on 07-15-2015 4:10 AM
Hi Everyone,
I have renewed my sap router certificate like I used to do, but now I have this error. And now I cannot connect to OSS.
Any idea what I have done wrong?
RTCONMGR::getFreeCon: mSourceConNo 1 mFreeConNo 799
NiICreateHandle: hdl 17 state NI_INITIAL_CON
NiIInitSocket: set default settings for new hdl 17/sock 492 (I4; ST)
NiIBlockMode: set blockmode for hdl 17 FALSE
NiIConnectSocket: connection of hdl 17 to 194.39.131.34:3299 in progress (timeout=0)
NiIConnect: hdl 17 took local address 0.0.0.0:50018
NiIConnect: state of hdl 17 NI_CONN_WAIT
NiSncIInitHdlSecurity for hdl 17
<<- SncSessionInit()==SAP_O_K
out: &snc_hdl = 0000000008316F60
<<- SncSetQOP()==SAP_O_K
in: qop values = "min=8 (default), max=8 (default), use=8 (default)"
resulting = "min=3 (old:3), max=3 (old:3), use=3 (old:3)"
<<- SncSessionInitiatorAK()==SAP_O_K
'target_acl_key' (addr=000000000732C924, len=105) full hexdump
0x00000 00030401 00080606 2b240301 25010000 ........ +$..%...
0x00010 00573055 310b3009 06035504 06130244 .W0U1.0. ..U....D
0x00020 45311f30 1d060355 040a1316 53415020 E1.0...U ....SAP
0x00030 54727573 7420436f 6d6d756e 69747920 Trust Co mmunity
0x00040 49493112 30100603 55040b13 09534150 II1.0... U....SAP
0x00050 726f7574 65723111 300f0603 55040313 router1. 0...U...
0x00060 08736170 73657276 32 .sapserv 2
parses to = "p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE"
->> SncProcessOutput(snc_hdl=0000000008316F60, ibuf=0000000000000000, ilen=0,
&idone=000000000732C820, &obuf=000000000732C7F0, &oused=000000000732C7E0)
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE' [sncxxall.c 3585]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3551]
GSS-API(maj): No credentials were supplied
Unable to establish the security context
target="p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE"
<<- SncProcessOutput()==SNCERR_GSSAPI
*** ERROR => NiSncIInitHdlSecurity: SncProcessOutput failed (sncrc=-4;0000000008316F60) [nisnc.c 1202]
<<- SncSessionDone()==SAP_O_K
NiICloseHandle: called for hdl 17 while waiting for connection
NiICloseHandle: shutdown and close hdl 17/sock 492
*** ERROR => NiSncHandleForAddr C9/-1, 194.39.131.34 (rc=-17) [nirout.cpp 3997]
*** ERROR => NiRClientHandle: NiRExRouteCon for C9/-1 'sapsolman.rebisco.com' failed (rc=-17) [nirout.cpp 3364]
NiBufISendErr: send ni-error rc -104 to hdl 9
NiIWrite: hdl 9 sent data (wrt=240,pac=1,MESG_IO)
NiRCloseConn: closing C9/-1
NiICloseHandle: shutdown and close hdl 9/sock 480
RTCONMGR::releaseCon: mSourceConNo 0 mFreeConNo 800
RTCONMGR::releaseCon: mSourceConNo 0 mFreeConNo 801
Hi,
We already use SAPCRYPTOLIBP_8438-20011729.SAR and saprouter 7.21 but still get the same error.
>> SncProcessInput(snc_hdl=0000000008235EB0, ibuf=0000000008237328, ilen=1941, &obuf=000000000737F9A0,
&olen=000000000737F990, &backbuf=000000000737F8F8, &backlen=000000000737F8F0)
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE' [sncxxall.c 3585]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3551]
GSS-API(maj): Miscellaneous failure
GSS-API(min): A2200202:Actual server name differs from requested one.
Unable to establish the security context
target="p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE"
<<- SncProcessInput()==SNCERR_GSSAPI
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;0000000008235EB0;1941) [nisnc.c 1010]
NiSelISelectInt: 1 handles selected (1 buffered)
Hi,
You need to add another certificate to the LOCAL PSE to let the SAPROUTER be able to talk with the old CA.
Download the certificate smprootca.der from the note 2131531 and execute the command "sapgenpse maintain_pk -a smprootca.der"
MM
Already resolved the issue. The resolution was to create the certificate with the correct CN = "name" (case sensitive).
CN=sapxxxx, OU=00007XXXXX, OU=SAProuter, O=SAP, C=D is different from CN=SAPXXXX, OU=00007XXXXX, OU=SAProuter, O=SAP, C=D
I think the main issue here was mismanagement of registered saprouter certificate.
To validate the correct Distinguished Name go to service > SAProuter > Properties > General tab > see the path to execute and validate what Distinguished Name is being executed.
Thank you everyone,
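The case-sensitive mismatch described in the post above can be checked mechanically. The following is an added example, not part of the original thread or of any SAP tool: it pulls the `-K` name out of the service's "path to executable" and compares it, component by component, with the Distinguished Name of the issued certificate. The install path, the `saprouttab` location and the function names are assumptions; the DN values are the placeholders used in the post.

```python
import re

# Constructed sample of a SAProuter service command line (paths are assumptions).
SERVICE_CMD = (r'C:\saprouter\saprouter.exe service -r -R C:\saprouter\saprouttab '
               r'-K "p:CN=sapxxxx, OU=00007XXXXX, OU=SAProuter, O=SAP, C=D"')
# DN of the certificate that was actually issued, pasted in by hand.
CERT_DN = "CN=SAPXXXX, OU=00007XXXXX, OU=SAProuter, O=SAP, C=D"

def dn_from_command(cmdline):
    """Return the SNC name passed with -K "..." on the command line."""
    m = re.search(r'-K\s+"([^"]+)"', cmdline)
    if not m:
        raise ValueError("no quoted -K argument in command line")
    return m.group(1)

def split_dn(name):
    """Drop the leading 'p:' and split into components (no escaped commas)."""
    name = name.strip()
    if name[:2].lower() == "p:":
        name = name[2:]
    return [part.strip() for part in name.split(",") if part.strip()]

def compare_dns(configured, certificate):
    """List (position, kind, configured, certificate) for every difference.

    kind is 'case-only' when the two components match apart from letter
    case, 'missing' when one side has no component at that position,
    and 'different' otherwise.
    """
    a, b = split_dn(configured), split_dn(certificate)
    findings = []
    for i in range(max(len(a), len(b))):
        left = a[i] if i < len(a) else None
        right = b[i] if i < len(b) else None
        if left == right:
            continue
        if left is None or right is None:
            kind = "missing"
        elif left.lower() == right.lower():
            kind = "case-only"
        else:
            kind = "different"
        findings.append((i, kind, left, right))
    return findings

if __name__ == "__main__":
    for finding in compare_dns(dn_from_command(SERVICE_CMD), CERT_DN):
        print(finding)
```

An empty result means the name the service is started with matches the certificate exactly; a `case-only` entry is the situation this thread ended on.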
Hi Michael,
SAP has a new CA for SNC after 15 April 2015, so you have to configure a new router and certificate.
Below are the steps by which you can configure it.
You're using an obsolete version of sapcryptolib file (5.5.5c) and
1) Remove the following folders
-ntia64
-ntintel
-nt-x86_64
2) Go to https://support.sap.com/software.html
>Support Packages & Patches
> A-Z Alphabetical List of Products
> S
> SAPCRYPTOLIB
> COMMONCRYPTOLIB 8
> your preferred O.S. version
> SAPCRYPTOLIBP_XXXX-XXXXXXXX.SAR
decompress the file to get the new sapcrypto.dll.
3) Go to https://support.sap.com/software.html
> Support Packages & Patches
> A-Z Alphabetical List of Products
> S
> SAPROUTER
> SAPROUTER (latest version)
> your preferred O.S. version
> saprouter_XXX-XXXXXXXX.sar
decompress the file to get the new saprouter.exe. Replace the old
4) Point your SNC_LIB to the new sapcrypto.dll and reboot your
saprouter server for the new environment variable to take effect.
5) Do the following :
- Follow the steps in SAP Note 2131531 - New Root Certification
Authority for saprouter certificates
- On your SAProuter, delete your existing PSE file and old certificate
file (local.pse, cred_v2)
- Go to the
https://support.sap.com/remote-support/saprouter/saprouter-certificates.html
- Click on "Apply Now!"
- Follow the steps detailed in the documentation closely
https://support.sap.com/remote-support/help/installing-saprouter.html
-> Creating the certificate request
IMPORTANT : Please do step 11, import of old SAProuter SMP Root CA
Certificate
Regards,
Himanshu
Before anything else, thank you all for your replies. I have followed all the steps here:
http://scn.sap.com/community/it-management/alm/solution-manager/blog/2015/04/21/clock-is-ticking
But still I cannot connect with the following error from dev_rout;
->> SncProcessInput(snc_hdl=0000000008555EB0, ibuf=0000000008557328, ilen=1941, &obuf=000000000730F9A0,
&olen=000000000730F990, &backbuf=000000000730F8F8, &backlen=000000000730F8F0)
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE' [sncxxall.c 3585]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3551]
GSS-API(maj): Miscellaneous failure
GSS-API(min): A2200202:Actual server name differs from requested one.
Unable to establish the security context
target="p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE"
<<- SncProcessInput()==SNCERR_GSSAPI
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;0000000008555EB0;1941) [nisnc.c 1010]
NiSelISelectInt: 1 handles selected (1 buffered)
I believe something went wrong during the setup.
Please crosscheck using "Installing the sapcrypto library and starting the SAProuter" section in below guide.
Installing the sapcrypto library and starting the SAProuter | SAP Support Portal
Regards,
Hi Mondelo,
You wrote
I have renewed my sap router certificate like I used to do, but now I have this error. And now I cannot connect to OSS.
There are some changes on how we have to deal with renewal of saprouter certificates as SAP is now signing the certificates using new root CA.
As per the KBA - 2131531 - New Root Certification Authority for SAProuter certificates - which is floating everywhere, you need to take care of the following section.
From 04/15/2015 11:00 AM CET until 07/16/2015 11:00 AM CET
All certificates signed by SAP during this period will be created using the new SAProuter CA. This requires changes on the customer site so please plan accordingly.
If you apply for an SAProuter certificate after 04/15/2015 11:00 AM CET the following steps are mandatory:
- Use latest Common Crypto Library
- Use a PSE with a key size of 2048
- Import old SAProuter Root CA (this step is important and necessary to establish the trust with the sapservX SAProuter at SAP until 07/18/2015)
In addition, using the latest SAProuter version is strongly recommended.
Also,
From 04/15/2015 11:00 AM CET until 07/18/2015 you need to import the old SAProuter Root CA manually:
The old SAProuter SMP Root CA certificate is attached to SAP note 2131531.
Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE.
sapgenpse maintain_pk -a smprootca.der -p local.pse
This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.
Now, as Gaurav Rana has mentioned the steps in his blog, you can follow the instruction and get this fixed.
There is one more blog, which you should also refer
Regards,
Hello Michael,
Please check SAP notes:
1525059 - Analysis of Problems Accessing a PSE via Credentials
2131531 - New Root Certification Authority for SAProuter certificates
Regards
Anand