Former Member

ERROR during SecudeSSL - Rapid Content Delivery in SSM

Posted on Jan 16, 2015 at 03:01 PM 769 Views

Hi Gurus,

we try to configure Rapid Content Delivery in SSM.

We have imported all needed certificates for the SSL in STRUST.

Symantec_Class_1_Individual_Subscriber_CA_-_G4

VeriSign_Class_1_Public_Primary_Certification_Authority_-_G3

VeriSign_Class_2_Public_Primary_Certification_Authority_-_G3

VeriSign_Class_3_Public_Primary_Certification_Authority_-_G3

VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4

VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5

VeriSign_Class_3_Secure_Server_CA

VeriSign_Class_4_Public_Primary_Certification_Authority_-_G3

VeriSign_Inc.

GTE CyberTrust Global Root
But we alway get the following error.

[Thr 1800] Fri Jan 16 15:50:21 2015

[Thr 1800] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 1800] session uses PSE file "/usr/sap/SSM/DVEBMGS01/sec/SAPSSLC.pse"

[Thr 1800] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 1800] secude_error 536872221 (0x2000051d) = "SSL API error"

[Thr 1800] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 1800] 0x2000051d | SAPCRYPTOLIB | SSL_connect

[Thr 1800] SSL API error

[Thr 1800] Failed to verify peer certificate. Peer not trusted.

[Thr 1800] 0xa0600203 | SSL | ssl_verify_peer_certificates

[Thr 1800] Peer not trusted

[Thr 1800] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates

[Thr 1800] peer certificate (chain) is not trusted

[Thr 1800] PropertyBlock:

[Thr 1800] Status :Not successful

[Thr 1800] Profile :1.3.6.1.4.1.694.2.2.2.2

[Thr 1800] SignerStatus:Not successful

[Thr 1800] SignerVerificationResult:

[Thr 1800] element#no="1":

[Thr 1800] Status :Not successful

[Thr 1800] Validity :Successful

[Thr 1800] BasicConstraints:Successful

[Thr 1800] KeyUsage :Successful

[Thr 1800] ObjectStatus:Not successful

[Thr 1800] SignerCert:

[Thr 1800] Certificate:

[Thr 1800] Subject :CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US

[Thr 1800] Verification result:

[Thr 1800] Status :Not successful

[Thr 1800] Profile :1.3.6.1.4.1.694.2.2.2.2

[Thr 1800] SignerStatus:Not successful

[Thr 1800] BasicConstraintsPathLen:1

[Thr 1800] SignerVerificationResult:

[Thr 1800] element#no="1":

[Thr 1800] Status :Not successful

[Thr 1800] Validity :Successful

[Thr 1800] BasicConstraints:Successful

[Thr 1800] KeyUsage :Successful

[Thr 1800] ObjectStatus:Not successful

[Thr 1800] SignerCert:

[Thr 1800] Certificate:

[Thr 1800] Subject :CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

[Thr 1800] Verification result:

[Thr 1800] Status :Not successful

[Thr 1800] Profile :1.3.6.1.4.1.694.2.2.2.2

[Thr 1800] SignerStatus:Not successful

[Thr 1800] SignerVerificationResult: None

[Thr 1800]

[Thr 1800] << ---------- End of Secude-SSL Errorstack ----------

[Thr 1800] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 1800] SSL NI-sock: local=172.16.130.221:47564 peer=172.16.143.101:80

[Thr 1800] <<- ERROR: SapSSLSessionStart(sssl_hdl=1115818b0)==SSSLERR_PEER_CERT_UNTRUSTED

[Thr 1800] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0009b898} [icxxconn_mt.c 1957]

Has someone a suggestion?

regards

Chris

Add a comment

8 Answers

Sort by:

Votes

Newest

Oldest

Best Answer

This answer has been deleted.

This answer has been undeleted.

Former Member

Posted on Apr 02, 2015 at 06:58 AM

3
Okay, i found my issue.

I imported the certificates to "System-PSE" instead to "SSL Client SSL Client (Standard)"

blunder 😠

regards

Chris
- Add a Comment
- Alert Moderator
- Share
Add a comment
10|10000 characters needed characters left characters exceeded
0 Comments
Comment on This Answer

Comment
This answer has been deleted.

