Skip to Content
0

FIM cannot connect to BPC web service via https

Nov 07, 2017 at 05:11 AM

221

avatar image

Hi,

We use SAP FIM and BPC many times.

We setup http web service connection from guide -

SAP BusinessObjects Financial Information Management Supplement for SAP BusinessObjects Planning and Consolidation, version for SAP Netweaver,

our connection url -

http://BPCsrv:8000/sap/bc/srt/rfc/sap/ujo_ws_fim/120/ujo_ws_fim/ujo_ws_fim?sap-client=120

it works fine, but now our basis team want to disable http protocol for security reasons, and all must use only httpS protocol (44300).

I tried to modify web service url to https -

httpS://BPCsrv:44300/sap/bc/srt/rfc/sap/ujo_ws_fim/120/ujo_ws_fim/ujo_ws_fim?sap-client=120

but we getting error:

com.ctc.wstx.exc.WstxIOException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate).

Also I tried to modify FC, Intercompany web service, but when I add "S" to http url, I get error above.

Looks like FIM/Tomcat cannot use httpS. How can I resolve it?

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

2 Answers

Marc Kuipers
Nov 09, 2017 at 12:17 PM
0

Hi Daulet

This is not really a FIM/Tomcat issue.

The source/target (EPM) systems can all be configured with HTTPS. and the error you see is simply the fact that the URL FIM calls is not accepting the SSL.

No appropriate protocol (protocol is disabled or cipher suites are inappropriate).

See for example: https://stackoverflow.com/questions/38205947/sslhandshakeexception-no-appropriate-protocol

Marc

Show 1 Share
10 |10000 characters needed characters left characters exceeded

Hi Marc,

Thanks for your reply.

Now our basis team decided to use SAP Web Dispatcher between FIM and BPC network (like saprouter/firewall).

WebDispatcher HTTPS ---> redirect to BPC http (SSL_ENCRYPTION=0).

I began to setup connection through WebDispatcher, I had some problems at beginning. At first BPC datastore connection test (url through webdispatcher) I found that FIM uses SSL3 protocol, WebDispatcher uses TLS1.2, also I added lines in Tomcat --> Java configurations options

-Djdk.tls.client.protocols=TLSv1.2
-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1

At second connection test I got new error -

PKIX path building failed: unable to find valid certification path to requested target

I also googled, and found that need to add webdispatcher ssl certificate to tomcat keystore, SO via keytool utility I added webdispatcher certificate to default keystore (cacerts). Then I added options to Tomcat --> Java:

-Djavax.net.ssl.trustStore=C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\jre\lib\security\cacerts
-Djavax.net.ssl.trustStorePassword=changeit

But now I got new error:

com.ctc.wstx.exc.WstxIOException: java.security.cert.CertificateException: No X509TrustManager implementation available

But then I can't find any information about that error, can you help me please?

fim-err.jpg (74.4 kB)
0
Marc Kuipers
Nov 13, 2017 at 05:17 PM
0

Hi

Have you checked these:

https://wiki.scn.sap.com/wiki/display/CPM/Configuration+of+SAP+BW+system+for+BPC+10+NW+integration+with+FIM+10

SAP notes:

2337042 - SSL certificate upgrade - impact on SAP EPM applications

2012668 - SSL error while creating a BPC NW datastore - FIM10.0

Show 2 Share
10 |10000 characters needed characters left characters exceeded

Hi Marc,

I see your url links. I did all before.

I tried to switch Web Dispatcher to HTTP and it works fine,

but when I switch back to HTTPS I got error:

No X509TrustManager implementation available

I check ICM log on BPC side - it's clear.

Looks like Tomcat (FIM) cannot understand WebDispatcher TLS protocol.

Web Dispatcher logs:

[Thr 139671703856896] Tue Nov 14 00:15:17:289 2017
[Thr 139671703856896] SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 139671703856896] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 139671703856896] srv SSL session PSE "/usr/sap/WBC/W00/sec/bpc.pse"
[Thr 139671703856896] session ciphersuites=896:HIGH
[Thr 139671703856896] Server SSL_CTX 7f07d4204560 pvflags=896 (TLSv1.2,TLSv1.1,TLSv1.0)
[Thr 139671703856896] secussl_read: SSL_read() failed (536875078/0x20001046)
[Thr 139671703856896] => "received a fatal TLS certificate unknown alert message from the peer"
[Thr 139671703856896] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 139671703856896] 0x20001046 | SAPCRYPTOLIB | SSL_read
[Thr 139671703856896] SSL API error
[Thr 139671703856896] received a fatal TLS certificate unknown alert message from the peer
[Thr 139671703856896] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 139671703856896] received a fatal TLS certificate unknown alert message from the peer
[Thr 139671703856896] 0xa0600263 | SSL | ssl3_accept
[Thr 139671703856896] received a fatal TLS certificate unknown alert message from the peer
[Thr 139671703856896] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 139671703856896] received a fatal TLS certificate unknown alert message from the peer
[Thr 139671703856896] << ---------- End of Secu-SSL Errorstack ----------
[Thr 139671703856896] SSL NI-hdl 81: local=192.168.88.31:7777 peer=192.168.88.124:63911
[Thr 139671703856896] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7f07d00008f0)==SSSLERR_SSL_READ
[Thr 139671703856896] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c 1894]

0
0