
I have renewed my SAProuter certificate but now I have this error.

0 Kudos

Hi Everyone,

I have renewed my SAProuter certificate like I used to do, but now I have this error, and now I cannot connect to OSS.

Any idea what I have done wrong?

RTCONMGR::getFreeCon: mSourceConNo 1 mFreeConNo 799

NiICreateHandle: hdl 17 state NI_INITIAL_CON

NiIInitSocket: set default settings for new hdl 17/sock 492 (I4; ST)

NiIBlockMode: set blockmode for hdl 17 FALSE

NiIConnectSocket: connection of hdl 17 to 194.39.131.34:3299 in progress (timeout=0)

NiIConnect: hdl 17 took local address 0.0.0.0:50018

NiIConnect: state of hdl 17 NI_CONN_WAIT

NiSncIInitHdlSecurity for hdl 17

<<- SncSessionInit()==SAP_O_K

    out: &snc_hdl = 0000000008316F60

<<- SncSetQOP()==SAP_O_K

     in: qop values = "min=8 (default), max=8 (default), use=8 (default)"

          resulting = "min=3 (old:3), max=3 (old:3), use=3 (old:3)"

<<- SncSessionInitiatorAK()==SAP_O_K

  'target_acl_key' (addr=000000000732C924, len=105) full hexdump

  0x00000  00030401 00080606 2b240301 25010000  ........ +$..%...

  0x00010  00573055 310b3009 06035504 06130244  .W0U1.0. ..U....D

  0x00020  45311f30 1d060355 040a1316 53415020  E1.0...U ....SAP

  0x00030  54727573 7420436f 6d6d756e 69747920  Trust Co mmunity

  0x00040  49493112 30100603 55040b13 09534150  II1.0... U....SAP

  0x00050  726f7574 65723111 300f0603 55040313  router1. 0...U...

  0x00060  08736170 73657276 32                 .sapserv 2      

         parses to      = "p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE"

->> SncProcessOutput(snc_hdl=0000000008316F60, ibuf=0000000000000000, ilen=0,

          &idone=000000000732C820, &obuf=000000000732C7F0, &oused=000000000732C7E0)

*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE' [sncxxall.c 3585]

*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3551]

      GSS-API(maj): No credentials were supplied

    Unable to establish the security context

    target="p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE"

<<- SncProcessOutput()==SNCERR_GSSAPI

*** ERROR => NiSncIInitHdlSecurity: SncProcessOutput failed (sncrc=-4;0000000008316F60) [nisnc.c      1202]

<<- SncSessionDone()==SAP_O_K

NiICloseHandle: called for hdl 17 while waiting for connection

NiICloseHandle: shutdown and close hdl 17/sock 492

*** ERROR => NiSncHandleForAddr C9/-1, 194.39.131.34 (rc=-17) [nirout.cpp   3997]

*** ERROR => NiRClientHandle: NiRExRouteCon for C9/-1 'sapsolman.rebisco.com' failed (rc=-17) [nirout.cpp   3364]

NiBufISendErr: send ni-error rc -104 to hdl 9

NiIWrite: hdl 9 sent data (wrt=240,pac=1,MESG_IO)

NiRCloseConn: closing C9/-1

NiICloseHandle: shutdown and close hdl 9/sock 480

RTCONMGR::releaseCon: mSourceConNo 0 mFreeConNo 800

RTCONMGR::releaseCon: mSourceConNo 0 mFreeConNo 801

Accepted Solutions (1)


0 Kudos

Hi,

We already use SAPCRYPTOLIBP_8438-20011729.SAR and saprouter 7.21 but still get the same error.

->> SncProcessInput(snc_hdl=0000000008235EB0, ibuf=0000000008237328, ilen=1941, &obuf=000000000737F9A0,

          &olen=000000000737F990, &backbuf=000000000737F8F8, &backlen=000000000737F8F0)

*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE' [sncxxall.c 3585]

*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3551]

      GSS-API(maj): Miscellaneous failure

      GSS-API(min): A2200202:Actual server name differs from requested one.

    Unable to establish the security context

    target="p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE"

<<- SncProcessInput()==SNCERR_GSSAPI

*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;0000000008235EB0;1941) [nisnc.c      1010]

NiSelISelectInt: 1 handles selected (1 buffered)

former_member182657
Active Contributor
0 Kudos

Hi,

Have you checked

GSS-API(min): A2200202:Actual server name differs from requested one.

Please generate the certificate for the corrected one.


Hope this will help you.
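An added example, not part of any post in this thread: a small Python parser that pulls the SNC target and the GSS-API major/minor status out of a dev_rout excerpt, so the two different failures posted above can be told apart at a glance. The sample lines are copied from the traces in this thread; the function and field names are assumptions made for the example.

```python
import re

TARGET_RE = re.compile(r"SncPEstablishContext\(\) failed for target='([^']+)'")
STATUS_RE = re.compile(r"GSS-API\((maj|min)\):\s*(.+)")
MIN_CODE_RE = re.compile(r"^([0-9A-Fa-f]{8}):(.*)$")  # e.g. "A2200202:text"

# Lines quoted from the two dev_rout excerpts posted in this thread.
SAMPLE_TRACE = """
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE' [sncxxall.c 3585]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3551]
      GSS-API(maj): No credentials were supplied
    Unable to establish the security context
*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE' [sncxxall.c 3585]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3551]
      GSS-API(maj): Miscellaneous failure
      GSS-API(min): A2200202:Actual server name differs from requested one.
    Unable to establish the security context
"""

def gss_failures(trace):
    """Return one dict per failed SNC context setup found in the trace text."""
    failures, current = [], None
    for raw in trace.splitlines():
        line = raw.strip()
        m = TARGET_RE.search(line)
        if m:  # a new failure block starts with the target line
            current = {"target": m.group(1), "maj": None,
                       "min_code": None, "min": None}
            failures.append(current)
            continue
        m = STATUS_RE.search(line)
        if m and current is not None:
            kind, text = m.group(1), m.group(2).strip()
            if kind == "maj":
                current["maj"] = text
            else:
                c = MIN_CODE_RE.match(text)
                if c:  # minor status carries a hex code before the text
                    current["min_code"] = c.group(1).upper()
                    current["min"] = c.group(2).strip()
                else:
                    current["min"] = text
    return failures

if __name__ == "__main__":
    for f in gss_failures(SAMPLE_TRACE):
        print(f["target"], "|", f["maj"], "|", f["min_code"], f["min"])
```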

mamartins
Active Contributor
0 Kudos

Hi,

You need to add another certificate to the LOCAL PSE to let the SAPROUTER be able to talk with the old CA.

Download the certificate smprootca.der from the note 2131531 and execute the command "sapgenpse maintain_pk -a smprootca.der"

MM

Answers (6)


0 Kudos

Already resolved the issue. The resolution was to create the certificate with the correct CN = "name" (case sensitive).

CN=sapxxxx, OU=00007XXXXX, OU=SAProuter, O=SAP, C=D is different from CN=SAPXXXX, OU=00007XXXXX, OU=SAProuter, O=SAP, C=D

I think the main issue here was mismanagement of registered saprouter certificate.

To validate the correct Distinguished Name go to service > SAProuter > Properties > General tab > see the path to execute and validate what Distinguished Name is being executed.

Thank you everyone,
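An added example, not part of the post above: a Python check that compares the Distinguished Name the SAProuter service is started with against the subject of the issued certificate, and flags components that differ only in letter case. It assumes the service command line passes the SNC name as `-K "p:<DN>"`; the command line and install path are constructed sample values, and the two DNs are the placeholders used in the post.

```python
import re

# Constructed sample: service "path to executable" as shown in the service properties.
CMDLINE = r'C:\saprouter\saprouter.exe -r -K "p:CN=SAPXXXX, OU=00007XXXXX, OU=SAProuter, O=SAP, C=D"'
# Subject of the issued certificate (placeholder value from the post).
CERT_SUBJECT = "CN=sapxxxx, OU=00007XXXXX, OU=SAProuter, O=SAP, C=D"

def parse_dn(dn):
    """Split 'p:CN=a, OU=b' into [('CN', 'a'), ('OU', 'b')], keeping value case."""
    dn = dn.strip()
    if dn.lower().startswith("p:"):          # SNC name prefix seen in the trace
        dn = dn[2:]
    rdns = []
    for part in re.split(r"(?<!\\),", dn):   # split on unescaped commas
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def snc_name_from_cmdline(cmdline):
    """Return the quoted SNC name that follows -K in a saprouter command line."""
    m = re.search(r'-K\s+"([^"]+)"', cmdline)
    if not m:
        raise ValueError('no -K "..." argument found')
    return m.group(1)

def compare_dn(configured, certificate):
    """Return (attr, configured_value, certificate_value, verdict) per RDN."""
    a, b = parse_dn(configured), parse_dn(certificate)
    if len(a) != len(b):
        return [("*", configured, certificate, "different number of RDNs")]
    findings = []
    for (ka, va), (kb, vb) in zip(a, b):
        if ka != kb:
            verdict = "different attribute"
        elif va == vb:
            verdict = "match"
        elif va.lower() == vb.lower():
            verdict = "case-only mismatch"   # the situation described in the post
        else:
            verdict = "mismatch"
        findings.append((ka, va, vb, verdict))
    return findings

def dn_matches(configured, certificate):
    return all(f[3] == "match" for f in compare_dn(configured, certificate))

if __name__ == "__main__":
    for row in compare_dn(snc_name_from_cmdline(CMDLINE), CERT_SUBJECT):
        print(row)
```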

Former Member
0 Kudos

Hi Michael,

SAP has a new CA for SNC after 15 April 2015, so you have to configure a new router and certificate.

Below are steps by which you can configure.

You're using an obsolete version of sapcryptolib file (5.5.5c) and

1) Remove the following folder

-ntia64

-ntintel

-nt-x86_64

2) Go to https://support.sap.com/software.html

>Support Packages & Patches

> A-Z Alphabetical List of Products

> S

> SAPCRYPTOLIB

> COMMONCRYPTOLIB 8

> your preferred O.S. version

> SAPCRYPTOLIBP_XXXX-XXXXXXXX.SAR

decompress the file to get the new sapcrypto.dll.

3) Go to https://support.sap.com/software.html

> Support Packages & Patches

> A-Z Alphabetical List of Products

> S

> SAPROUTER

> SAPROUTER (latest version)

> your preferred O.S. version

> saprouter_XXX-XXXXXXXX.sar

decompress the file to get the new saprouter.exe. Replace the old saprouter.exe with the new saprouter.exe

4) Point your SNC_LIB to the new sapcrypto.dll and reboot your saprouter server for the new environment variable to take effect.

5) Do the following:

- Follow the steps in SAP Note 2131531 - New Root Certification Authority for saprouter certificates

- On your SAProuter, delete your existing PSE file and old certificate file (local.pse, cred_v2)

- Go to https://support.sap.com/remote-support/saprouter/saprouter-certificates.html

- Click on "Apply Now!"

- Follow the steps detailed in the documentation closely

https://support.sap.com/remote-support/help/installing-saprouter.html

-> Creating the certificate request

IMPORTANT: Please do step 11, import of old SAProuter SMP Root CA Certificate

Regards,

Himanshu

0 Kudos

Before anything else, thank you all for your replies. I have followed all the steps here:

http://scn.sap.com/community/it-management/alm/solution-manager/blog/2015/04/21/clock-is-ticking

But still I cannot connect with the following error from dev_rout;

->> SncProcessInput(snc_hdl=0000000008555EB0, ibuf=0000000008557328, ilen=1941, &obuf=000000000730F9A0,

          &olen=000000000730F990, &backbuf=000000000730F8F8, &backlen=000000000730F8F0)

*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE' [sncxxall.c 3585]

*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3551]

      GSS-API(maj): Miscellaneous failure

      GSS-API(min): A2200202:Actual server name differs from requested one.

    Unable to establish the security context

    target="p:CN=sapserv2, OU=SAProuter, O=SAP Trust Community II, C=DE"

<<- SncProcessInput()==SNCERR_GSSAPI

*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;0000000008555EB0;1941) [nisnc.c      1010]

NiSelISelectInt: 1 handles selected (1 buffered)

divyanshu_srivastava3
Active Contributor
0 Kudos

I believe something went wrong during the setup.

Please crosscheck using "Installing the sapcrypto library and starting the SAProuter" section in below guide.

Installing the sapcrypto library and starting the SAProuter | SAP Support Portal

Regards,

divyanshu_srivastava3
Active Contributor
0 Kudos

Hi Mondelo,

You wrote

I have renewed my SAProuter certificate like I used to do, but now I have this error, and now I cannot connect to OSS.

There are some changes on how we have to deal with renewal of saprouter certificates as SAP is now signing the certificates using new root CA.

As per the KBA - 2131531 - New Root Certification Authority for SAProuter certificates - which is floating everywhere, you need to take care of the following section.


From 04/15/2015 11:00 AM CET until 07/16/2015 11:00 AM CET

All certificates signed by SAP during this period will be created using the new SAProuter CA. This requires changes on the customer site so please plan accordingly.

If you apply for an SAProuter certificate after 04/15/2015 11:00 AM CET the following steps are mandatory:

  • Use latest Common Crypto Library
  • Use a PSE with a key size of 2048
  • Import old SAProuter Root CA (this step is important and necessary to establish the trust with the sapservX SAProuter at SAP until 07/18/2015)

In addition, using the latest SAProuter version is strongly recommended.

Also,


From 04/15/2015 11:00 AM CET until 07/18/2015 you need to import the old SAProuter Root CA manually:

The old SAProuter SMP Root CA certificate is attached to SAP note 2131531.

Import the old SAProuter SMP CA Root CA certificate as trusted into your PSE.

sapgenpse maintain_pk -a smprootca.der -p local.pse

This is necessary, since SAP has to keep using saprouter certificates signed by the old SAProuter SMP Root CA for interoperability reasons. If you omit this step, SNC connections to SAP cannot be established.

Now, as Gaurav Rana has mentioned the steps in his blog, you can follow the instruction and get this fixed.

There is one more blog, which you should also refer

Regards,

Former Member
0 Kudos
former_member182657
Active Contributor
0 Kudos

Hi Michael,

Have you followed SCN doc at

Regards,