Former Member

Can't get SSL Authentication to work

Our SAP server is supposed to call an external web service, which requires authentication via an SSL certificate. So in STRUST I have created a new client certificate, which has been imported on the external server. Also we have received the servers' certificate, which has been added to this new entry in STRUST.

In SOAMANAGER I have set this new STRUST entry to be used for authentication at the web service provider.

Now when our SAP machine calls the remote web service, authentication fails.

In the ICM logs the following error messages are given:

[Thr 140543812142848] SecuSSL_SessionStart: SSL_connnect() failed (536875072/0x20001040)
[Thr 140543812142848] => "SSL API error"
[Thr 140543812142848] >> Begin of Secu-SSL Errorstack >>
[Thr 140543812142848] 0x20001040 SAPCRYPTOLIB SSL_connect
[Thr 140543812142848] SSL API error
[Thr 140543812142848] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 140543812142848] 0xa0600266 SSL ssl3_read_bytes
[Thr 140543812142848] received a fatal SSLv3 handshake failure alert message from the peer
[Thr 140543812142848] << End of Secu-SSL Errorstack
[Thr 140543812142848] SSL_get_state()==0x21d0 "SSLv3 read finished A"
[Thr 140543812142848] No certificate request received from Server
[Thr 140543812142848] SSL NI-hdl 401: local=10.156.32.11:62224 peer=10.206.58.12:16101
[Thr 140543812142848] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x7fd2d0099410)==SSSLERR_SSL_CONNECT

Any ideas what we might be missing here?


6 Answers

  • Best Answer
    Posted on May 13, 2015 at 09:04 PM

    There are two issues that are not visible from the artificially truncated(!!) error details that you quoted initially.

    (1) you originally had configured your client to use "SSL client Anonymous" (SAPSSLA.pse)

    (2) you're talking to a defective TLS Server which is sending a malformed TLS Certificate Request handshake message with an empty certificate_authorities element, in violation of the TLS protocol specification, and you had not enabled the workaround to blindly send a client certificate in response to a malformed CertificateRequest handshake message. See SAP Note 510007 section 7 (ssl/client_ciphersuites=208:HIGH:MEDIUM:+e3DES).

    -Martin

    PS: The amount and intensity of random guessing around here is disappointing.

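To make the failure mode in the accepted answer concrete, here is an added example (not code from the thread or from SAP) that encodes and parses a TLS 1.0/1.1 CertificateRequest handshake message and shows why a strict client stays silent when the server's certificate_authorities list is empty, while the "blindly answer" workaround still sends the certificate. The DER distinguished names, the message builder and the decision function are constructed for this illustration and are not SAPCRYPTOLIB's implementation.

```python
import struct

# TLS 1.0/1.1 CertificateRequest body (RFC 2246 / RFC 4346, section 7.4.4):
#   ClientCertificateType certificate_types<1..2^8-1>;
#   DistinguishedName     certificate_authorities<3..2^16-1>;
# The CA vector has a minimum length of 3, so an empty list is malformed in
# these versions (TLS 1.2, RFC 5246, relaxes the vector to <0..2^16-1>).
HANDSHAKE_CERTIFICATE_REQUEST = 13
RSA_SIGN = 1  # ClientCertificateType rsa_sign

def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (short-form lengths only, enough for sample DNs)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def sample_dn(common_name: str) -> bytes:
    """Constructed DER Name with a single CN attribute (OID 2.5.4.3)."""
    attr = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03")
                   + der_tlv(0x13, common_name.encode("ascii")))
    return der_tlv(0x30, der_tlv(0x31, attr))

def build_certificate_request(cert_types, ca_dns) -> bytes:
    """Encode a certificate_request handshake message (constructed sample)."""
    ca_vec = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    body = (bytes([len(cert_types)]) + bytes(cert_types)
            + struct.pack("!H", len(ca_vec)) + ca_vec)
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

def parse_certificate_request(msg: bytes) -> dict:
    """Parse the handshake message and flag an empty certificate_authorities vector."""
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    n_types = body[0]
    cert_types = list(body[1:1 + n_types])
    pos = 1 + n_types
    (ca_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ca_len
    cas = []
    while pos < end:  # each entry is a 2-byte length followed by a DER Name
        (dn_len,) = struct.unpack("!H", body[pos:pos + 2])
        cas.append(body[pos + 2:pos + 2 + dn_len])
        pos += 2 + dn_len
    return {"certificate_types": cert_types, "certificate_authorities": cas,
            "malformed_empty_ca_list": ca_len == 0}

def should_send_client_cert(req: dict, issuer_dn: bytes, blindly_answer_empty=False) -> bool:
    """Strict behaviour: answer only when the issuer is listed; the workaround the
    accepted answer describes (hypothetical flag here) answers an empty list as well."""
    if req["malformed_empty_ca_list"]:
        return blindly_answer_empty
    return issuer_dn in req["certificate_authorities"]
```

With the strict setting the client never sends its certificate, the server then aborts with a handshake_failure alert, and the ICM log reads exactly as quoted in the question: "No certificate request received from Server".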

    • Former Member

      Hey Matthias,

      Glad it all got resolved in the end.

      I don't know whether you missed it but this parameter change from note 510007 was already suggested to you back on May 06.

      A great weekend to all who chipped in.

      Cheers,

      Amerjit

  • Posted on May 05, 2015 at 10:41 AM

    Hello Matthias,

    As per the scenario you described, you are doing the following:

    - Setting up a Service Consumer Proxy to consume an external web service

    As per the blog : Create an SAP Web Service Consumer (calling External Web Service from ABAP)

    Check Step 6,7,8

    - When you create a logical port in SOAMANAGER you potentially selected the options to authenticate with external server to use client X.509 certificates

    if the above is applicable to you, then your SAP server is acting as a client in the communication workflow and hence your SSL Standard Client PSE will be used and not Server PSE as per help documentation below.

    SSL Client PSEs - Network and Transport Layer Security - SAP Library

    You will need to ask the external server provider to generate a client x.509 certificate for you and upload it to your SSL Standard Client PSE.

    Regards,

    Siddhesh


  • Former Member
    Posted on Apr 29, 2015 at 02:01 PM

    Check if external site supports SSLv3 protocol. Try the same with TLSv1 or higher. Read SAP note 2086818 - Fixing POODLE SSLv3.0 (CVE-2014-3566) Vulnerability.


  • Posted on Apr 30, 2015 at 07:12 AM

    Hi Matthias,

    Two silly questions:

    1. Did you restart your ICM after importing cert?

    2. Run the command to view if the certificate is on PSE cryptolib as required.

    sapgenpse maintain_pk -l -p <file name of the PSE>

    Kind Regards,

    Johan


  • Former Member
    Posted on Apr 30, 2015 at 09:26 AM

    Hello Matthias,

    Can you please confirm what version of the CRYPTOLIB you are using ?

    KR,

    Amerjit


    • Former Member

      Hello Matthias,

      Thank you for that. You have gone on to the next step of validation yourself so that's great. So we see the provider server is able to and willing to talk as long as you provide the certificate path explicitly.

      That does indeed bring us back to SAP as you have said.

      So if I recap as I'm slightly losing track.

      1. You sent your client cert to the provider.

      2. Your provider imported your client cert into their trusted store.

      3. Both you and the provider have the full CA chain for each others certificates.

      4. Your basis people evaluated/implemented the ssl/client_ciphersuite change that was suggested to you.

      Have I missed/misunderstood something ?

      Amerjit

  • Posted on May 07, 2015 at 01:21 PM

    Hello,

    I suggest you check if the own certificate of the selected PSE in STRUST is trusted by the external server.

    The problem is that the external server does not accept your client certificate.

    Thanks.

    Jim
