on 07-13-2015 3:34 PM
Dear All,
to use IE11 on our instances, we're updating our Instances 7.02 SPS09 to SPS16.
you met an issue on an instance (Dual stack SAP SRM 7.00 EHP1 / SAP NW 7.02 SPS09).
OS : Windows 2008 R2 SP1 (x86_64)
DB : MS SQL Server 2008 R2 SP3
ABAP Stack was updated earlier with SPAM Tool.
Now we are updating Java with SUM Tool
All Java Component were updated but SUM is locked to this step "Portal Import Content".
After updating Java Components to SPS16, SAP want to restart NR 00 but can not
Message :
Could not restart SAP instance with number 0.
Could not send the command to start the instance with number 0 on host V0-MR100. Sapcontrol client could not perform action check started on instance 0 Return code condition success evaluated to false for process sapcontrol for action check started.
Log of IMPORT-PORTAL-CONTENT_11.LOG
following command failed : E:\usr\sap\SID\DVEBMGS00\exe\sapcontrol -nr 0 -host V0-SID00 -user V11\sidadm <SecureField> -prot NI_HTTPS -function GetProcessList
GetProcessList
FAIL: SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND: The specified class was not found.), SapSSLSessionStart failed in plugin_fopen()
When sapcontrol pass by NI_HTTPS, failes
test with sapcontrol with NI_HTTP : works
test with sapcontrol WINHTTPS : works
sapcryptolib given by SUM is more recent as with one used on the instance for SSL configuration.
I updated Cryptolib Library, configure again STRUST (System PSE, SSL Server, SSL Client)
-> still same issue.
Java updated is blocked to this step.
How to bypass this issue ?
Is that possible to force SUM sapcontrol to use NI_HTTP protocol only
if yes how please
Many thanks for any help given.
---
King Regards
François
renamed the 'sec' folder under instance directory and gave 'repeat the step' in SUM. it worked!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Francois ,
Please have alook at KBA 2177490 - Software Update Manager (SUM) Error in the phase :
INPUT-OS-USER-PASSWORDS .
It contains in detail steps to resolve the issue.
Also have alook at note 1642340 - Using SSL in sapcontrol
Regards
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello,
Manjunath is right - but to simplify this:
The SSL certificate of the server (sap instance) has to be trusted in SSL client (same sap instance).
export of SAPSSLS.pse certificate:
Exporting the Server's Certificate Using SAPGENPSE - SAP NetWeaver by Key Capability - SAP Library
import of certificate to SAPSSLC.pse:
Best regards,
Frank
Precision : SSL Server was done on SID Instance (self signed certificate)
Debug log :
[Thr 11408] = found CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.34 pl40 (Feb 11 2015) MT-safe
[Thr 11408] = current UserID: V11\mr1adm
[Thr 11408] = found SECUDIR environment variable
[Thr 11408] = using SECUDIR=E:\usr\sap\MR1\DVEBMGS00\sec
sapparam: sapargv(argc, argv) has not been called!
sapparam(1c): No Profile used.
sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline
[Thr 11408] SapISSLComposeFilename(client_pse): using default "E:\usr\sap\MR1\DVEBMGS00\sec\SAPSSLC.pse"
[Thr 11408] = Client SSL_CTX 0000000004CAE250 pvflags = 192 (TLSv1.0,SSLv3)
[Thr 11408] = The Client SSL_CTX
[Thr 11408] = provides this ordered list of 9 ciphersuites:
[Thr 11408] = 1. TLS_RSA_WITH_AES128_CBC_SHA
[Thr 11408] = 2. TLS_RSA_WITH_AES256_CBC_SHA
[Thr 11408] = 3. SSL_RSA_WITH_RC4_128_SHA
[Thr 11408] = 4. SSL_RSA_WITH_RC4_128_MD5
[Thr 11408] = 5. SSL_RSA_WITH_3DES_EDE_CBC_SHA
[Thr 11408] = 6. SSL_RSA_WITH_DES_CBC_SHA
[Thr 11408] = 7. SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
[Thr 11408] = 8. SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
[Thr 11408] = 9. SSL_RSA_EXPORT_WITH_RC4_40_MD5
[Thr 11408] = Success -- SapCryptoLib SSL ready!
