Former Member

NWDS unable to connect to NWDI via https

Hello SAP,

We are in the process of making HTTP secure, i.e. the HTTP protocol will be disabled and HTTPS will be enabled.

Currently we are applying this change to NWDI system.

We have 2 NWDI systems connected to each other for our project IERP.

Systems SIDs – HPI, HPW

HPW – is the SLD server from which developers access their tracks from NWDS.
While trying to achieve HTTPS we observed that developers are unable to download the track details from NWDS due to the problems described below.
NWDS Screen shot as below …

Steps for Reproducing issue:

Step 1: SLD is configured with https as highlighted and server certificate from HPW

and ping was successful


Step 2: Domain Data and Track Data have been configured to use https in HPI CMS

****Note: Also please observe that the track CBS is pointed to HPI as highlighted.

****Note: Some tracks use CBS from HPW itself, but the one below is pointed to HPI and was working fine before with http.
Step 3: Accessing Tracks by developers from NWDS

connect to SLD HPW


Select the required track and logon and finish the required configuration

While logging on, it allows logon to HPW whereas it fails to log on to HPI.


Error screen as below. Unable to log in to HPI. No further error is returned from NWDS.

***Note: Same track will work if we use http and port 51500 (http port )

***Note: other tracks where CBS is HPW itself and https port also works.


The logs returned at HPI level when we hit logon are as below in dev_icm logs
Note Peer:  peer=9.124.175.17 (my local laptop) where NWDS is installed and trying to access track.
Looks like NWDS is looking for a cert.

Our NetWeaver is 740. Please look into the below error and help us in troubleshooting the issue ASAP. Please let me know if any additional details are required.

[Thr 2057] Wed Oct 11 16:51:40:727 2017
[Thr 2057]   SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 2057] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 2057]   srv SSL session PSE "/usr/sap/HPI/J15/sec/SAPSSLS.pse"
[Thr 2057]   session ciphersuites=135:HIGH:MEDIUM:+e3DES:!eRC4:!mMD5
[Thr 2057]   Server SSL_CTX 1183ec190 pvflags = 897 (TLSv1.2,TLSv1.1,TLSv1.0,BC)
[Thr 2057] secussl_read: SSL_read() failed  (536875074/0x20001042)
[Thr 2057]    => "received a fatal TLS bad certificate alert message from the peer"
[Thr 2057] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 2057] 0x20001042 | SAPCRYPTOLIB | SSL_read
[Thr 2057] SSL API error
[Thr 2057] received a fatal TLS bad certificate alert message from the peer
[Thr 2057] 0xa0600259 | SSL | ssl3_read_bytes
[Thr 2057] received a fatal TLS bad certificate alert message from the peer
[Thr 2057] 0xa0600259 | SSL | ssl3_accept
[Thr 2057] received a fatal TLS bad certificate alert message from the peer
[Thr 2057] 0xa0600259 | SSL | ssl3_read_bytes
[Thr 2057] received a fatal TLS bad certificate alert message from the peer
[Thr 2057] << ---------- End of Secu-SSL Errorstack ----------
[Thr 2057]   SSL NI-hdl 181: local=9.63.240.126:51501  peer=9.124.175.17:47616
[Thr 2057] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=1140a70f0)==SSSLERR_SSL_READ
[Thr 2057] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c   1643]
Referred note: https://launchpad.support.sap.com/#/notes/1445197
Also seen a note to install the SAP Java Crypto Toolkit, but it looks to be too old and no option was found in NWDS >> Windows >> Preferences.
It looks like an old version and is not helping for our NW 740.

5 Answers

  • Best Answer
    Nov 04, 2017 at 07:46 PM

    What is necessary is to make a bundle of the related certificates (in .p7b format) and import this "combining-certificates" p7b file in NWDS.

    This is explained in this SAP KBA:

    2557483 - How-To import many SSL certificates in secure store of the NWDS

    which I post here to serve as a further reference (and future guidance when somebody bumps into such a problem).
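
Added example (not part of the original answer and not taken from KBA 2557483): one way to build such a bundle with the OpenSSL command line, which is an assumption here since the thread does not say which tool was used. The two certificates are throwaway self-signed samples standing in for the HPW and HPI server certificates; the script also shows why plain concatenation into a single .cer, as tried elsewhere in this thread, exposes only the first certificate to a single-certificate reader.

```shell
#!/bin/sh
# Added example: bundle several server certificates into one PKCS#7 (.p7b) file.
set -eu

# Constructed sample input: a throwaway self-signed certificate.
make_sample_cert() {  # $1 = common name, $2 = output PEM file
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2" 2>/dev/null
}

# Write all given PEM certificates into one DER-encoded, certs-only PKCS#7 file.
bundle_p7b() {  # $1 = output .p7b, remaining arguments = PEM certificate files
  out=$1; shift
  # Rewrite the argument list in place to: -certfile f1 -certfile f2 ...
  for c in "$@"; do set -- "$@" -certfile "$c"; shift; done
  openssl crl2pkcs7 -nocrl "$@" -outform DER -out "$out"
}

# Number of certificates a .p7b actually carries.
count_p7b_certs() {
  openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep -c '^subject'
}

# Subject seen by a reader that expects exactly one certificate per file.
first_subject() {
  openssl x509 -in "$1" -noout -subject
}

work=$(mktemp -d)
make_sample_cert hpw-sample "$work/hpw.pem"   # stand-in for the HPW certificate
make_sample_cert hpi-sample "$work/hpi.pem"   # stand-in for the HPI certificate

# Plain concatenation: both certificates are in the file, but only the first is read.
cat "$work/hpw.pem" "$work/hpi.pem" > "$work/merged.cer"
echo "merged.cer read as a single certificate: $(first_subject "$work/merged.cer")"

# PKCS#7 bundle: both certificates are carried as separate entries.
bundle_p7b "$work/nwdi.p7b" "$work/hpw.pem" "$work/hpi.pem"
echo "nwdi.p7b carries $(count_p7b_certs "$work/nwdi.p7b") certificates"
```

For real use, replace the sample certificates with the server certificates exported from each NWDI host and import the resulting file into NWDS as the KBA describes.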


  • Former Member
    Nov 06, 2017 at 01:14 PM

    Hello

    Milen Dontcheff

    I have worked with SAP in parallel and got it rectified after combining in P7b format. Anyway, thanks a lot.

    Regards

    Alen


  • Oct 18, 2017 at 01:05 PM

    Hi Sabu,

    As I see it, you are trying to connect to multiple servers. The connection is working for the first one but doesn't work in the case of the second server.

    I think it is possible that certification was configured just for the SLD in NWDS. There should be a list of certificates matching to all NWDI servers and not just to SLD. (You can export a file with multiple certificates from browser and use it in NWDS.)

    Best regards,
    Szabolcs


  • Former Member
    Oct 23, 2017 at 06:05 AM

    Hello Szabolcs

    Thanks for your reply. The cert is not just for SLD. Here the problem is that we have two NWDI systems configured to use the track and need the certs of both simultaneously from NWDS. The systems are different and the certs are also different. I don't know a way to use them together so that NWDS can check for both at the same time. Also find the attachment for more details.

    Regards

    Alen


  • Former Member
    Oct 23, 2017 at 06:06 AM


    Hello SAP,
    In continuation of the first analysis as mentioned in the first attachment, we found the below logs from NWDS:
    com.sap.dtr.client.lib.protocol.CommunicationException: Unable to open SSL connection to host saphpidb.bhprod.ibm.com:51,501 [A communication problem occured] [reason: Peer certificate rejected by ChainVerifier]
    iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    	at iaik.security.ssl.y.a(SourceFile:932)
    	at iaik.security.ssl.n.b(SourceFile:1067)
    	at iaik.security.ssl.n.a(SourceFile:1501)
    	at iaik.security.ssl.y.d(SourceFile:784)
    	at iaik.security.ssl.SSLTransport.startHandshake(SourceFile:571)
    	at iaik.security.ssl.SSLTransport.getInputStream(SourceFile:658)
    	at iaik.security.ssl.SSLSocket.getInputStream(SourceFile:395)
    	at com.sap.dtr.client.lib.protocol.streams.ChunkedInputStream.<init>(ChunkedInputStream.java:110)
    	at com.sap.dtr.client.lib.protocol.streams.ChunkedInputStream.<init>(ChunkedInputStream.java:98)
    	at com.sap.dtr.client.lib.protocol.streams.ResponseStream.<init>(ResponseStream.java:63)
    	at com.sap.dtr.client.lib.protocol.Connection.prepareSocket(Connection.java:2265)
    	at com.sap.dtr.client.lib.protocol.Connection.openSocket(Connection.java:2089)
    	at com.sap.dtr.client.lib.protocol.Connection.open(Connection.java:1392)
    	at com.sap.dtr.client.lib.protocol.Connection.sendInternal(Connection.java:1555)
    	at com.sap.dtr.client.lib.protocol.Connection.send(Connection.java:1478)
    	at com.sap.dtr.client.lib.protocol.requests.RequestBase.perform(RequestBase.java:555)
    	at com.sap.tc.cbs.client.impl.HTTPClient.ping(HTTPClient.java:299)
    	at com.sap.tc.cbs.client.impl.BuildServer.ping(BuildServer.java:387)
    	at com.sap.ide.dii05.lib.internal.login.PingManager.pingCbsServer(PingManager.java:256)
    	at com.sap.ide.dii05.lib.internal.login.PingManager.executeCbsServerPing(PingManager.java:277)
    	at com.sap.ide.dii05.lib.internal.login.PingManager.pingCBSServer(PingManager.java:236)
    	at com.sap.ide.dii05.lib.internal.login.LegacyDevConfUtil.pingCBSServer(LegacyDevConfUtil.java:70)
    	at com.sap.ide.dii05.ui.internal.login.BuildServerData.runCheck(BuildServerData.java:51)
    	at com.sap.ide.dii08.internal.util.LoginUtil.runPingCheck(LoginUtil.java:43)
    	at com.sap.ide.dii05.lib.internal.commands.devconf.BasicWizardHelper.canGetOnline(BasicWizardHelper.java:537)
    	at com.sap.ide.dii05.ui.internal.devconf.wizard.WizardHelper.canGetOnline(WizardHelper.java:45)
    	at com.sap.ide.login.ui.LoginDialog$2.run(LoginDialog.java:389)
    	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
          [Error: com.sap.dtr.client.lib.protocol.requests.RequestBase Thread[Worker-6,5,mai
    The above logs tell that they need HPI certs in NWDS.
    Then I supplied the HPI certificate directly to the sec folder of NWDS as below.
    *****Note – the HPW cert was already supplied while configuring SLD.
    
    
    Then hit the enter screen from where HPI was failing.
    Now the result is strange and the situation is reversed.
    
    Current situation is that HPI succeeds (was failing before) and HPW fails, as in the screenshot.
    
    Conclusion, I think, is that both certificates are needed simultaneously, but only one can be read by NWDS at a time. If we can get through this we will pass.
    As a next step we tried to merge the two certs into one (just copied both and named the result .cer to make one) and supplied it to NWDS, but only the first one is getting read, so that won't help us.
    Another alternative we tried was as follows:
    
    Once HPW hits the error, I go to the sec directory of NWDS and just delete all the certs from there as below.
    Before deleting certs, 
    After deleting certs from NWDS sec directory
    
    
    
    Then proceed with login from the point where HPI was failing.
    
    
    Able to download the track and login was successful.
    I think this is not the correct approach; either the certs are picked from cache or somewhere, I don't know.
    
    Also we cannot recommend that developers delete them each time and try.
    I am thinking that if there is a proper method to merge 2 certificates from SAP servers into one so that both can be read simultaneously, it may fix this issue.
    Also there is only one time or one place where we can give this certificate from NWDS, via SLD.
    
    Please look into this and suggest ASAP.
    
    Regards
    Alen
    
    