This answer has been undeleted.

Manu Mohandas

Posted on Jan 16, 2015 at 03:19 PM

0
Hi ,
Can you paste the SMICM log
Goto transaction SMICM - > Goto ->Trace File -> Display all
Thanks ,
Manu
- Add a Comment
- Alert Moderator
- Share
Add a comment
10|10000 characters needed characters left characters exceeded
1 Comment
- Former Member
  
  Jan 16, 2015 at 04:05 PM
  
  This is the SMICM log in this quote.
  
  regards
  
  Chris
  - Like 0
  - Share
  - Alert Moderator
Comment on This Answer

Comment
This answer has been deleted.

This answer has been undeleted.

Juan Pablo Guerrero

Posted on Jan 16, 2015 at 04:09 PM

0
Hello Christian,

Have you restarted ICM after imported the certificates?
- Add a Comment
- Alert Moderator
- Share
Add a comment
10|10000 characters needed characters left characters exceeded
1 Comment
- Former Member
  
  Jan 19, 2015 at 06:58 AM
  
  yes
  - Like 0
  - Share
  - Alert Moderator
Comment on This Answer

Comment
This answer has been deleted.

This answer has been undeleted.

Manu Mohandas

Posted on Jan 16, 2015 at 04:33 PM

0
Hi

The certificates to be downloaded and imported are
- GTE CyberTrust Global Root
- VeriSign Class 3 Secure Server CA
- VeriSign Class 3 Public Primary Certification Authority
Can you please remove all other certificates from STRUST . All the errors are referring to the wrong certificates .

restar ICM , Reset the trace file and post the log
Untitled.png (41.7 kB)
- Add a Comment
- Alert Moderator
- Share
Add a comment
10|10000 characters needed characters left characters exceeded
1 Comment
- Former Member
  
  Jan 19, 2015 at 07:07 AM
  Okay, the Wiki article is updated. Rapid Content Delivery - Technical Operations - SCN Wiki
  
  Needed Certificates are.
  
  VeriSign Class 3 Public Primary Certification Authority - G5
  
  Baltimore CyberTrust Root
  
  GTE CyberTrust Global Root
  - Like 0
  - Share
  - Alert Moderator
Comment on This Answer

Comment
This answer has been deleted.

This answer has been undeleted.

Former Member

Posted on Feb 03, 2015 at 01:47 PM

0
Now we installed the new certificates, but still get the error. 😕

[Thr 2828] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 2828] session uses PSE file "/usr/sap/SSM/DVEBMGS01/sec/SAPSSLC.pse"

[Thr 2828] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 2828] secude_error 536872221 (0x2000051d) = "SSL API error"

[Thr 2828] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 2828] 0x2000051d | SAPCRYPTOLIB | SSL_connect

[Thr 2828] SSL API error

[Thr 2828] Failed to verify peer certificate. Peer not trusted.

[Thr 2828] 0xa0600203 | SSL | ssl_verify_peer_certificates

[Thr 2828] Peer not trusted

[Thr 2828] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates

[Thr 2828] peer certificate (chain) is not trusted

[Thr 2828] PropertyBlock:

[Thr 2828] Status :Not successful

[Thr 2828] Profile :1.3.6.1.4.1.694.2.2.2.2

[Thr 2828] SignerStatus:Not successful

[Thr 2828] SignerVerificationResult:

[Thr 2828] element#no="1":

[Thr 2828] Status :Not successful

[Thr 2828] Validity :Successful

[Thr 2828] BasicConstraints:Successful

[Thr 2828] KeyUsage :Successful

[Thr 2828] ObjectStatus:Not successful

[Thr 2828] SignerCert:

[Thr 2828] Certificate:

[Thr 2828] Subject :CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US

[Thr 2828] Verification result:

[Thr 2828] Status :Not successful

[Thr 2828] Profile :1.3.6.1.4.1.694.2.2.2.2

[Thr 2828] SignerStatus:Not successful

[Thr 2828] BasicConstraintsPathLen:1

[Thr 2828] SignerVerificationResult:

[Thr 2828] element#no="1":

