Hello,
I have to establish a connection from SAP WebAS to an iSaSiLk server via HTTPS.
The iSaSiLk authentication is based on client certificates.
I've created an SSL client PSE, generated the Certificate Request, and imported the certificate response and the associated chain of certificates with no errors. When testing the connection we're getting the following error message:
SAP icm log:
[Thr 1087400256] ->> SapSSLSessionInit(&sssl_hdl=0x2aaaba679980, role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT))
[Thr 1087400256] <<- SapSSLSessionInit()==SAP_O_K
[Thr 1087400256] in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"
[Thr 1087400256] out: sssl_hdl = 0x1a3310c0
[Thr 1087400256] ->> SapSSLSetNiHdl(sssl_hdl=0x1a3310c0, ni_hdl=22)
[Thr 1087400256] NiIBlockMode: set blockmode for hdl 22 TRUE
[Thr 1087400256] <<- SapSSLSetNiHdl(sssl_hdl=0x1a3310c0, ni_hdl=22)==SAP_O_K
[Thr 1087400256] ->> SapSSLSetSessionCredential(sssl_hdl=0x1a3310c0, &cred_name=0x1a49e4e0)
[Thr 1087400256] SapISSLComposeFilename(): Filename = "/usr/sap/XID/DVEBMGS00/sec/SAPSSLSPHTID.pse"
[Thr 1087400256] <<- SapSSLSetSessionCredential(sssl_hdl=0x1a3310c0)==SAP_O_K
[Thr 1087400256] in: cred_name = "/usr/sap/XID/DVEBMGS00/sec/SAPSSLSPHTID.pse"
[Thr 1087400256] ->> SapSSLSetTargetHostname(sssl_hdl=0x1a3310c0, &hostname=0x1a4a09e0)
[Thr 1087400256] <<- SapSSLSetTargetHostname(sssl_hdl=0x1a3310c0)==SAP_O_K
[Thr 1087400256] in: hostname = "<remoteServer_to_be_accessed>"
[Thr 1087400256] ->> SapSSLSessionStart(sssl_hdl=0x1a3310c0)
[Thr 1087400256] SapISSLUseSessionCache(): Creating NEW session (0 cached)
[Thr 1087400256] Tue Jan 13 10:10:22 2009
[Thr 1087400256] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 1087400256] session uses PSE file "/usr/sap/XID/DVEBMGS00/sec/SAPSSLSPHTID.pse"
[Thr 1087400256] SecudeSSL_SessionStart: SSL_connect() failed
secude_error 536871693 (0x2000030d) = "none of the PSEs registered with hSsl can suffice the negotiated SSL cipher suite"
[Thr 1087400256] >> Begin of Secude-SSL Errorstack >>
[Thr 1087400256] ERROR in ssl3_get_certificate_request: (536871693/0x2000030d) none of the PSEs registered with hSsl can suffice
[Thr 1087400256] << End of Secude-SSL Errorstack
[Thr 1087400256] SSL_get_state() returned 0x00002150 "SSLv3 read server certificate request A"
[Thr 1087400256] No certificate request received from Server
[Thr 1087400256] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x1a3310c0)==SSSLERR_SSL_CONNECT
[Thr 1087400256] ->> SapSSLErrorName(rc=-57)
[Thr 1087400256] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT
[Thr 1087400256] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt
On the iSaSiLk server we're getting:
ssl_debug(2): Starting handshake (iSaSiLk 3.06)...
ssl_debug(2): Received v3 client_hello handshake message.
ssl_debug(2): Client requested SSL version 3.0, selecting version 3.0.
ssl_debug(2): Creating new session 11:5F:04:C9:0D:32:15:B9...
ssl_debug(2): CipherSuites supported by the client:
ssl_debug(2): SSL_RSA_WITH_RC4_128_SHA
ssl_debug(2): SSL_RSA_WITH_RC4_128_MD5
ssl_debug(2): SSL_RSA_WITH_3DES_EDE_CBC_SHA
ssl_debug(2): SSL_RSA_WITH_DES_CBC_SHA
ssl_debug(2): SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
ssl_debug(2): SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
ssl_debug(2): SSL_RSA_EXPORT_WITH_RC4_40_MD5
ssl_debug(2): CompressionMethods supported by the client:
ssl_debug(2): NULL
ssl_debug(2): Sending server_hello handshake message.
ssl_debug(2): Selecting CipherSuite: SSL_RSA_WITH_RC4_128_SHA
ssl_debug(2): Selecting CompressionMethod: NULL
ssl_debug(2): Sending certificate handshake message with server certificate...
ssl_debug(2): Sending certificate_request handshake message...
ssl_debug(2): Sending server_hello_done handshake message...
ssl_debug(2): IOException while handshaking: Connection closed by remote host.
ssl_debug(2): Sending alert: Alert Fatal: handshake failure
ssl_debug(2): Shutting down SSL layer...
ssl_debug(2): Closing transport...
From the iSaSiLk side everything seems to be OK, but on the SAP WebAS the error "none of the PSEs registered with hSsl can suffice the negotiated SSL cipher suite" is really unclear, since the cipher chosen by the iSaSiLk is one of the ciphers sent by SAP WebAS...
Can anyone give me any suggestion?
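An added example, not part of the original post: a small Python triage script run over constructed excerpts of the two traces above. It checks whether the suite the server selected was among those the client offered, and reports the handshake step at which the SAP side stopped. The function names (parse_isasilk, parse_icm, triage) are hypothetical.

```python
import re

# Constructed sample input: lines excerpted from the two traces in the post.
ISASILK_LOG = """\
ssl_debug(2): CipherSuites supported by the client:
ssl_debug(2): SSL_RSA_WITH_RC4_128_SHA
ssl_debug(2): SSL_RSA_WITH_RC4_128_MD5
ssl_debug(2): CompressionMethods supported by the client:
ssl_debug(2): Selecting CipherSuite: SSL_RSA_WITH_RC4_128_SHA
ssl_debug(2): Sending certificate handshake message with server certificate...
ssl_debug(2): Sending certificate_request handshake message...
ssl_debug(2): Sending server_hello_done handshake message...
"""
ICM_LOG = """\
[Thr 1087400256] session uses PSE file "/usr/sap/XID/DVEBMGS00/sec/SAPSSLSPHTID.pse"
[Thr 1087400256] ERROR in ssl3_get_certificate_request: (536871693/0x2000030d) none of the PSEs registered with hSsl can suffice
[Thr 1087400256] SSL_get_state() returned 0x00002150 "SSLv3 read server certificate request A"
"""

def parse_isasilk(log):
    """Collect offered suites, the selected suite and handshake messages sent."""
    offered, selected, sent, in_list = [], None, [], False
    for line in log.splitlines():
        msg = line.split("): ", 1)[-1].strip()
        if msg.startswith("CipherSuites supported by the client"):
            in_list = True
        elif in_list and re.fullmatch(r"SSL_\w+", msg):
            offered.append(msg)
        else:
            in_list = False  # any other line ends the suite list
            if m := re.match(r"Selecting CipherSuite: (\S+)", msg):
                selected = m.group(1)
            elif m := re.match(r"Sending (\w+) handshake message", msg):
                sent.append(m.group(1))
    return {"offered": offered, "selected": selected, "sent": sent}

def parse_icm(log):
    """Pull the PSE path, failing function, error code and SSL state."""
    pse = re.search(r'session uses PSE file "([^"]+)"', log)
    err = re.search(r"ERROR in (\w+): \(\d+/(0x[0-9a-fA-F]+)\)", log)
    state = re.search(r'SSL_get_state\(\) returned \S+ "([^"]+)"', log)
    pick = lambda m, i=1: m.group(i) if m else None
    return {"pse": pick(pse), "failed_in": pick(err),
            "code": pick(err, 2), "state": pick(state)}

def triage(server, client):
    """Two checks: suite was offered; client failed at certificate_request."""
    at_req = "certificate_request" in server["sent"] and "certificate_request" in (client["failed_in"] or "")
    return {"suite_was_offered": server["selected"] in server["offered"], "failed_at_cert_request": at_req}
```

On these excerpts both checks come back true: the suite was agreed, and the client-side error is raised in the function handling the server's certificate request, with the PSE named in the trace.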