
Error ICM in HTTPS connection in CRM

Former Member
0 Kudos

Hello,

I'm facing a problem when the user logs in to the CRM WEBUI using the HTTPS protocol. The user uses BCM to receive calls from a 0800 number, and the BCM software communicates with the CRM, filling in the customer's information. When the user uses the HTTP protocol, the information is filled in, but when the user uses the HTTPS protocol, she can log in (using a certificate and/or logging in manually), but the customer's information is not filled in.

I already updated the certificate from BCM to CRM (in STRUST).

My parameters for HTTPS in RZ10 are:

icm/HTTPS/verify_client                     2

icm/server_port_2                           PROT=HTTPS,PORT=443$$

ssl/ssl_lib                                 C:\usr\sap\CRP\DVEBMGS00\exe\sapcrypto.dll

sec/libsapsecu                              C:\usr\sap\CRP\DVEBMGS00\exe\sapcrypto.dll

ssf/ssfapi_lib                              C:\usr\sap\CRP\DVEBMGS00\exe\sapcrypto.dll

SMICM is OK.

In the ICM logs I see an error (attached in the file erro_ICM_CHELEB_CERTIFICADOS).

CANOPUS, in the ICM error logs, is a virtual host that has two apps, on servers CHELEB and CHERTAN, but the ICM errors appear only on the CHELEB server. This is the CRM landscape.

Can you tell me if I need to do any configuration on the CRM side? Or is it an infrastructure problem?

Thanks in advance!!!!

Cleiton Folster Eli

Accepted Solutions (0)

Answers (4)


Former Member
0 Kudos

Hello guys,

Thanks for the replies.

The logs are too big (6 MB)!

One of the errors is: WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the pe. Note 1318906 - Trace analysis of SSL problems says that the client rejects the certificate that is sent by ICM. Does this mean the CRM is rejecting the BCM server certificate? Is that right to say?

@Guilherme,

I tried to set the parameter icm/HTTPS/verify_client from 2 to 1 in RZ11 (this parameter is dynamic), but the problem still happens.

Looking at the error in the ICM logs, I think there is a problem with some certificate, but I already updated the certificate from BCM to CRM in STRUST. I think I have forgotten some configuration! Is there any place to check this certificate problem?

Thanks all for the help!

Former Member
0 Kudos

Hello Cleiton,

The fatal SSLv3 alert leads me to believe the problem is with your ssl/client_ciphersuites.

Can you please post the value of this parameter, as well as telling us the version of the commoncryptolib you are using?

As per OSS #510007 you should have (Allow blind sending of a client certificate).

eg: ssl/client_ciphersuites=914:HIGH:MEDIUM:+e3DES will allow TLS and blind certificate sending for a defective TLS server.

KR,

Amerjit

Former Member
0 Kudos

Hello Amerjit,


This parameter doesn't exist in my CRM.

The version of my SAPCRYPTOLIB is:

SSFLIB Version 1.555.26 ; SECUDE(tm) SAPCRYPTOLIB - SNC for SAP Server components and SSL - Version 5.5.5C (c) SECUDE GmbH 1990-2004##compiled for Windows  XP-64bit/2K3-64bit  (6

My CRM is a 7.0 version with KERNEL 701 patch 196.

Thanks for the help!

Cleiton Folster Eli.

Former Member
0 Kudos

Amerjit,


I see in SAP Note 510007 that I should ignore the warning that this parameter doesn't exist (my NetWeaver is version 7.01).

I'm a little confused about this parameter. Do I need to configure it according to the certificates I'm using?

E.g.: my certificates are SHA1 RSA 1024 bits.


Thanks for the help!


Cleiton Folster Eli.

Former Member
0 Kudos

Hello Cleiton,

Looking at your trace file, are both your CRM and BCM running on the same server (local and peer IP are the same), and is your BCM set up with TLS 1.0?

If I may suggest the following.

1. Please update your sapcrypto to use the most recent version of commoncryptolib

2. Please set the parameter as I suggested above.

3. Restart your system after steps 1+2.

KR,

Amerjit

Former Member
0 Kudos

Hi Cleiton,

Any progress after updating the cryptolib and setting the parameter ?

Cheers,

A.

Former Member
0 Kudos

Hello Amerjit,

Sorry for the delay.

We upgraded the kernel from 701 to 721 to use the new commoncryptolib.

But I'm a little confused about how to set this parameter. Could you help me with this?

Many thanks for the help.

Cleiton Folster Eli.

Former Member
0 Kudos

Hi Cleiton,

As per OSS #510007 you should have (Allow blind sending of a client certificate).

eg: ssl/client_ciphersuites=914:HIGH:MEDIUM:+e3DES will allow TLS (1.0, 1.1, 1.2) and blind certificate sending for a defective TLS server.

How is 914 derived? 512 + 256 + 128 + 16 + 2 (note it's the 16 that allows blind sending of certificates). You'll see that in the note I mentioned above.

Hope that clears things up a little bit. Let us know how you get on and update/close the thread.

KR,

Amerjit

Former Member
0 Kudos

Amerjit,

Just one question. I see in this note that the parameter for kernel 72X is ssl/ciphersuites. Do I need to set the parameter ssl/ciphersuites or ssl/client_ciphersuites?

Thanks for the help!!!

Former Member
0 Kudos

Hi,

CHELEB is your CRM system, which is the client, Y/N? Is it CHELEB that makes the call to another system?

That being the case, ssl/client_ciphersuites is the correct parameter.

KR,

Amerjit

Former Member
0 Kudos

Hi,

Our CRM system has two nodes, CHELEB (principal) and CHERTAN (secondary). CANOPUS is a virtual host that controls CHELEB and CHERTAN. The link to access the CRM_UI is https://canopus.funcef.com.br:44300/start.

Thanks!

Cleiton Folster Eli

Former Member
0 Kudos

Hi Cleiton,

So CANOPUS is a Web Dispatcher or another type of load balancer.

CHELEB and CHERTAN are your ABAP instances where you have an ICM running (a CI and an application server, by the sound of it).

So you need to set the parameter in the instance profile of each ABAP instance (CHELEB + CHERTAN) and then restart the ICM. To be honest, I'm not sure if just an ICM restart is enough, and you may have to perform a system restart.

I don't know what your servers are, but you could easily test the issue with BCM using openssl and try connecting to the BCM with openssl. That's another thing, maybe for another day though.

Please set the parameter as mentioned on both your ABAP instances and restart the system or ICM to activate the parameter.

Kind Regards,

Amerjit

Former Member
0 Kudos

Hi Amerjit,

I will set this parameter as mentioned (ssl/client_ciphersuites=914:HIGH:MEDIUM:+e3DES). I need to talk with the customer about restarting the system, and I will return as soon as possible.

Thanks for the help!

Cleiton Folster Eli.

guilherme_deoliveira
Participant
0 Kudos

Hello Cleiton,

The issue is that your client is not sending a certificate to your server... as you have set icm/HTTPS/verify_client = 2, the server will only proceed if a client certificate is sent.

Therefore, set icm/HTTPS/verify_client = 1 and see if the issue persists. If it does, please look at your client side (BCM) and ensure that a valid certificate is being sent to CRM.

Best Regards,
Guilherme de Oliveira
SAP Active Global Support
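
Added example, not part of any post in this thread and not SAP code: a small profile check that reads the two settings discussed above, icm/HTTPS/verify_client (the instance as TLS server) and ssl/client_ciphersuites (the instance as TLS client), and splits the leading flag sum such as 914 into its powers of two. The sample profile is constructed, the function names are hypothetical, and the wording for verify_client levels 0 and 1 is an assumption from general ICM documentation; only the flag value 16 is named because it is the only one the thread names.

```python
import re

# Constructed sample in the layout quoted in the thread (not a real profile).
SAMPLE_PROFILE = """\
icm/HTTPS/verify_client                     2
icm/server_port_2                           PROT=HTTPS,PORT=443$$
ssl/client_ciphersuites = 914:HIGH:MEDIUM:+e3DES
"""

BLIND_CERT = 16  # the one flag value the thread names (blind certificate sending)
# Level 2 is described in the thread; levels 0 and 1 are assumed wording.
VERIFY_CLIENT = {0: "no client certificate requested",
                 1: "client certificate requested but optional",
                 2: "client certificate required"}


def parse_profile(text):
    """Return {name: value}; accepts 'name value' and 'name = value' lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
            if len(parts) == 2:
                params[parts[0]] = parts[1]
    return params


def decode_ciphersuites(value):
    """Split '<flag sum>:<token>:...' into its set bits and cipher tokens."""
    head, *tokens = value.split(":")
    if not head.isdigit():  # no numeric flag sum in front
        return [], [t for t in [head, *tokens] if t]
    flags = int(head)
    bits = [1 << i for i in range(flags.bit_length()) if flags >> i & 1]
    return bits, tokens


def review(text):
    """Summarise both TLS roles of the instance from its profile text."""
    p = parse_profile(text)
    level = p.get("icm/HTTPS/verify_client")
    bits, tokens = decode_ciphersuites(p.get("ssl/client_ciphersuites", ""))
    return {"server_policy": VERIFY_CLIENT.get(int(level)) if level else None,
            "flag_bits": bits,
            "blind_client_cert": BLIND_CERT in bits,
            "cipher_tokens": tokens}


if __name__ == "__main__":
    print(review(SAMPLE_PROFILE))
```
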

Sriram2009
Active Contributor
0 Kudos

Hi Cleiton

Kindly refer to the SAP Note to enable the ICM trace and check the error log.

1318906 - Trace analysis of SSL problems

Regards

SS

feng_shi
Active Participant
0 Kudos

Hi,

Can the issue be reproduced every time?

Please reproduce this issue and attach the complete level 2 ICM trace.

Best regards,

Shi Feng