port forwarding when traffic is coming from C4C to the internal network.

The port in the communication arrangement is 44301 (which should be fine from what I read in some posts) and we checked that the public address (sorry, but I don't want to post the public address here in this blog) matches the certificate.

I also imported the wildcard certificate in C4C.

What I have discovered so far is that the IP range of HCI should fit for the communication C4C -> internal network. Can you confirm that?

Because this is the range we need to "whitelist" and forward to the PI.

Regards,

Raphael

0 Kudos

Hello Raphael,

If you filter on the IP address of the SAP network, then you have to filter on our outbound proxy range and not on the IP address of the HCI system.

Here's the correct IP range you can use for filtering (supposing your HCI tenant is hosted in Germany):

155.56.128.0/17

Best regards,

Berthold


Former Member
0 Kudos

Hi Raphael,

Are you using a reverse proxy or Web Dispatcher for on-prem?

Install the certificate from that reverse proxy or Web Dispatcher into your IE.

Also, add that certificate in C4C in 'Administrator -> Edit certificate trust list'.

If this doesn't work, let me know. I can explain to you how to get this.

Regards

Shiva

raphael-l
Participant
0 Kudos

Hi Shiva,

thanks for your answer.

I've gone a little bit further. It seems that the problem was the whitelisting/port forwarding of the IP address in our firewall, because in contrast to some posts in the forum it seems that it's not enough to forward only the IP address of the cloud tenant you get back from a ping.

The error message is therefore a little bit misleading because this is not really an SSL error.

So I'm at the moment testing the whitelist range of the HCI Operations Guide.

Thanks again for your answer.

Regards,

Raphael

0 Kudos

- do you have any input here?  Since Raphael is using PI - I'm wondering if the range from HCI operations guide will help?