
SUM SP13 patch 5 - SSL Issue

Former Member
0 Kudos

Hi All,

We are performing an upgrade of an NW 7.0 dual-stack system to NW 7.31 SP16 and are using SUM SP13 Patch 5.

During the step "Specify User credentials", SUM gives an error that it is not able to fetch instance properties using HTTPS:

sapcontrol -nr 1 -host camgsdp1 -prot NI_HTTPS -function GetProcessList

sapparam: sapargv( argc, argv) has not been called.

sapparam(1c): No Profile used.

sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline

15.09.2015 15:39:29

GetProcessList

FAIL: SSSLERR_SSL_CONNECT, SapSSLSessionStart failed in plugin_fopen()

We also ran this command in debug mode, which also gives an error:

sapcontrol -debug -nr 1 -host camgsdp1 -prot NI_HTTPS -function GetProcessList

Tue Sep 15 14:39:03 2015

NiIInit: allocated nitab (2048 at 6000000000674150)

NiIHSBufInit: initialize hostname buffer (IPv4)

NiHLInit: alloc host buf (100 entries)

NiSrvLInit: alloc serv bufs (100 entries)

***LOG Q0I=> NiPGetServByName: 'sapctrls01' not found: getaddrinfo (9: Bad file number) [niuxi.c 1823]

NiSrvLGetServNo: service name 'sapctrls01' not found by operating system

<<- SapSSLSetTraceFile()==SAP_O_K

->> SapSSLInit(read_profile=0, &init_params=87ffffffffff1190, &return_reserved=0000000000000000)

=================================================

= SSL Initialization    platform tag=(hpia64_11.23_64)

=   (720_REL,Jul  5 2014,mt,ascii,SAP_UC/size_t/void* = 8/64/64)

  SapISSLComposeFilename(ssl_lib): using default "libsapcrypto.so"

DlLoadLib() success: dlopen("libsapcrypto.so"), hdl 0

DlLoadFunc (SSL_API_startup) from libsapcrypto.so

DlLoadFunc (SSL_API_cleanup) from libsapcrypto.so

DlLoadFunc (SSL_API_get_last_error) from libsapcrypto.so

DlLoadFunc (SSL_check_last_io) from libsapcrypto.so

DlLoadFunc (SSL_new) from libsapcrypto.so

DlLoadFunc (SSL_duplicate) from libsapcrypto.so

DlLoadFunc (SSL_set_session_by_ssl) from libsapcrypto.so

DlLoadFunc (SSL_clear) from libsapcrypto.so

DlLoadFunc (SSL_set_fd) from libsapcrypto.so

DlLoadFunc (SSL_accept) from libsapcrypto.so

DlLoadFunc (SSL_connect) from libsapcrypto.so

DlLoadFunc (SSL_set_verify_mode) from libsapcrypto.so

DlLoadFunc (SSL_set_options) from libsapcrypto.so

DlLoadFunc (SSL_get_state) from libsapcrypto.so

DlLoadFunc (SSL_read) from libsapcrypto.so

DlLoadFunc (SSL_write) from libsapcrypto.so

DlLoadFunc (SSL_peek) from libsapcrypto.so

DlLoadFunc (SSL_pending) from libsapcrypto.so

DlLoadFunc (SSL_set_shutdown_mode) from libsapcrypto.so

DlLoadFunc (SSL_shutdown) from libsapcrypto.so

DlLoadFunc (SSL_free) from libsapcrypto.so

DlLoadFunc (SSL_renegotiate) from libsapcrypto.so

DlLoadFunc (SSL_do_handshake) from libsapcrypto.so

DlLoadFunc (SSL_is_session_resumed) from libsapcrypto.so

DlLoadFunc (SSL_get_session) from libsapcrypto.so

DlLoadFunc (SSL_get_state_description_long) from libsapcrypto.so

DlLoadFunc (SSL_get_certificate_request_ca_dnames) from libsapcrypto.so

DlLoadFunc (SSL_CTX_new) from libsapcrypto.so

DlLoadFunc (SSL_CTX_set_default_pse_by_name) from libsapcrypto.so

DlLoadFunc (SSL_CTX_set_default_verify_mode) from libsapcrypto.so

DlLoadFunc (SSL_CTX_set_options) from libsapcrypto.so

DlLoadFunc (SSL_CTX_set_session_cache_mode) from libsapcrypto.so

DlLoadFunc (SSL_CTX_set_session_cache_max_items) from libsapcrypto.so

DlLoadFunc (SSL_CTX_get_session_cache_number) from libsapcrypto.so

DlLoadFunc (SSL_CTX_get_default_cipher_suites) from libsapcrypto.so

DlLoadFunc (SSL_CTX_set_default_cipher_suites) from libsapcrypto.so

DlLoadFunc (SSL_CTX_flush_session_cache) from libsapcrypto.so

DlLoadFunc (SSL_CTX_free) from libsapcrypto.so

DlLoadFunc: dlsym(SSL_CTX_set_protocol_version_flags)= dlsym: Unknown symbol SSL_CTX_set_protocol_version_flags -> DLENOACCESS

DlLoadFunc: dlsym(SSL_CTX_get_protocol_version_flags)= dlsym: Unknown symbol SSL_CTX_get_protocol_version_flags -> DLENOACCESS

DlLoadFunc: dlsym(SSL_get_protocol_version_numbers)= dlsym: Unknown symbol SSL_get_protocol_version_numbers -> DLENOACCESS

DlLoadFunc (SSL_get_peer_certificates) from libsapcrypto.so

DlLoadFunc (SSL_CIPHER_SUITE_get_name_info) from libsapcrypto.so

DlLoadFunc (SSL_CIPHER_SUITE_get_info) from libsapcrypto.so

DlLoadFunc (SSL_CIPHER_SUITE_get_sym_key_size) from libsapcrypto.so

DlLoadFunc (SSL_get_cipher_suite_used) from libsapcrypto.so

DlLoadFunc (SSL_get_cipher_suite_used_id) from libsapcrypto.so

DlLoadFunc (SSL_get_cipher_suites) from libsapcrypto.so

DlLoadFunc (SSL_get_cipher_suites_peer) from libsapcrypto.so

DlLoadFunc (SSL_SESSION_set_timeout) from libsapcrypto.so

DlLoadFunc (SSL_SESSION_get_session_id) from libsapcrypto.so

DlLoadFunc (aux_sprint_error) from libsapcrypto.so

DlLoadFunc (th_last_error) from libsapcrypto.so

DlLoadFunc (th_get_last_error_text) from libsapcrypto.so

DlLoadFunc (aux_free) from libsapcrypto.so

DlLoadFunc (aux_free_error) from libsapcrypto.so

DlLoadFunc (aux_get_Certificate_n_from_Certificates) from libsapcrypto.so

DlLoadFunc (aux_get_tbs_DERcode_of_Certificate) from libsapcrypto.so

DlLoadFunc (e_Certificate) from libsapcrypto.so

DlLoadFunc (aux_get_serialnumber_of_Certificate) from libsapcrypto.so

DlLoadFunc (aux_get_subject_of_Certificate) from libsapcrypto.so

DlLoadFunc (aux_get_issuer_of_Certificate) from libsapcrypto.so

DlLoadFunc (aux_cmp_DName) from libsapcrypto.so

DlLoadFunc (aux_sprint_DName) from libsapcrypto.so

DlLoadFunc (aux_free_String) from libsapcrypto.so

DlLoadFunc (aux_free_OctetString) from libsapcrypto.so

DlLoadFunc (aux_putenv) from libsapcrypto.so

DlLoadFunc (sapcr_init) from libsapcrypto.so

DlLoadFunc (sapcr_done) from libsapcrypto.so

DlLoadFunc (sapcr_get_version) from libsapcrypto.so

DlLoadFunc (sapcr_get_secudir) from libsapcrypto.so

DlLoadFunc (sapcr_set_secudir) from libsapcrypto.so

DlLoadFunc (sapcr_config) from libsapcrypto.so

DlLoadFunc: dlsym(sapsecu_create_CertEntryList)= dlsym: Unknown symbol sapsecu_create_CertEntryList -> DLENOACCESS

DlLoadFunc: dlsym(sapsecu_free_CertEntryList)= dlsym: Unknown symbol sapsecu_free_CertEntryList -> DLENOACCESS

DlLoadFunc: dlsym(sapsecu_sprint_CertEntryList)= dlsym: Unknown symbol sapsecu_sprint_CertEntryList -> DLENOACCESS

DlLoadFunc (sap_create_memory_PSE) from libsapcrypto.so

DlLoadFunc (sap_delete_memory_PSE) from libsapcrypto.so

DlLoadFunc (sap_load_memory_PSE) from libsapcrypto.so

=   found SAPCRYPTOLIB  5.5.5C pl21  (May  7 2007) MT-safe

=   current UserID: "ppxadm",  env-var USER="ppxadm"

=   found SECUDIR environment variable

=   using SECUDIR=/usr/sap/PPX/DVEBMGS01/sec

sapparam: sapargv(argc, argv) has not been called!

sapparam(1c): No Profile used.

sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline

  SapISSLComposeFilename(client_pse): using default "/usr/sap/PPX/DVEBMGS01/sec/SAPSSLC.pse"

= The Client SSL_CTX

=    provides this ordered list of 7 ciphersuites:

=       1.  SSL_RSA_WITH_RC4_128_SHA

=       2.  SSL_RSA_WITH_RC4_128_MD5

=       3.  SSL_RSA_WITH_3DES_EDE_CBC_SHA

=       4.  SSL_RSA_WITH_DES_CBC_SHA

=       5.  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

=       6.  SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

=       7.  SSL_RSA_EXPORT_WITH_RC4_40_MD5

= Success -- SapCryptoLib SSL ready!

=================================================

<<- SapSSLInit(read_profile=0)==SAP_O_K

NiInit3: NI already initializes (init=1;cur=2048)

addrinfo of 'camgsdp1 ':

0: 10.199.128.8:0 'camgsdp1 .nike.com' RAW (0-2-3-0-16)

NiHLGetNodeAddr: got hostname 'camgsdp1 ' from operating system

NiIGetNodeAddr: hostname 'camgsdp1 ' = addr 10.199.128.8

NiIGetServNo: servicename '50114' = port 50114

NiICreateHandle: hdl 1 state NI_INITIAL_CON

NiIInitSocket: set default settings for new hdl 1/sock 4 (UD; ST)

NiIBlockMode: set blockmode for hdl 1 FALSE

NiITraceByteOrder: CPU byte order: big endian, network, high val..low val

NiIConnectSocket: hdl 1 is connecting to /tmp/.sapstream50114 (timeout=-1)

NiIConnectSocket: connection of hdl 1 established to /tmp/.sapstream50114

NiIConnect: state of hdl 1 NI_CONNECTED

NiIBlockMode: set blockmode for hdl 1 TRUE

->> SapSSLSessionInit(&sssl_hdl=87fffffffffed508, role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT))

<<- SapSSLSessionInit()==SAP_O_K

     in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"

    out: sssl_hdl = 60000000007a5e70

->> SapSSLSetNiHdl(sssl_hdl=60000000007a5e70, ni_hdl=1)

NiIBlockMode: leave blockmode for hdl 1 TRUE

  SSL NI-sock: unix domain socket="/tmp/.sapstream50114"

<<- SapSSLSetNiHdl(sssl_hdl=60000000007a5e70, ni_hdl=1)==SAP_O_K

->> SapSSLSetTargetHostname(sssl_hdl=60000000007a5e70, &hostname=87fffffffffed530)

<<- SapSSLSetTargetHostname(sssl_hdl=60000000007a5e70)==SAP_O_K

     in: hostname = "camgsdp1 "

->> SapSSLSessionStart(sssl_hdl=60000000007a5e70)

  SapISSLUseSessionCache(): Creating NEW session (0 cached)

Tue Sep 15 14:39:04 2015

*** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

   session uses PSE file "/usr/sap/PPX/DVEBMGS01/sec/SAPSSLC.pse"

SecudeSSL_SessionStart: SSL_connect() failed --

  secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

>> ---------- Begin of Secude-SSL Errorstack ---------- >>

ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (101/0x0065) Certificate expired (notbefore=050829203734Z, notafter=060829203734Z, now=150915213904Z)

ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=050829203734Z, notafter=060829203734Z, now=150915213904Z)

<< ---------- End of Secude-SSL Errorstack ----------

  SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

  No certificate request received from Server

<<- ERROR: SapSSLSessionStart(sssl_hdl=60000000007a5e70)==SSSLERR_SSL_CONNECT

NiICloseHandle: shutdown and close hdl 1/sock 4

->> SapSSLSessionDone(&sssl_hdl=87fffffffffed508)

<<- SapSSLSessionDone()==SAP_O_K

     in: sssl_hdl   = 60000000007a5e70

         ... ni_hdl = 1

->> SapSSLErrorName(rc=-57)

<<- SapSSLErrorName()==SSSLERR_SSL_CONNECT

15.09.2015 14:39:04

GetProcessList

FAIL: SSSLERR_SSL_CONNECT (Bad file number), SapSSLSessionStart failed in plugin_fopen()

The debug output shows that some certificate has expired, but I checked at the ABAP level and the Java level and do not see any certificate that expired on 29 Aug 2006.

We have also recently refreshed this system.

SSL is not even configured in our system, and I am not sure why SUM is forcing the use of SSL.

SMICM also does not have any HTTPS port active.

Please suggest how we can solve this problem: which expired certificate is SUM checking, and how can we avoid using SSL during the SUM instance check?

Regards,

Shivam
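Added example, not part of the original thread: a small parser for the Secude-SSL error stack shown in the trace above. It extracts the validity window of the certificate the server presented and the client PSE used for the session, which gives the exact dates to look for when hunting the expired certificate. The sample input is constructed from the lines in the post, and the function and field names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: lines in the shape of the sapcontrol -debug trace quoted in the post.
SAMPLE_TRACE = """\
   session uses PSE file "/usr/sap/PPX/DVEBMGS01/sec/SAPSSLC.pse"
ERROR in af_verify_Certificates: (101/0x0065) Certificate expired (notbefore=050829203734Z, notafter=060829203734Z, now=150915213904Z)
ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=050829203734Z, notafter=060829203734Z, now=150915213904Z)
"""

EXPIRED = re.compile(
    r"Certificate expired \(notbefore=(\d{12})Z, notafter=(\d{12})Z, now=(\d{12})Z\)")
PSE = re.compile(r'session uses PSE file "([^"]+)"')


def parse_utctime(value):
    """Parse YYMMDDHHMMSS with the RFC 5280 pivot: YY >= 50 is 19YY, otherwise 20YY.
    (strptime's %y uses a different pivot, so the century is resolved by hand.)"""
    yy = int(value[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    parsed = datetime.strptime(f"{year}{value[2:]}", "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=timezone.utc)


def expired_certificates(trace):
    """Return one finding per distinct validity window reported as expired."""
    client_pse = None
    findings = {}
    for line in trace.splitlines():
        pse_match = PSE.search(line)
        if pse_match:
            client_pse = pse_match.group(1)
        match = EXPIRED.search(line)
        if match:
            not_before, not_after, now = (parse_utctime(g) for g in match.groups())
            # The same certificate is reported by several stack frames; key on its window.
            findings[(not_before, not_after)] = {
                "client_pse": client_pse,
                "not_before": not_before,
                "not_after": not_after,
                "days_expired": (now - not_after).days,
            }
    return list(findings.values())


if __name__ == "__main__":
    for f in expired_certificates(SAMPLE_TRACE):
        print(f"server certificate valid {f['not_before']:%Y-%m-%d} to {f['not_after']:%Y-%m-%d}, "
              f"expired {f['days_expired']} days before the trace; client PSE {f['client_pse']}")
```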

Accepted Solutions (1)


former_member185239
Active Contributor
0 Kudos

Dear Shivam,

Run the sapcontrol command in debug mode, copy the text from begin to end, and then import the certificate into SAPSSLC.pse:

sapcontrol -nr 1 -host camgsdp1 -prot NI_HTTPS -function GetProcessList -debug


Copy the text starting from Begin Certificate to End Certificate into a test.cer file.




After that, import the certificate into the SAPSSLC.pse file with the command below:


sapgenpse maintain_pk -p SAPSSLC.pse -a </path/to/test.cer>


Then run the command again:


sapcontrol -nr 1 -host camgsdp1 -prot NI_HTTPS -function GetProcessList


With Regards

Ashutosh Chaturvedi

Former Member
0 Kudos

Hi All,

Thank you so much for your replies.

Not sure what the reason was, but I performed the following:

1) I renamed the existing sec directory to sec_old, which caused my error description to change to SSLInitial failed.

2) Then I renamed sec_old back to sec and it went fine.

I wonder if it was stuck or was not able to read the sec directory, and renaming the sec directory helped SUM to read it.

Regards,

Shivam

former_member227283
Active Contributor
0 Kudos

Dear Ashutosh,

I was having the same problem.

The steps you mentioned have solved my problem.

Regards,

Anil Bhandary

Answers (3)


former_member206857
Active Participant
0 Kudos

Here's my similar issue:

http://scn.sap.com/thread/3790372

OK I found a workaround for my case.

See, I knew all along that the issue resided with my SSL key and a trust between SUM and my PSE on the server.

But I wanted the freedom of not using SSL for SUM, regardless of whether my server is configured for it.

So here is what I did.

I was using SUM SP13 PL06.

I downgraded to SUM SP11 PL03.

So at this point, open the jump_config.txt file contained in the \usr\sap\SUM\sdt\param directory.

Edit the last parameter value (/sapstartsrv/httpsconnection) from true to false and execute the step again.

It then prompts you for the SIDADM and password and moves on.

The difference between the two SUM tools: SP 13 would not take this parameter change, and it also prompts for the SIDADM/password first and then does the check, whereas SUM SP 11 checks first, takes the override parameter, then asks for the password.

Also, you must have this setting in your profiles: service/protectedwebmethods = DEFAULT

So now I can continue without SSL in SUM.

isaias_freitas
Advisor
0 Kudos

Hello,

Please apply the latest SAP kernel patch.

There are some issues with the sapcontrol and SSL handling.

Regards,

Isaías

Former Member
0 Kudos

Hi,

I performed a kernel upgrade but it did not help.

But I tried deleting all SSL certificates and regenerating them, and now I am getting:

FAIL: NIECONN_REFUSED (Connection refused), NiRawConnect failed in plugin_fopen()

When I run sapcontrol with debug, it shows that it is not able to reach:

NiIConnectSocket: hdl 1 is connecting to 10.199.128.8:50114 (timeout=-1)

***LOG Q0I=> NiPConnect: 10.199.128.8:50114: connect (239: Connection refused) [nixxi.cpp 2895]

*** ERROR => NiPConnect: SiConnect failed for hdl 1/sock 3

    (SI_ECONN_REFUSE/239; I4; ST; 10.199.128.8:50114) [nixxi.cpp    2895]

NiICloseHandle: closing initial hdl 1

Is there a way to tell sapcontrol to use a different HTTPS sapmmc port to fetch instance properties?

Regards,

Shivam

isaias_freitas
Advisor
0 Kudos

This indicates that the sapstartsrv process of the instance 01 is not running, or it is not using SSL anymore.

Do you see the sapstartsrv running?

    ps -ef|grep sapstartsrv

If yes, does the following command work?

   sapcontrol -nr 01 -function GetProcessList