SAPOSS error (SAP Router)
I´m facing an error in the RFC SAPOSS that is related with our SAP Router... because of this error we can´t implement SAP notes using the SNOTE transaction. Some weeks ago I changed the SAP Router certificate with the new configuration that is described in SAP note 2131531 (New Root Certification Authority for saprouter certificates). I believe this error is related with this change.
Error in SAPOSS rfc:
I see the following details in the SAP Router log files logfile.txt and dev_rout:
Thu May 21 16:04:50 2015 CONNECT ERR S40/51 NIESNC_FAILURE on 'SAProuter 40.4 on 'ORION''
Thu May 21 16:04:50 2015 DISCONNECT S40/51 host 22.214.171.124/3299 (126.96.36.199)
Thu May 21 16:05:38 2015 CONNECT FROM C41/- host 10.10.0.39/49952 (nelt526.noesis.pt)
Thu May 21 16:05:38 2015 CONNECT TO S41/52 host 188.8.131.52/sapdp99 (184.108.40.206) (p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE)
Thu May 21 16:05:39 2015 CONNECT ERR S41/52 NIESNC_FAILURE on 'SAProuter 40.4 on 'ORION''
Thu May 21 16:05:39 2015 DISCONNECT S41/52 host 220.127.116.11/3299 (18.104.22.168)
Thu May 21 16:38:11 2015 DISCONNECT C35/28 host 22.214.171.124/54515 (a95-94-229-16.cpe.netcabo.pt)
Thu May 21 16:05:39 2015
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [D:/depot/b 3386]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [D:/depot/bas/74 3352]
GSS-API(maj): Miscellaneous failure
GSS-API(min): A2200223:Peer certificate path not trusted
Unable to establish the security context
target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;0000000004C000B0;1941) [nisnc.c 1003]
I already performed some telnet tests, for example, from our SAP Router server I ran the telnet 126.96.36.199 3299 and everything is Ok, also a telnet from our SAP Router server to the SAP servers to the 32xx port (telnet 188.8.131.52 3200) and everything is working too.
Can you help me please to understand what is the main problem here?!
Have you performed below, during setup of New root certificate for saprouter
- From 04/15/2015 11:00 AM CET until 07/18/2015 you need to import the old SAProuter Root CA manually:
The old SAProuter SMP Root CA certificate is attached to SAP note 2131531.
Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE.
sapgenpse maintain_pk -a smprootca.der -p local.pse
This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.