on 07-11-2015 7:43 PM
Hello Friends,
We renewed a SAProuter certificate. It was successful and we didn't face any error during the process. But when we start the router, it throws the below error in the dev_rout file:
"Sat Jul 11 14:01:22 2015
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'
[sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3340]
GSS-API(maj): A token had an invalid signature
GSS-API(min): Certification path incomplete
Unable to establish the security context
target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
<<- SncProcessInput()==SNCERR_GSSAPI
*** ERROR => NiSncIProcIn: SncProcessInput failed (rc=-4;0022FB98;1803) [nisnc.c 998]
*** WARNING => NiBufISetHS: ready could not be freed (hdl 2) [nibuf.cpp 4356]
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'
[sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3340]
GSS-API(maj): A token had an invalid signature
GSS-API(min): Certification path incomplete
Unable to establish the security context
target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
<<- SncProcessInput()==SNCERR_GSSAPI
*** ERROR => NiSncIProcIn: SncProcessInput failed (rc=-4;0022FB98;1803) [nisnc.c 998]"
I found note 95810 - Problem analysis when using SNC with Secude, with the following solution.
"2.1 Errors in the Security Network Layer
------------------------------------
2.1.1 Signature of a certificate cannot be checked
----------------------------------------------------------
The PSE (Personal Security Environment) of the user and application server are issued by different CAs (Certification Authorities). The PSE of the user does not contain a public key of a CA with which the certificate of the application server can be verified.
Use PSEs of the same CA. If this is impossible, check out the option of cross certification with Secude support."
But we do not understand the solution. Where and in which file do I have to change the public key of the CA?
Please help me to resolve this issue.
Thanks & Regards
Farkath C
Hi Farkath,
Have you followed note 2131531 - New Root Certification Authority for SAProuter certificates?
Also, to understand, take a look at
Regards,
Hello Divyan,
Yes, I followed note 2131531:
"From 04/15/2015 11:00 AM CET until 07/16/2015 11:00 AM CET
All certificates signed by SAP during this period will be created using the new SAProuter CA. This requires changes on the customer site so please plan accordingly.
If you apply for an SAProuter certificate after 04/15/2015 11:00 AM CET the following steps are mandatory:
In addition, using the latest SAProuter version is strongly recommended."
How do I import the old SAProuter root CA? Can you please help me?
Our SAProuter system is a 32-bit system, so the latest saprouter file is not available. So I used only the latest SAPCRYPTOLIB 5.5.5 (which also contains the 2048 key size) and followed the usual renewal steps.
Help me if you have any idea.
Regards,
Farkath C
Check this:
From 04/15/2015 11:00 AM CET until 07/18/2015 you need to import the old SAProuter Root CA manually:
The old SAProuter SMP Root CA certificate is attached to SAP note 2131531.
Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE.
Download the attachment from the same note.
Use the command below:
sapgenpse maintain_pk -a smprootca.der -p local.pse
This is necessary, since SAP has to keep using SAProuter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.
Regards,
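An added example, not part of the original thread and not SAP code: a small parser that groups the SNC failures in a dev_rout trace by target and GSS-API minor status, so a missing trust anchor such as the one fixed above stands out from other handshake errors. The sample trace is constructed from the lines quoted in the question, and the hint text is this example's own wording.

```python
import re

# Constructed sample in the dev_rout format quoted in the question above.
SAMPLE_DEV_ROUT = """\
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'
[sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3340]
GSS-API(maj): A token had an invalid signature
GSS-API(min): Certification path incomplete
*** ERROR => NiSncIProcIn: SncProcessInput failed (rc=-4;0022FB98;1803) [nisnc.c 998]
"""

TARGET_RE = re.compile(r"SncPEstablishContext\(\) failed for target='([^']*)'")
GSS_RE = re.compile(r"^GSS-API\((maj|min)\):\s*(.*)$")
# Assumption: hint wording is this example's, based on the fix given in the thread.
HINTS = {
    "Certification path incomplete":
        "issuing CA of the peer certificate is not trusted in the local PSE",
}

def parse_snc_failures(text):
    """Return one dict per SncPEstablishContext failure found in dev_rout text."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip().strip('"')  # tolerate traces pasted inside quotes
        m = TARGET_RE.search(line)
        if m:
            current = {"target": m.group(1), "maj": None, "min": None, "hint": None}
            events.append(current)
            continue
        g = GSS_RE.match(line)
        if g and current is not None:  # ignore GSS lines with no failure header
            current[g.group(1)] = g.group(2).strip()
            current["hint"] = HINTS.get(current["min"])
    return events

def summarize(events):
    """Count failures per (target, minor status) so repeated blocks collapse."""
    counts = {}
    for e in events:
        key = (e["target"], e["min"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (target, minor), n in summarize(parse_snc_failures(SAMPLE_DEV_ROUT)).items():
        print(f"{n}x {target}: {minor} -> {HINTS.get(minor, 'unclassified')}")
```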
Hello Friends,
Sorry, I missed this step. Once I added the below file, my issue was resolved.
Thanks
Farkath C
Hello Farkathulla,
Can you please check the following SAP links:
Creating a Key Pair and Public-Key Certificate and Signing It - System Security - SAP Library
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c06c8846-c160-2d10-d18e-d9961e9c7...
I hope this helps you in resolving the issue.
Regards
Anand