[Thr 11408] =================================================
[Thr 11408]
[Thr 11408] <<- SapSSLInit(read_profile=0)==SAP_O_K
[Thr 11408] NiInit3: NI already initializes (init=1;cur=2048)
[Thr 11408] addrinfo of 'V0-MR100':
[Thr 11408] 0: 10.10.209.93:0 'V0-MR100' <unknown socket type 0> (0-2-0-0-16)
[Thr 11408] NiHLGetNodeAddr: got hostname 'V0-MR100' from operating system
[Thr 11408] NiIGetNodeAddr: hostname 'V0-MR100' = addr 10.10.209.93
[Thr 11408] NiIGetServNo: servicename '50014' = port 50014
[Thr 11408] NiICreateHandle: hdl 1 state NI_INITIAL_CON
[Thr 11408] NiIInitSocket: set default settings for new hdl 1/sock 544 (I4; ST)
[Thr 11408] NiIBlockMode: set blockmode for hdl 1 FALSE
[Thr 11408] NiThrInit enter
[Thr 11408] NiITraceByteOrder: CPU byte order: little endian, reverse network, low val .. high val
[Thr 11408] NiIConnectSocket: hdl 1 is connecting to 10.10.209.93:50014 (timeout=-1)
[Thr 11408] SiPeekPendConn: connection of sock 544 established
[Thr 11408] NiICheckPendConnection: connection of hdl 1 to 10.10.209.93:50014 established
[Thr 11408] NiIConnect: hdl 1 took local address 10.10.209.93:63300
[Thr 11408] NiIConnect: state of hdl 1 NI_CONNECTED
[Thr 11408] NiIBlockMode: set blockmode for hdl 1 TRUE
[Thr 11408] ->> SapSSLSessionInit(&sssl_hdl=00000000020213B0, role=1 (CLIENT), auth_type=3 USE_CLIENT_CERT))
[Thr 11408] <<- SapSSLSessionInit()==SAP_O_K
[Thr 11408] in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"
[Thr 11408] out: sssl_hdl = 0000000003CAF1B0
[Thr 11408] ->> SapSSLSetNiHdl(sssl_hdl=0000000003CAF1B0, ni_hdl=1)
[Thr 11408] NiIBlockMode: leave blockmode for hdl 1 TRUE
[Thr 11408] SSL NI-sock: local=10.10.209.93:63300 peer=10.10.209.93:50014
[Thr 11408] <<- SapSSLSetNiHdl(sssl_hdl=0000000003CAF1B0, ni_hdl=1)==SAP_O_K
[Thr 11408] ->> SapSSLSetTargetHostname(sssl_hdl=0000000003CAF1B0, &hostname=0000000002021400)
[Thr 11408] <<- SapSSLSetTargetHostname(sssl_hdl=0000000003CAF1B0)==SAP_O_K
[Thr 11408] in: hostname = "V0-MR100"
[Thr 11408] ->> SapSSLSessionStart(sssl_hdl=0000000003CAF1B0)
[Thr 11408] SapISSLUseSessionCache(): Creating NEW session (0 cached)
[Thr 11408] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 11408] session uses PSE file "E:\usr\sap\MR1\DVEBMGS00\sec\SAPSSLC.pse"
[Thr 11408] SecudeSSL_SessionStart: SSL_connect() failed --
[Thr 11408] secude_error 536872221 (0x2000051d) = "SSL API error"
[Thr 11408] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 11408] 0x2000051d | SAPCRYPTOLIB | SSL_connect
[Thr 11408] SSL API error
[Thr 11408] Failed to verify peer certificate. Peer not trusted.
