on 09-15-2015 11:50 PM
Hi All,
We are performing upgrade on NW 7.0 dual stack system to NW 7.31 SP16 and using SUM SP13 Patch5.
During step "Specify User credentials" SUM is giving error that it is not able to fetch instance properties using HTTPS -
sapcontrol -nr 1 -host camgsdp1 -prot NI_HTTPS -function GetProcessList
sapparam: sapargv( argc, argv) has not been called.
sapparam(1c): No Profile used.
sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline
15.09.2015 15:39:29
GetProcessList
FAIL: SSSLERR_SSL_CONNECT, SapSSLSessionStart failed in plugin_fopen()
We ran this command in debug mode also which is also giving error -
sapcontrol -debug -nr 1 -host camgsdp1 -prot NI_HTTPS -function GetProcessList
Tue Sep 15 14:39:03 2015
NiIInit: allocated nitab (2048 at 6000000000674150)
NiIHSBufInit: initialize hostname buffer (IPv4)
NiHLInit: alloc host buf (100 entries)
NiSrvLInit: alloc serv bufs (100 entries)
***LOG Q0I=> NiPGetServByName: 'sapctrls01' not found: getaddrinfo (9: Bad file number) [niuxi.c 1823]
NiSrvLGetServNo: service name 'sapctrls01' not found by operating system
<<- SapSSLSetTraceFile()==SAP_O_K
->> SapSSLInit(read_profile=0, &init_params=87ffffffffff1190, &return_reserved=0000000000000000)
=================================================
= SSL Initialization platform tag=(hpia64_11.23_64)
= (720_REL,Jul 5 2014,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
SapISSLComposeFilename(ssl_lib): using default "libsapcrypto.so"
DlLoadLib() success: dlopen("libsapcrypto.so"), hdl 0
DlLoadFunc (SSL_API_startup) from libsapcrypto.so
DlLoadFunc (SSL_API_cleanup) from libsapcrypto.so
DlLoadFunc (SSL_API_get_last_error) from libsapcrypto.so
DlLoadFunc (SSL_check_last_io) from libsapcrypto.so
DlLoadFunc (SSL_new) from libsapcrypto.so
DlLoadFunc (SSL_duplicate) from libsapcrypto.so
DlLoadFunc (SSL_set_session_by_ssl) from libsapcrypto.so
DlLoadFunc (SSL_clear) from libsapcrypto.so
DlLoadFunc (SSL_set_fd) from libsapcrypto.so
DlLoadFunc (SSL_accept) from libsapcrypto.so
DlLoadFunc (SSL_connect) from libsapcrypto.so
DlLoadFunc (SSL_set_verify_mode) from libsapcrypto.so
DlLoadFunc (SSL_set_options) from libsapcrypto.so
DlLoadFunc (SSL_get_state) from libsapcrypto.so
DlLoadFunc (SSL_read) from libsapcrypto.so
DlLoadFunc (SSL_write) from libsapcrypto.so
DlLoadFunc (SSL_peek) from libsapcrypto.so
DlLoadFunc (SSL_pending) from libsapcrypto.so
DlLoadFunc (SSL_set_shutdown_mode) from libsapcrypto.so
DlLoadFunc (SSL_shutdown) from libsapcrypto.so
DlLoadFunc (SSL_free) from libsapcrypto.so
DlLoadFunc (SSL_renegotiate) from libsapcrypto.so
DlLoadFunc (SSL_do_handshake) from libsapcrypto.so
DlLoadFunc (SSL_is_session_resumed) from libsapcrypto.so
DlLoadFunc (SSL_get_session) from libsapcrypto.so
DlLoadFunc (SSL_get_state_description_long) from libsapcrypto.so
DlLoadFunc (SSL_get_certificate_request_ca_dnames) from libsapcrypto.so
DlLoadFunc (SSL_CTX_new) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_default_pse_by_name) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_default_verify_mode) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_options) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_session_cache_mode) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_session_cache_max_items) from libsapcrypto.so
DlLoadFunc (SSL_CTX_get_session_cache_number) from libsapcrypto.so
DlLoadFunc (SSL_CTX_get_default_cipher_suites) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_default_cipher_suites) from libsapcrypto.so
DlLoadFunc (SSL_CTX_flush_session_cache) from libsapcrypto.so
