Skip to Content
avatar image
Former Member

ASE Cockpit no login to ASE Server via SSL

Hi there,

having problems to get ASE Cockpit working on windows.
Whenever SSl is enabled on the server i get 'login failed'.
If I disable SSL on ASE Server login from Cockpit works.
ASE Cockpit agent.log says:

2018-04-03 16:17:28,713 [INFO ] [adapter.UAFLoginCommand ] [scc-ui::119] - Authenticating web login sapsa
2018-04-03 16:17:29,444 [ERROR] [ASEMAP ] [RMI TCP Connection(8)-127.0.0.1] com.sybase.ua.plugins.asemap.security.ASELoginModule.login(145) - com.sybase.aseaccess.exception.AALSQLException: java.sql.SQLException: JZ00L: Login failed. Examine the SQLWarnings chained to this exception for the reason(s).
2018-04-03 16:17:29,454 [WARN ] [security.SecurityService ] [RMI TCP Connection(8)-127.0.0.1] - Login failed from ludsapdcte01.sapenv.org. Username: sapsa
2018-04-03 16:17:29,454 [ERROR] [security.AuthenticationHook ] [RMI TCP Connection(8)-127.0.0.1] - Authentication failed. Please check username and password.

Same password will work in isql and from ASE Cockpit when switching off SSL on the server.

In ASE Server log I get:

018/04/03 16:45:39.47 kernel SSL or Crypto Error Info: psn 388, vsn 23, sockp 000000002B628000 error id 302, severity -2, provider id 0.
00:0006:00000:00029:2018/04/03 16:45:39.47 kernel SSL or Crypto Error Message: 'The SSL handshake failed. Root error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number'.

OS: Windows 2012 R2
ASE:

Adaptive Server Enterprise/16.0 SP02 PL07/EBF 27572 SMP/P/X64/Windows Server/ase160sp02plx/0/64-bit/FBO/Tue Dec 19 22:17:07 2017

Any ideas ?

Regards,
Rainer

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

5 Answers

  • Apr 04 at 03:19 PM

    Hi,

    Have you set the public ssl certificate in ASE cockpit?
    Should have to add this certificate to $SYBASE/COCKPIT-4/services/EmbeddedWebContainer/cacerts
    Password is changeit by default.

    Regards,
    Ryan

    Add comment
    10|10000 characters needed characters exceeded

  • Apr 10 at 08:01 AM

    Hi Ryan,

    thanks for the hint.
    Since I'm new to ASE I did not know exactly how to add the certificate.
    I looked around and found the keytool utilitiy, located in %SYBASE%\jre64\bin.
    I used this to add the certificate to the cacerts keystore.

    G:\sybase\VTE\jre64\bin\keytool.exe -importcert -file G:\sybase\VTE\ASE-16_0\certificates\VTE.crt -keystore cacerts -storepass changeit

    Got back some info about certificate and finally:

    Trust this certificate? [no]: yes
    Certificate was added to keystore

    After that restarted ASE and Cockpit Service.
    Same error as above (including log file content).

    Best,

    Rainer

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Apr 13 at 12:22 PM

    Hi Ryan,

    I have the suspicion, that ths has been misunderstood in serveral ways. First my action described in the previous post were wrong and could not have led to a solution(importing server Certificate in Cockpit keystore).

    Reading note 2441404 I guess you meant getting SSL to work between client browser and ASE Cockpit.
    My problem however is the failing login whenever SSL connection on ASE Server is enabled (enable_ssl = 1).
    Unless SSL connection from browser is necessary to make SSL connect from Cockpit to server work(which I do not see necessary).
    Ok, I admit I do not understand a lot about the SSL feature of ASE.

    Maybe you can give me some further advice.

    Regards,
    Rainer

    Add comment
    10|10000 characters needed characters exceeded

  • Apr 24 at 08:45 PM

    Hi,

    Took a little bit but this functionality doesn't exist yet.
    You setup ASE connections through the COCKPIT-4/plugins/<asename>/agent-plugin.xml

    https://help.sap.com/doc/37077326d12d4c9fbf6d865f9826b655/16.0.3.3/en-US/SAP_ASE_Cockpit_en.pdf

    There isn't a section to tell it to use ssl port / protocol.

    You can securely connect into ASE cockpit, but you cannot use ssl port from cockpit to ASE.

    Current SAP/Sybase CR# 801770

    Also, based on your username you are most likely using ASE on Business Suite.
    This ASE uses DBA cockpit instead of ASE cockpit.
    DBA cockpit is specifically for Business Suite ASE.

    Based on the CR this functionality doesn't work for either cockpit at this time.

    What you can do is setup a ssl and non-ssl port on ASE.
    Have cockpit use the non-ssl port and make clients use the ssl port.

    Example:
    asename
    master tcp ether host port ssl
    query tcp ether host port ssl
    master tcp ether host port
    query tcp ether host port

    Regards,
    Ryan

    Add comment
    10|10000 characters needed characters exceeded

  • Apr 26 at 12:34 PM

    Hi Ryan,

    thanks for the answer. The fact that the newest sapinst (SP22) offers the encryption to be switched on is kinda misleading then ...
    at least if you then later try to get Cockpit working.

    In order to get both ssl connect of AppServer and non-ssl connect working I set enable_ssl to 1 on the server and then added 2 entries for the <SID> db in sql.ini (2 with ssl 2 without).

    [SID]
    master=NLWNSCK,host,4901,ssl
    query=NLWNSCK,host,4901,ssl
    master=NLWNSCK,host,4905
    query=NLWNSCK,host,4905

    Then in agent_plugin.xml I used non-ssl port of master entry(set with Cockpit stopped).

    <set-property value="4905" property="ase.port"/>

    This did not work.

    In agent.log I still see:

    2018-04-26 13:57:39,760 [ERROR] [ASEMAP ] [RMI TCP Connection(6)-127.0.0.1] com.sybase.ua.plugins.asemap.security.ASELoginModule.login(145) - com.sybase.aseaccess.exception.AALSQLException: java.sql.SQLException: JZ00L: Login failed. Examine the SQLWarnings chained to this exception for the reason(s).
    2018-04-26 13:57:39,766 [WARN ] [security.SecurityService ] [RMI TCP Connection(6)-127.0.0.1] - Login failed from ludsapdcte01.sapenv.org. Username: sapsa
    2018-04-26 13:57:39,766 [ERROR] [security.AuthenticationHook ] [RMI TCP Connection(6)-127.0.0.1] - Authentication failed. Please check username and password.

    ........

    Finally it I got it to work.

    In ini.sql I have now:

    [VTE]
    master=NLWNSCK,ludsapdcte01,4901
    query=NLWNSCK,ludsapdcte01,4901
    master=NLWNSCK,ludsapdcte01,4905,ssl
    query=NLWNSCK,ludsapdcte01,4905,ssl

    A peculiar thing I noticed: the entry for ase.port in agent_plugin.xml does not seem to make a difference.

    To me it seems like COCKPIT is using sql.ini and reading the first master entry in SID section.
    With a setting of ase.port = 8888 in agent_plugin.xml it still works.
    As soon as I change sql.ini though (having the ssl entry first in SID section), it stops working.

    As a reminder to others: I you want to keep using ssl-connect for SAP AS and utilities set
    dbs_syb_port(ENV) and dbs/syb_port (DEFAULT.PFL) to the ssl port (here: 4905).

    Regards,

    Rainer

    Add comment
    10|10000 characters needed characters exceeded