Skip to Content

Archived discussions are read-only. Learn more about SAP Q&A

SAPOSS error (SAP Router)


I´m facing an error in the RFC SAPOSS that is related with our SAP Router... because of this error we can´t implement SAP notes using the SNOTE transaction. Some weeks ago I changed the SAP Router certificate with the new configuration that is described in SAP note 2131531 (New Root Certification Authority for saprouter certificates). I believe this error is related with this change.

Error in SAPOSS rfc:

I see the following details in the SAP Router log files logfile.txt and dev_rout:



Thu May 21 16:04:50 2015 CONNECT ERR  S40/51 NIESNC_FAILURE on 'SAProuter 40.4 on 'ORION''

Thu May 21 16:04:50 2015 DISCONNECT   S40/51 host (

Thu May 21 16:05:38 2015 CONNECT FROM C41/- host (

Thu May 21 16:05:38 2015 CONNECT TO   S41/52 host ( (p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE)

Thu May 21 16:05:39 2015 CONNECT ERR  S41/52 NIESNC_FAILURE on 'SAProuter 40.4 on 'ORION''

Thu May 21 16:05:39 2015 DISCONNECT   S41/52 host (

Thu May 21 16:38:11 2015 DISCONNECT   C35/28 host (



Thu May 21 16:05:39 2015

*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [D:/depot/b 3386]

*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [D:/depot/bas/74 3352]

      GSS-API(maj): Miscellaneous failure

      GSS-API(min): A2200223:Peer certificate path not trusted

    Unable to establish the security context

    target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

<<- SncProcessInput()==SNCERR_GSSAPI

*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;0000000004C000B0;1941) [nisnc.c      1003]

I already performed some telnet tests, for example, from our SAP Router server I ran the telnet 3299 and everything is Ok, also a telnet from our SAP Router server to the SAP servers to the 32xx port (telnet 3200) and everything is working too.

Can you help me please to understand what is the main problem here?!

Kind regards,


Former Member replied

Hi Joao,

Have you performed below, during setup of New root certificate for saprouter

  1. From 04/15/2015 11:00 AM CET until 07/18/2015 you need to import the old SAProuter Root CA manually:

The old SAProuter SMP Root CA certificate is attached to SAP note 2131531.

Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE.

sapgenpse maintain_pk -a smprootca.der -p local.pse

This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.


2 View this answer in context
Not what you were looking for? View more on this topic or Ask a question