on 05-05-2015 5:07 PM
Dear Gurus,
We decided to upgrade our SAPROUTER related to note 2131531 - New Root Certification Authority for saprouter certificates
Everything seems OK. I followed the fresh installation of SNC SAProuter: Installing the sapcrypto library and starting the SAProuter | SAP Support Portal
----------------------------------------------------------------------------------------------
Here is the SAPROUTER-as-a-service command (it works and runs well):
d:\usr\sap\saprouter\saprouter.exe service -r -D -W 20000 -G d:\usr\sap\saprouter\saprouter.log -S 3299 -R d:\usr\sap\saprouter\saprouttab -K "p:CN=........., OU=......., OU=SAProuter, O=SAP, C=DE"
---------------------------------------
Env variables:
SNC_LIB = D:\usr\sap\saprouter\sapcrypto.dll
SECUDIR = D:\usr\sap\saprouter
---------------------------------------------------------------------------------------------
Here are also the check commands showing SAPROUTER is working correctly:
D:\usr\sap\saprouter>sapgenpse get_my_name -v -n Issuer
Opening PSE "D:\usr\sap\saprouter\local.pse"...
PSE (v2) open ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "Administrator"
with PSE file "D:\usr\sap\saprouter\local.pse"
Issuer : CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE
D:\usr\sap\saprouter>sapgenpse.exe get_my_name -n validity
SSO for USER "Administrator"
with PSE file "D:\usr\sap\saprouter\local.pse"
Validity - NotBefore: Tue May 5 16:23:09 2015 (150505142309Z)
NotAfter: Wed May 4 16:23:09 2016 (160504142309Z)
When I check the SAPOSS connection, it fails (it was working before the SAPROUTER upgrade).
--------------------------------------------------------------------------
DEV_ROUT:
Tue May 05 18:51:01 2015
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [D:/depot/b 3386]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [D:/depot/bas/74 3352]
GSS-API(maj): Miscellaneous failure
GSS-API(min): A2200223:Peer certificate path not trusted
Unable to establish the security context
target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
<<- SncProcessInput()==SNCERR_GSSAPI
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;000000000282E8A0;1941) [nisnc.c 1003]
Tue May 05 18:51:11 2015
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [D:/depot/b 3386]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [D:/depot/bas/74 3352]
GSS-API(maj): Miscellaneous failure
GSS-API(min): A2200223:Peer certificate path not trusted
Unable to establish the security context
target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
<<- SncProcessInput()==SNCERR_GSSAPI
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;000000000282E8A0;1941) [nisnc.c 1003]
------------------------------------------------------------------------------------------------------------------
What could be wrong?
Also, here is the SAPROUTER version:
--------------------
SAProuter information
--------------------
kernel release 742
kernel make variant 742_REL
DBMS client library
compiled on NT 6.1 7601 x86 MS VC++ 16.00 for NTAMD64
compiled for 64 BIT
compilation mode Non-Unicode
compile time Mar 31 2015 19:17:37
update level 0
patch number 111
source id 0.111
RKS compatibility level 0
---------------------
supported environment
---------------------
database (SAP, table SVERS) 740
operating system
Windows NT 6.0
Windows NT 6.1
Windows NT 6.2
Windows NT 6.3
Regards
Hi,
GSS-API(min): A2200223:Peer certificate path not trusted
I suggest you follow SAP Note 1867829 - List of SNC Error Codes.
As per the note, this message indicates:
A2200223 Peer certificate path not trusted.
The certificate verification failed because the certificate path is not complete (CA certificate is missing), or the root certificate is not trusted.
Thanks,
Yes, root cause is:
GSS-API(min): A2200223:Peer certificate path not trusted
You need to import the CA root certificate into the PSE file used by your saprouter.
Check the steps under "Creating the certificate request" at this Marketplace page.
Regards,
Isaías
It is resolved now; I missed this step. Thank you, guys.
The old SAProuter SMP Root CA certificate is attached to SAP note 2131531.
Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE.
sapgenpse maintain_pk -a smprootca.der -p local.pse
This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.
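A small triage script for the dev_rout trace discussed in this thread, added here as an example (not part of any post above and not SAP code): it groups SNC failures by peer SNC name and GSS-API minor code and attaches the fix given in the thread for A2200223. The function name and the hint table are assumptions of this example; the sample trace is abridged from the question.

```python
import re
from datetime import datetime

# Abridged from the dev_rout trace quoted in the question (two failed attempts).
DEV_ROUT = """\
Tue May 05 18:51:01 2015
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [D:/depot/b 3386]
GSS-API(maj): Miscellaneous failure
GSS-API(min): A2200223:Peer certificate path not trusted
Tue May 05 18:51:11 2015
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [D:/depot/b 3386]
GSS-API(min): A2200223:Peer certificate path not trusted
"""

# Only the code explained in this thread; extend from SAP Note 1867829 as needed.
HINTS = {"A2200223": "CA certificate missing or root not trusted: import it "
                     "with 'sapgenpse maintain_pk -a smprootca.der -p local.pse'"}

TS_RE = re.compile(r"^\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}$")
TARGET_RE = re.compile(r"failed for target='([^']+)'")
MINOR_RE = re.compile(r"^GSS-API\(min\): (\w+):(.*)$")

def summarize_snc_failures(trace):
    """Group SNC failures by (peer SNC name, GSS-API minor code)."""
    ts = target = None
    summary = {}
    for line in trace.splitlines():
        line = line.strip()
        if TS_RE.match(line):                      # timestamp opens a trace block
            ts = datetime.strptime(line, "%a %b %d %H:%M:%S %Y")
        elif (m := TARGET_RE.search(line)):        # peer the handshake was aimed at
            target = m.group(1)
        elif (m := MINOR_RE.match(line)):          # minor code carries the real cause
            code, text = m.group(1), m.group(2).strip()
            entry = summary.setdefault((target, code), {
                "count": 0, "first": ts, "last": ts, "text": text,
                "hint": HINTS.get(code, "look up in SAP Note 1867829")})
            entry["count"] += 1
            entry["last"] = ts
    return summary

if __name__ == "__main__":
    for (peer, code), e in summarize_snc_failures(DEV_ROUT).items():
        print(f"{e['count']}x {code} ({e['text']}) for {peer}")
        print(f"  {e['first']} .. {e['last']}\n  fix: {e['hint']}")
```

Repeated A2200223 entries for the same peer collapse into one row, which makes it clear that a single missing trust anchor in the PSE explains every failed attempt.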
Please follow the recommendations again.
It seems you have missed something somewhere.