on 09-06-2018 9:43 AM
Hello,
We are performing an upgrade on a standalone Java system, and we are in the downtime phase (Restart Java phase). SUM is trying to restart SAP Java, and the system is up and running fine. But SUM is not detecting that Java is up, since it is trying the following sapcontrol command, and it doesn't work:
/usr/sap/<SID>/J00/exe/sapcontrol -prot NI_HTTPS -nr 00 -function GetProcessList
06.09.2018 01:24:56 GetProcessList FAIL: SSSLERR_SSL_CONNECT, SapSSLSessionStart failed in plugin_fopen()
Whereas the sapcontrol command with HTTP works:
/usr/sap/<SID>/J00/exe/sapcontrol -prot NI_HTTP -nr 00 -function GetProcessList
06.09.2018 01:28:11 GetProcessList OK
name, description, dispstatus, textstatus, starttime, elapsedtime, pid
jstart, J2EE Server, GREEN, All processes running, 2018 09 04 20:55:26, 28:32:45, 48037
igswd_mt, IGS Watchdog, GREEN, Running, 2018 09 04 20:55:26, 28:32:45, 48038
Please find below log with the debug option,
/usr/sap/<sid>/J00/exe/sapcontrol -prot NI_HTTPS -nr 00 -function GetProcessList -debug
Thu Sep 6 01:34:54 2018
NiIInit: allocated nitab (2048 at 7f50d7443010)
NiIHSBufInit: initialize hostname buffer (IPv4)
NiHLInit: alloc host buf (100 entries)
NiSrvLInit: alloc serv bufs (100 entries)
***LOG Q0I=> NiPGetServByName: 'sapctrls00' not found: getaddrinfo [niuxi.c 1814]
NiSrvLGetServNo: service name 'sapctrls00' not found by operating system
<<- SapSSLSetTraceFile()==SAP_O_K
->> SapSSLInit(read_profile=0, &init_params=7fff7965fe10, &return_reserved=(nil))
=================================================
= SSL Initialization platform tag=(linuxx86_64_gcc43)
= (721_STACK,Jun 16 2018,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
SapISSLComposeFilename(ssl_lib): using default "libsapcrypto.so"
DlLoadLib() success: dlopen("libsapcrypto.so"), hdl 0
DlLoadFunc (SSL_API_startup) from libsapcrypto.so
DlLoadFunc (SSL_API_cleanup) from libsapcrypto.so
DlLoadFunc (SSL_API_get_last_error) from libsapcrypto.so
DlLoadFunc (SSL_check_last_io) from libsapcrypto.so
DlLoadFunc (SSL_new) from libsapcrypto.so
DlLoadFunc (SSL_duplicate) from libsapcrypto.so
DlLoadFunc (SSL_set_session_by_ssl) from libsapcrypto.so
DlLoadFunc (SSL_clear) from libsapcrypto.so
DlLoadFunc (SSL_set_fd) from libsapcrypto.so
DlLoadFunc (SSL_accept) from libsapcrypto.so
DlLoadFunc (SSL_connect) from libsapcrypto.so
DlLoadFunc (SSL_set_verify_mode) from libsapcrypto.so
DlLoadFunc (SSL_get_state) from libsapcrypto.so
DlLoadFunc (SSL_read) from libsapcrypto.so
DlLoadFunc (SSL_write) from libsapcrypto.so
DlLoadFunc (SSL_pending) from libsapcrypto.so
DlLoadFunc (SSL_set_shutdown_mode) from libsapcrypto.so
DlLoadFunc (SSL_shutdown) from libsapcrypto.so
DlLoadFunc (SSL_free) from libsapcrypto.so
DlLoadFunc (SSL_renegotiate) from libsapcrypto.so
DlLoadFunc (SSL_ctrl) from libsapcrypto.so
DlLoadFunc (SSL_do_handshake) from libsapcrypto.so
DlLoadFunc (SSL_is_session_resumed) from libsapcrypto.so
DlLoadFunc (SSL_get_session) from libsapcrypto.so
DlLoadFunc (SSL_get_state_description_long) from libsapcrypto.so
DlLoadFunc (SSL_get_certificate_request_ca_dnames) from libsapcrypto.so
DlLoadFunc (SSL_CTX_new) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_default_pse_by_name) from libsapcrypto.so
DlLoadFunc (SSL_CTX_get_default_pse_cert) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_default_verify_mode) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_options) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_session_cache_mode) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_session_cache_max_items) from libsapcrypto.so
