Getting Certificate Request signed from SAP CA

Former Member
0 Kudos

Hi guys,

I've upgraded solman to 7.1 SP12 recently and I'm currently configuring Technical operations. At one stage, there's a requirement to configure SSL for ABAP and enable HTTPS in SMICM. I'm following note 510007. I've done the following steps:

1) In t-code STRUSTSSO2, under 'SSL Server Standard', I created a PSE.

2) Under 'Own Certificate', I clicked on 'Create Certificate Request' which gives me a text file having the 'Begin certificate request' and 'End certificate request' details.

From here, I'm supposed to get the request signed from sapmarketplace under Trust Center Services. From here, I don't know how to proceed. Please advise.

regards,

Suraj

Accepted Solutions (1)

mamartins
Active Contributor
0 Kudos

Hi,

When you create the PSE, a self-signed certificate is created automatically.

Then you double-click on it. Its data will be shown on the "Certificate" tab (second one on the right). After that, click on the button "Add to ACL". From now on it can be used for SSL logon tickets.

Regards,

M

Answers (2)

Matt_Fraser
Active Contributor
0 Kudos

Does it have to be signed by SAP CA? For SolMan purposes, I'm guessing you really only need your internal servers and clients to trust the certificate. So, you can either use an internal CA, such as Microsoft Certificate Services (which is handy for pushing trust of the CA to internal IE browsers via group policy), or you can manually add the self-signed certificate to the trust stores of those servers and clients that actually need it.

Former Member
0 Kudos

Thanks all,

Sorry for the late reply. I followed Manuel's suggestion and indeed the SSL is now working.

I now have another similar config related to the Technical Operations (Rapid Content Delivery). Please guide me how to do it before I close this discussion. As per the related documentation (Rapid Content Delivery - Technical Operations - SCN Wiki):

In transaction STRUST, you have registered the following certificates for the SSL Client SSL Client (Standard) server:

How do I register the above certificates in SOLMAN?

regards,

Suraj

mamartins
Active Contributor
0 Kudos

Hi Suraj,

Glad that I helped.

To add the 3 certificates you need to download the .cer files to your PC.

Then, you go to STRUSTSSO2 and on the tab CERTIFICATE click on button "Import Certificate". After each import, click on "Add to certificate list". Then the certificate will appear on the upper tab.

Regards,

MM

Matt_Fraser
Active Contributor
0 Kudos

STRUST will work for this too, as this part isn't really about the Single-Sign-On. However, the process is identical, and STRUSTSSO2 certainly works. Remember that after saving you will probably need to restart the ICM (via transaction SMICM) for this to take effect.

Former Member
0 Kudos

Hi Manuel & Matt,

Thanks again for the info.

I imported the certificates in STRUSTSSO2 and restarted the ICM. Then I tried to test the RFC destination SMPAUDWNLD (SM59) for which I was doing this certificate configuration. However, it is giving the error:

ICM_HTTP_SSL_ERROR.

Below is an extract of the ICM log:

[Thr 16] Thu Jun  4 09:28:19 2015

[Thr 16] IcmNetCheck: network check passed without detecting problems

[Thr 13] HttpExtractArchive: files from archive /usr/sap/S01/DVEBMGS00/exe/ITS.SAR in directory /usr/sap/S01/DVEBMGS00/data/icmandir

[Thr 12] Thu Jun  4 09:28:35 2015

[Thr 12] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 12]    session uses PSE file "/usr/sap/S01/DVEBMGS00/sec/SAPSSLC.pse"

[Thr 12] SecudeSSL_SessionStart: SSL_connect() failed

[Thr 12]   secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"

[Thr 12] >>            Begin of Secude-SSL Errorstack            >>

[Thr 12] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer

[Thr 12] <<            End of Secude-SSL Errorstack

[Thr 12]   SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"

[Thr 12]   No certificate request received from Server

[Thr 12]   SSL NI-sock: local=172.16.20.221:35980  peer=125.252.237.34:443

[Thr 12] <<- ERROR: SapSSLSessionStart(sssl_hdl=107004e90)==SSSLERR_SSL_CONNECT

[Thr 12] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00000006} [icxxconn_mt.c 1989]

Is there something specific I need to focus on?

regards,

Suraj
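A small triage helper for ICM trace extracts like the one posted above, as an added example that is not part of the original thread. The function name `summarize` and the field names are hypothetical, and the "rejected ClientHello" flag is a heuristic assumption: a handshake-failure alert received while the client is still waiting for the ServerHello points at the offered protocol version or cipher suites rather than at the certificate list.

```python
import re

# Sample input: lines copied from the ICM trace quoted in the post above.
SAMPLE = '''
[Thr 16] IcmNetCheck: network check passed without detecting problems
[Thr 12] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 12]    session uses PSE file "/usr/sap/S01/DVEBMGS00/sec/SAPSSLC.pse"
[Thr 12]   secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"
[Thr 12]   SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"
[Thr 12]   No certificate request received from Server
[Thr 12]   SSL NI-sock: local=172.16.20.221:35980  peer=125.252.237.34:443
[Thr 12] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00000006} [icxxconn_mt.c 1989]
'''

LINE = re.compile(r'^\[Thr\s+(\d+)\]\s*(.*)$')
FIELDS = {
    "pse": re.compile(r'session uses PSE file "([^"]+)"'),
    "alert": re.compile(r'secude_error \d+ \((0x[0-9a-fA-F]+)\) = "([^"]+)"'),
    "state": re.compile(r'SSL_get_state\(\) returned 0x[0-9a-fA-F]+ "([^"]+)"'),
    "peer": re.compile(r'SSL NI-sock: local=\S+\s+peer=(\S+)'),
    "result": re.compile(r'SapSSLSessionStart failed \((-?\d+)\): (\w+)'),
}

def summarize(trace):
    """Group SSL details by ICM thread; return one dict per failed session."""
    sessions = {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and anything without a [Thr N] prefix
        thr, text = int(m.group(1)), m.group(2)
        for name, rx in FIELDS.items():
            hit = rx.search(text)
            if hit:
                val = hit.group(1) if rx.groups == 1 else hit.groups()
                sessions.setdefault(thr, {"thread": thr})[name] = val
        if "No certificate request received" in text:
            sessions.setdefault(thr, {"thread": thr})["client_cert_requested"] = False
    failed = [s for s in sessions.values() if "result" in s]
    for s in failed:
        # Heuristic (assumption): alert while waiting for ServerHello means
        # the peer rejected the ClientHello (protocol version / cipher suites).
        early = "read server hello" in s.get("state", "")
        s["rejected_client_hello"] = early and "handshake failure" in s.get("alert", ("", ""))[1]
    return failed
```

For the trace in this thread it reports one failed session on thread 12, using the SSL client PSE `SAPSSLC.pse`, with the ClientHello rejected before any client certificate was requested.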

Former Member
0 Kudos

Hello Suraj,

For that particular error, please check the following OSS note noting point #7 and set the parameter as shown below. You will have to restart your system after you have set the parameter.

510007 - Setting up SSL on Application Server ABAP

ssl/client_ciphersuites=208:HIGH:MEDIUM:+e3DES

Kind Regards,

Amerjit

Former Member
0 Kudos

Hi Amerjit,

I tried the parameter but still have the same problem.

Any other idea?

regards,

Suraj

Former Member
0 Kudos

Hi Suraj,

1. You restarted your system?

2. Please tell us the version of sapcrypto/commoncrypto you are using.

/nSTRUSTSSO2 => Environment => Display SSF Version.

KR,

Amerjit

Former Member
0 Kudos

Hi Amerjit,

The version details are as follows:

regards,

Suraj

Former Member
0 Kudos

Hi Amerjit,

Please see below version details:

SSFLIB Version 1.555.23 ; SECUDE(tm)

SAPCRYPTOLIB

- SNC for SAP Server components and SSL -

Version

5.5.5C (c) SECUDE GmbH 1990-2004#installed with

sapcryptolib release tag=sun_5.9_64 mt opt 64 for

Su

regards,

Suraj

Former Member
0 Kudos

Hi Suraj,

Thanks for that.

Please update your sapcryptolib to a recent version of commoncryptolib.

KR,

Amerjit

Former Member
0 Kudos

Hi all,

The issue got resolved after updating the sapcryptolib.

I'll close the discussion now.

Thanks & regards,

Suraj

former_member185954
Active Contributor
0 Kudos

Hello Suraj,

Earlier it was possible to submit the CSR that you created in STRUST to SAP's Test SSL CA.

And the SAP portal would provide a signed response, which you then import back into your PSE.

Followed by downloading the 'root' certificate of SAP Test CA into your STRUST root database.

You then had 30 days until you make a decision to buy the SSL certificate.

However, now I can't see a link to submit the CSR; I can see the link to download the 'root' certificate of SAP Test CA though.

You will have to find/purchase an SSL certificate from another CA or SAP CA. You could also try enabling SSL using self-signed certificates. Self-signed certificates can be generated using openssl; you can find commands if you google them.

Regards,

Siddhesh