SAP Router Issue - GSS-API(maj): A token had an invalid signature...

farkathulla_cikkanther
Active Participant
0 Kudos

Hello Friends,

  We renewed a saprouter certificate. It was successful and we didn't face any error during the process. But when we start the router it throws the below error in the dev_rout file.

"Sat Jul 11 14:01:22 2015

*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'

[sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3340]

      GSS-API(maj): A token had an invalid signature

      GSS-API(min): Certification path incomplete

    Unable to establish the security context

    target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

<<- SncProcessInput()==SNCERR_GSSAPI

*** ERROR => NiSncIProcIn: SncProcessInput failed (rc=-4;0022FB98;1803) [nisnc.c      998]

*** WARNING => NiBufISetHS: ready could not be freed (hdl 2) [nibuf.cpp    4356]

*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'

[sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3340]

      GSS-API(maj): A token had an invalid signature

      GSS-API(min): Certification path incomplete

    Unable to establish the security context

    target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

<<- SncProcessInput()==SNCERR_GSSAPI

*** ERROR => NiSncIProcIn: SncProcessInput failed (rc=-4;0022FB98;1803) [nisnc.c      998]"

I found the note 95810 - Problem analysis when using SNC with Secude, with the following solution.

"2.1 Errors in the Security Network Layer

------------------------------------

2.1.1 Signature of a certificate cannot be checked

----------------------------------------------------------

The PSE (Personal Security Environment) of the user and application server are issued by different CAs (Certification Authorities). The PSE of the user does not contain a public key of a CA with which the certificate of the application server can be verified.

Use PSEs of the same CA. If this is impossible, check out the option of cross certification with Secude support."



But we do not understand the solution. Where and in which file do I have to change the public key of the CA?


Please help me to resolve this issue.



Thanks & Regards


Farkath C




Accepted Solutions (1)

divyanshu_srivastava3
Active Contributor
0 Kudos

Hi Farkath,

Have you followed note 2131531 - New Root Certification Authority for SAProuter certificates?

Also, to understand, take a look at

Regards,

farkathulla_cikkanther
Active Participant
0 Kudos

Hello Divyan,

  Yes, in the note 2131531, I followed

"From 04/15/2015 11:00 AM CET until 07/16/2015 11:00 AM CET

All certificates signed by SAP during this period will be created using the new SAProuter CA. This requires changes on the customer site so please plan accordingly.

If you apply for an SAProuter certificate after 04/15/2015 11:00 AM CET the following steps are mandatory:

  • Use latest Common Crypto Library
  • Use a PSE with a key size of 2048
  • Import old SAProuter Root CA (this step is important and necessary to establish the trust with the sapservX SAProuter at SAP until 07/18/2015)

In addition, using the latest SAProuter version is strongly recommended."

How do I import the old saprouter root CA? Can you please help me?

Our saprouter system is a 32-bit system, so the latest saprouter file is not available. So I used only the latest SAPCRYPTOLIB 5.5.5 (which also contains 2048 key size) and followed the usual renewal steps.

Help me if you have any idea.

Regards,

Farkath C

divyanshu_srivastava3
Active Contributor
0 Kudos

Check this


From 04/15/2015 11:00 AM CET until 07/18/2015 you need to import the old SAProuter Root CA manually:

The old SAProuter SMP Root CA certificate is attached to SAP note 2131531.

Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE.

In the same note, download the attachment.

Use the below command:


sapgenpse maintain_pk -a smprootca.der -p local.pse

This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.

Regards,
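
A small triage script for the dev_rout error quoted in the question, added here as an example and not part of the original thread or of SAP's tooling: it groups each failed SncPEstablishContext() call with its GSS-API major/minor status and counts the targets that fail with "Certification path incomplete", the condition this thread resolved by importing the root CA into the PSE. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the dev_rout layout quoted in the question;
# the second record is deliberately cut off before its GSS-API(min) line.
SAMPLE_DEV_ROUT = """\
Sat Jul 11 14:01:22 2015

*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'
[sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3340]
      GSS-API(maj): A token had an invalid signature
      GSS-API(min): Certification path incomplete
    Unable to establish the security context
*** ERROR => NiSncIProcIn: SncProcessInput failed (rc=-4;0022FB98;1803) [nisnc.c      998]
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'
      GSS-API(maj): A token had an invalid signature
"""

TS = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}$")
START = re.compile(r"SncPEstablishContext\(\) failed for target='([^']*)'")
STATUS = re.compile(r"GSS-API\((maj|min)\):\s*(.+)")

def parse_snc_failures(text):
    """Group dev_rout lines into one record per failed SNC context setup."""
    events, current, stamp = [], None, None
    for raw in text.splitlines():
        line = raw.strip().strip('"')   # tolerate quotes from copy/paste
        if TS.match(line):
            stamp = line
        elif (m := START.search(line)):
            current = {"time": stamp, "target": m.group(1), "maj": None, "min": None}
            events.append(current)
        elif current is not None and (m := STATUS.search(line)):
            current[m.group(1)] = m.group(2).strip()
    return events

def missing_trust_anchor(events):
    """Count, per target, the failures whose minor status reports an incomplete
    certification path (in this thread: root CA not trusted in the local PSE)."""
    hits = {}
    for ev in events:
        if ev["min"] and "certification path incomplete" in ev["min"].lower():
            hits[ev["target"]] = hits.get(ev["target"], 0) + 1
    return hits

if __name__ == "__main__":
    for target, n in missing_trust_anchor(parse_snc_failures(SAMPLE_DEV_ROUT)).items():
        print(f"{n} chain failure(s) for {target}: check the PSE trust list")
```

Records without a minor status are kept by the parser but not counted, so a truncated log does not produce a false match.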

Answers (2)

farkathulla_cikkanther
Active Participant
0 Kudos

Hello Friends,

  Sorry, I missed this step. Once I added the below file, my issue was resolved.

  • Import old SAProuter Root CA (this step is important and necessary to establish the trust with the sapservX SAProuter at SAP until 07/18/2015)

Thanks

Farkath C

divyanshu_srivastava3
Active Contributor
0 Kudos

That is what I told you in my last reply.

Good Luck..

Regards,
