
Error using HTTPS

Former Member
0 Kudos

I am trying to send data from an SAP system to a non-SAP system using the HTTP adapter. The URL is using port 9082 and I am using a certificate for authentication. I have opened a hole in our firewall for the transmission.

I set up SM59 with the URL/port/path, and specified the certificate installed in STRUST.

When I run a test, I get the following error in XI.

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>

<!-- Call Adapter -->

<SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="">

<SAP:Category>XIAdapter</SAP:Category>

<SAP:Code area="PLAINHTTP_ADAPTER">ATTRIBUTE_CLIENT</SAP:Code>

<SAP:P1>407</SAP:P1>

<SAP:P2>ICM_HTTP_SSL_ERROR</SAP:P2>

<SAP:P3 />

<SAP:P4 />

<SAP:AdditionalText />

<SAP:ApplicationFaultMessage namespace="" />

<SAP:Stack>HTTP client. Code 407 reason ICM_HTTP_SSL_ERROR</SAP:Stack>

<SAP:Retry>A</SAP:Retry>

</SAP:Error>

I'm not real sure what this means and can't find anything in the forums about this. Can anyone offer any assistance?

Accepted Solutions (0)

Answers (8)


Former Member
0 Kudos

Fixed.

Problem was with the vendor's certificate. The common name needed to be the same as the target we are sending to.

Former Member
0 Kudos

Hi Larry,

Since you are using the HTTP adapter, which lies on the ABAP stack, there is no need to add this certificate in the VA. We need to add the certificates in VA for adapters on the Java stack.

1. Please check whether the Test connection for the HTTP destination of type 'G' you have created is successful. You should get the response code 200 ok.

2. In this G type connection make sure you have activated the SSL option and selected proper authentication and check the connection first.

3. Use this HTTP destination in the receiver HTTP adapter.

Thanks,

Srini

Former Member
0 Kudos

From what I can tell, STRUST and SM59 are set up correctly. I looked at the cred_v2, and it has been updated.

I was able to find a log in the ICM that contained some information. Anyone know what this means? I assume something is wrong with their certificate, but not 100% sure.

[Thr 5] Wed Jul 9 13:41:21 2008

[Thr 5] MatchTargetName("65.201.31.106", "CN=Jacobson Warehouse Co, OU=HTTPS, O=Unknown, L=Des Moines, SP=IA, C=USA") FAILS

[Thr 5] SSL socket: local=10.198.198.42:58969 peer=65.201.31.106:9082

[Thr 5] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x6000000000719040)==SSSLERR_SERVER_CERT_MISMATCH

[Thr 5] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH [icxxconn_m
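The trace lines in the post above show the ICM comparing the connection target with the subject of the server certificate. As an added example (not part of the original thread and not SAP's own matching code), this Python script extracts each failed MatchTargetName comparison from such a trace and reports the target next to the certificate CN; the function names and the simplified matching rule (exact CN match, or one leading wildcard label for host names) are assumptions.

```python
import ipaddress
import re

# Trace lines taken from the dev_icm excerpt quoted in the post above.
SAMPLE_TRACE = """\
[Thr 5] MatchTargetName("65.201.31.106", "CN=Jacobson Warehouse Co, OU=HTTPS, O=Unknown, L=Des Moines, SP=IA, C=USA") FAILS
[Thr 5] SSL socket: local=10.198.198.42:58969 peer=65.201.31.106:9082
[Thr 5] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x6000000000719040)==SSSLERR_SERVER_CERT_MISMATCH
"""
MATCH_RE = re.compile(r'MatchTargetName\("([^"]*)",\s*"([^"]*)"\)\s+FAILS')
PEER_RE = re.compile(r'SSL socket: local=\S+ peer=(\S+)')

def parse_dn(dn):
    """Split a subject DN into {attribute: value}; assumes no escaped commas."""
    parts = (p.split("=", 1) for p in dn.split(",") if "=" in p)
    return {k.strip().upper(): v.strip() for k, v in parts}

def name_matches(target, cn):
    """Simplified model: exact match, or one leading '*.' label for host names."""
    target, cn = target.lower().rstrip("."), cn.lower().rstrip(".")
    if cn.startswith("*."):
        try:
            ipaddress.ip_address(target)
            return False  # a wildcard never applies to an IP literal
        except ValueError:
            head, _, tail = target.partition(".")
            return bool(head) and tail == cn[2:]
    return target == cn

def find_mismatches(trace):
    """Return one finding per failed MatchTargetName line in an ICM trace."""
    findings = []
    for line in trace.splitlines():
        m = MATCH_RE.search(line)
        if m:
            target, dn = m.groups()
            cn = parse_dn(dn).get("CN", "")
            findings.append({"target": target, "cn": cn, "peer": None,
                             "matches": name_matches(target, cn)})
            continue
        p = PEER_RE.search(line)
        if p and findings and findings[-1]["peer"] is None:
            findings[-1]["peer"] = p.group(1)  # socket line follows the failure
    return findings

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_TRACE):
        print(f"target {f['target']!r} peer {f['peer']} CN {f['cn']!r} match={f['matches']}")
```

On the sample, the target is the IP address entered in the destination while the CN is a company name, which is the mismatch the ICM reports.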

Former Member
0 Kudos

Larry,

STRUST and SM59 are the ABAP side of the certification, if you want to use HTTP/SSL you need to import the certificate in the keystore of Visual Administrator (if you haven't already). Since HTTP is on the J2EE layer for communications (Adapter) it is important to have that certificate be there. This could be the ssl mismatch error you are receiving.

All just possibilities, for the type of issue you're having.

You also might want to go to transaction SMICM and bump up the ICM trace... /nSMICM -> goto -> trace level -> Increase (I believe 4 or 5 is the highest setting 1 is the default, just keep on increasing to get to the level you want, if you tail or watch the log dev_icm you'll see the trace level go up each time you bump up the trace level). You can check the log in the work directory dev_icm. This is a good place to look for HTTP traffic when having http/https/ssl issues.

The log is going to get really large for all the messaging, just be sure to set the icm trace back to default so you don't run up the directory size.

Good Luck

Rocco

Former Member
0 Kudos

Also see if your https service is active in the transaction smicm.

Thanks & Regards,

Rahul

Former Member
0 Kudos

Larry,

OK, so you're using the HTTPS adapter. Have you uploaded the certificate to the keystore in Visual Administrator?

Which version of XI/PI are you using? You may need to run the SSO2 Wizard (if PI/SP14 or above); otherwise the keystore in VA should give you the necessary setup.

Make sure you set up HTTP and SSL correctly here is the link for the setup in NW04:

http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm

Check the "Technically Enabling SSL" section; it describes the steps needed to run STRUST and the J2EE Visual Administrator (utilizing the keystore). Here is a little snippet from the web page:

● Use the J2EE Visual Administrator to set up an SAP Web AS J2EE engine as HTTPS server. If not already done, you have to import a certificate generated by a CA identifying the SAP Web AS into the keystore named service_ssl in the Keystore service. In addition, you have to assign this certificate in the SSL Provider service.

● Use the J2EE Visual Administrator to set up an SAP Web AS J2EE engine as HTTPS client. If not already done, you have to import the certificate of the CA of the HTTPS server's certificate into the J2EE engine's keystore view named TrustedCAs.

Good luck this should help you even a little.

Rocco

VijayKonam
Active Contributor
0 Kudos

If it is leaving your network for sure, check the other party's connection parameters in the message. Did you misspell or miss the proper IP number or port?

VJ

Former Member
0 Kudos

I have the certificate installed, and everything looks good with it. I did not use the visual administrator, I used STRUST. Again, everything seemed to work fine. And then I restarted the ICM (saw that somewhere).

What's weird is our network people show the transmission leaving our firewalls, however the customer says it never hits their firewall.

ravi_raman2
Active Contributor
0 Kudos

Larry,

One suggestion here is to get the tcpmon tool, send it to it and see if you can see the packet data, that should help.

Regards

Ravi Raman

VijayKonam
Active Contributor
0 Kudos

Looks like the certificate did not get installed in STRUST. I am not sure if it has to be done in Visual Administrator. Just a thought!

VJ