
SSL configuration for ADS_SSL

sujit_sharma
Active Participant
0 Kudos

Dear Friends,

I need some help setting up SSL between ECC and EP for ADS_SSL.

The environment is ECC6 EHP7 and Enterprise Portal (NW 7.4)

I've performed the activities below so far:

On ECC:

1. For ADS_SSL RFC

     a. Created G type RFC for ADS_SSL.

     b. Provided "FQDN" in Target host with Service No- 50001

     c. Path prefix : /AdobeDocumentServicesSec/Config?style=rpc

     d. In Logon & Security, provided "ADSUSER" and SSL Active "Default SSL Client (Standard)".

2. FOR SSL

     a. Configured the required parameters in ECC from RZ10 (ICM parameters).

     b. Created environment variable for SECUDIR.

     c. Created Server & Client PSE in STRUST.

     d. Exported those to EP in Trusted CA

     e. Imported Public certificate from EP to ECC

On Enterprise Portal (EP):

     a. Created an access point for HTTPS.

     b. Removed default ssl-credentials (Private and Public) certificate and recreated those with the FQDN details.

     c. Added ssl-credentials (Private and Public) certificate in ICM_SSL_XXXXX and also in Trusted CA.

     d. Assigned the certificate of ECC to ADSUSER

I'm able to open the URL with https and port 50001; however, when I run the RFC connection test for ADS_SSL it gives the error "SSL handshake with epaxxxx.xxxxx.com:50001 failed".

Please let me know if I need to do anything else besides the above, or if there are any mistakes in the above procedure.

Thanks in advance,

SUJIT

Accepted Solutions (1)

isaias_freitas
Advisor
0 Kudos

Hello Sujit,

At the ECC system, access the transaction SMICM and increase the ICM trace level to 2 (menu goto -> trace level).

Then, perform a "connection test" at the SM59 destination, go back to SMICM and reduce the trace level to 1.

Attach the dev_icm trace to this thread so we can analyze why the SSL handshake is failing.

Regards,

Isaías

sujit_sharma
Active Participant
0 Kudos

Hi Isaias,

Thank you for your response. Below I've pasted the relevant content from the trace file.

These are development systems, and so far we haven't purchased certificates from any issuing authority.

----------------------------------------------------------

[Thr 3836] * SWITCH TRC-LEVEL to 1

[Thr 3836] *

[Thr 3836] eppSetTraceLevel: changing trace level to 1

[Thr 3388] Fri Feb 19 22:04:17 2016

[Thr 3388] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_SSL

[Thr 3388]    session uses PSE file "D:\usr\sap\EDV\DVEBMGS00\sec\SAPSSLC.pse"

[Thr 3388] SecuSSL_SessionStart: SSL_connnect() failed  (536872221/0x2000051d)

[Thr 3388]    => "SSL API error"

[Thr 3388] >> ---------- Begin of Secu-SSL Errorstack ---------- >>

[Thr 3388] 0x2000051d | SAPCRYPTOLIB | SSL_connect

[Thr 3388] SSL API error

[Thr 3388] Failed to verify peer certificate. Peer not trusted.

[Thr 3388] 0xa0600203 | SSL | ssl_verify_peer_certificates

[Thr 3388] Peer not trusted

[Thr 3388] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates

[Thr 3388] peer certificate (chain) is not trusted

[Thr 3388] Certificate:

[Thr 3388]   Certificate:

[Thr 3388]       Subject     :CN=epalikaep.uded.com, OU=ePalika, L=BPL, O=ePalika, SP=MP, C=IN

[Thr 3388]       Issuer      :CN=epalikaep.uded.com, OU=ePalika, L=BPL, O=ePalika, SP=MP, C=IN

[Thr 3388]       Serial number:0xd6792703

[Thr 3388]       Validity:

[Thr 3388]         Not before  :Fri Feb 19 17:18:40 2016

[Thr 3388]         Not after   :Tue Feb 19 17:18:40 2036

[Thr 3388]       Key:

[Thr 3388]         Key type    :rsaEncryption (1.2.840.113549.1.1.1)

[Thr 3388]         Key size    :2048

[Thr 3388]       PK_Fingerprint_MD5:EF50 7D48 A110 9CAC 1D35 0A3D 2667 2E5D

[Thr 3388]       extensions:

[Thr 3388]         SubjectKeyIdentifier:

[Thr 3388]           Significance:Non critical

[Thr 3388]           Value        (size="20" ):D1E8D71538BC327E483100CC1F14988C7C683234

[Thr 3388]     Signature algorithm:sha1WithRsaEncryption (1.2.840.113549.1.1.5)

[Thr 3388]     Fingerprint_MD5:F1:BD:B6:9E:34:37:B5:A5:AF:6E:B6:28:46:6C:0D:73

[Thr 3388]     Fingerprint_SHA1:D45F 1545 FCC5 0508 2C37 AFAB 0E93 207C F1A8 8E45

[Thr 3388]   Verification result:

[Thr 3388]     Status      :Not successful

[Thr 3388]     Profile     :1.3.6.1.4.1.694.2.2.2.2

[Thr 3388]     DirectlyTrusted:Not successful

[Thr 3388] << ---------- End of Secu-SSL Errorstack ----------

Thanks again.

SUJIT

Matt_Fraser
Active Contributor
0 Kudos

Hi Sujit,

The error is pretty clear. Your system EPALIKAEP is using a self-signed certificate (as opposed to one signed by a CA), and your ECC system doesn't trust that certificate. Is EPALIKAEP your ADS server?

My recommendation is to use a CA (internal, if you have one) to sign EPALIKAEP's certificate, so that your internal browser clients will trust it. Failing that, you'll need to import the certificate into each client browser that will access ADS resources. Either way, you need to import that certificate, or the signing CA's certificate, into your ECC system (in STRUST, probably at a minimum to the Certificate List for your "SSL Client (Standard)" PSE).

Cheers,

Matt
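Added example, not from any poster in this thread and not SAP code: a Python parser for the Secu-SSL errorstack posted above that extracts what Matt reads off by eye (PSE in use, subject versus issuer, SHA-1 fingerprint, expiry, verification status) and turns it into the corrective action. The embedded trace is a constructed excerpt of the lines posted above; the CA-signed variant is a constructed second input to exercise the other branch. Names such as `parse_icm_ssl_error` and `diagnose` are this example's own.

```python
"""Parse the Secu-SSL errorstack from an ICM trace (dev_icm) and state why the
SSL handshake failed. Added example for this thread, not SAP code."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: the errorstack lines posted in the thread, trimmed to what
# the parser needs, with the "[Thr nnnn]" prefix kept as the ICM writes it.
SAMPLE_TRACE = r"""[Thr 3388] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_SSL
[Thr 3388]    session uses PSE file "D:\usr\sap\EDV\DVEBMGS00\sec\SAPSSLC.pse"
[Thr 3388] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 3388] Failed to verify peer certificate. Peer not trusted.
[Thr 3388]       Subject     :CN=epalikaep.uded.com, OU=ePalika, L=BPL, O=ePalika, SP=MP, C=IN
[Thr 3388]       Issuer      :CN=epalikaep.uded.com, OU=ePalika, L=BPL, O=ePalika, SP=MP, C=IN
[Thr 3388]         Not after   :Tue Feb 19 17:18:40 2036
[Thr 3388]     Signature algorithm:sha1WithRsaEncryption (1.2.840.113549.1.1.5)
[Thr 3388]     Fingerprint_SHA1:D45F 1545 FCC5 0508 2C37 AFAB 0E93 207C F1A8 8E45
[Thr 3388]     Status      :Not successful
[Thr 3388]     DirectlyTrusted:Not successful
[Thr 3388] << ---------- End of Secu-SSL Errorstack ----------
"""

# Constructed variant: same certificate, but issued by a (hypothetical) internal CA.
CA_SIGNED_TRACE = re.sub(r"Issuer(\s*):CN=epalikaep\.uded\.com",
                         r"Issuer\1:CN=ePalika Dev CA", SAMPLE_TRACE)


@dataclass
class PeerCertReport:
    pse: str                     # client PSE the ICM used for this connection
    subject: str
    issuer: str
    not_after: Optional[datetime]
    sig_alg: str
    sha1: str                    # hex without separators, comparable to what STRUST shows
    status: str
    directly_trusted: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

    @property
    def verified(self) -> bool:
        return self.status == "Successful"

    def diagnosis(self, now: Optional[datetime] = None) -> str:
        now = now or datetime.now()
        if self.verified:
            return "peer certificate verified; the SSL failure is elsewhere"
        if self.not_after is not None and now > self.not_after:
            return f"peer certificate expired on {self.not_after:%Y-%m-%d}; renew it on the server side"
        if self.self_signed:
            return (f"self-signed peer certificate (SHA1 {self.sha1}) is not in the certificate "
                    f"list of {self.pse}; import exactly this certificate there and restart the ICM")
        return (f"peer certificate was issued by '{self.issuer}'; import that CA's certificate "
                f"(and any intermediates) into {self.pse}")


_PREFIX = re.compile(r"^\[Thr \d+\]\s*")
_FIELDS = {
    "pse": re.compile(r'session uses PSE file "([^"]+)"'),
    "subject": re.compile(r"^Subject\s*:(.+)$"),
    "issuer": re.compile(r"^Issuer\s*:(.+)$"),
    "not_after": re.compile(r"^Not after\s*:(.+)$"),
    "sig_alg": re.compile(r"^Signature algorithm:(\S+)"),
    "sha1": re.compile(r"^Fingerprint_SHA1:(.+)$"),
    "status": re.compile(r"^Status\s*:(.+)$"),
    "directly_trusted": re.compile(r"^DirectlyTrusted:(.+)$"),
}


def parse_icm_ssl_error(trace: str) -> Optional[PeerCertReport]:
    """First match per field wins: the first certificate block in the stack is the peer's."""
    found = {}
    for raw in trace.splitlines():
        line = _PREFIX.sub("", raw).strip()
        for key, rx in _FIELDS.items():
            if key not in found:
                m = rx.search(line)
                if m:
                    found[key] = m.group(1).strip()
    if {"subject", "issuer", "status"} - set(found):
        return None
    not_after = None
    if "not_after" in found:
        not_after = datetime.strptime(found["not_after"], "%a %b %d %H:%M:%S %Y")
    return PeerCertReport(
        pse=found.get("pse", "<unknown PSE>"),
        subject=found["subject"],
        issuer=found["issuer"],
        not_after=not_after,
        sig_alg=found.get("sig_alg", ""),
        sha1=re.sub(r"[\s:]", "", found.get("sha1", "")).upper(),
        status=found["status"],
        directly_trusted=found.get("directly_trusted", ""),
    )


def diagnose(trace: str) -> str:
    report = parse_icm_ssl_error(trace)
    if report is None:
        return "no Secu-SSL peer certificate block found in trace"
    notes = [report.diagnosis()]
    if report.sig_alg.lower().startswith("sha1"):
        notes.append("note: certificate is signed with SHA-1, replace it before production")
    return "; ".join(notes)


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
    print(diagnose(CA_SIGNED_TRACE))
```

Run it on a real dev_icm with `diagnose(open(path).read())`. The fingerprint it reports is the one to compare against the certificate you exported from the portal and against what STRUST shows for the entry in the certificate list; a mismatch means the list holds a different certificate than the server presents, which an ICM restart will not fix.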

sujit_sharma
Active Participant
0 Kudos

Hi Matt,

Yes EPALIKAEP is the ADS server. This is development portal.

I've imported the certificate from EP to ECC and included in the certificate list of "SSL Client (Standard)" in STRUST and the certificate from ECC into "Trusted CA" of EP.

Is it mandatory to buy the certificate from CAs? We have a plan for that, but during the Production system implementation. So I'm just wondering if self-signed would help to check these things in the development environment or not.

The traces above were generated when I checked the "Connection test" for "ADS_SSL" RFC Connection in ECC.

Thank you,

SUJIT

isaias_freitas
Advisor
0 Kudos

Hello Sujit,

No, you don't necessarily need CA-signed certificates.

What is missing is the server certificate of "epalikaep.uded.com" to be imported into the client PSE file (SAPSSLC.pse) of the EDV system.

This should do the trick.

Otherwise, please post the updated error entries from the ICM trace.

Cheers!

Isaías

sujit_sharma
Active Participant
0 Kudos

Dear Isaias,

Thank you for all your help. I removed the existing certificate of EP from ECC, exported the public certificate "ssl-credentials-cert" of EP again from view "ICM_SSL_XXXXX", imported it to ECC (in SSL Client (Standard)) and added it to the certificate list.

Restarted the ICM on ECC and checked the RFC "ADS_SSL" again, and the response was a working RFC connection.

Best regards,

SUJIT
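Added example, again not from the posters, SAP or the OpenSSL project: the trust decision the ICM made, reproduced with the `openssl` CLI from Python. It generates two self-signed certificates with the same (assumed) subject as the portal's, puts the first into a file that stands in for the SAPSSLC.pse certificate list and verifies the second against it, then replaces the list entry with the second certificate and verifies again. The stale-copy scenario is an assumption that fits the sequence in this thread (the portal certificate was recreated in step b, the first import failed, a fresh export worked); the page does not state that this was the cause. It needs `openssl` on PATH and a few seconds for key generation.

```python
"""Reproduce the ICM's trust decision with the openssl CLI: a self-signed server
certificate verifies only once that exact certificate is in the client's trust
list, and a stale copy with the same name does not help. Added example for this
thread, not SAP or OpenSSL project code; needs `openssl` on PATH."""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Assumed subject, modelled on the one in the trace; the real portal's DN may differ.
PORTAL_SUBJECT = "/C=IN/ST=MP/L=BPL/O=ePalika/OU=ePalika/CN=epalikaep.uded.com"


def _openssl(*args: str) -> str:
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def make_selfsigned(cert: Path, subject: str = PORTAL_SUBJECT) -> None:
    """Fresh 2048-bit RSA key plus self-signed certificate (constructed test data),
    the equivalent of recreating the ssl-credentials entry on the portal."""
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "7300",
             "-subj", subject, "-keyout", str(cert.with_suffix(".key")), "-out", str(cert))


def x509_field(cert: Path, *flags: str) -> str:
    """Value part of a one-line `openssl x509 -noout <flag>` output."""
    return _openssl("x509", "-in", str(cert), "-noout", *flags).split("=", 1)[1].strip()


def is_self_signed(cert: Path) -> bool:
    return x509_field(cert, "-subject") == x509_field(cert, "-issuer")


def sha1_fingerprint(cert: Path) -> str:
    """SHA-1 fingerprint as hex without colons, comparable to the ICM trace."""
    return x509_field(cert, "-fingerprint", "-sha1").replace(":", "").upper()


def peer_trusted(trust_list: Path, peer_cert: Path) -> bool:
    """The decision the SSL Client PSE certificate list makes: the peer is trusted only if
    its chain ends at a certificate in the list. `openssl verify` exits 0 exactly then."""
    r = subprocess.run(["openssl", "verify", "-CAfile", str(trust_list), str(peer_cert)],
                       capture_output=True, text=True)
    return r.returncode == 0


def run_scenario() -> Optional[dict]:
    """Stale copy in the trust list -> not trusted; current certificate imported -> trusted.
    Returns None when openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        stale = work / "stale.pem"      # export taken before the portal certificate was recreated
        current = work / "current.pem"  # what epalikaep.uded.com:50001 presents now
        make_selfsigned(stale)
        make_selfsigned(current)
        trust_list = work / "sapsslc-list.pem"  # stands in for the SAPSSLC.pse certificate list
        trust_list.write_bytes(stale.read_bytes())
        before = peer_trusted(trust_list, current)
        trust_list.write_bytes(current.read_bytes())  # the re-export and import from the thread
        after = peer_trusted(trust_list, current)
        return {
            "self_signed": is_self_signed(current),
            "same_fingerprint": sha1_fingerprint(stale) == sha1_fingerprint(current),
            "trusted_before_import": before,
            "trusted_after_import": after,
        }


if __name__ == "__main__":
    print(run_scenario())
```

The first verify is the thread's "DirectlyTrusted: Not successful": same name, different key, so OpenSSL neither finds the leaf in the store nor can validate it as a chain. Against a live system the same check is `openssl s_client -connect host:50001 -CAfile exported.pem` and reading the "Verify return code" line; an exported certificate whose fingerprint differs from the one in the ICM trace is the wrong file.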

isaias_freitas
Advisor
0 Kudos

Glad to hear the good news!

And you are welcome.

Answers (0)