Skip to Content

SAP Router Issue - GSS-API(maj): A token had an invalid signature...

Hello Friends,

We renewed a saprouter certificate, It was successfull and we dint face any error during the process. But when we start the router it throws the below error in dev_rout file..

"Sat Jul 11 14:01:22 2015

*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'

[sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3340]

GSS-API(maj): A token had an invalid signature

GSS-API(min): Certification path incomplete

Unable to establish the security context

target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

<<- SncProcessInput()==SNCERR_GSSAPI

*** ERROR => NiSncIProcIn: SncProcessInput failed (rc=-4;0022FB98;1803) [nisnc.c 998]

*** WARNING => NiBufISetHS: ready could not be freed (hdl 2) [nibuf.cpp 4356]

*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE'

[sncxxall3374]*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3340]

GSS-API(maj): A token had an invalid signature

GSS-API(min): Certification path incomplete

Unable to establish the security context

target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

<<- SncProcessInput()==SNCERR_GSSAPI

*** ERROR => NiSncIProcIn: SncProcessInput failed (rc=-4;0022FB98;1803) [nisnc.c 998]"

I found the note 95810 - Problem analysis when using SNC with Secude with the fallowing solution.

"2.1 Errors in the Security Network Layer

------------------------------------

2.1.1 Signature of a certificate cannot be checked

----------------------------------------------------------

The PSE (Personal Security Environment) of the user and application server are issued by different CAs (Certification Authorities). The PSE of the user does not contain a public key of a CA with which the certificate of the application server can be verified.

Use PSEs of the same CA. If this is impossible, check out the option of cross certification with Secude support."



But we do not understand solution. Where and in which file i have to change the public key of CA.


Please help me to to resolve this issue.



Thanks&Regards


Farkath C




Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

3 Answers

  • Best Answer
    Jul 11, 2015 at 06:54 PM

    Hi Farkath,

    Have you followed the 2131531 - New Root Certification Authority for SAProuter certificates ?

    Also, to understand, take a look at New SAProuter CA: Clock is ticking time to act now

    Regards,

    Add comment
    10|10000 characters needed characters exceeded

    • Check this

      From 04/15/2015 11:00 AM CET until 07/18/2015 you need to import the old SAProuter Root CA manually:

      The old SAProuter SMP Root CA certificate is attached to SAP note 2131531.

      Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE.

      In same note download the attachment.

      Use below command

      sapgenpse maintain_pk -a smprootca.der -p local.pse

      This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established

      Regards,

  • avatar image
    Former Member
    Jul 11, 2015 at 07:14 PM
    Add comment
    10|10000 characters needed characters exceeded

  • Jul 11, 2015 at 07:56 PM

    Hello Friends,

    Sorry I missed this step, Once i add the below file my issue has resolved.

    • Import old SAProuter Root CA (this step is important and necessary to establish the trust with the sapservX SAProuter at SAP until 07/18/2015)

    Thanks

    Farkath C

    Add comment
    10|10000 characters needed characters exceeded