Using X.509 Client Certificates -> SAP ABAP Webgui (SSL)

Former Member
0 Kudos

Hello,

Currently the integrated ITS (Webgui) is running. We now want to use the smart card and have adapted the configuration:

RZ10:

icm/server_port_0=PROT=HTTPS,PORT=1443,TIMEOUT=180

icm/HTTPS/verify_client=2

...

table USREXTID: C=DE,ST=xxx,L=xxx,O=xxx,OU=xxx,CN=xxx,emailAddress=xxx

smart card certification -> firefox 2.x and IE 7.x install.

SICF: Webgui Service -> Login with Client Certificate

The test (with IE or Firefox) was unsuccessful.

SMICM Trace:

[Thr 5708] >> - Begin of Secude-SSL Errorstack - >>

[Thr 5708] ERROR in ssl3_get_client_certificate: (536871698/0x20000312) the client did not send a certificate handshake message

[Thr 5708] << - End of Secude-SSL Errorstack -

[Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT

[Thr 5708] ->> SapSSLErrorName(rc=-56)

[Thr 5708] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT

[Thr 5708] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c 1777]

[Thr 5708] ->> SapSSLSessionDone(&sssl_hdl=023BC640)

What should I do now?

Thanks, Silke

Full Trace:

sysno 02

sid RD1

systemid 560 (PC with Windows NT)

relno 7000

patchlevel 0

patchno 148

intno 20050900

make: multithreaded, ASCII, optimized

pid 5468

[Thr 5416] started security log to file dev_icm_sec

[Thr 5416] ICM running on: sdatu100.pvw.tu-darmstadt.de

[Thr 5416] MtxInit: 30001 0 2

[Thr 5416] IcmInit: listening to admin port: 65000

[Thr 5416] DpSysAdmExtCreate: ABAP is active

[Thr 5416] DpSysAdmExtCreate: VMC (JAVA VM in WP) is not active

[Thr 5416] DpShMCreate: sizeof(wp_adm) 13576 (1044)

[Thr 5416] DpShMCreate: sizeof(tm_adm) 36258120 (18120)

[Thr 5416] DpShMCreate: sizeof(wp_ca_adm) 18000 (60)

[Thr 5416] DpShMCreate: sizeof(appc_ca_adm) 6000 (60)

[Thr 5416] DpCommTableSize: max/headSize/ftSize/tableSize=2000/8/2112040/2112048

[Thr 5416] DpShMCreate: sizeof(comm_adm) 2112048 (1048)

[Thr 5416] DpSlockTableSize: max/headSize/ftSize/fiSize/tableSize=0/0/0/0/0

[Thr 5416] DpShMCreate: sizeof(slock_adm) 0 (96)

[Thr 5416] DpFileTableSize: max/headSize/ftSize/tableSize=0/0/0/0

[Thr 5416] DpShMCreate: sizeof(file_adm) 0 (72)

[Thr 5416] DpShMCreate: sizeof(vmc_adm) 0 (1296)

[Thr 5416] DpShMCreate: sizeof(wall_adm) (224040/329544/56/100)

[Thr 5416] DpShMCreate: sizeof(gw_adm) 48

[Thr 5416] DpShMCreate: SHM_DP_ADM_KEY (addr: 028C0040, size: 38968448)

[Thr 5416] DpShMCreate: allocated sys_adm at 028C0040

[Thr 5416] DpShMCreate: allocated wp_adm at 028C1B30

[Thr 5416] DpShMCreate: allocated tm_adm_list at 028C5038

[Thr 5416] DpShMCreate: allocated tm_adm at 028C5068

[Thr 5416] DpShMCreate: allocated wp_ca_adm at 04B591B0

[Thr 5416] DpShMCreate: allocated appc_ca_adm at 04B5D800

[Thr 5416] DpShMCreate: allocated comm_adm at 04B5EF70

[Thr 5416] DpShMCreate: system runs without slock table

[Thr 5416] DpShMCreate: system runs without file table

[Thr 5416] DpShMCreate: allocated vmc_adm_list at 04D629A0

[Thr 5416] DpShMCreate: allocated gw_adm at 04D629E0

[Thr 5416] DpShMCreate: system runs without vmc_adm

[Thr 5416] DpShMCreate: allocated ca_info at 04D62A10

[Thr 5096] IcmProxyWatchDog: proxy watchdog started

[Thr 5416] CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.

[Thr 5416] IcmCreateWorkerThreads: created worker thread 0

[Thr 5416] IcmCreateWorkerThreads: created worker thread 1

[Thr 5416] IcmCreateWorkerThreads: created worker thread 2

[Thr 5416] IcmCreateWorkerThreads: created worker thread 3

[Thr 5416] IcmCreateWorkerThreads: created worker thread 4

[Thr 5416] IcmCreateWorkerThreads: created worker thread 5

[Thr 5416] IcmCreateWorkerThreads: created worker thread 6

[Thr 5416] IcmCreateWorkerThreads: created worker thread 7

[Thr 5416] IcmCreateWorkerThreads: created worker thread 8

[Thr 5416] IcmCreateWorkerThreads: created worker thread 9

[Thr 4352] IcmWatchDogThread: watchdog started

[Thr 5672] =================================================

[Thr 5672] = SSL Initialization on PC with Windows NT

[Thr 5672] = (700_REL,Mar 25 2008,mt,ascii,SAP_UC/size_t/void* = 8/32/32)

[Thr 5672] profile param "ssl/ssl_lib" = "D:\usr\sap\RD1\SYS\exe\run\sapcrypto.dll"

resulting Filename = "D:\usr\sap\RD1\SYS\exe\run\sapcrypto.dll"

[Thr 5672] = found SAPCRYPTOLIB 5.5.5C pl17 (Aug 18 2005) MT-safe

[Thr 5672] = current UserID: SDATU100\SAPServiceRD1

[Thr 5672] = found SECUDIR environment variable

[Thr 5672] = using SECUDIR=D:\usr\sap\RD1\DVEBMGS02\sec

[Thr 5672] = secudessl_Create_SSL_CTX(): PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLC.pse" not found,

[Thr 5672] = using PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse" as fallback

[Thr 5672] = secudessl_Create_SSL_CTX(): PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLA.pse" not found,

[Thr 5672] = using PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse" as fallback

[Thr 5672] ******** Warning ********

[Thr 5672] *** No SSL-client PSE "SAPSSLC.pse" available

[Thr 5672] *** -- this will probably limit SSL-client side connectivity

[Thr 5672] ********

[Thr 5672] = Success -- SapCryptoLib SSL ready!

[Thr 5672] =================================================

[Thr 5672] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject no

X.509 cert data will be removed from header [http_plg.c 720]

[Thr 5672] ISC: created 400 MB disk cache.

[Thr 5672] ISC: created 50 MB memory cache.

[Thr 5672] HttpSubHandlerAdd: Added handler HttpCacheHandler(slot=0, flags=12293) for /:0

[Thr 5672] HttpExtractArchive: files from archive D:\usr\sap\RD1\SYS\exe\run/icmadmin.SAR in directory D:/usr/sap/RD1/DVEBMGS02/

[Thr 5672] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=1, flags=4101) for /sap/admin:0

[Thr 5672] CsiInit(): Initializing the Content Scan Interface

[Thr 5672] PC with Windows NT (mt,ascii,SAP_CHAR/size_t/void* = 8/32/32)

[Thr 5672] CsiInit(): CSA_LIB = "D:\usr\sap\RD1\SYS\exe\run\sapcsa.dll"

[Thr 5672] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=2, flags=12293) for /:0

[Thr 5672] HttpSubHandlerAdd: Added handler HttpSAPR3Handler(slot=3, flags=1052677) for /:0

[Thr 5672] Started service 1443 for protocol HTTPS on host "sdatu100.pvw.tu-darmstadt.de"(on all adapters) (processing timeout=9

[Thr 5672] Started service 25000 for protocol SMTP on host "sdatu100.pvw.tu-darmstadt.de"(on all adapters) (processing timeout=8

[Thr 5672] Tue Jul 15 14:38:37 2008

[Thr 5672] *** WARNING => IcmNetCheck: NiAddrToHost(10.0.0.1) took 5 seconds [icxxman.c 4578]

[Thr 5672] *** WARNING => IcmNetCheck: 1 possible network problems detected - please check the network/DNS settings [icxxman.c

[Thr 3932] Tue Jul 15 14:39:32 2008

[Thr 3932] *** WARNING => IcmCallAllSchedules: Schedule func 1 already running - avoid recursion [icxxsched.c 430]

[Thr 5416] Tue Jul 15 14:40:23 2008

[Thr 5416] IcmSetParam: Switched trace level to: 3

[Thr 5416] *

[Thr 5416] * SWITCH TRC-LEVEL to 3

[Thr 5416] *

[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes

[Thr 5416]

NiBufSend starting

[Thr 5416] NiIWrite: hdl 3 sent data (wrt=80,pac=1,MESG_IO)

[Thr 5416] SiSelNSelect: start select (timeout=-1)

[Thr 5416] SiSelNNext: sock 8088 selected (revt=r--)

[Thr 5416] NiBufISelProcess: hdl 9 process r-

[Thr 5416] NiBufIAlloc: malloc NIBUF-IN, to 72 bytes

[Thr 5416] NiIRead: hdl 9 received data (rcd=72,pac=1,MESG_IO)

[Thr 5416] NiBufIIn: NIBUF len=72

[Thr 5416] NiBufIIn: packet complete for hdl 9

[Thr 5416] NiBufISelUpdate: new MODE -- (r-) for hdl 9 in set0

[Thr 5416] SiSelNSet: set events of sock 8088 to: ---

[Thr 5416] NiBufISelUpdate: new STAT r-- (---) for hdl 9 in set0

[Thr 5416] NiSelIListInsert: add hdl 9 [17] to buf-list (0) of set0

[Thr 5416] NiSelISelectInt: 1 handles selected (1 buffered)

[Thr 5416] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 1

[Thr 5416]

NiBufReceive starting

[Thr 5416] NiBufISelUpdate: new MODE r- (--) for hdl 9 in set0

[Thr 5416] SiSelNSet: set events of sock 8088 to: rp-

[Thr 5416] NiBufISelUpdate: new STAT - (r) for hdl 9 in set0

[Thr 5416] NiSelIListRemove: remove hdl 9 [17] from buf-list (1) of set0

[Thr 5416] IcmRecMsg: received 72 bytes

[Thr 5416] ============================================

[Thr 5416] | COM_DATA:

[Thr 5416] | Offset: 0 | Version: 7000

[Thr 5416] | MsgNo: 2 | Opcode: ICM_COM_OP_ICM_MONITOR (66)

[Thr 5416] ============================================

[Thr 5416] IcmHandleAdmMsg: op: 66

[Thr 5416] NiBufIAlloc: malloc NiBufadm, to 0 bytes

[Thr 5416] NiBufDup: ref 1 for buf 0252CE50

[Thr 5416] IcmQueueAppend: queuelen: 1

[Thr 5416] IcmCreateRequest: Appended request 13

[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes

[Thr 5416]

NiBufSend starting

[Thr 4392] IcmWorkerThread: worker 3 got the semaphore

[Thr 4392] REQUEST:

Type: ADMMSG Index = 12

[Thr 4392] NiBufFree: ref 1 for buf 0252CE50

[Thr 5416] NiIWrite: hdl 9 sent data (wrt=80,pac=1,MESG_IO)

[Thr 4392] MPI<a>0#5 GetInbuf -1 138968 440 (1) -> 6

[Thr 4392] IcmHandleMonitorMessage: called with opcode: 100

[Thr 5416] SiSelNSelect: start select (timeout=-1)

[Thr 4392] MPI<9>1#4 GetOutbuf -1 1489a0 65536 (0) -> 05348A00 0

[Thr 4392] MPI<a>0#6 FreeInbuf#2 0 138968 0 -> 0

[Thr 4392] MPI<9>1#5 FlushOutbuf l-1 1 1 1489a0 1104 6 -> 053489E0 0

[Thr 4392] IcmWorkerThread: Thread 3: Waiting for event

[Thr 5416] SiSelNNext: sock 8088 selected (revt=r--)

[Thr 5416] NiBufISelProcess: hdl 9 process r-

[Thr 5416] NiBufIAlloc: malloc NIBUF-IN, to 72 bytes

[Thr 5416] NiIRead: hdl 9 received data (rcd=72,pac=1,MESG_IO)

[Thr 5416] NiBufIIn: NIBUF len=72

[Thr 5416] NiBufIIn: packet complete for hdl 9

[Thr 5416] NiBufISelUpdate: new MODE -- (r-) for hdl 9 in set0

[Thr 5416] SiSelNSet: set events of sock 8088 to: ---

[Thr 5416] NiBufISelUpdate: new STAT r-- (---) for hdl 9 in set0

[Thr 5416] NiSelIListInsert: add hdl 9 [17] to buf-list (0) of set0

[Thr 5416] NiSelISelectInt: 1 handles selected (1 buffered)

[Thr 5416] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 1

[Thr 5416]

NiBufReceive starting

[Thr 5416] NiBufISelUpdate: new MODE r- (--) for hdl 9 in set0

[Thr 5416] SiSelNSet: set events of sock 8088 to: rp-

[Thr 5416] NiBufISelUpdate: new STAT - (r) for hdl 9 in set0

[Thr 5416] NiSelIListRemove: remove hdl 9 [17] from buf-list (1) of set0

[Thr 5416] IcmRecMsg: received 72 bytes

[Thr 5416] ============================================

[Thr 5416] | COM_DATA:

[Thr 5416] | Offset: 0 | Version: 7000

[Thr 5416] | MsgNo: 2 | Opcode: ICM_COM_OP_ICM_MONITOR (66)

[Thr 5416] ============================================

[Thr 5416] IcmHandleAdmMsg: op: 66

[Thr 5416] NiBufIAlloc: malloc NiBufadm, to 0 bytes

[Thr 5416] NiBufDup: ref 1 for buf 0252CE50

[Thr 5416] IcmQueueAppend: queuelen: 1

[Thr 5416] IcmCreateRequest: Appended request 14

[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes

[Thr 5416]

NiBufSend starting

[Thr 5784] IcmWorkerThread: worker 4 got the semaphore

[Thr 5416] NiIWrite: hdl 9 sent data (wrt=80,pac=1,MESG_IO)

[Thr 5416] NiBufFree: ref 1 for buf 0252CE50

[Thr 5416] SiSelNSelect: start select (timeout=-1)

[Thr 5784] REQUEST:

Type: ADMMSG Index = 13

[Thr 5784] MPI<c>0#5 GetInbuf -1 1489a0 440 (1) -> 6

[Thr 5784] IcmHandleMonitorMessage: called with opcode: 100

[Thr 5784] MPI<b>1#4 GetOutbuf -1 138968 65536 (0) -> 053389C8 0

[Thr 5784] MPI<c>0#6 FreeInbuf#2 0 1489a0 0 -> 0

[Thr 5784] MPI<b>1#5 FlushOutbuf l-1 1 1 138968 1104 6 -> 053389A8 0

[Thr 5784] IcmWorkerThread: Thread 4: Waiting for event

[Thr 4352] Tue Jul 15 14:40:26 2008

[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)

[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)

[Thr 4352] SiSelNFCSelect: start select (timeout=10000)

[Thr 5416] Tue Jul 15 14:40:29 2008

[Thr 5416] SiSelNNext: sock 8160 selected (revt=r--)

[Thr 5416] NiSelIListInsert: add hdl 6 [3] to sel-list (0) of set0

[Thr 5416] NiSelISelectInt: 1 handles selected (0 buffered)

[Thr 5416] IcmExternalLogin: Connection request from Client received

[Thr 5416] NiIAccept: hdl 6 accepted connection

[Thr 5416] NiICreateHandle: hdl 8 state NI_INITIAL

[Thr 5416] NiIInitSocket: set default settings for hdl 8 / sock 8076 (I4; ST)

[Thr 5416] NiIBlockMode: set blockmode for hdl 8 FALSE

[Thr 5416] NiIAccept: state of hdl 8 NI_ACCEPTED

[Thr 5416] NiIAccept: hdl 6 accepted hdl 8 from 192.168.1.3:1305

[Thr 5416] NiIAccept: hdl 8 took local address 130.83.89.22:1443

[Thr 5416] IcmConnCheckStoredClientConn: next client timeout check in 3 sec

[Thr 5416] IcmServIncrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 2

[Thr 5416] IcmQueueAppend: queuelen: 1

[Thr 5416] IcmCreateRequest: Appended request 15

[Thr 5416] IcmConnIntegrateServer: accepted connection from 192.168.1.3 on service 1443

[Thr 3932] IcmWorkerThread: worker 5 got the semaphore

[Thr 3932] REQUEST:

Type: ACCEPT CONNECTION Index = 14

[Thr 3932] CONNECTION (id=1/8):

used: 1, type: 1, role: 1, stateful: 0

NI_HDL: 8, protocol: HTTPS(2)

local host: 130.83.89.22:1443 ()

remote host: 192.168.1.3:1305 ()

status: NOP

connect time: 15.07.2008 14:40:29

MPI request: <0> MPI response: <0>

request_buf_size: 0 response_buf_size: 0

request_buf_used: 0 response_buf_used: 0

request_buf_offset: 0 response_buf_offset: 0

[Thr 5416] SiSelNSelect: start select (timeout=-1)

[Thr 3932] MPI:1 create pipe 052002C0 1

[Thr 3932] MPI<d>1#1 Open( ANONYMOUS 1 1 ) -> 1

[Thr 3932] MPI<d>1#2 Open( ANONYMOUS 1 0 ) -> 1

[Thr 3932] MPI:0 create pipe 05200180 1

[Thr 3932] MPI<e>0#1 Open( ANONYMOUS 0 0 ) -> 0

[Thr 3932] MPI<e>0#2 Open( ANONYMOUS 0 1 ) -> 0

[Thr 3932] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))

[Thr 3932] <<- SapSSLSessionInit()==SAP_O_K

[Thr 3932] in: args = "role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT)"

[Thr 3932] out: sssl_hdl = 003FFBC0

[Thr 3932] ->> SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)

[Thr 3932] NiIBlockMode: set blockmode for hdl 8 TRUE

[Thr 3932] SSL NI-sock: local=130.83.89.22:1443 peer=192.168.1.3:1305

[Thr 3932] <<- SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)==SAP_O_K

[Thr 3932] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)

[Thr 3932] SapISSLServerCacheExpiration(): Calling ServerCacheCleanup() (lifetime=900)

[Thr 3932] SapISSLServerCacheExpiration(srv,"D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse"): Cache max/before/now = 5000/1/1

[Thr 5096] Tue Jul 15 14:40:32 2008

[Thr 5096] SiSelNSelect: of 1 sockets 0 selected

[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)

[Thr 5096] SiSelNSelect: start select (timeout=10000)

[Thr 4352] Tue Jul 15 14:40:36 2008

[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)

[Thr 4352] IcmCheckForBlockedThreads: check for blocked SSL-threads

[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)

[Thr 4352] SiSelNFCSelect: start select (timeout=10000)

[Thr 5096] Tue Jul 15 14:40:42 2008

[Thr 5096] SiSelNSelect: of 1 sockets 0 selected

[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)

[Thr 5096] SiSelNSelect: start select (timeout=10000)

[Thr 3932] Tue Jul 15 14:40:45 2008

[Thr 3932] peer has closed connection

[Thr 3932] <<- SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_CONN_CLOSED

[Thr 3932] ->> SapSSLSessionDone(&sssl_hdl=023BC640)

[Thr 3932] <<- SapSSLSessionDone(sssl_hdl=003FFBC0)==SAP_O_K

[Thr 3932] NiICloseHandle: shutdown and close hdl 8 / sock 8076

[Thr 3932] MPI<d>1#3 Close( 1 ) del=0 -> 0

[Thr 3932] MPI<d>1#5 Delete( 1 ) -> 0

[Thr 3932] MPI<d>1#4 Close( 1 ) del=1 -> 0

[Thr 3932] MPI<e>0#3 Close( 0 ) del=0 -> 0

[Thr 3932] MPI<e>0#5 Delete( 0 ) -> 0

[Thr 3932] MPI<e>0#4 Close( 0 ) del=1 -> 0

[Thr 3932] IcmConnFreeContext: context 1 released

[Thr 3932] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1

[Thr 3932] IcmWorkerThread: Thread 5: Waiting for event

[Thr 5416] SiSelNNext: sock 8160 selected (revt=r--)

[Thr 5416] NiSelIListInsert: add hdl 6 [3] to sel-list (0) of set0

[Thr 5416] NiSelISelectInt: 1 handles selected (0 buffered)

[Thr 5416] IcmExternalLogin: Connection request from Client received

[Thr 5416] NiIAccept: hdl 6 accepted connection

[Thr 5416] NiICreateHandle: hdl 8 state NI_INITIAL

[Thr 5416] NiIInitSocket: set default settings for hdl 8 / sock 8092 (I4; ST)

[Thr 5416] NiIBlockMode: set blockmode for hdl 8 FALSE

[Thr 5416] NiIAccept: state of hdl 8 NI_ACCEPTED

[Thr 5416] NiIAccept: hdl 6 accepted hdl 8 from 192.168.1.3:1309

[Thr 5416] NiIAccept: hdl 8 took local address 130.83.89.22:1443

[Thr 5416] IcmConnCheckStoredClientConn: check for client conn timeout

[Thr 5416] IcmConnCheckStoredClientConn: next client timeout check in 60 sec

[Thr 5416] IcmServIncrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 2

[Thr 5416] IcmQueueAppend: queuelen: 1

[Thr 5416] IcmCreateRequest: Appended request 16

[Thr 5416] IcmConnIntegrateServer: accepted connection from 192.168.1.3 on service 1443

[Thr 5708] IcmWorkerThread: worker 6 got the semaphore

[Thr 5708] REQUEST:

Type: ACCEPT CONNECTION Index = 15

[Thr 5708] CONNECTION (id=1/9):

used: 1, type: 1, role: 1, stateful: 0

NI_HDL: 8, protocol: HTTPS(2)

local host: 130.83.89.22:1443 ()

remote host: 192.168.1.3:1309 ()

status: NOP

connect time: 15.07.2008 14:40:45

MPI request: <0> MPI response: <0>

request_buf_size: 0 response_buf_size: 0

request_buf_used: 0 response_buf_used: 0

request_buf_offset: 0 response_buf_offset: 0

[Thr 5416] SiSelNSelect: start select (timeout=-1)

[Thr 5708] MPI:0 create pipe 05200180 1

[Thr 5708] MPI<f>0#1 Open( ANONYMOUS 0 1 ) -> 0

[Thr 5708] MPI<f>0#2 Open( ANONYMOUS 0 0 ) -> 0

[Thr 5708] MPI:1 create pipe 052002C0 1

[Thr 5708] MPI<10>1#1 Open( ANONYMOUS 1 0 ) -> 1

[Thr 5708] MPI<10>1#2 Open( ANONYMOUS 1 1 ) -> 1

[Thr 5708] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))

[Thr 5708] <<- SapSSLSessionInit()==SAP_O_K

[Thr 5708] in: args = "role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT)"

[Thr 5708] out: sssl_hdl = 003FFBC0

[Thr 5708] ->> SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)

[Thr 5708] NiIBlockMode: set blockmode for hdl 8 TRUE

[Thr 5708] SSL NI-sock: local=130.83.89.22:1443 peer=192.168.1.3:1309

[Thr 5708] <<- SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)==SAP_O_K

[Thr 5708] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)

[Thr 5708] NiIBlockMode: set blockmode for hdl 8 FALSE

[Thr 5708] NiIHdlGetStatus: hdl 8 / sock 8092 ok, data pending (len=1)

[Thr 5708] NiIBlockMode: set blockmode for hdl 8 TRUE

[Thr 5708] SSL_get_state() returned 0x00001181 "SSLv3 read client certificate B"

[Thr 5708] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL

[Thr 5708] SecudeSSL_SessionStart: SSL_accept() failed --

secude_error 536871698 (0x20000312) = "the client did not send a certificate handshake message for its authentication and we c

[Thr 5708] >> - Begin of Secude-SSL Errorstack - >>

[Thr 5708] ERROR in ssl3_get_client_certificate: (536871698/0x20000312) the client did not send a certificate handshake message

[Thr 5708] << - End of Secude-SSL Errorstack -

[Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT

[Thr 5708] ->> SapSSLErrorName(rc=-56)

[Thr 5708] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT

[Thr 5708] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c 1777]

[Thr 5708] ->> SapSSLSessionDone(&sssl_hdl=023BC640)

[Thr 5708] <<- SapSSLSessionDone(sssl_hdl=003FFBC0)==SAP_O_K

[Thr 5708] NiICloseHandle: shutdown and close hdl 8 / sock 8092

[Thr 5708] MPI<f>0#3 Close( 0 ) del=0 -> 0

[Thr 5708] MPI<f>0#5 Delete( 0 ) -> 0

[Thr 5708] MPI<f>0#4 Close( 0 ) del=1 -> 0

[Thr 5708] MPI<10>1#3 Close( 1 ) del=0 -> 0

[Thr 5708] MPI<10>1#5 Delete( 1 ) -> 0

[Thr 5708] MPI<10>1#4 Close( 1 ) del=1 -> 0

[Thr 5708] IcmConnFreeContext: context 1 released

[Thr 5708] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1

[Thr 5708] IcmWorkerThread: Thread 6: Waiting for event

[Thr 4352] Tue Jul 15 14:40:46 2008

[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)

[Thr 4352] IcmQueueAppend: queuelen: 1

[Thr 4352] IcmCreateRequest: Appended request 17

[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)

[Thr 4352] SiSelNFCSelect: start select (timeout=10000)

[Thr 4196] IcmWorkerThread: worker 7 got the semaphore

[Thr 4196] REQUEST:

Type: SCHEDULER Index = 16

[Thr 4196] IcmGetSchedule: found slot 0

[Thr 4196] IcmAlReportData: Reporting data to CCMS Alerting Infrastructure

[Thr 4196] NiIGetServNo: servicename '1443' = port 05.A3/1443

[Thr 4196] IcmConnCheckStoredClientConn: next client timeout check in 59 sec

[Thr 4196] NiIGetServNo: servicename '1443' = port 05.A3/1443

[Thr 4196] IcmGetServicePtr: new serv_ref_count: 2

[Thr 4196] PlugInHandleAdmMessage: request received:

[Thr 4196] PlugInHandleAdmMessage: opcode: 136, len: 272, dest_type: 2, subhdlkey: 262145

[Thr 4196] HttpSubHandlerCall: Call Handler: HttpCacheHandler, task=4, header_len=0

[Thr 4196] HttpCacheHandler: 4 0 006BBBC4 00000000

[Thr 4196] SCACHE: adm request received:

[Thr 4196] SCACHE: opcode: 136, len: 272, dest_type: 2, dest:

[Thr 4196] MTX_LOCK 3038 00ADEE88

[Thr 4196] MTX_UNLOCK 3051 00ADEE88

[Thr 4196] IctCmGetCacheInfo#5 -> 0

[Thr 4196] IcmNetBufWrapBuf: allocated netbuf: 00AD2B48, blocks used: 1

[Thr 4196] IcmNetBufWrapBuf: allocated netbuf: 00AD2B48

[Thr 4196] IcmNetBufFree: free netbuf: 00AD2B48 out of 1 used

[Thr 4196] IcmConnFreeContext: context 1 released

[Thr 4196] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1

[Thr 4196] IcmGetSchedule: next schedule in 30 secs

[Thr 4196] IcmWorkerThread: Thread 7: Waiting for event

[Thr 5096] Tue Jul 15 14:40:52 2008

[Thr 5096] SiSelNSelect: of 1 sockets 0 selected

[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)

[Thr 5096] SiSelNSelect: start select (timeout=10000)

8 REPLIES 8

WolfgangJanzen
Product and Topic Expert
0 Kudos

Did you import the root certificate (and potentially all intermediate certificates) of the CA (Certification Authority) which has issued the X.509 Client Certificate to the "certificate list" of your SSL Server PSE (and did you restart your ICM afterwards to make the PSE change effective) ...?

Notice: if the list of "trusted CAs" is empty, the SSL client will not send his certificate to the server ...

0 Kudos

Hello,

Yes, the root certificate is imported in STRUST. The client cert. is from this root CA.

ICM is restarted.

SMICM-Log:

*** No SSL-client PSE "SAPSSLC.pse" available

*** this will probably limit SSL-client side connectivity

Is this a problem?

STRUST: I have "System PSE" and "SSL server Standard"

Thank you, Silke

0 Kudos

> SMICM-Log:
>
> *** No SSL-client PSE "SAPSSLC.pse" available
>
> *** this will probably limit SSL-client side connectivity
>
> is this a problem?

Well, since you want to enable the certificate-based user authentication (where your ABAP server is in the role of the SSL server) this does not matter. But if you intend to use your NWAS ABAP as SSL client (for outbound https communication) then it will matter. To resolve this problem you simply create an SSL Client PSE using transaction STRUST.

Once you've managed to configure your NWAS ABAP for SSL (https://service.sap.com/sap/support/notes/510007), you should see (in the ICM trace) that an X.509 client certificate was received. If the certificate-based logon does not succeed, then it's most likely due to some mapping problems - those can be analysed by using the tracing approach described in note 495911 (https://service.sap.com/sap/support/notes/495911).

If you need assistance in enabling the X.509 client certificate authentication you should submit an inquiry to SAP (message component BC-SEC-LGN).

Best regards,

Wolfgang
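
A triage sketch for the ICM trace discussed in this thread, added here as an example (it is not from any poster and not SAP code): it groups the SSL session lines per worker thread and labels each handshake, using the advice from the replies above as hints. The function names and category labels are assumptions made for this example; the sample lines are copied from the trace posted in the question.

```python
import re

# Lines copied from the trace posted in this thread, trimmed to the SSL-relevant ones.
SAMPLE_TRACE = """\
[Thr 5672] *** No SSL-client PSE "SAPSSLC.pse" available
[Thr 3932] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))
[Thr 3932] SSL NI-sock: local=130.83.89.22:1443 peer=192.168.1.3:1305
[Thr 3932] peer has closed connection
[Thr 3932] <<- SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_CONN_CLOSED
[Thr 5708] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))
[Thr 5708] SSL NI-sock: local=130.83.89.22:1443 peer=192.168.1.3:1309
[Thr 5708] ERROR in ssl3_get_client_certificate: (536871698/0x20000312) the client did not send a certificate handshake message
[Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT
"""

LINE = re.compile(r"^\[Thr (\d+)\]\s*(.*)$")
INIT = re.compile(r"->> SapSSLSessionInit\(.*auth_type=\d+ \((\w+)\)\)")
PEER = re.compile(r"SSL NI-sock: local=(\S+) peer=(\S+)")
ERR = re.compile(r"ERROR in (\w+): \((\d+)/(0x[0-9A-Fa-f]+)\) (.*)")
DONE = re.compile(r"SapSSLSessionStart\([^)]*\)==(\w+)")

# Error code shown in the posted trace for "client did not send a certificate".
NO_CLIENT_CERT = "0x20000312"

HINTS = {  # wording follows the replies in this thread
    "no_client_cert": "client sent no certificate: check that the issuing CA (and any "
                      "intermediates) is in the SSL server PSE certificate list and that "
                      "ICM was restarted",
    "peer_closed": "client closed the connection before the handshake finished",
    "handshake_ok": "handshake completed; if logon still fails, look at the certificate mapping",
    "other_failure": "handshake failed for another reason; read the error stack",
}

def parse_sessions(trace):
    """Return one dict per SSL session, tracked per worker thread."""
    open_by_thread, finished = {}, []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines without a thread prefix are ignored
        thr, msg = m.groups()
        if (i := INIT.search(msg)):
            open_by_thread[thr] = {"thread": thr, "auth_type": i.group(1),
                                   "peer": None, "errors": [], "result": None}
            continue
        sess = open_by_thread.get(thr)
        if sess is None:
            continue
        if (p := PEER.search(msg)):
            sess["peer"] = p.group(2)
        elif (e := ERR.search(msg)):
            sess["errors"].append((e.group(3).lower(), e.group(1), e.group(4)))
        elif (d := DONE.search(msg)):
            sess["result"] = d.group(1)
            finished.append(open_by_thread.pop(thr))
    return finished

def classify(sess):
    codes = {code for code, _, _ in sess["errors"]}
    if sess["auth_type"] == "REQUIRE_CLIENT_CERT" and NO_CLIENT_CERT in codes:
        return "no_client_cert"
    if sess["result"] == "SSSLERR_CONN_CLOSED":
        return "peer_closed"
    if sess["result"] == "SAP_O_K":
        return "handshake_ok"
    return "other_failure"

def startup_notes(trace):
    """Startup warnings that look alarming but do not affect inbound certificate logon."""
    notes = []
    if 'No SSL-client PSE "SAPSSLC.pse" available' in trace:
        notes.append("SAPSSLC.pse missing: matters only for outbound HTTPS, "
                     "not for client-certificate logon")
    return notes

def triage(trace):
    return [(s["peer"], classify(s), HINTS[classify(s)]) for s in parse_sessions(trace)]

if __name__ == "__main__":
    for note in startup_notes(SAMPLE_TRACE):
        print("note:", note)
    for peer, category, hint in triage(SAMPLE_TRACE):
        print(f"{peer}: {category} -> {hint}")
```
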

Former Member
0 Kudos

AFAICS, the client does not send its certificate to the server (did you messages from the client?). The easiest way to accomplish this is to make sure that client and server share their root CA.

0 Kudos

Thank you for your help.

Now it is!

0 Kudos

Please mark your question as answered and award points!

0 Kudos

I am also trying to implement the same scenario in my environment, I have done the following

1- I have configured my SAP ECC AS ABAP Server for SSO / HTTPS.

2- My server is signed with SAP AG test root Server certificate.

3- I am using x.509 free generator to generate Client certificate

4- I have mapped this client certificate in table USREXTID

5- I have also installed the above client certificate in my browser.

Now, when I am accessing the server through the HTTPS web link, I am getting this window:

See the screenshot from the link.

http://www.zshare.net/image/812282264b4e0cc2/

On clicking Continue, the System asks for the User ID and Password:

See the screenshot from the link.

http://www.zshare.net/image/81228268eda10f1c/

I believe it shouldn't ask for the user ID and password as I have installed the digital certificate and have maintained it under VUSREXTID.

My SMICM log can be accessed through

http://www.zshare.net/download/81220708a199f079/

Please advise.

0 Kudos

Just a quick question: are you implementing x.509 certificates for SSO?