[Thr 11408] 0xa0600203 | SSL | ssl_verify_peer_certificates
[Thr 11408] Peer not trusted
[Thr 11408] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates
[Thr 11408] peer certificate (chain) is not trusted
[Thr 11408] Certificate:
[Thr 11408] Certificate:
[Thr 11408] Subject :CN=V0-MR100..FULL.QUALIFIED.DOMAINE
[Thr 11408] Issuer :CN=V0-MR100..FULL.QUALIFIED.DOMAINE
[Thr 11408] Serial number:0x0a20150714133801
[Thr 11408] Validity:
[Thr 11408] Not before :Tue Jul 14 14:38:01 2015
[Thr 11408] Not after :Fri Jan 1 01:00:01 2038
[Thr 11408] Key:
[Thr 11408] Key type :rsaEncryption (1.2.840.113549.1.1.1)
[Thr 11408] Key size :2048
[Thr 11408] PK_Fingerprint_MD5:7F01 5A69 08A1 F61A 4547 7ACC FA44 DD14
[Thr 11408] Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
[Thr 11408] Fingerprint_MD5:6A:F4:B0:DA:7A:7E:E8:B8:6B:8D:80:B3:D4:8D:77:08
[Thr 11408] Fingerprint_SHA1:1766 D413 A5A4 466D 265A 0771 2FA7 5CCD A750 4307
[Thr 11408] Verification result:
[Thr 11408] Status :Not successful
[Thr 11408] Profile :1.3.6.1.4.1.694.2.2.2.2
[Thr 11408] DirectlyTrusted:Not successful
[Thr 11408]
[Thr 11408] << ---------- End of Secude-SSL Errorstack ----------
[Thr 11408] Wed Jul 15 17:08:47 2015
[Thr 11408] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 11408] No certificate request received from Server
[Thr 11408] Base64-Dump of peer certificate (len=711 bytes)
[Thr 11408]
[Thr 11408] -----BEGIN CERTIFICATE-----
[Thr 11408] bla bla bla bla bla bla bla bla bla bla bla bla
[Thr 11408] -----END CERTIFICATE-----
[Thr 11408] Subject DN: CN=V0-MR100..FULL.QUALIFIED.DOMAINE
[Thr 11408] Issuer DN: CN=V0-MR100..FULL.QUALIFIED.DOMAINE
[Thr 11408] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000003CAF1B0)==SSSLERR_PEER_CERT_UNTRUSTED
[Thr 11408] NiICloseHandle: shutdown and close hdl 1/sock 544
[Thr 11408] ->> SapSSLSessionDone(&sssl_hdl=00000000020213B0)
[Thr 11408] <<- SapSSLSessionDone()==SAP_O_K
[Thr 11408] in: sssl_hdl = 0000000003CAF1B0
[Thr 11408] ... ni_hdl = 1
[Thr 11408] ->> SapSSLErrorName(rc=-102)
[Thr 11408] <<- SapSSLErrorName()==SSSLERR_PEER_CERT_UNTRUSTED
15.07.2015 17:08:47
GetProcessList
FAIL: SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND: The specified class was not found.), SapSSLSessionStart failed in plugin_fopen()
---
Regards
François
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello,
This is strange...
sapparam: sapargv(argc, argv) has not been called!
sapparam(1c): No Profile used.
sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline
Can you try applying the latest kernel patch level?
If the issue persists, try creating a "test.cer" file with the following content:
-----BEGIN CERTIFICATE-----
MIICJzCCAZCgAwIBAgIFAKd2cC0wDQYJKoZIhvcNAQEEBQAwRjETMBEGA1UEChMK
YXBwLXNlcnZlcjEbMBkGA1UECxMSc3NsLWVuYWJsZWQtc2VydmVyMRIwEAYDVQQD
Ewlsb2NhbGhvc3QwHhcNMDYwMzMwMDYzOTAwWhcNMjcwMzMwMDc1NDM2WjBGMRMw
EQYDVQQKEwphcHAtc2VydmVyMRswGQYDVQQLExJzc2wtZW5hYmxlZC1zZXJ2ZXIx
EjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
wvRgyXzVIxChBsUkZN096pQPRisWgMNattEeSHhCXsdNia99NANBvKOL9pWcDcUM
m8s+59huOtHBZzSvkKB28ojS/G/C2d7wQ4NNtX2ON18a1e+yuwJ7ozzWmjWJ5tJ1
T00mOsu566EdXVOY5JOGdrihCHs2kzDpvSe/DDlMc4ECAwEAAaMhMB8wHQYDVR0O
BBYEFJIixbsxpNLUw2B5uL78uwaunhviMA0GCSqGSIb3DQEBBAUAA4GBAGDHK14f
9OAIQnaFSS13hLbsx7kcvF/YOdEw5oVrt1nxcRSGsm0tSh4QV1YNzqzMaINmiMMN
l5yeVN1ePud/Lx9dYzN1cpAA0PrWFJ4Y2nkgmmFSb6hXI/QJZnzYW8M8+Foe23qd
PaVCwWoy8Vc2in/fs2DXQ9YfGbMGZdgk9n+X
-----END CERTIFICATE-----
Then, import the "test.cer" file with the command:
sapgenpse maintain_pk -p SAPSSLC.pse -a /path/to/test.cer
You can remove this certificate from the "SAPSSLC.pse" file afterwards.
Regards,
Isaías
Hello François,
You can open the ".cer" file at Windows.
You will see it is a self-signed certificate issued by "localhost" to "localhost", and it is valid for a long time .
This was just an attempt to workaround the error entry:
[Thr 11408] <<- SapSSLErrorName()==SSSLERR_PEER_CERT_UNTRUSTED
Anyway, that "sapparam" entries are still puzzling me.
