cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SOAP:1.023 SRT: Processing error in Internet Communication Framework: ("ICF Error when receiving the response: ICM_HTTP_SSL_ERROR")

Former Member

on ‎04-28-2015 1:58 PM

0 Kudos

Hello all,

can you pls suggest me smth for this:

I am running solman_setup and at phase 5.1 (Configure Web dispatcher) and I have errors:

SOAP:1.023 SRT: Processing error in Internet Communication Framework: ("ICF Error when receiving the response: ICM_HTTP_SSL_ERROR")


L3 - Failed to reach test WS through System Settings (ICM/HTTPURLLOC)

L2 - Failed to reach test WS through ICM


I choosed: No SAP Web Dispatcher used


What I did:

1. re-created users SM_EXTERN_WS and SM_INTERN_WS

2. added table HTTPURLLOC with the full hostname and the port

3. created SSL server standard certificate in STRUST and its green

4. instance profile>>add login/accept_sso2_ticket=1 and login/create_sso2_ticket=2


Thx for any suggestion

Chris

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (4)

Answers (4)

former_member182657
Active Contributor
‎05-04-2015 12:06 PM
0 Kudos

Don't know why looking with ICM traces,as it's simply mentioned by SAP



No SAP Web Dispatcher used


This option applies only & when




    

  • No SAP Web Dispatcher used, if there is no SAP Web Dispatcher or equivalent solution configured
    •

Just configure SAP Web Dispatcher by following my previous replies & test the connection,this will resolve your issue.

Regards,

Show replies
Show replies
former_member182657
Active Contributor
‎04-28-2015 3:13 PM
0 Kudos

Hi Chris,

I choosed: No SAP Web Dispatcher used

This option applies only & when

  • No SAP Web Dispatcher used, if there is no SAP Web Dispatcher or equivalent solution configured

Hope you're using any other equivalent solution,if not then follow SAP webdispatcher installations & configurations.

Hope this will help you.

Regards,

Show replies
Show replies
former_member182657
Active Contributor
‎04-28-2015 3:07 PM
0 Kudos

Hi Chris,

I choosed: No SAP Web Dispatcher used

In my opinion try to implement webdispatcher first & opt url port 8000 here to test the connectivity.

You can navigate with


Hope this will help you.


Regards,


Show replies
Show replies
former_member185954
Active Contributor
‎04-28-2015 3:02 PM
0 Kudos

Hello Chris,

Could you post dev_icm log from your work directory, it may have more details.

Regards,

Siddhesh

Show replies
Show replies
Former Member
‎04-29-2015 8:00 AM
0 Kudos

Hello,

I read note 1094342 - ICM trace contains verification of the server's certificate

and I installed in the IE browser the PSE saved from /strust

Thx for any idea

[Thr 140736729089792] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL[Thr 140736729089792]    session uses PSE file "/usr/sap/SID/DVEBMGS00/sec/SAPSSLA.pse"[Thr 140736729089792] SecudeSSL_SessionStart: SSL_connect() failed[Thr 140736729089792]   secude_error 536872221 (0x2000051d) = "SSLAPI error"[Thr 140736731203328] NiIBlockMode: set blockmode for hdl 92 FALSE[Thr 140736729089792] >> Begin of Secude-SSL Errorstack >>[Thr 140736729089792] 0x2000051dSAPCRYPTOLIB SSL_connect[Thr 140736729089792] SSL API error[Thr 140736729089792] Failed to verify peer certificate. Peer not trusted.