DlLoadFunc (SSL_CTX_get_session_cache_number) from libsapcrypto.so
DlLoadFunc (SSL_CTX_get_default_cipher_suites) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_default_cipher_suites) from libsapcrypto.so
DlLoadFunc (SSL_CTX_flush_session_cache) from libsapcrypto.so
DlLoadFunc (SSL_CTX_free) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_protocol_version_flags) from libsapcrypto.so
DlLoadFunc (SSL_CTX_get_protocol_version_flags) from libsapcrypto.so
DlLoadFunc (SSL_get_protocol_version_numbers) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_alpn_protocols) from libsapcrypto.so
DlLoadFunc (SSL_set_alpn_protocols) from libsapcrypto.so
DlLoadFunc (SSL_get_alpn_protocol) from libsapcrypto.so
DlLoadFunc (SSL_get_peer_certificates) from libsapcrypto.so
DlLoadFunc (SSL_CIPHER_SUITE_get_name_info) from libsapcrypto.so
DlLoadFunc (SSL_CIPHER_SUITE_get_info) from libsapcrypto.so
DlLoadFunc (SSL_CIPHER_SUITE_get_sym_key_size) from libsapcrypto.so
DlLoadFunc (SSL_get_cipher_suite_used) from libsapcrypto.so
DlLoadFunc (SSL_get_cipher_suite_used_id) from libsapcrypto.so
DlLoadFunc (SSL_get_cipher_suites) from libsapcrypto.so
DlLoadFunc (SSL_get_cipher_suites_peer) from libsapcrypto.so
DlLoadFunc (SSL_SESSION_set_timeout) from libsapcrypto.so
DlLoadFunc (SSL_SESSION_get_session_id) from libsapcrypto.so
DlLoadFunc (SSL_set_type) from libsapcrypto.so
DlLoadFunc (SSL_set_read_ahead_mode) from libsapcrypto.so
DlLoadFunc (SSL_set_bio) from libsapcrypto.so
DlLoadFunc (BIO_new) from libsapcrypto.so
DlLoadFunc (BIO_free) from libsapcrypto.so
DlLoadFunc (BIO_free_all) from libsapcrypto.so
DlLoadFunc (BIO_read) from libsapcrypto.so
DlLoadFunc (BIO_write) from libsapcrypto.so
DlLoadFunc (BIO_mem_get_mem) from libsapcrypto.so
DlLoadFunc (aux_sprint_error) from libsapcrypto.so
DlLoadFunc (th_last_error) from libsapcrypto.so
DlLoadFunc (th_get_last_error_text) from libsapcrypto.so
DlLoadFunc (aux_free) from libsapcrypto.so
DlLoadFunc (aux_free_error) from libsapcrypto.so
DlLoadFunc (aux_get_Certificate_n_from_Certificates) from libsapcrypto.so
DlLoadFunc (e_Certificate) from libsapcrypto.so
DlLoadFunc (aux_get_serialnumber_of_Certificate) from libsapcrypto.so
DlLoadFunc (aux_get_subject_of_Certificate) from libsapcrypto.so
DlLoadFunc (aux_get_issuer_of_Certificate) from libsapcrypto.so
DlLoadFunc (aux_cmp_DName) from libsapcrypto.so
DlLoadFunc (aux_sprint_DName) from libsapcrypto.so
DlLoadFunc (aux_free_String) from libsapcrypto.so
DlLoadFunc (aux_free_OctetString) from libsapcrypto.so
DlLoadFunc (sapcr_init) from libsapcrypto.so
DlLoadFunc (sapcr_done) from libsapcrypto.so
DlLoadFunc (sapcr_get_version) from libsapcrypto.so
DlLoadFunc (sapcr_get_secudir) from libsapcrypto.so
DlLoadFunc (sapcr_set_secudir) from libsapcrypto.so
DlLoadFunc (sapcr_config) from libsapcrypto.so
DlLoadFunc (sapsecu_create_CertEntryList) from libsapcrypto.so
DlLoadFunc (sapsecu_free_CertEntryList) from libsapcrypto.so
DlLoadFunc (sapsecu_sprint_CertEntryList) from libsapcrypto.so
DlLoadFunc (sap_create_memory_PSE) from libsapcrypto.so
DlLoadFunc (sap_delete_memory_PSE) from libsapcrypto.so
DlLoadFunc (sap_load_memory_PSE) from libsapcrypto.so
DlLoadFunc (sapcr_set_property_int) from libsapcrypto.so
DlLoadFunc (sapcr_get_property_int) from libsapcrypto.so
DlLoadFunc (Sapcryptolib_RegisterTraceCallback) from libsapcrypto.so
DlLoadFunc (Sapcryptolib_SetTraceLevel) from libsapcrypto.so
= disabled FIPS 140-2 crypto kernel
= found CommonCryptoLib 8.5.21 (Apr 17 2018) [AES-NI,CLMUL,SSE3,SSSE3]
= current UserID: "<sid>adm", env-var USER="<sid>adm"