Regards,
Isaías
Hello Isaias,
you were correct.
I did sapcontrol test in debug mode
E:\usr\sap\SID\DVEBMGS00\exe\sapcontrol -nr 0 -host V0-SID00 -user V11\sidadm password -prot NI_HTTPS -function GetProcessList -debug
It gives lots of information, specially the base64 certificate
-----BEGIN CERTIFICATE-----
MIICwzCCAasCCAogFQcUE1cBMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNVBAMTGVYw
..................................................................................
NUlzvncUKpH2ASKa+ENwZmuOkHZBgkmG8ybY1T3uxuJf4vY+oS8v
-----END CERTIFICATE-----
I copy this certificate in a txt file
Then i integrate it to SAPSSLC.pse
sapgenpse maintain_pk -p E:\usr\sap\SID\DVEBMGS00\sec\SAPSSLC.pse -a C:\SID.txt
=> test again of sapcontrol
E:\usr\sap\SID\DVEBMGS00\exe\sapcontrol -nr 0 -host V0-SID00 -user V11\sidadm password -prot NI_HTTPS -function GetProcessList
GetProcessList
OK
name, description, dispstatus, textstatus, starttime, elapsedtime, pid
msg_server.EXE, MessageServer, GREEN, Running, 2015 07 16 18:31:40, 15:50:24, 4996
disp+work.EXE, Dispatcher, GREEN, Running, Message Server connection ok,
Dialog Queue time: 0.00 sec, AS Java: All processes running, 2015 07 16 18:31:40, 15:50:24, 3128
igswd.EXE, IGS Watchdog, GREEN, Running, 2015 07 16 18:31:40, 15:50:24, 8180
-> Repeat step in SUM : OK
-> SUM finished until End
Hi François,
Thanks, good to know yours working.
I had tried the given solutions and managed to get the process list OK. However I'm getting error "No instance were detected via sapcontrol. Most probably there is no local sapstartsrv process running." when repeat the steps in SUM.
Had escalated this to SAP for checking.
Regards,
Will
Hi Francois,
I believe , you have select the Option "Authentication with user and password is not required" in the SUM tool.
If yes , then you have to reset the upgrade , and start it from begining without selecting the above option.
Check the sapnote
http://service.sap.com/sap/support/notes/2189669
With Regards
Ashutosh Chaturvedi
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello François,
Once SUM detects that HTTPS is available, it will force the usage of NI_HTTPS and there is no way to change that afterwards.
The only way would be to disable HTTPS completely, and then reset SUM, starting from the beginning as well.
However, I do not think this is required. The error indicates that there is something wrong with the certificates:
following command failed : E:\usr\sap\SID\DVEBMGS00\exe\sapcontrol -nr 0 -host V0-SID00 -user V11\sidadm <SecureField> -prot NI_HTTPS -function GetProcessList
GetProcessList
FAIL: SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND: The specified class was not found.), SapSSLSessionStart failed in plugin_fopen()
Try running the same command, but adding "-debug":
E:\usr\sap\SID\DVEBMGS00\exe\sapcontrol -debug -nr 0 -host V0-SID00 -user V11\sidadm <SIDadm password> -prot NI_HTTPS -function GetProcessList
Share the output here so we can further assist you.
Kind regards,
Isaías
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Isaias,
Yes, SUM detects HTTPS is on this instance, so wants only to communicate with this protocol.
SAP wants to pass by NI_HTTPS evenif we select WINHTTPS in SUM steps ...
as we'are with kernel 721 PL500, so we applied following OSS Notes :
- 1495075
- and 1439348
Issue is better now but i'm still locked
E:\usr\sap\MR1\DVEBMGS00\exe\sapcontrol -nr 0 -host V0-SID00 -user V11\sidadm <password>
-prot NI_HTTPS -function GetProcessList
sapparam: sapargv(argc, argv) has not been called!
sapparam(1c): No Profile used.
sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline
13.07.2015 17:54:20
GetProcessList
FAIL: NIECONN_REFUSED (WSAECONNREFUSED: Connection refused), NiRawConnect failed
in plugin_fopen()
i have to find how to well configure ACL authorization.
HTTPS in configured on all SRM instance, we start DEV platform this weekend, we have to solve it.
No reset possible to bypass. issue met here will serve for others plafforms.
---
Best Regards
François
Hello Francois,
Please check following SAP note:-
955233 - Upgrade to J2EE 6.40 SP17/NW04s SP8 fails during deployment
Regards
Anand
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
101 | |
13 | |
13 | |
11 | |
11 | |
7 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.