][Thr 140736729089792] << End of Secude-SSL Errorstack[Thr 140736731203328] NiIBlockMode: set blockmode for hdl 92 TRUE[Thr 140736729089792]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"[Thr 140736731203328]   SSL_get_state() returned 0x00001180 "SSLv3 read client certificate A"[Thr 140736731203328] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL[Thr 140736731203328]    session uses PSE file "/usr/sap/SID/DVEBMGS00/sec/SAPSSLS.pse"[Thr 140736731203328] SecudeSSL_SessionStart: SSL_accept() failed[Thr 140736731203328]   secude_error 536875078 (0x20001046) = "SSL API error"[Thr 140736729089792] No certificate request received from Server[Thr 140736731203328] >> Begin of Secude-SSL Errorstack >>[Thr 140736731203328] 0x20001046SAPCRYPTOLIB SSL_accept[Thr 140736731203328] SSL API error[Thr 140736731203328] received a fatal SSLv3 certificate unknown alert message from the peer[Thr 140736731203328] 0xa0600263 SSL ssl23_accept[Thr 140736731203328] received a fatal SSLv3 certificate unknown alert message from the peer[Thr 140736731203328] 0xa0600263 SSL ssl3_read_bytes[Thr 140736731203328] received a fatal SSLv3 certificate unknown alert message from the peer[Thr 140736731203328] << End of Secude-SSL Errorstack[Thr 140736731203328] <<- ERROR: SapSSLSessionStart(sssl_hdl=1315bf0)==SSSLERR_SSL_ACCEPT[Thr 140736731203328] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT[Thr 140736729089792] <<- ERROR: SapSSLSessionStart(sssl_hdl=7fffcc023860)==SSSLERR_PEER_CERT_UNTRUSTED[Thr 140736729089792] <<- SapSSLErrorName()==SSSLERR_PEER_CERT_UNTRUSTED[Thr 140736731203328] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn_mt. 1713][Thr 140736729089792] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {000f3a6b} [icxxconn_mt.c 1989][Thr 140736731203328] <<- SapSSLSessionDone()==SAP_O_K[Thr 140736731203328]      in: sssl_hdl   = 1315bf0[Thr 140736731203328]          ... ni_hdl = 92[Thr 140736731203328] NiICloseHandle: shutdown and close hdl 92/sock 41[Thr 140736729089792] <<- SapSSLSessionDone()==SAP_O_K[Thr 140736729089792]      in: sssl_hdl   = 7fffcc023860[Thr 140736729089792]          ... ni_hdl = 223[Thr 140736729089792] IcmConnConnect(id=15/14955): free MPI request blocks[Thr 140736729089792] MPI<5909c>85#7 GetInbuf -1 21d220 1757 (1) -> MPI_EOS: End Of Stream

former_member185954
Active Contributor
‎04-29-2015 11:22 AM
0 Kudos

Hello Chris,

I haven't seen the steps you are doing as part of the guide, from the trace looks like you are you need to export the certificate out of PSE /usr/sap/SID/DVEBMGS00/sec/SAPSSLA.pse and import it into /usr/sap/SID/DVEBMGS00/sec/SAPSSLS.pse

Regards,

Siddhesh

Former Member
‎05-04-2015 11:35 AM
0 Kudos

hello,

can you suggest smth for this:

From /strust

Application requires PSE with RSA key pair

Message no. TRUST061

Diagnosis

The application requires the use of the Public Key Algorithm RSA. However, the PSE uses a different Public Key Algorithm.

From trace file

[Thr 140736732423936] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-25): SSSLERR_NO_SSL_REQUEST [icxxconn_mt. 171

[Thr 140736728196864] Thu Apr 30 11:36:20 2015

[Thr 140736728196864] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-25): SSSLERR_NO_SSL_REQUEST [icxxconn_mt. 171

[Thr 140736732423936] Thu Apr 30 11:36:19 2015

[Thr 140736732423936] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-25): SSSLERR_NO_SSL_REQUEST [icxxconn_mt. 171

[Thr 140736728196864] Thu Apr 30 11:36:20 2015

[Thr 140736728196864] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-25): SSSLERR_NO_SSL_REQUEST [icxxconn_mt. 171

[Thr 140736730838784] Thu Apr 30 11:38:03 2015

I still didnt find a solution

Thx

former_member185954
Active Contributor
‎05-04-2015 11:54 AM
0 Kudos

Hello Chris,

That shouldn't happen as you are still doing setup, did you change / upgrade your SAP Cryptographic library to the latest before starting configuration ?