*************************
*** No $(DIR_INSTANCE), maybe you should define env-var SECUDIR ?
*************************
= SECUDIR location determined through "HOME" --
= using SECUDIR=/home/<sid>adm/sec
= using sssl_pse_dir="/home/<sid>adm/sec"
SapISSLComposeFilename(server_pse): using default "/home/<sid>adm/sec/SAPSSLS.pse"
SapISSLComposeFilename(client_pse): using default "/home/<sid>adm/sec/SAPSSLC.pse"
SapISSLComposeFilename(anon_pse): Filename = "#_MemPSE_#040000991503123000000001"
= AnonClient SSL_CTX e99ad0 pvflags=128 (TLSv1.0)
= ciphersuites=HIGH:MEDIUM:+e3DES
= The Anonymous Client SSL_CTX provides these 5 cipher suites:
= 1. TLS_RSA_WITH_AES128_CBC_SHA
= 2. TLS_RSA_WITH_AES256_CBC_SHA
= 3. TLS_RSA_WITH_RC4_128_SHA
= 4. TLS_RSA_WITH_RC4_128_MD5
= 5. TLS_RSA_WITH_3DES_EDE_CBC_SHA
= Success -- SapCryptoLib SSL ready!
=================================================
<<- SapSSLInit(read_profile=0)==SAP_O_K
addrinfo of 'localhost':
0: 127.0.0.1:0 'localhost.localdomain' RAW (2-2-3-0-16)
NiHLGetNodeAddr: got hostname 'localhost' from operating system
NiIGetNodeAddr: hostname 'localhost' = addr 127.0.0.1
NiIGetServNo: servicename '50014' = port 50014
NiICreateHandle: hdl 1 state NI_INITIAL_CON
NiILocalCheck: local loopback address: 127.0.0.1
NiIInitSocket: set default settings for new hdl 1/sock 3 (UD; ST)
NiIBlockMode: set blockmode for hdl 1 FALSE
NiITraceByteOrder: CPU byte order: little endian, reverse network, low val .. high val
NiIConnectSocket: hdl 1 is connecting to /tmp/.sapstream50014 (timeout=-1)
NiIConnectSocket: connection of hdl 1 established to /tmp/.sapstream50014
NiIConnect: state of hdl 1 NI_CONNECTED
NiIBlockMode: set blockmode for hdl 1 TRUE
->> SapSSLSessionInit(&sssl_hdl=7fff7964f640, role=1 (CLIENT), auth_type=4 (ANON_SRVCERT_NO_VERIFY))
Warning: SSSL_AUTH_SERVER_CERT_NO_VERIFY requested for sssl_hdl=ea0d70
<<- SapSSLSessionInit()==SAP_O_K
in: args = "role=3 (ANONYMOUS-CLIENT), auth_type=4 (ANON_SRVCERT_NO_VERIFY)"
out: sssl_hdl = ea0d70
->> SapSSLSetNiHdl(sssl_hdl=ea0d70, ni_hdl=1)
SSL NI-hdl 1: unix domain socket="/tmp/.sapstream50014"
<<- SapSSLSetNiHdl(sssl_hdl=ea0d70, ni_hdl=1)==SAP_O_K
->> SapSSLSetTargetHostname(sssl_hdl=ea0d70, &hostname=7fff7964f580)
<<- SapSSLSetTargetHostname(sssl_hdl=ea0d70)==SAP_O_K
in: hostname = "localhost"
->> SapSSLSetSessionParam(sssl_hdl=ea0d70, sparam=TLSEXT_SNI_HOSTNAME, iarg=0, parg=7fff7964f580)
<<- SapSSLSetSessionParam(sssl_hdl=ea0d70)==SAP_O_K
in: sssl_hdl = ea0d70
in: sparam = "TLSEXT_SNI_HOSTNAME"
in: iarg = 0
in: parg = "localhost"
->> SapSSLSessionStart(sssl_hdl=ea0d70)