DlLoadFunc (SSL_CTX_free) from libsapcrypto.so
DlLoadFunc: dlsym(SSL_CTX_set_protocol_version_flags)= dlsym: Unknown symbol SSL_CTX_set_protocol_version_flags -> DLENOACCESS
DlLoadFunc: dlsym(SSL_CTX_get_protocol_version_flags)= dlsym: Unknown symbol SSL_CTX_get_protocol_version_flags -> DLENOACCESS
DlLoadFunc: dlsym(SSL_get_protocol_version_numbers)= dlsym: Unknown symbol SSL_get_protocol_version_numbers -> DLENOACCESS
DlLoadFunc (SSL_get_peer_certificates) from libsapcrypto.so
DlLoadFunc (SSL_CIPHER_SUITE_get_name_info) from libsapcrypto.so
DlLoadFunc (SSL_CIPHER_SUITE_get_info) from libsapcrypto.so
DlLoadFunc (SSL_CIPHER_SUITE_get_sym_key_size) from libsapcrypto.so
DlLoadFunc (SSL_get_cipher_suite_used) from libsapcrypto.so
DlLoadFunc (SSL_get_cipher_suite_used_id) from libsapcrypto.so
DlLoadFunc (SSL_get_cipher_suites) from libsapcrypto.so
DlLoadFunc (SSL_get_cipher_suites_peer) from libsapcrypto.so
DlLoadFunc (SSL_SESSION_set_timeout) from libsapcrypto.so
DlLoadFunc (SSL_SESSION_get_session_id) from libsapcrypto.so
DlLoadFunc (aux_sprint_error) from libsapcrypto.so
DlLoadFunc (th_last_error) from libsapcrypto.so
DlLoadFunc (th_get_last_error_text) from libsapcrypto.so
DlLoadFunc (aux_free) from libsapcrypto.so
DlLoadFunc (aux_free_error) from libsapcrypto.so
DlLoadFunc (aux_get_Certificate_n_from_Certificates) from libsapcrypto.so
DlLoadFunc (aux_get_tbs_DERcode_of_Certificate) from libsapcrypto.so
DlLoadFunc (e_Certificate) from libsapcrypto.so
DlLoadFunc (aux_get_serialnumber_of_Certificate) from libsapcrypto.so
DlLoadFunc (aux_get_subject_of_Certificate) from libsapcrypto.so
DlLoadFunc (aux_get_issuer_of_Certificate) from libsapcrypto.so
DlLoadFunc (aux_cmp_DName) from libsapcrypto.so
DlLoadFunc (aux_sprint_DName) from libsapcrypto.so
DlLoadFunc (aux_free_String) from libsapcrypto.so
DlLoadFunc (aux_free_OctetString) from libsapcrypto.so
DlLoadFunc (aux_putenv) from libsapcrypto.so
DlLoadFunc (sapcr_init) from libsapcrypto.so
DlLoadFunc (sapcr_done) from libsapcrypto.so
DlLoadFunc (sapcr_get_version) from libsapcrypto.so
DlLoadFunc (sapcr_get_secudir) from libsapcrypto.so
DlLoadFunc (sapcr_set_secudir) from libsapcrypto.so
DlLoadFunc (sapcr_config) from libsapcrypto.so
DlLoadFunc: dlsym(sapsecu_create_CertEntryList)= dlsym: Unknown symbol sapsecu_create_CertEntryList -> DLENOACCESS
DlLoadFunc: dlsym(sapsecu_free_CertEntryList)= dlsym: Unknown symbol sapsecu_free_CertEntryList -> DLENOACCESS
DlLoadFunc: dlsym(sapsecu_sprint_CertEntryList)= dlsym: Unknown symbol sapsecu_sprint_CertEntryList -> DLENOACCESS
DlLoadFunc (sap_create_memory_PSE) from libsapcrypto.so
DlLoadFunc (sap_delete_memory_PSE) from libsapcrypto.so
DlLoadFunc (sap_load_memory_PSE) from libsapcrypto.so
= found SAPCRYPTOLIB 5.5.5C pl21 (May 7 2007) MT-safe
= current UserID: "ppxadm", env-var USER="ppxadm"
= found SECUDIR environment variable
= using SECUDIR=/usr/sap/PPX/DVEBMGS01/sec
sapparam: sapargv(argc, argv) has not been called!
sapparam(1c): No Profile used.
sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline
SapISSLComposeFilename(client_pse): using default "/usr/sap/PPX/DVEBMGS01/sec/SAPSSLC.pse"
= The Client SSL_CTX
= provides this ordered list of 7 ciphersuites:
= 1. SSL_RSA_WITH_RC4_128_SHA
= 2. SSL_RSA_WITH_RC4_128_MD5
= 3. SSL_RSA_WITH_3DES_EDE_CBC_SHA
= 4. SSL_RSA_WITH_DES_CBC_SHA
= 5. SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
= 6. SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
= 7. SSL_RSA_EXPORT_WITH_RC4_40_MD5
= Success -- SapCryptoLib SSL ready!