Regards,

Siddhesh

Former Member
‎05-04-2015 1:17 PM
0 Kudos

Is this important? Cause this was not done by me and I dont know

Kernel is 7.21_400, Linux 64bit, Sybase 15.7_721.02_330

Thx

former_member185954
Active Contributor
‎05-04-2015 1:48 PM
0 Kudos

Hello Chris,

The error says that the PSE is encrypted with a different algorithm (which means it was potentially created by a different version of libraries) and when you are trying to do the setup today,the libraries are potentially updated which is why there is a mismatch.

Also, honestly I have got myself confused between what you have posted and responses by Gaurav below, cause I thought you skipped Webdispatcher configuration and went ahead.

Regards,

Siddhesh

Former Member
‎05-04-2015 2:06 PM
0 Kudos

This is what I said by "No SAP WEB Dispatcher used" at step 5.1 Configure Web Dispatcher

and I got these:

L3 - Failed to reach test WS through System Settings (ICM/HTTPURLLOC)

L2 - Failed to reach test WS through ICM


In /strust, I am getting


Application requires PSE with RSA key pair

Message no. TRUST061

Diagnosis

The application requires the use of the Public Key Algorithm RSA. However, the PSE uses a different Public Key Algorithm.

Thx

Chris

former_member185954
Active Contributor
‎05-04-2015 2:51 PM
0 Kudos

Hello Chris,

so as per note 1898685 - Connect the Diagnostics Agent to Solution Manager using SSL


Can you please let me know which 'Case' is applicable to you ?


Regards,

Siddhesh

Former Member
‎05-05-2015 10:26 AM
0 Kudos

Hello,

these are notes I looked in:

1318906 - Trace analysis of SSL problems

1791457 - Http/SOAP error while calling a Web Service

1822831 - Web Service Soap Errors in solman_setup

1898685 - Connect the Diagnostics Agent to Solution Manager using SSL

852688 - "SSL Client PSE DFAULT does not exist" in Transaction SM59

2076338 - HTTP connection fail

1094342 - ICM trace contains verification of the server's certificate

2012035 - System failure HTTP client code 407 reason ICM_HTTP_SSL_ERROR

2018632 - SOLMAN_SETUP: Step Configure Web Dispatcher shows warning 'Cannot check WS connection through ICM, as parameters are missing'

510007 - Setting up SSL on Application Server ABAP

but none gave me a solution.

I found that the system has SAPCryptoLib version 8.4.32 pl 40. So, I guess the libraries were updated before starting to configure solman_setup.

Do you have more ideas for me?

thx

former_member185954
Active Contributor
‎05-05-2015 11:18 AM
0 Kudos

Hello Chris,

From the screenshot and the issue you described so far. You are trying to connect the Diagnostics Agent to Solman (without a Web dispatcher),

however as per the note 1898685 - Connect the Diagnostics Agent to Solution Manager using SSL, you need some pre-requisites to be met as per 3 or 4 cases/scenarios described.

Can you please tell me as per note 1898685 - Connect the Diagnostics Agent to Solution Manager using SSL which Case is applicable to you.

The root cause (and potentially the solution) lies in that note, once you have determined which scenario is applicable to what you are trying to do, we can discuss it further.

Regards,

Siddhesh

Former Member
‎05-07-2015 8:31 AM
0 Kudos

Hello Siddhesh,

I dont understand why note 1898685 should have something for me?


I am at step 5.1 Configure Web Dispatcher, so at this point I dont need Diag Agent. I did installed it on SolMan.


At step 1. Maintain Users,user solman_admin needs updates which I did, but its not "green" ( according to )


Thx for any suggestion

Chris

Ask a Question