
Error in SM59 ICM_HTTP_SSL_ERROR

Former Member
0 Kudos

Hello,

I am trying to connect to a web server from SAP WebAS using HTTPS.

Accordingly, I created an RFC Destination of type G, activated SSL and selected ANONYM SSL Client. I also imported both the certificates (public and private) under SSL Client Anonymous. After importing, I restarted the ICM as well (in fact the server was also restarted afterwards).

Still, when I tried the test connection it gave the following error: "ICM_HTTP_SSL_ERROR". When I looked at the trace I found the following error:

[Thr 2314] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 2314]    session uses PSE file "/usr/sap/D06/DVEBMGS06/sec/SAPSSLA.pse"
[Thr 2314] SecudeSSL_SessionStart: SSL_connect() failed
  secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 2314] >>            Begin of Secude-SSL Errorstack            >>
[Thr 2314] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "EMAIL=email OU=TSG,
ERROR in get_path: (27/0x001b) Found root certificate of <EMAIL=email, OU=TSG, O=TEST, SP=Goergia, L=Atlant
ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <EMAIL=email, OU=TSG, O=TEST, SP=Goergia, L
[Thr 2314] <<            End of Secude-SSL Errorstack
[Thr 2314]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 2314]   SSL NI-sock: local=localIP:10845  peer=targetIP:6413
[Thr 2314] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x1810a56f0)==SSSLERR_SSL_CONNECT
[Thr 2314] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00010740} [icxxconn_mt.c 201

I have checked a few notes and also one blog which describes this error, but all they say is to import the certificates into the certificate stores, which I already did. Is there something I am missing in the configuration?

One thing I noticed when I imported the certificates: the OU value in STRUST is different from the 'TSG' which is displayed in the error. Is it by chance looking at the wrong certificate file?

Thanks in advance.

Regards

Rajeev

Former Member
0 Kudos

Hi Sree,

Thanks for your reply, but can you let me know what those services are? I tried to find SSL services in SICF and only found 2: CACHE_SSL and CACHE_GUI_SSL. Both of them are for XI and I do not have XI at my place.

I am trying to connect from SAP ECC 6 server to external Web server.

Thanks and Regards

Rajeev

Former Member
0 Kudos

Hi,

Try enabling all the services that start with ICM.

Do as follows:

Execute SICF. By default, you will see Hierarchy type SERVICE; clear that field. Now, in the text field that corresponds to Service Name, type ICM and then Execute (F8). You get a couple of services here; activate all of them.

Hope this helps,

regards,

Sree.

Former Member
0 Kudos

Hi,

>Try Enabling all the services that start with ICM.

That is indeed a bad idea: this would be a security hazard in the system.

The rule is: only activate the necessary services in SICF.

The problem of the original poster is about the chain of certificates.

He should check if the SSL server certificate includes not only the root CA but also an intermediate CA.

If yes, he should import this sub CA certificate in STRUST client certificate, AND restart the ICM.

Regards,

Olivier
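
An added example, not part of any post in this thread: a small Python triage of the ICM trace from the original question, showing which PSE the handshake actually used and that the failure is an incomplete chain. The mapping from PSE file name to STRUST node assumes SAP's default file names; `triage` and `advice` are names chosen here.

```python
import re

# Trace lines copied from the original post (truncated there; kept truncated).
TRACE = """\
[Thr 2314] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 2314]    session uses PSE file "/usr/sap/D06/DVEBMGS06/sec/SAPSSLA.pse"
[Thr 2314] SecudeSSL_SessionStart: SSL_connect() failed
  secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "EMAIL=email OU=TSG,
[Thr 2314]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 2314]   SSL NI-sock: local=localIP:10845  peer=targetIP:6413
"""

# Default PSE file names and the STRUST node each belongs to (assumes defaults).
PSE_NODES = {
    "SAPSSLA.pse": "SSL client Anonymous",
    "SAPSSLC.pse": "SSL client Standard",
    "SAPSSLS.pse": "SSL server Standard",
    "SAPSYS.pse": "System PSE",
}

def triage(trace: str) -> dict:
    """Extract the facts needed to decide which trust store to fix."""
    out = {"pse": None, "node": None, "code": None, "reason": None,
           "state": None, "peer": None, "chain_incomplete": False, "issuer_hint": None}
    for line in trace.splitlines():
        if m := re.search(r'session uses PSE file "([^"]+)"', line):
            out["pse"] = m.group(1)
            out["node"] = PSE_NODES.get(m.group(1).rsplit("/", 1)[-1], "unknown")
        elif m := re.search(r'secude_error (\d+) \(0x[0-9a-fA-F]+\) = "([^"]*)"', line):
            out["code"], out["reason"] = int(m.group(1)), m.group(2)
        elif m := re.search(r'SSL_get_state\(\) returned \S+ "([^"]*)"', line):
            out["state"] = m.group(1)
        elif m := re.search(r"peer=(\S+)", line):
            out["peer"] = m.group(1)
        elif m := re.search(r'Chain of certificates is incomplete\s*:\s*"?(.*)', line):
            out["chain_incomplete"] = True
            out["issuer_hint"] = m.group(1).strip().rstrip(",")  # DN is cut off in the trace
    return out

def advice(t: dict) -> str:
    if t["chain_incomplete"]:
        return (f"Peer {t['peer']}: chain could not be built from {t['node']} "
                f"({t['pse']}); compare the CA certificates in that node with "
                f"the DN fragment '{t['issuer_hint']}'.")
    return f"Peer {t['peer']}: handshake failed ({t['reason']}) using {t['node']}."

if __name__ == "__main__":
    print(advice(triage(TRACE)))
```

For the posted trace this reports the SSL client Anonymous PSE, so that is the node whose certificate list has to contain every CA in the server's chain.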

Accepted Solutions (1)

former_member906139
Active Participant
0 Kudos

Hello,

For this error, I believe you need to import the CA Server Root Certificate. The errors say "Chain of certificates is incomplete", which means your ABAP stack doesn't know the CA Server identification.

Regards,

Abhay

Former Member
0 Kudos

Hi Abhay,

Thanks for the reply. Actually I received 2 certificate files, out of which I guess (not sure though) one is the server root certificate. I had imported both of them under the SSL Client Anonymous store. Do I need to import them at some other place?

Regards

Rajeev

Answers (4)

Former Member
0 Kudos

Hi Rajeev,

I am stuck in a similar situation, though the main task for me is to enable the SSL option for a type G RFC and make a successful connection. SAP suggested following Notes 210020 and 51007 to activate TLSv1.2 and disable SSLv3.0. I downloaded the latest -1 SAPCRYPTO library files, now known as CCL (Common Crypto Lib).

Enabled the following profile changes on ABAP:

ssf/name = SAPSECULIB

ssf/ssfapi_lib = <sapcrypto file path>

sec/libsapsecu = <sapcrypto file path>

ssl/ssl_lib = <sapcrypto file path>

icm/server_port_00 =

icm/HTTPS/verify_client = 2

Installed a digitally signed Entrust certificate and imported it to the SSL standard node. Created an SSL client, activated the SSL option for the type G RFC and still get an unsuccessful connection test.

Sharing ICM trace log :

Former Member
0 Kudos

There was a problem with the certificate. Once I received the correct certificate, the connection was successful.

Former Member
0 Kudos

Hi Rajeev,

Try accessing that web server through https URL. Check the certificate availability.

If the certificate is available, then check the certificate details whether the details match with the one you have imported in SSL Client Standard.

If both do not match, then you will not be able to do a handshake with the server and you will get the above pasted error.

Please revert with the observations.

Best Regards

Raghu

Former Member
0 Kudos

Hi Rajeev,

It seems that the certificate verification is not happening properly.

Import the public key certificate of the web server you are trying to connect in the SSL Client Standard.

In SM59 select SSL Client standard.

Try connecting again.

Best Regards

Raghu.

Former Member
0 Kudos

Hi Raghu,

Tried that as well. I have received 2 files. One public key certificate file and other root cert file for the same.

I tried importing both under SSL Client Default and SSL Client Anonymous and changing RFC destination accordingly. Do I need to activate any other nodes in STRUST?

I had activated the SSL Server Standard and System PSE nodes apart from SSL Client Default and Anonymous. All the rest are inactive, i.e. with a red cross mark.

Thanks in advance.

Regards

Rajeev