Hana Replication Issue after upgrade Tier-2 System to 2.0 SPS02 (23)


Hi,

We have 3-tier system replication for SAP HANA SPS12. We have done the upgrade of the Tier-3 system to HANA 2.0 SPS02 and it was OK.

Then we upgraded the Tier-2 system and it was OK.

However, when we started the Tier-3 system for replication after the upgrade, we get the error stated below and replication is stopped from Tier-2 to Tier-3; however, replication is fine from Tier-1 (still 1.0 SPS12) to Tier-2 (2.0 SPS02).

**********************
"Error occurred during connect to primary: exception 300015: SSL certificate validation failed: SSL error [536872221]: Unknown error, General error: 0x2000051d | SAPCRYPTOLIB | SSL_connect"

SSL API error
Failed to verify peer certificate. Peer not trusted.
0xa0600203 | SSL | ssl3_connect
Peer not trusted
0xa0600203 | SSL | ssl3_get_server_certificate
Peer not trusted
0xa0600203 | SSL | ssl3_decode_server_certificate
Peer not trusted
0xa0600203 | SSL | ssl_verify_peer_certificates
Peer not trusted
0xa0600203 | SSL | ssl_cert_checker_verify_certificates
Peer not trusted
0xa0600203 | SSL | ssl_cert_checker_verify_certificates
Peer not trusted

*******************

I have raised a message to SAP; however, has anyone faced a similar issue?


Regards
Ahmed Mohammed

3 Answers

  • Feb 11 at 10:29 PM

    Are you sure you've correctly set up the trust certs here? The errors suggest you haven't? The primary is saying it cannot find the trust to allow the connection, or the tier 3 hasn't been SSL enabled.

    • Ok, so from the above info it seems like you may be experiencing the same issues as explained in SAP Note 2494079.

      Starting with HANA 2 SPS02, cross-datacenter connections in system replication (data, log and nameserver-metadata) are secured with SSL by system PKI without the need to switch on SSL for internal communication, as in previous versions.

      Did you use NZDU to update your HANA systems? Please check if you have the following parameter set:

      global.ini/[communication]/ssl = on or systempki. If yes, the internal communication ssl is used. You may fail in startup after the secondary is upgraded. Nameserver of the upgraded secondary is unable to replicate from the old-versioned primary due to communication error.
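The parameter check asked for in the comment above, as an added example that is not part of the original thread and is not SAP tooling: it reads each tier's `global.ini` content and reports where `[communication] ssl` is `on` or `systempki` and where the settings differ between tiers. The section name for `enable_ssl` is an assumption (the thread does not give it), and the tier names and sample file contents are constructed.

```python
import configparser

# Parameters named in the thread. The section for enable_ssl is not given on
# the page; [system_replication_communication] is assumed here.
PARAMS = {
    "ssl": ("communication", "ssl"),
    "enable_ssl": ("system_replication_communication", "enable_ssl"),
}

def read_settings(ini_text):
    """Return {param: value or None} for one tier's global.ini content."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)
    out = {}
    for name, (section, key) in PARAMS.items():
        value = cp.get(section, key, fallback=None)
        out[name] = value.strip().lower() if value is not None else None
    return out

def review(tiers):
    """tiers: {tier_name: ini_text}. Returns (settings, findings)."""
    settings = {tier: read_settings(text) for tier, text in tiers.items()}
    findings = []
    for tier, s in settings.items():
        # The condition the comment asks about: ssl = on or systempki.
        if s["ssl"] in ("on", "systempki"):
            findings.append(f"{tier}: [communication] ssl = {s['ssl']}")
    for name in PARAMS:
        if len({s[name] for s in settings.values()}) > 1:
            detail = ", ".join(f"{t}={s[name] or 'unset'}" for t, s in settings.items())
            findings.append(f"{name} differs across tiers: {detail}")
    return settings, findings

# Constructed sample content, not taken from the systems in the thread.
SAMPLE = {
    "tier1": "[system_replication_communication]\nenable_ssl = off\n",
    "tier2": "[communication]\nssl = systempki\n"
             "[system_replication_communication]\nenable_ssl = off\n",
    "tier3": "[system_replication_communication]\nenable_ssl = off\n",
}

if __name__ == "__main__":
    settings, findings = review(SAMPLE)
    for tier, s in settings.items():
        print(tier, s)
    for line in findings:
        print("FINDING:", line)
```

To run it against real systems, pass the text of each tier's customer-specific `global.ini` in place of `SAMPLE`; a parameter that is not set in that file is reported as unset.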

  • Feb 12 at 12:32 PM

    Hi Michael,

    You have correctly pointed out that I have encountered the same error as in SAP Note 2494079.

    I somehow missed this SAP Note before the upgrade :(

    I did not use the nZDU; I just stopped Tier-3 and upgraded it, and once that was done I stopped Tier-2 and upgraded it.

    In my setup, the below parameter is not set on any of the 3 servers:

    global.ini/[communication]/ssl = on or systempki

    and as I have already mentioned, the parameter enable_ssl = off.


    Replication is fine from Primary (1.0 SPS12) to Tier-2 (2.0 SPS02); however, it is not to Tier-3.


    Also, I see the below files were already copied during the setup of system replication on all 3 servers.

    /usr/sap/<SID>/SYS/global/security/rsecssfs/data/SSFS_<SID>.DAT
    /usr/sap/<SID>/SYS/global/security/rsecssfs/key/SSFS_<SID>.KEY


    Now could you suggest how I should proceed?

    Do I need to change the below parameters on all 3 systems and register Tier-2 and Tier-3 again?
    ssl=systempki
    enable_ssl=on

    Or any further suggestions?


    Thank you.

    Regards

    Ahmed Mohammed

  • Feb 15 at 06:32 AM

    Hi,

    I followed SAP Note 2369981 - Required configuration steps for authentication with HANA System Replication

    and copied the required SSFS files, and then when I try to re-register the Tier-3 system, we get the below error:

    *************************************
    DRClient.cpp(01103) : number of hosts per hostrole differs;Master host roles differ: '' (primary) != 'worker' (secondary)'

    [51003]{-1}[-1/-1] 2018-02-14 14:50:33.498560 e sr_nameserver TopologyUtil.cpp(01944) : number of hosts per hostrole differs;Master host roles differ: '' (primary) != 'worker' (secondary)';

    *************************************

    Any suggestions?

    Regards

    Ahmed Mohammed