[Thr 2828] Status :Not successful

[Thr 2828] Validity :Successful

[Thr 2828] BasicConstraints:Successful

[Thr 2828] KeyUsage :Successful

[Thr 2828] ObjectStatus:Not successful

[Thr 2828] SignerCert:

[Thr 2828] Certificate:

[Thr 2828] Subject :CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

[Thr 2828] Verification result:

[Thr 2828] Status :Not successful

[Thr 2828] Profile :1.3.6.1.4.1.694.2.2.2.2

[Thr 2828] SignerStatus:Not successful

[Thr 2828] SignerVerificationResult: None

[Thr 2828]

[Thr 2828] << ---------- End of Secude-SSL Errorstack ----------

[Thr 2828] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 2828] SSL NI-sock: local=172.16.130.221:52457 peer=172.16.143.101:80

[Thr 2828] <<- ERROR: SapSSLSessionStart(sssl_hdl=116f6f4d0)==SSSLERR_PEER_CERT_UNTRUSTED

[Thr 2828] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {000ef4ed} [icxxconn_mt.c 1957]
- Add a Comment
- Alert Moderator
- Share
Add a comment
10|10000 characters needed characters left characters exceeded
1 Comment
- Former Member
  
  Feb 04, 2015 at 07:14 AM
  
  These Notes are already implemented.
  
  Sl. No Note Number Short Text 1 2058016 http://service.sap.com/sap/support/notes/2058016 RCD: Errors during UNCAR of a downloaded SAPCAR ST-CONT file 2 2058571 RCD: The notified deliveries are not being read from SAP-OSS 3 2099283 RCD - HTTP Proxy settings for Auto download RFC issue 4 2119938 Solution Manager Rapid Content Delivery: Import of content fails due to dump in writing file
  - Like 0
  - Share
  - Alert Moderator
Comment on This Answer

Comment
This answer has been deleted.

This answer has been undeleted.

Former Member

Posted on Feb 09, 2015 at 09:50 AM

0
Zwischenablage02.jpg (63.4 kB)
- Add a Comment
- Alert Moderator
- Share
Add a comment
10|10000 characters needed characters left characters exceeded
5 Comments
- Robert Warde Former Member
  
  Mar 10, 2015 at 04:43 PM
  
  Hi Did you resolve this issue?
  I am seeing the same problem (using dual stack PI system) and it is because the client does not have a trusted cert. Now this worked BEFORE we upgraded the sap cyrptographic library.
  - Like 0
  - Share
  - Alert Moderator
Comment on This Answer

Comment
This answer has been deleted.

This answer has been undeleted.

Siddhesh Ghag

Posted on Mar 10, 2015 at 05:00 PM

0
Hello Christian,
Are you still facing an error ?
Regards,
Siddhesh
- Add a Comment
- Alert Moderator
- Share
Add a comment
10|10000 characters needed characters left characters exceeded
0 Comments
Comment on This Answer

Comment
This answer has been deleted.

This answer has been undeleted.

Former Member

Posted on Mar 10, 2015 at 05:18 PM

0
Yes, the error is still there. Not trusted Root Cert.

used the manual solution.
- Add a Comment
- Alert Moderator
- Share
Add a comment
10|10000 characters needed characters left characters exceeded
3 Comments
- Former Member Former Member
  
  Apr 01, 2015 at 04:02 AM
  
  Hello Christian,
  
  Sorry for a long delay in responding to your query.
  
  Good to know that you could manually download and implement the content to your system.
  
  Do you want to configure Automatic download for RCD? or you want to adhere to manual download way?
  
  If you still have issues with Automatic download configuration/ any issues related to RCD, please raise a ticket on SV-SMG-RCD component and my colleagues will assist you on that.
  
  Thanks and Best Regards,
  
  Ambika
  - Like 0
  - Share
  - Alert Moderator
Comment on This Answer

Comment

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.

Rules of Engagement

Know someone who can answer? Share a link to this question.

Attachments: Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.

ERROR during SecudeSSL - Rapid Content Delivery in SSM

Add a comment

Assigned Tags

Related questions

8 Answers

Add a comment

Add a comment

Add a comment

Add a comment

Add a comment

Add a comment

Add a comment

Add a comment

Before answering