=================================================
<<- SapSSLInit(read_profile=0)==SAP_O_K
NiInit3: NI already initializes (init=1;cur=2048)
addrinfo of 'camgsdp1 ':
0: 10.199.128.8:0 'camgsdp1 .nike.com' RAW (0-2-3-0-16)
NiHLGetNodeAddr: got hostname 'camgsdp1 ' from operating system
NiIGetNodeAddr: hostname 'camgsdp1 ' = addr 10.199.128.8
NiIGetServNo: servicename '50114' = port 50114
NiICreateHandle: hdl 1 state NI_INITIAL_CON
NiIInitSocket: set default settings for new hdl 1/sock 4 (UD; ST)
NiIBlockMode: set blockmode for hdl 1 FALSE
NiITraceByteOrder: CPU byte order: big endian, network, high val..low val
NiIConnectSocket: hdl 1 is connecting to /tmp/.sapstream50114 (timeout=-1)
NiIConnectSocket: connection of hdl 1 established to /tmp/.sapstream50114
NiIConnect: state of hdl 1 NI_CONNECTED
NiIBlockMode: set blockmode for hdl 1 TRUE
->> SapSSLSessionInit(&sssl_hdl=87fffffffffed508, role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT))
<<- SapSSLSessionInit()==SAP_O_K
in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"
out: sssl_hdl = 60000000007a5e70
->> SapSSLSetNiHdl(sssl_hdl=60000000007a5e70, ni_hdl=1)
NiIBlockMode: leave blockmode for hdl 1 TRUE
SSL NI-sock: unix domain socket="/tmp/.sapstream50114"
<<- SapSSLSetNiHdl(sssl_hdl=60000000007a5e70, ni_hdl=1)==SAP_O_K
->> SapSSLSetTargetHostname(sssl_hdl=60000000007a5e70, &hostname=87fffffffffed530)
<<- SapSSLSetTargetHostname(sssl_hdl=60000000007a5e70)==SAP_O_K
in: hostname = "camgsdp1 "
->> SapSSLSessionStart(sssl_hdl=60000000007a5e70)
SapISSLUseSessionCache(): Creating NEW session (0 cached)
Tue Sep 15 14:39:04 2015
*** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
session uses PSE file "/usr/sap/PPX/DVEBMGS01/sec/SAPSSLC.pse"
SecudeSSL_SessionStart: SSL_connect() failed --
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
>> ---------- Begin of Secude-SSL Errorstack ---------- >>
ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (101/0x0065) Certificate expired (notbefore=050829203734Z, notafter=060829203734Z, now=150915213904Z)
ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=050829203734Z, notafter=060829203734Z, now=150915213904Z)
<< ---------- End of Secude-SSL Errorstack ----------
SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
No certificate request received from Server
<<- ERROR: SapSSLSessionStart(sssl_hdl=60000000007a5e70)==SSSLERR_SSL_CONNECT
NiICloseHandle: shutdown and close hdl 1/sock 4
->> SapSSLSessionDone(&sssl_hdl=87fffffffffed508)
<<- SapSSLSessionDone()==SAP_O_K
in: sssl_hdl = 60000000007a5e70
... ni_hdl = 1
->> SapSSLErrorName(rc=-57)
<<- SapSSLErrorName()==SSSLERR_SSL_CONNECT
15.09.2015 14:39:04
GetProcessList
FAIL: SSSLERR_SSL_CONNECT (Bad file number), SapSSLSessionStart failed in plugin_fopen()
Debug shows some certificate expired while I checked at ABAP Level and Java Level and do not see any certificate which is expired on 29 Aug 2006.
We have also recently refreshed also this system.
Even SSL is not configured in our system and not sure why SUM is forcing to use SSL.
SMICM also does not have any HTTPS port active.
Please suggest how can we solve this problem, Which expired certificate SUM is checking and what is the way to not use SSL during SUM instance check.
Regards,
Shivam
Dear Shivam,
Run the sapcontrol command in debug mode and then copy the text from begin to end and then import the certificate in SAPSSLC.pse
sapcontrol -nr 1 -host camgsdp1 -prot NI_HTTPS -function GetProcessList -debug
Copy the text starting from Begin Certificate to End Certificate in a test.cer file.
