Skip to Content

Saprouter Error (GSS-API(maj): Miscellaneous failure)

Dear Gurus,

We decided to upgrade our SAPROUTER related to note 2131531 - New Root Certification Authority for saprouter certificates


Everything seems ok, i follow up fresh installation snc saprouter ; Installing the sapcrypto library and starting the SAProuter | SAP Support Portal

----------------------------------------------------------------------------------------------

Here is SAPROUTER as a Service COMMAND ; (It works and run well)


d:\usr\sap\saprouter\saprouter.exe service -r -D -W 20000 -G d:\usr\sap\saprouter\saprouter.log -S 3299 -R d:\usr\sap\saprouter\saprouttab -K "p:CN=........., OU=......., OU=SAProuter, O=SAP, C=DE"

---------------------------------------


Env Variables ;

SNC_LIB

D:\usr\sap\saprouter\sapcrypto.dll


SECUDIR

D:\usr\sap\saprouter


---------------------------------------------------------------------------------------------

Here also check commands for SAPROUTER working correctly ;


D:\usr\sap\saprouter>sapgenpse get_my_name -v -n Issuer

Opening PSE "D:\usr\sap\saprouter\local.pse"...

PSE (v2) open ok.

Retrieving my certificate... ok.

Getting requested information... ok.

SSO for USER "Administrator"

with PSE file "D:\usr\sap\saprouter\local.pse"

Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE

D:\usr\sap\saprouter>sapgenpse.exe get_my_name -n validity

SSO for USER "Administrator"

with PSE file "D:\usr\sap\saprouter\local.pse"

Validity - NotBefore: Tue May 5 16:23:09 2015 (150505142309Z)

NotAfter: Wed May 4 16:23:09 2016 (160504142309Z)




WHEN CHECK SAPOSS Connection is failed (it was working before upgrade SAPROUTER)

--------------------------------------------------------------------------

DEV_ROUT ;

Tue May 05 18:51:01 2015

*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [D:/depot/b 3386]

*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [D:/depot/bas/74 3352]

GSS-API(maj): Miscellaneous failure

GSS-API(min): A2200223:Peer certificate path not trusted

Unable to establish the security context

target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

<<- SncProcessInput()==SNCERR_GSSAPI

*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;000000000282E8A0;1941) [nisnc.c 1003]

Tue May 05 18:51:11 2015

*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [D:/depot/b 3386]

*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [D:/depot/bas/74 3352]

GSS-API(maj): Miscellaneous failure

GSS-API(min): A2200223:Peer certificate path not trusted

Unable to establish the security context

target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

<<- SncProcessInput()==SNCERR_GSSAPI

*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;000000000282E8A0;1941) [nisnc.c 1003]

------------------------------------------------------------------------------------------------------------------

WHAT COULD BE THE WRONG ???

Also Here is SAPROUTER Version ;

--------------------

SAProuter information

--------------------

kernel release 742

kernel make variant 742_REL

DBMS client library

compiled on NT 6.1 7601 x86 MS VC++ 16.00 for NTAMD64

compiled for 64 BIT

compilation mode Non-Unicode

compile time Mar 31 2015 19:17:37

update level 0

patch number 111

source id 0.111

RKS compatibility level 0

---------------------

supported environment

---------------------

database (SAP, table SVERS) 740

operating system

Windows NT 6.0

Windows NT 6.1

Windows NT 6.2

Windows NT 6.3

Regards

Add a comment
10|10000 characters needed characters exceeded

Related questions

4 Answers

  • Best Answer
    Posted on May 05, 2015 at 04:23 PM

    Hi,

    GSS-API(min): A2200223:Peer certificate path not trusted

    Suggest you to follow SAP Note 1867829 - List of SNC Error Codes

    as per note this message indicates

    A2200223 Peer certificate path not trusted.

    The certificate verification failed because the certificate path is not complete (CA certificate is missing), or the root certificate is not trusted.

    Thanks,

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on May 06, 2015 at 06:42 AM

    It is resolved now, i missed this step. Thank you guys

    1. From 04/15/2015 11:00 AM CET until 07/18/2015 you need to import the old SAProuter Root CA manually:

    The old SAProuter SMP Root CA certificate is attached to SAP note 2131531.

    Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE.

    sapgenpse maintain_pk -a smprootca.der -p local.pse

    This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on May 05, 2015 at 04:17 PM

    Please follow the recommendations again.

    It seems you have missed something somewhere.

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on May 05, 2015 at 04:25 PM

    You could also refer similar SCN thread at

    Thanks,

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.