
SAP HANA Cloud Connector - no connection due to SSL issue

timo_renner
Advisor
0 Kudos

Hi @all,

I have a strange issue after initially setting up a Cloud Connector when trying to initially establish the connection to the HCP account.

The CC is installed on a SLES 11. As it is a Sandbox environment with an SAP Java system on it, the JAVA_HOME path points to the SAP JVM delivered with this system.

After I started the CC daemon (with root user), the CC runs and I can connect to the admin UI. After entering the data to my account at hanatrial.ondemand.com and my logon data, the CC tries to connect - and fails.

The Connector State shows that the required URLs can be reached from the SLES host.

The logs show an issue with the SSL communication between the CC and the HANA-Trial instance.

The log shows that the CC is not able to connect to HCP with issues verifying the SSL connection:

2014-10-13 17:02:01,698#ERROR#com.sap.scc.rt#http-bio-8443-exec-8#          #Tunnel Connect Failed
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:485)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:753)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:721)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
    at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1282)
    at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:917)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:310)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
    at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:318)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
    at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
    at org.jboss.netty.handler.execution.MemoryAwareThreadPoolExecutor$MemoryAwareRunnable.run(MemoryAwareThreadPoolExecutor.java:622)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:722)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1528)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:243)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:533)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:952)
    at org.jboss.netty.handler.ssl.ImmediateExecutor.execute(ImmediateExecutor.java:31)
    at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1450)
    at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1323)
    ... 14 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
    ... 22 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
    ... 28 more

The certificate of hanatrial.ondemand.com was imported into the (initially) not existing keystore of both user "root" and "sccadmin"; OS permissions on the files should also not be an issue.

Any idea what I should look for to further analyze and solve the issue?

Thnx and best regards,

Timo

Accepted Solutions (1)


MarkusTolksdorf
Product and Topic Expert
0 Kudos

Hi Timo,

could you please give a hint as to which JVM, in which version, is used on your system? At the moment it looks to me like a trust store issue, even though you imported the certificate to the keystores ...

Best regards,

Markus

timo_renner
Advisor
0 Kudos

Hi Markus,

it's a SAP JVM from a CE.

Exact version:

SAP Java Server VM (build 6.1.037 19.1-b02, Jan  3 2012 23:55:54 - 61_REL - optU - linux amd64 - 6 - bas2:164951 (mixed mode))

Is it preferred to use a default JRE, or is SAP JVM fine?

As mentioned, initially there was no .keystore file available for any of the users on the system (neither root, nor the <SID>adm user of the CE system). So I imported the certificate for both root and the home directory of sccadmin (which is /opt/sap/scc).

BR Timo

MarkusTolksdorf
Product and Topic Expert
0 Kudos

Hi Timo,

Oooh, this is really an old one. The latest available version is

SAP Java Server VM (build 6.1.071 24.55-b08, Sep 28 2014 00:29:59 - 61_REL - optU - windows amd64 - 6 - bas2:226310 (mixed mode))

I know that these old versions did not contain the CA that issued the certificates of HANA Cloud Platform. Moreover, they also lack fixes in the JCE, and this might cause the trouble you experience now. Hence, I propose that you upgrade your JVM to the latest SAP JVM. This will be useful for your AS Java as well.

Best regards,

Markus
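Added example, not part of any post in this thread: a small diagnostic for the "PKIX path building failed" error above, assuming the application relies on the JVM's default JSSE trust store. It prints which trust store file the running JVM consults and whether any trust anchor matches an issuer name; the class name `TrustAnchorCheck` and the placeholder issuer "Example Root CA" are illustrative.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustAnchorCheck {
    // JSSE lookup order: javax.net.ssl.trustStore, then jssecacerts, then cacerts.
    static File defaultTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) return new File(override);
        File secDir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(secDir, "jssecacerts");
        return jsse.exists() ? jsse : new File(secDir, "cacerts");
    }

    // Count trust anchors whose subject DN contains the fragment (case-insensitive).
    static int countAnchors(String dnFragment) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM default trust store
        int hits = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String dn = ca.getSubjectX500Principal().getName();
                if (dn.toLowerCase().contains(dnFragment.toLowerCase())) {
                    System.out.println("  anchor: " + dn + " (expires " + ca.getNotAfter() + ")");
                    hits++;
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder issuer; pass the root CA name shown in the server's chain.
        String fragment = args.length > 0 ? args[0] : "Example Root CA";
        System.out.println("java.home   : " + System.getProperty("java.home"));
        System.out.println("trust store : " + defaultTrustStore());
        System.out.println("~/.keystore : " + new File(System.getProperty("user.home"),
            ".keystore") + " (keytool default; JSSE does not read it for server trust)");
        int hits = countAnchors(fragment);
        System.out.println(hits == 0
            ? "No anchor matches '" + fragment + "': expect 'PKIX path building failed'."
            : hits + " matching trust anchor(s) found.");
    }
}
```

Run it with the same JVM that `JAVA_HOME` points to for the failing process, so the reported trust store is the one that process actually uses.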

timo_renner
Advisor
0 Kudos

Hi Markus,

thnx, that was the solution.

After providing the new JVM and re-installation of the CC it works.

I've also tried to run the Oracle server JRE, but that showed the same issue as before. No clue why that JRE is not working, but then I'll stick to the SAP one.

Thnx Timo

former_member585626
Participant
0 Kudos
Hi Markus Tolksdorf, I have a similar problem, could you please help me? The problem is described in the link below.

https://answers.sap.com/questions/12885308/not-able-to-connect-on-premise-from-neo-cloud-thru.html

Answers (0)