cancel
Showing results for 
Search instead for 
Did you mean: 

HANA XS (on-prem) HttpClient.request:IPcon: connection to host :443 failed!; $REASON$=ssl

0 Kudos

Hi,

When I make a GET or POST http request from an .xsjs service in aN on-premise HANA server to a SAP internal web domain I get the error (hiding information from hosts) :

HttpClient.request: request failed: unable to establish connection to <hostdomain>:443 - IPcon: connection to host <hostdomain>:443 failed!; $REASON$=ssl: internal error

description = "host description";

host = "hostdomain";

port = 443;

pathPrefix = "/";

proxyType = none;

proxyHost = "proxy";

proxyPort = 8080;

authType = none;

useSSL = true;

timeout = -1;

sslHostCheck = false;

sslAuth = client;

I created a trust store for this host in XS admin tool and added all certificates available in the domain and even downloaded SAP Cloud Root CA from http://www.pki.co.sap.com/

This is how my trust store looks like

This is my configuration of destination

when I select certificate actions PUT CA Response on the trust store of each certificate I get:

I cannot access the server from command line. I can only use web ide and sap/hana/xs/admin.

I can successfully call the destination from node.js using the following lines of code :

 var Request = require("request");
  var XML2js = require("xml2js");

  var sslRootCAs = require("ssl-root-cas");
  sslRootCAs
    .inject()
    .addFile("/SAP Cloud Root CA.crt")
    .addFile("/SAP Global Root CA (1).crt")
    .addFile("/SAPNetCA_G2 (5).crt");
  fs = require("fs");
   Request.post(
    {
      headers: {
        "Content-Type": "application/json",
      },
      url: "https://<HOSTDOMAIN>",
    },
    (error, response, body) => {
      if (error) {
        return console.dir(error);
      }
      console.log(response.body);
    }
  );
<br>

When I run the openssl command on my windows computer to check the chain of certificates I only get the certificate 0.

openssl s_client -connect <hostdomain>:443 -servername <hostdomain>

And as far as I understand, it means that my destination server doesn't send the intermediate certificates. That is why I add them to the files in node.js. But I'm not able to access from my hana server and I need to access from it

I would really appreciate if someone can help me

¿Does anyone know how to correctly configure the trust store from hana xs admin tool?

quovadis
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi Daniela,

Following up on your comment to my other blog

if I run the same SSL check command line against the FQDN of my internal HANA system I get the following:

$ openssl s_client -connect <FQDN>:4390 -servername <FQDN>
CONNECTED(00000005)
depth=1 C = DE, L = Walldorf, O = SAP, CN = ***
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=DE/O=SAP/OU=Partner Product Management/CN=<FQDN>
i:/C=DE/L=Walldorf/O=SAP/CN=***
1 s:/C=DE/L=Walldorf/O=SAP/CN=***
i:/C=DE/L=Walldorf/O=SAP AG/CN=***
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGKTCCBBGgAwIBAgIQf4c3NTDnUDdT2JhR98m/TDANBgkqhkiG9w0BAQsFADBE .............(truncated)..........................
pS8vFSFUa0TgEIQ8a6kbkVelaR6nLDBkUa6tP5bRQnZ3aP4BRaZjht2YwT90
-----END CERTIFICATE-----
subject=/C=DE/O=SAP/OU=Partner Product Management/CN=<FQDN>
issuer=/C=DE/L=Walldorf/O=SAP/CN=***

Thx; Piotr

Accepted Solutions (0)

Answers (0)