----BEGIN CERTIFICATE-----
MIICJzCCAZCgAwIBAgIFAKd2cC0wDQYJKoZIhvcNAQEEBQAwRjETMBEGA1UEChMK
YXBwLXNlcnZlcjEbMBkGA1UECxMSc3NsLWVuYWJsZWQtc2VydmVyMRIwEAYDVQQD
Ewlsb2NhbGhvc3QwHhcNMDYwMzMwMDYzOTAwWhcNMjcwMzMwMDc1NDM2WjBGMRMw
EQYDVQQKEwphcHAtc2VydmVyMRswGQYDVQQLExJzc2wtZW5hYmxlZC1zZXJ2ZXIx
EjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
wvRgyXzVIxChBsUkZN096pQPRisWgMNattEeSHhCXsdNia99NANBvKOL9pWcDcUM
m8s+59huOtHBZzSvkKB28ojS/G/C2d7wQ4NNtX2ON18a1e+yuwJ7ozzWmjWJ5tJ1
T00mOsu566EdXVOY5JOGdrihCHs2kzDpvSe/DDlMc4ECAwEAAaMhMB8wHQYDVR0O
BBYEFJIixbsxpNLUw2B5uL78uwaunhviMA0GCSqGSIb3DQEBBAUAA4GBAGDHK14f
9OAIQnaFSS13hLbsx7kcvF/YOdEw5oVrt1nxcRSGsm0tSh4QV1YNzqzMaINmiMMN
l5yeVN1ePud/Lx9dYzN1cpAA0PrWFJ4Y2nkgmmFSb6hXI/QJZnzYW8M8+Foe23qd
PaVCwWoy8Vc2in/fs2DXQ9YfGbMGZdgk9n+X
-----END CERTIFICATE-----
After that import the certificate in SAPSSLC.pse file with the help of the below command
sapgenpse maintain_pk -p SAPSSLC.pse -a < /path/to/test.cer>
Then again run the command
sapcontrol -nr 1 -host camgsdp1 -prot NI_HTTPS -function GetProcessList .
With Regards
Ashutosh Chaturvedi
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi All,
Thank you so much for your replies.
Not sure what was the reason but I executed below activity -
1) I renamed existing sec directory to sec_old which caused my error description change to SSLInitial failed.
2) Then I changed back the sec_old to sec directory and it went fine.
Wondering if it was stuck or was not able to read sec directory and renaming sec directory helped SUM to read it.
Regards,
Shivam
Heres my similar issue
http://scn.sap.com/thread/3790372
OK I found a workaround for my case.
See I knew all along that the issue resided with my SSL key and a trust between SUM and my PSE on the server.
But I wanted the freedom of not using SSL for SUM regardless if my server is configured for it.
So here is what I did.
I was using SUM SP13 PL06.
I downgraded to SUM SP11 PL03.
So at this point,
Open the jump_config.txt file contained in the
\usr\sap\SUM\sdt\param directory
Edit the last parameter value (/sapstartsrv/httpsconnection)
from true to false and execute the step again.
It then prompts you for the SIDADM and password and moves.
The difference between the two SUM tools. SP 13 would not take this parameter change and also it prompts for the SIDADM/Password first then does the check, where in SUM SP 11 it checks first, takes the override parameter then asks for the password.
Also, you must have this setting in your profiles service/protectedwebmethods = DEFAULT
So now I can continue without SSL in SUM.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Shivam,
Please check the guide below
Regards,
Piyawat
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello,
Please apply the latest SAP kernel patch.
There are some issues with the sapcontrol and SSL handling.
Regards,
Isaías
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
I performed Kernel Upgrade but it did not help.
But I tried to delete all SSL certificates and regenerate and now I am getting -
FAIL: NIECONN_REFUSED (Connection refused), NiRawConnect failed in plugin_fopen()
When I run sapcontrol with debug, it shows that it is not able to reach
NiIConnectSocket: hdl 1 is connecting to 10.199.128.8:50114 (timeout=-1)
***LOG Q0I=> NiPConnect: 10.199.128.8:50114: connect (239: Connection refused) [nixxi.cpp 2895]
*** ERROR => NiPConnect: SiConnect failed for hdl 1/sock 3
(SI_ECONN_REFUSE/239; I4; ST; 10.199.128.8:50114) [nixxi.cpp 2895]
NiICloseHandle: closing initial hdl 1
Is there a way we tell sapcontrol to use different https sapmmc port to fetch instance properties.
Regards,
Shivam
User | Count |
---|---|
90 | |
10 | |
10 | |
10 | |
7 | |
7 | |
6 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.