Former Member

ERROR during SecudeSSL - Rapid Content Delivery in SSM

Hi Gurus,

We are trying to configure Rapid Content Delivery in SSM.

We have imported all needed certificates for the SSL in STRUST.

Symantec_Class_1_Individual_Subscriber_CA_-_G4

VeriSign_Class_1_Public_Primary_Certification_Authority_-_G3

VeriSign_Class_2_Public_Primary_Certification_Authority_-_G3

VeriSign_Class_3_Public_Primary_Certification_Authority_-_G3

VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4

VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5

VeriSign_Class_3_Secure_Server_CA

VeriSign_Class_4_Public_Primary_Certification_Authority_-_G3

VeriSign_Inc.

GTE CyberTrust Global Root

But we always get the following error.

[Thr 1800] Fri Jan 16 15:50:21 2015

[Thr 1800] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 1800] session uses PSE file "/usr/sap/SSM/DVEBMGS01/sec/SAPSSLC.pse"

[Thr 1800] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 1800] secude_error 536872221 (0x2000051d) = "SSL API error"

[Thr 1800] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 1800] 0x2000051d | SAPCRYPTOLIB | SSL_connect

[Thr 1800] SSL API error

[Thr 1800] Failed to verify peer certificate. Peer not trusted.

[Thr 1800] 0xa0600203 | SSL | ssl_verify_peer_certificates

[Thr 1800] Peer not trusted

[Thr 1800] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates

[Thr 1800] peer certificate (chain) is not trusted

[Thr 1800] PropertyBlock:

[Thr 1800] Status :Not successful

[Thr 1800] Profile :1.3.6.1.4.1.694.2.2.2.2

[Thr 1800] SignerStatus:Not successful

[Thr 1800] SignerVerificationResult:

[Thr 1800] element#no="1":

[Thr 1800] Status :Not successful

[Thr 1800] Validity :Successful

[Thr 1800] BasicConstraints:Successful

[Thr 1800] KeyUsage :Successful

[Thr 1800] ObjectStatus:Not successful

[Thr 1800] SignerCert:

[Thr 1800] Certificate:

[Thr 1800] Subject :CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US

[Thr 1800] Verification result:

[Thr 1800] Status :Not successful

[Thr 1800] Profile :1.3.6.1.4.1.694.2.2.2.2

[Thr 1800] SignerStatus:Not successful

[Thr 1800] BasicConstraintsPathLen:1

[Thr 1800] SignerVerificationResult:

[Thr 1800] element#no="1":

[Thr 1800] Status :Not successful

[Thr 1800] Validity :Successful

[Thr 1800] BasicConstraints:Successful

[Thr 1800] KeyUsage :Successful

[Thr 1800] ObjectStatus:Not successful

[Thr 1800] SignerCert:

[Thr 1800] Certificate:

[Thr 1800] Subject :CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

[Thr 1800] Verification result:

[Thr 1800] Status :Not successful

[Thr 1800] Profile :1.3.6.1.4.1.694.2.2.2.2

[Thr 1800] SignerStatus:Not successful

[Thr 1800] SignerVerificationResult: None

[Thr 1800]

[Thr 1800] << ---------- End of Secude-SSL Errorstack ----------

[Thr 1800] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 1800] SSL NI-sock: local=172.16.130.221:47564 peer=172.16.143.101:80

[Thr 1800] <<- ERROR: SapSSLSessionStart(sssl_hdl=1115818b0)==SSSLERR_PEER_CERT_UNTRUSTED

[Thr 1800] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0009b898} [icxxconn_mt.c 1957]

Does anyone have a suggestion?

regards

Chris


8 Answers

  • Best Answer
    Former Member
    Posted on Apr 02, 2015 at 06:58 AM

    Okay, I found my issue.

    I imported the certificates to "System-PSE" instead of "SSL Client SSL Client (Standard)".

    blunder 😠

    regards

    Chris
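
Added example, not part of the original thread and not SAP code: a small parser that pulls out of an ICM trace the PSE file the failing handshake used and the chain subjects that were rejected, which is the information needed to import the CA certificates into the right STRUST node. The names `diagnose` and `PSE_NODES` are hypothetical; the mapping assumes the standard PSE file names, and the sample is a shortened copy of the trace in the question.

```python
import re

# Assumption: standard PSE file names and the STRUST node each one backs.
PSE_NODES = {
    "SAPSYS.pse": "System PSE",
    "SAPSSLS.pse": "SSL server Standard",
    "SAPSSLC.pse": "SSL client SSL Client (Standard)",
    "SAPSSLA.pse": "SSL client SSL Client (Anonymous)",
}

# Constructed sample: a shortened copy of the trace lines quoted in the question.
SAMPLE_TRACE = '''\
[Thr 1800] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 1800] session uses PSE file "/usr/sap/SSM/DVEBMGS01/sec/SAPSSLC.pse"
[Thr 1800] Subject :CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[Thr 1800] Subject :CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
[Thr 1800] SignerVerificationResult: None
[Thr 1800] <<- ERROR: SapSSLSessionStart(sssl_hdl=1115818b0)==SSSLERR_PEER_CERT_UNTRUSTED
'''

LINE = re.compile(r"^\s*\[Thr (\d+)\]\s?(.*)$")
PSE = re.compile(r'session uses PSE file "([^"]+)"')
SUBJECT = re.compile(r"Subject\s*:(.+)")

def diagnose(trace):
    """One finding per handshake that ended in SSSLERR_PEER_CERT_UNTRUSTED."""
    sessions, findings = {}, []
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        thr, text = m.group(1), m.group(2).strip()
        if thr not in sessions or text.startswith("*** ERROR during SecudeSSL_SessionStart"):
            sessions[thr] = {"pse": None, "chain": []}  # new handshake on this thread
        s = sessions[thr]
        if PSE.search(text):
            s["pse"] = PSE.search(text).group(1)
        elif SUBJECT.match(text):
            s["chain"].append(SUBJECT.match(text).group(1).strip())
        elif text.endswith("==SSSLERR_PEER_CERT_UNTRUSTED") and s["pse"]:
            findings.append({
                "thread": thr,
                "pse_file": s["pse"],
                # Node to open in STRUST; "unknown" for non-standard file names.
                "strust_node": PSE_NODES.get(s["pse"].rsplit("/", 1)[-1], "unknown"),
                # Subjects in trace order: issuing CA first, top of the chain last.
                "chain": list(s["chain"]),
            })
    return findings
```

For the trace in the question this reports SAPSSLC.pse, so the certificate list to check is the one under the SSL client (Standard) node, not the System PSE.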


  • Posted on Jan 16, 2015 at 03:19 PM

    Hi,

    Can you paste the SMICM log?

    Go to transaction SMICM -> Goto -> Trace File -> Display All

    Thanks ,

    Manu


  • Posted on Jan 16, 2015 at 04:09 PM

    Hello Christian,

    Have you restarted ICM after importing the certificates?


  • Posted on Jan 16, 2015 at 04:33 PM

    Hi

    The certificates to be downloaded and imported are

    • GTE CyberTrust Global Root
    • VeriSign Class 3 Secure Server CA
    • VeriSign Class 3 Public Primary Certification Authority

    Can you please remove all other certificates from STRUST? All the errors are referring to the wrong certificates.

    Restart ICM, reset the trace file and post the log.



  • Former Member
    Posted on Feb 03, 2015 at 01:47 PM

    We have now installed the new certificates, but still get the error. 😕

    [Thr 2828] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

    [Thr 2828] session uses PSE file "/usr/sap/SSM/DVEBMGS01/sec/SAPSSLC.pse"

    [Thr 2828] SecudeSSL_SessionStart: SSL_connect() failed --

    [Thr 2828] secude_error 536872221 (0x2000051d) = "SSL API error"

    [Thr 2828] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

    [Thr 2828] 0x2000051d | SAPCRYPTOLIB | SSL_connect

    [Thr 2828] SSL API error

    [Thr 2828] Failed to verify peer certificate. Peer not trusted.

    [Thr 2828] 0xa0600203 | SSL | ssl_verify_peer_certificates

    [Thr 2828] Peer not trusted

    [Thr 2828] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates

    [Thr 2828] peer certificate (chain) is not trusted

    [Thr 2828] PropertyBlock:

    [Thr 2828] Status :Not successful

    [Thr 2828] Profile :1.3.6.1.4.1.694.2.2.2.2

    [Thr 2828] SignerStatus:Not successful

    [Thr 2828] SignerVerificationResult:

    [Thr 2828] element#no="1":

    [Thr 2828] Status :Not successful

    [Thr 2828] Validity :Successful

    [Thr 2828] BasicConstraints:Successful

    [Thr 2828] KeyUsage :Successful

    [Thr 2828] ObjectStatus:Not successful

    [Thr 2828] SignerCert:

    [Thr 2828] Certificate:

    [Thr 2828] Subject :CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US

    [Thr 2828] Verification result:

    [Thr 2828] Status :Not successful

    [Thr 2828] Profile :1.3.6.1.4.1.694.2.2.2.2

    [Thr 2828] SignerStatus:Not successful

    [Thr 2828] BasicConstraintsPathLen:1

    [Thr 2828] SignerVerificationResult:

    [Thr 2828] element#no="1":

    [Thr 2828] Status :Not successful

    [Thr 2828] Validity :Successful

    [Thr 2828] BasicConstraints:Successful

    [Thr 2828] KeyUsage :Successful

    [Thr 2828] ObjectStatus:Not successful

    [Thr 2828] SignerCert:

    [Thr 2828] Certificate:

    [Thr 2828] Subject :CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    [Thr 2828] Verification result:

    [Thr 2828] Status :Not successful

    [Thr 2828] Profile :1.3.6.1.4.1.694.2.2.2.2

    [Thr 2828] SignerStatus:Not successful

    [Thr 2828] SignerVerificationResult: None

    [Thr 2828]

    [Thr 2828] << ---------- End of Secude-SSL Errorstack ----------

    [Thr 2828] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

    [Thr 2828] SSL NI-sock: local=172.16.130.221:52457 peer=172.16.143.101:80

    [Thr 2828] <<- ERROR: SapSSLSessionStart(sssl_hdl=116f6f4d0)==SSSLERR_PEER_CERT_UNTRUSTED

    [Thr 2828] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {000ef4ed} [icxxconn_mt.c 1957]

  • Posted on Mar 10, 2015 at 05:00 PM

    Hello Christian,

    Are you still facing the error?

    Regards,

    Siddhesh


  • Former Member
    Posted on Mar 10, 2015 at 05:18 PM

    Yes, the error is still there. Root cert not trusted.

    Used the manual solution.


    • Former Member

      Hello Christian,

      Sorry for the long delay in responding to your query.

      Good to know that you could manually download and implement the content to your system.

      Do you want to configure automatic download for RCD, or do you want to stay with the manual download?

      If you still have issues with the automatic download configuration or any other issues related to RCD, please raise a ticket on the SV-SMG-RCD component and my colleagues will assist you with that.

      Thanks and Best Regards,

      Ambika