NiIBlockMode: leave blockmode for hdl 1 TRUE
NiIBlockMode: set blockmode for hdl 1 FALSE
NiIHdlGetStatus: hdl 1/sock 3 ok, no data pending
NiIBlockMode: set blockmode for hdl 1 TRUE
SapISSLUseSessionCache(): Creating NEW session (0 cached)
SSL_get_state()==0x2120 "TLS read server hello A"
*** ERROR during SecuSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
acli SSL session PSE "#_MemPSE_#040000991503123000000001"
session ciphersuites=HIGH:MEDIUM:+e3DES
AnonClient SSL_CTX e99ad0 pvflags=128 (TLSv1.0)
TLSextSNI server_name="localhost"
SecuSSL_SessionStart: SSL_connect() failed (536875120/0x20001070)
=> "received a fatal TLS protocol version alert message from the peer"
>> ---------- Begin of Secu-SSL Errorstack ---------- >>
0x20001070 | SAPCRYPTOLIB | SSL_connect SSL API error received a fatal TLS protocol version alert message from the peer
0xa0600278 | SSL | ssl3_connect received a fatal TLS protocol version alert message from the peer
0xa0600278 | SSL | ssl3_read_bytes received a fatal TLS protocol version alert message from the peer
<< ---------- End of Secu-SSL Errorstack ----------
(No certificate request received from Server)
Target Hostname="localhost"
SSL NI-hdl 1: unix domain socket="/tmp/.sapstream50014"
<<- ERROR: SapSSLSessionStart(sssl_hdl=ea0d70)==SSSLERR_SSL_CONNECT
NiICloseHandle: shutdown and close hdl 1/sock 3
->> SapSSLSessionDone(&sssl_hdl=7fff7964f640)
<<- SapSSLSessionDone()==SAP_O_K
in: sssl_hdl = ea0d70
in/out: ... ni_hdl = 1
->> SapSSLErrorName(rc=-57)
<<- SapSSLErrorName()==SSSLERR_SSL_CONNECT
06.09.2018 01:34:54 GetProcessList FAIL: SSSLERR_SSL_CONNECT, SapSSLSessionStart failed in plugin_fopen()
I'm not able to reset SUM, as I'm in the execution phase.
Can you please let me know how to resolve this, or how I would set SUM to use HTTP for sapcontrol commands?
Many thanks!
Regards,
San
Check following SAP blog:
https://blogs.sap.com/2015/04/04/secure-server-communication-in-sap-netweaver-as-abap/
And related SAP Note:
1642340 - sapcontrol SSL usage
Hi Bartosz,
Thanks for the links.
The -function AccessCheck option looks fine,
/usr/sap/<SID>/J00/exe/sapcontrol -nr 00 -systempki /sapmnt/<SID>/profile/<SID>_J00_sap<sid> -function AccessCheck Stop
06.09.2018 19:35:12 AccessCheck OK
But the same with HTTPS doesn't work,
/usr/sap/<SID>/J00/exe/sapcontrol -nr 00 -systempki /sapmnt/<SID>/profile/<SID>_J00_sap<sid> -prot NI_HTTPS -function AccessCheck Stop
06.09.2018 19:57:03 AccessCheck FAIL: SSSLERR_SSL_CONNECT, SapSSLSessionStart failed in plugin_fopen()
The debug option gives the same error mentioned.
We are on kernel 721_ext patch 1100.
Thanks,
Sandeep