
R/3 act as client issuing SSL https request to a non-SAP web server

Former Member
0 Kudos

Hello,

We have a third party non-SAP web application that would be accessed by our R/3 system to send and receive data. It uses saphttp RFC destination. It works fine with http but our requirement is to use https.

I installed SSL certificates and the application itself can be accessed via https from a browser. Of course it is not working with SAP; I tried importing the server and root certificates via STRUST but that still does not help.

I researched quite a bit and started going down the path of installing sapcryptolib and all that as per 510007 but when it comes to the section (4) of installing client PSE I think I am getting lost. They refer to the context menu in STRUST and somehow I am not able to locate that.

There is the standard SAPSYS.pse; I am not sure if I can use that or whether I should create a new PSE, and what certificates I should install into it.

Also, should anything be changed in the RFC destination or will that work for both http and https?

I would appreciate any help/direction.

Thanks,

Raj

Edited by: Raj on Jul 3, 2008 9:38 AM

14 REPLIES 14

0 Kudos

Hi Raj,

note 510007 is the wrong one in your case. For configuring SAPHTTP with SSL, please follow note 506314 (https://service.sap.com/sap/support/notes/506314).

Best regards,

Klaus

0 Kudos

Hi Klaus,

Thanks for your quick response. I will check out the note and try its instructions and let you know.

Regards,

Raj

0 Kudos

Hi Klaus,

I went through the note and it looks like it is more appropriate for my case. Thank you for pointing that out.

As per the note, I have to create SAPSSLC.pse (the client PSE), create a certificate request, send that request to a CA and then import.

We use Verisign. I have the server certificate, intermediate and root certificates that were installed on the web server. Now do I send this request to our CA to get a client certificate as well? Also, when I am creating the request, do I need to put in the URL for the web server (CN) I am accessing, or is it just for the server certificate? I still do not see how the client will validate the server.

Regards,

Raj

0 Kudos

Hi Raj,

in order to be able to verify the server certificate at the client, you need to import the root certificate of the server to the certificate list of client PSE:

sapgenpse maintain_pk -a <filename rootcert of server> -p SAPSSLC.pse

In the same way the web server needs the root certificate of your client PSE in its list of trusted certificates.

Best regards,

Klaus

0 Kudos

Hi Klaus,

Thank you for your response, I understand now. I just want to think out loud about what I want to do:

Create SAPSSLC.pse

Create a client certificate CSR with my SAP server name

Get client certificate

Import that client certificate into SAPSSLC.pse

Import the root certificate of the target web server into SAPSSLC.pse

(I have two intermediate and one server certificate, do I need to import those too?)

Should I also copy SAPSSLC.pse to SAPSSLS.pse as saphttp requires that as per the note?

On the web server

Import the SAP server's client certificate into the same secure store where all the server certificates are housed

Then it should work !!! - Correct ???

PS: I just noticed that I had 4.6D (our system) saphttp, I just copied over 6.20 saphttp

Regards,

Raj

0 Kudos

Hi Raj,

it should work the way you have described. The name of the client certificate can be chosen freely. Usually you shouldn't need to import intermediate certificates at the client, but this might depend on the configuration of the server. On the web server you should import the root certificate of the client.

Best regards,

Klaus

0 Kudos

Hi Klaus,

Thanks for the confirmation. I just put that out, one for clarity and two so that if somebody has a similar situation and stumbles upon our dialog it will be helpful.

I am waiting to get my client certificate, once I get it I will follow the instructions, test it out and let you know.

Thanks,

Raj

0 Kudos

Hi Klaus,

My web certificate guy got me the client certificate from Verisign along with a few certificates in the chain. I tried importing the client certificate using sapgenpse import_own_certificate and it failed with this message

(I just replaced my company name with [COMP])

import_own_cert: Installation of certificate failed

ERROR in ssf_install_CA_response: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=[COMP] Issuing CA Class STE, OU=Issuing CA for [COMP] non-personalized SSL/TLS-based End Entities, OU=Copyright (C) [COMP] 2004 All Rights Reserved, SN=ZZZZZSTE, O=Siemens, C=DE"

ERROR in ssf_install_certs_into_pse: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=[COMP] Issuing CA Class STE, OU=Issuing CA for [COMP] non-personalized SSL/TLS-based End Entities, OU=Copyright (C) [COMP] 2004 All Rights Reserved, SN=ZZZZZSTE, O=[COMP], C=DE"

Actually I also have ZZZZZSTE.cer

I tried with the -r option for that cer and still get the same message. My certificate guy is not familiar with SAP and I am not sure how to direct him either. Is the type of certificate we obtained incorrect? It imported fine on the tomcat web server. When this failed, I just put the root of my tomcat web server certificate into SAPSSLC.pse. It complained about SAPSSLS.pse, so I copied SAPSSLC.pse to SAPSSLS.pse as per the note you sent. Then it complained about the chain of certificates, so I installed all the intermediate and root certificates into SAPSSLC.pse and copied it to SAPSSLS.pse. Then I got the following message

[Just masked urls and company names]

<<- SapSSLInit(, read_profile=0)==SAP_O_K

[1110030] Connected to abc.def.ghi.net Port 443 in 2 ms

<<- SapSSLSessionInit()==SAP_O_K

in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"

out: sssl_hdl = 110b86030

<<- SapSSLSetNiHdl(sssl_hdl=110b86030, ni_hdl=1)==SAP_O_K

<<- SapSSLSetTargetHostname(sssl_hdl=110b86030)==SAP_O_K

in: hostname = "abc.def.ghi.net"

      • ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

session uses PSE file "SAPSSLC.pse"

SecudeSSL_SessionStart: SSL_connect() failed --

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

>> - Begin of Secude-SSL Errorstack - >>

ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=abc.def.ghi.net, OU=MED USA, O=COMP, L=CITY, SP=STATE, C=US"

ERROR in get_path: (27/0x001b) Found root certificate of <CN=abc.def.ghi.net, OU=USA, O=COMP, L=CITY, SP=STATE, C=US> which does not fit the given PKRoot

ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=abc.def.ghi.net, OU=USA, O=COMP, L=CITY, SP=STATE, C=US> which does not fit the given PKRoot

<< - End of Secude-SSL Errorstack -


SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

No certificate request received from Server

<<- ERROR: SapSSLSessionStart(sssl_hdl=110b86030)==SSSLERR_SSL_CONNECT

<<- SapSSLErrorName()==SSSLERR_SSL_CONNECT

Is this because I do not have the client certificate installed into my SAPSSLC.pse? You have been pretty good in responding, will it be easier for you to do this via email?

Thanks,

Raj

0 Kudos

Hi Klaus,

Quick update: I was able to import the client certificate along with the chain of certificates. The certificates were in an incorrect format. I found that out and requested that I get them in the proper format. I tried importing the root certificate but it said it already existed, since the chain of certificates that were issued were the same. But when I run the saphttp https:// test I get the same error as before:

[1028188] Connected to abc.def.ghi.net Port 443 in 2 ms

<<- SapSSLSessionInit()==SAP_O_K

in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"

out: sssl_hdl = 110b9a010

<<- SapSSLSetNiHdl(sssl_hdl=110b9a010, ni_hdl=1)==SAP_O_K

<<- SapSSLSetTargetHostname(sssl_hdl=110b9a010)==SAP_O_K

in: hostname = "abc.def.ghi.net"

Thu Jul 17 08:43:34 2008

      • ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

session uses PSE file "SAPSSLC.pse"

SecudeSSL_SessionStart: SSL_connect() failed --

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

>> - Begin of Secude-SSL Errorstack - >>

ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=abc.def.ghi.net, OU=USA, O=COMP, L=CITY, SP=STATE, C=US"

ERROR in get_path: (27/0x001b) Found root certificate of <CN=abc.def.ghi.net, OU=USA, O=COMP, L=CITY, SP=STATE, C=US> which does not fit the given PKRoot

ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=abc.def.ghi.net, OU=USA, O=COMP, L=CITY, SP=STATE, C=US> which does not fit the given PKRoot

<< - End of Secude-SSL Errorstack -


SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

No certificate request received from Server

<<- ERROR: SapSSLSessionStart(sssl_hdl=110b9a010)==SSSLERR_SSL_CONNECT

<<- SapSSLErrorName()==SSSLERR_SSL_CONNECT

Thanks,

Raj

0 Kudos

Hi Raj,

according to the error message, the client can't verify the certificate of the server. Probably the root certificate of the server wasn't installed correctly in SAPSSLC.pse. Would you open a customer ticket in order to get the error analyzed?

Best regards,

Klaus
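Added example, not part of the thread or of any SAP tool: a small triage helper that reads the kind of saphttp SSL trace posted above and separates the two questions raised in it, namely whether the client could anchor the server's chain in its PSE and whether the server asked for a client certificate at all. The function name `triage`, the result keys and the line patterns are assumptions derived only from the masked trace lines shown in this thread; the sample input is constructed from those lines.

```python
import re

# Constructed sample: masked trace lines as they appear in the thread.
SAMPLE_TRACE = """\
in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"
in: hostname = "abc.def.ghi.net"
session uses PSE file "SAPSSLC.pse"
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=abc.def.ghi.net, OU=USA, O=COMP, L=CITY, SP=STATE, C=US"
ERROR in get_path: (27/0x001b) Found root certificate of <CN=abc.def.ghi.net, OU=USA, O=COMP, L=CITY, SP=STATE, C=US> which does not fit the given PKRoot
SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
No certificate request received from Server
<<- ERROR: SapSSLSessionStart(sssl_hdl=110b9a010)==SSSLERR_SSL_CONNECT
"""

# One entry of the error stack: function name, decimal code, message text.
STACK_RE = re.compile(r"ERROR in (\w+): \((\d+)/0x[0-9a-fA-F]+\) (.*)")

def triage(trace):
    """Summarise one failed handshake from an saphttp SSL trace."""
    r = {"host": None, "pse": None, "auth_type": None, "stack": [],
         "server_requested_client_cert": None, "diagnosis": "unknown"}
    for line in trace.splitlines():
        line = line.strip()
        if m := re.search(r'hostname = "([^"]+)"', line):
            r["host"] = m.group(1)
        elif m := re.search(r'PSE file "([^"]+)"', line):
            r["pse"] = m.group(1)
        elif m := re.search(r"auth_type=\d+ \((\w+)\)", line):
            r["auth_type"] = m.group(1)
        elif m := STACK_RE.search(line):
            r["stack"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif line == "No certificate request received from Server":
            r["server_requested_client_cert"] = False
    msgs = " ".join(text for _, _, text in r["stack"])
    if ("does not fit the given PKRoot" in msgs
            or "Chain of certificates is incomplete" in msgs):
        # The client could not build a path from the server certificate to a
        # trust anchor in its own PSE; a client certificate does not affect this.
        r["diagnosis"] = "server chain not anchored in client PSE trust list"
    elif r["stack"]:
        r["diagnosis"] = "other SSL error: " + r["stack"][-1][2]
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

On the sample, the result points at the trust list of SAPSSLC.pse and records that the server sent no certificate request, so the missing client certificate is not what stopped this handshake.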

0 Kudos

Hi Klaus,

I got https to work between SAP and my web server; the problem was the destination server certificate not being imported with the right alias name. I am still having issues with the actual program trying to connect and get data using the saphttp RFC, but when I do a saphttp test with the tomcat URL from the server prompt I get a 200 response, so I guess from that standpoint I am fine. I have to go one more step of accessing the application and I should be good.

I thought I would let you know that. I was actually going to search for any instructions on how to use the SAPHTTP RFC with https: does it just work out of the box, or is there some configuration that needs to be done?

Raj

0 Kudos

This issue is resolved, my https works between SAP and the web server. I did outline the steps in detail so others can use them.

Thanks,

Raj

Edited by: Raj on Aug 1, 2008 11:48 AM

0 Kudos

Hi Raj,

Where can I find your steps in detail?

Regards,

Fred

0 Kudos

Hi Frederic,

I think it's in the message itself; in one of my replies I outlined the whole procedure so that it could be of use for others.

Also, just a quick comment, I didn't need the client certificate for my SAP server. I installed the root server of my target server in the SAPSSLC.pse store of the SAP server (which is the client to the target server).

Raj