FIM cannot connect to BPC web service via https

Olj
Participant
0 Kudos

Hi,

We use SAP FIM and BPC many times.

We set up the HTTP web service connection following the guide -

SAP BusinessObjects Financial Information Management Supplement for SAP BusinessObjects Planning and Consolidation, version for SAP Netweaver,

our connection url -

http://BPCsrv:8000/sap/bc/srt/rfc/sap/ujo_ws_fim/120/ujo_ws_fim/ujo_ws_fim?sap-client=120

It works fine, but now our basis team wants to disable the HTTP protocol for security reasons, and everything must use only the HTTPS protocol (44300).

I tried to modify web service url to https -

httpS://BPCsrv:44300/sap/bc/srt/rfc/sap/ujo_ws_fim/120/ujo_ws_fim/ujo_ws_fim?sap-client=120

but we are getting an error:

com.ctc.wstx.exc.WstxIOException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate).

Also, I tried to modify the FC, Intercompany web service, but when I add "S" to the http URL, I get the error above.

Looks like FIM/Tomcat cannot use httpS. How can I resolve it?

Accepted Solutions (0)

Answers (3)

0 Kudos

Hi

We were getting the below SSL error after implementing SSL on FIM 10 and DS 4.2:

No appropriate protocol (protocol is disabled or cipher suites are inappropriate).

Our issue was resolved after adding two lines in Tomcat --> Java configuration options:

-Djdk.tls.client.protocols=TLSv1.2
-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1 in


Marc_Kuipers
Product and Topic Expert
0 Kudos

Hi

Have you checked these:

https://wiki.scn.sap.com/wiki/display/CPM/Configuration+of+SAP+BW+system+for+BPC+10+NW+integration+w...

SAP notes:

2337042 - SSL certificate upgrade - impact on SAP EPM applications

2012668 - SSL error while creating a BPC NW datastore - FIM10.0

Olj
Participant
0 Kudos

Hi Marc,

I saw your URL links. I did all of that before.

I tried to switch Web Dispatcher to HTTP and it works fine,

but when I switch back to HTTPS I get an error:

No X509TrustManager implementation available

I checked the ICM log on the BPC side - it's clear.

Looks like Tomcat (FIM) cannot understand the Web Dispatcher TLS protocol.

Web Dispatcher logs:

[Thr 139671703856896] Tue Nov 14 00:15:17:289 2017
[Thr 139671703856896] SSL_get_state()==0x1180 "TLS read client certificate A"
[Thr 139671703856896] *** ERROR during secussl_read() from SSL_read()==SSL_ERROR_SSL
[Thr 139671703856896] srv SSL session PSE "/usr/sap/WBC/W00/sec/bpc.pse"
[Thr 139671703856896] session ciphersuites=896:HIGH
[Thr 139671703856896] Server SSL_CTX 7f07d4204560 pvflags=896 (TLSv1.2,TLSv1.1,TLSv1.0)
[Thr 139671703856896] secussl_read: SSL_read() failed (536875078/0x20001046)
[Thr 139671703856896] => "received a fatal TLS certificate unknown alert message from the peer"
[Thr 139671703856896] >> ---------- Begin of Secu-SSL Errorstack ---------- >>
[Thr 139671703856896] 0x20001046 | SAPCRYPTOLIB | SSL_read
[Thr 139671703856896] SSL API error
[Thr 139671703856896] received a fatal TLS certificate unknown alert message from the peer
[Thr 139671703856896] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 139671703856896] received a fatal TLS certificate unknown alert message from the peer
[Thr 139671703856896] 0xa0600263 | SSL | ssl3_accept
[Thr 139671703856896] received a fatal TLS certificate unknown alert message from the peer
[Thr 139671703856896] 0xa0600263 | SSL | ssl3_read_bytes
[Thr 139671703856896] received a fatal TLS certificate unknown alert message from the peer
[Thr 139671703856896] << ---------- End of Secu-SSL Errorstack ----------
[Thr 139671703856896] SSL NI-hdl 81: local=192.168.88.31:7777 peer=192.168.88.124:63911
[Thr 139671703856896] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7f07d00008f0)==SSSLERR_SSL_READ
[Thr 139671703856896] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStartNB returned (-58): SSSLERR_SSL_READ [icxxconn.c 1894]

Marc_Kuipers
Product and Topic Expert
0 Kudos

Hi Daulet

This is not really a FIM/Tomcat issue.

The source/target (EPM) systems can all be configured with HTTPS, and the error you see is simply the fact that the URL FIM calls is not accepting the SSL.

No appropriate protocol (protocol is disabled or cipher suites are inappropriate).

See for example: https://stackoverflow.com/questions/38205947/sslhandshakeexception-no-appropriate-protocol

Marc

Olj
Participant
0 Kudos

Hi Marc,

Thanks for your reply.

Now our basis team decided to use SAP Web Dispatcher between FIM and BPC network (like saprouter/firewall).

WebDispatcher HTTPS ---> redirect to BPC http (SSL_ENCRYPTION=0).

I began to set up the connection through Web Dispatcher, and I had some problems at the beginning. At the first BPC datastore connection test (URL through Web Dispatcher) I found that FIM uses the SSL3 protocol and Web Dispatcher uses TLS1.2; also I added lines in Tomcat --> Java configuration options:

-Djdk.tls.client.protocols=TLSv1.2
-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1

At the second connection test I got a new error -

PKIX path building failed: unable to find valid certification path to requested target

I also googled, and found that I need to add the Web Dispatcher SSL certificate to the Tomcat keystore, so via the keytool utility I added the Web Dispatcher certificate to the default keystore (cacerts). Then I added options to Tomcat --> Java:

-Djavax.net.ssl.trustStore=C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\jre\lib\security\cacerts
-Djavax.net.ssl.trustStorePassword=changeit

But now I got a new error:

com.ctc.wstx.exc.WstxIOException: java.security.cert.CertificateException: No X509TrustManager implementation available

But then I can't find any information about that error. Can you help me please?
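
An added check for the trust-store settings in the post above (not code from the thread or from SAP): it loads the store named by javax.net.ssl.trustStore with the configured password, confirms that an X509TrustManager can be built from it, and prints the client protocols the JVM enables. The class name TrustStoreCheck is hypothetical, and the cacerts and changeit fallbacks assume the JVM defaults.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic; the class name is hypothetical. Java 6 syntax on purpose.
public class TrustStoreCheck {
    // Builds an X509TrustManager from the store, throwing at the step that fails.
    static X509TrustManager load(String path, char[] password) throws Exception {
        File file = new File(path);
        if (!file.isFile()) throw new IllegalStateException("not a readable file: " + path);
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        KeyStore store = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(file);
        try {
            store.load(in, password); // wrong password or store type fails here
        } finally {
            in.close();
        }
        if (store.size() == 0) throw new IllegalStateException("store has no entries: " + path);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager built from " + path);
    }

    public static void main(String[] args) throws Exception {
        // Same properties the thread sets in Tomcat --> Java; fall back to the JVM's cacerts.
        String fallback = System.getProperty("java.home") + File.separator + "lib"
                + File.separator + "security" + File.separator + "cacerts";
        String path = System.getProperty("javax.net.ssl.trustStore", fallback);
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        X509TrustManager tm = load(path, pass.toCharArray());
        System.out.println("trust store: " + path + " (" + tm.getAcceptedIssuers().length + " trusted certs)");
        // Context built from the store just verified, so nothing is skipped silently.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        System.out.println("jdk.tls.client.protocols = " + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("https.protocols = " + System.getProperty("https.protocols"));
        System.out.println("enabled by default: " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
    }
}
```

Run it with the JVM that Tomcat uses and the same -D options. In Sun-derived JSSE, a default context that cannot initialise a trust manager from the configured store falls back to a placeholder whose checks fail with "No X509TrustManager implementation available", so a failure reported here points at the store path, type or password.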