ICM_HTTP_SSL error for RFC destinations

Former Member
0 Kudos

Hi All, I am trying the connection test for the HMRC RFC destination and I am getting the ICM_HTTP_SSL error. The ICM trace shows:

Thr 2314] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

Thr 2314]    session uses PSE file "/usr/sap/PIP/DVEBMGS00/sec/SAPSSLA.pse"

Thr 2314] SecudeSSL_SessionStart: SSL_connect() failed

Thr 2314]   secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

Thr 2314] >>            Begin of Secude-SSL Errorstack            >>

Thr 2314] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

Thr 2314] ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "CN=VeriSign Class 3 Public Primary Ce

Thr 2314] ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete

Thr 2314] <<            End of Secude-SSL Errorstack

Thr 2314]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

Thr 2314]   SSL NI-sock: local=149.170.135.6:49916  peer=157.203.50.169:443

Thr 2314] <<- ERROR: SapSSLSessionStart(sssl_hdl=116d39bd0)==SSSLERR_SSL_CONNECT

Thr 2314] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00085b12} [icxxconn_mt.c 1957]

I understand the certificate chain is not valid, but I don't know how to get this fixed.

I followed this post, and it looks similar to the issue I am facing: ICM_HTTP_SSL_ERROR when calling web service

Thanks,

Bharath
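
A small triage helper for the ICM trace quoted in the question, as an added example that is not part of the original post or of SAP tooling: it separates trace entries that run together on one line and pulls out the PSE in use, the peer, the Secude error stack and the issuer at which the chain stops. The patterns are inferred only from the lines shown in the post, and the function names are hypothetical.

```python
import re

# Trace entries taken from the post above. The second line deliberately keeps
# three entries run together to exercise the splitter, and the issuer DN is
# cut off because the post shows it cut off.
SAMPLE_TRACE = '''Thr 2314]    session uses PSE file "/usr/sap/PIP/DVEBMGS00/sec/SAPSSLA.pse"
Thr 2314] SecudeSSL_SessionStart: SSL_connect() failedThr 2314]   secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"Thr 2314] >>            Begin of Secude-SSL Errorstack            >>
Thr 2314] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
Thr 2314] ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "CN=VeriSign Class 3 Public Primary Ce
Thr 2314] ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
Thr 2314]   SSL NI-sock: local=149.170.135.6:49916  peer=157.203.50.169:443
'''

PREFIX = re.compile(r"Thr (\d+)\]\s*")
PSE = re.compile(r'session uses PSE file "([^"]+)"')
PEER = re.compile(r"peer=(\S+)")
STACK = re.compile(r"ERROR in (\w+): \((\d+)/0x[0-9a-fA-F]+\) (.*)")
ISSUER = re.compile(r'Chain of certificates is incomplete : "([^"]*)("?)')

def split_entries(text):
    """Split on every 'Thr <id>]' prefix so entries fused onto one line come apart."""
    parts = PREFIX.split(text)  # ['', id, body, id, body, ...]
    return [(int(parts[i]), parts[i + 1].strip())
            for i in range(1, len(parts), 2) if parts[i + 1].strip()]

def triage(text):
    """Collect what is needed to repair the trust store: PSE, peer, error stack, issuer."""
    report = {"pse": None, "peer": None, "errors": [],
              "missing_issuer": None, "issuer_truncated": False}
    for _tid, body in split_entries(text):
        if m := PSE.search(body):
            report["pse"] = m.group(1)
        if m := PEER.search(body):
            report["peer"] = m.group(1)
        if m := STACK.search(body):
            report["errors"].append((m.group(1), int(m.group(2)), m.group(3)))
        if m := ISSUER.search(body):
            report["missing_issuer"] = m.group(1)
            # No closing quote means the trace itself cut the DN short.
            report["issuer_truncated"] = m.group(2) == ""
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

The `pse` field names the PSE whose certificate list has to contain the issuer reported in `missing_issuer`; when `issuer_truncated` is true, take the full DN from the certificate itself rather than from the trace.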

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

"the verification of the server's certificate chain failed"

This means that the client's or server's certificate, or your client's public certificate for that server, is not OK. This is a double and asymmetric key system: the server has a key pair (public and private) and the client has only the public key of each server.

You should:

1-Regenerate the server's certificate or make sure the certificate is properly generated. It may be that it has not lapsed but was badly generated internally.

2-In transaction STRUST on the server, export the public key of this certificate

3-In transaction STRUST on the client, import the exported public key

regards

Former Member
0 Kudos

Hello Jorge,

Thanks for your reply.

But my issue is similar to the one posted in http://scn.sap.com/thread/1808758 .

Now my question is: our HTTP RFC destination is from the PI server to the HMRC department, and in this case which one is considered the server? The one at HMRC or our SAP PI server?

Hoping for a quick reply.

Regards,

Bharath

Bhargavakrishna
Active Contributor
0 Kudos

Hi Bharath,

Did you refer to SAP note 1693957? It is related to the certificate issue. Install the certificates as per the note.

Refer to the last reply in this thread: http://scn.sap.com/thread/1808758

Did you try it?

Regards

Bhargava krishna

Former Member
0 Kudos

Hi Bhargava Krishna,

Thanks for your reply.

But this was working till yesterday and stopped working only today.

I understand that there is a problem with the certificates in STRUST, but not what the problem is.

The certificates are not expired either.

Regards,

Bharath

Bhargavakrishna
Active Contributor
0 Kudos

Hi Bharath,

If possible, re-deploy the certificates. Did you restart the server?

Regards

Bhargava krishna

Former Member
0 Kudos

Hi,

The server is always the connection destination. For example, if you have 2 hosts A and B, and there are connections between them:

1.Connection A to B -> B is server because it receives a petition.

B should have two pair key certificate and A should have the public key of that certificate

2.Connection  B to A-> A is server because it receives a petition.

A should have two pair key certificate and B should have the public key of that certificate

3. Connection in two ways -> Points 1 and 2 must both be done, because both are servers or clients depending on who starts the connection.

The most important thing is to understand that the public key is what any host uses to connect to a server, so a host can be a server now and a client later, depending on who starts the connection.

regards

Former Member
0 Kudos

Hi All

just for cosmetic stuff

Note 1925708 - New Government Gateway Security Certificates for eFiling

Enjoy your HMRC

a

Answers (2)

Former Member
0 Kudos

Hi all,

Thanks for your replies.

I don't know why, but I had to re-import the VeriSign certificates in the STRUST transaction and now the RFC destination is working fine.

Thanks,

Bharath

gagandeep_batra
Active Contributor
0 Kudos

Hi Bharath,

Did you configure STRUST properly?

Regards

Gagan

Former Member
0 Kudos

Hi Gagandeep,

This was working till yesterday. It started throwing the error just today. I am sure nothing has been changed.

Regards,

Bharath

markangelo_dihiansan
Active Contributor
0 Kudos

Hello,

Can you check if the certificates are still valid?

Regards,

Mark

gagandeep_batra
Active Contributor
0 Kudos

Then your certificate might have expired.

Check with the certificate team.

Regards

gAgan

Former Member
0 Kudos

Hello,

Thanks for your reply.

Yes, I checked the certificates. One certificate is going to expire in 2014 and the other on 25 October 2013. So, I believe this is not an issue either.

Regards,

Bharath

Former Member
0 Kudos

Hi,

Thanks for your reply.

Yes, I checked the certificates. One certificate is going to expire in 2014 and the other on 25 October 2013.

Regards,

Bharath