Former Member

Error in SM59 ICM_HTTP_SSL_ERROR

Hello,

I am trying to connect to a web server from SAP WebAS using HTTPS.

Accordingly I created an RFC destination of type G, activated SSL and selected ANONYM SSL Client. Also I imported both the certificates (public and private) under SSL Client Anonymous. After importing I restarted the ICM as well (in fact the server was also restarted afterwards).

Still, when I tried to do the test connection it gave the following error: "ICM_HTTP_SSL_ERROR". When I looked at the trace I found the following error:

[Thr 2314] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 2314]    session uses PSE file "/usr/sap/D06/DVEBMGS06/sec/SAPSSLA.pse"
[Thr 2314] SecudeSSL_SessionStart: SSL_connect() failed
  secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 2314] >>            Begin of Secude-SSL Errorstack            >>
[Thr 2314] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "EMAIL=email OU=TSG,
ERROR in get_path: (27/0x001b) Found root certificate of <EMAIL=email, OU=TSG, O=TEST, SP=Goergia, L=Atlant
ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <EMAIL=email, OU=TSG, O=TEST, SP=Goergia, L
[Thr 2314] <<            End of Secude-SSL Errorstack
[Thr 2314]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 2314]   SSL NI-sock: local=localIP:10845  peer=targetIP:6413
[Thr 2314] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x1810a56f0)==SSSLERR_SSL_CONNECT
[Thr 2314] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00010740} [icxxconn_mt.c 201

I had checked a few notes and also one blog which describes this error, but all it says is about importing the certificates to the certificate stores, which I already did. Is there something I am missing in configuration?

One thing I noticed when I imported the certificates: the OU value is different in STRUST than 'TSG' which is displayed in the error. Is it by chance looking at the wrong certificate file?

Thanks in advance.

Regards

Rajeev
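
The trace in the post above already names the PSE file the session used and the step at which chain verification stopped. As an added example (not part of the original thread), this Python sketch pulls those fields out of the posted lines; the file-name-to-STRUST-node table and the function names are assumptions of the example.

```python
import os
import re

# Trace lines copied from the post above (truncated as posted).
TRACE = """\
[Thr 2314] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 2314]    session uses PSE file "/usr/sap/D06/DVEBMGS06/sec/SAPSSLA.pse"
  secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 2314] >>            Begin of Secude-SSL Errorstack            >>
[Thr 2314] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "EMAIL=email OU=TSG,
ERROR in get_path: (27/0x001b) Found root certificate of <EMAIL=email, OU=TSG, O=TEST, SP=Goergia, L=Atlant
[Thr 2314] <<            End of Secude-SSL Errorstack
"""

# Standard PSE file names and the STRUST node each one backs (assumed defaults).
PSE_NODES = {"SAPSSLA.pse": "SSL client Anonymous",
             "SAPSSLC.pse": "SSL client Standard",
             "SAPSSLS.pse": "SSL server Standard"}

def parse_ssl_failure(trace):
    """Extract the PSE in use, the Secude error stack and the DN it printed."""
    pse = re.search(r'session uses PSE file "([^"]+)"', trace)
    stack = [(fn, int(code), msg.strip()) for fn, code, msg in
             re.findall(r"ERROR in (\w+): \((\d+)/0x[0-9a-fA-F]+\) (.*)", trace)]
    # DN attributes as printed in the stack; values containing spaces are cut short.
    dn = dict(re.findall(r'\b([A-Z]+)=([^,<>"\s]+)', " ".join(m for _, _, m in stack)))
    pse_file = os.path.basename(pse.group(1)) if pse else None
    return {"pse": pse.group(1) if pse else None,
            "node": PSE_NODES.get(pse_file, "unknown"),
            "stack": stack, "dn": dn}

def diagnose(result):
    """Turn the parsed trace into the comparison to make in STRUST."""
    incomplete = any("Chain of certificates is incomplete" in msg
                     for _, _, msg in result["stack"])
    if not incomplete:
        return "no certificate chain error in this trace"
    return ("chain incomplete: compare the issuer of the server certificate "
            f"(OU={result['dn'].get('OU', '?')}) with the certificate list of "
            f"'{result['node']}' ({result['pse']})")

if __name__ == "__main__":
    parsed = parse_ssl_failure(TRACE)
    for fn, code, msg in parsed["stack"]:
        print(f"{code:>3}  {fn}: {msg}")
    print(diagnose(parsed))
```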


6 Answers

  • Best Answer
    Former Member
    Sep 08, 2009 at 09:04 AM

    Hello,

    For this error, I believe you need to import the CA Server Root Certificate. The errors say "Chain of certificates is incomplete", which means your ABAP stack doesn't know the CA Server identification.

    Regards,

    Abhay


    • Former Member

      Hi Abhay,

      Thanks for the reply. Actually I received 2 certificate files, out of which I guess (not sure though) one is the server root certificate. I had imported both of them under the SSL Client Anonymous store. Do I need to import at some other place?

      Regards

      Rajeev

  • Former Member
    Sep 08, 2009 at 07:34 AM

    Hi Rajeev,

    It seems like you have got some problem with the Secure Sockets Layer.

    Have you checked in transaction code SICF whether your ICM services are activated or not? If not, activate them immediately.

    There are a couple of ICM services in SICF; activate them all. Hope this helps.

    Let us know.

    regards,

    Sree.


    • Former Member

      Hi,

      >Try Enabling all the services that start with ICM.

      That is indeed a bad idea: this would be a security hazard in the system.

      The rule is: only activate the necessary services in SICF.

      The problem of the original poster is about the chain of certificates.

      He should check if the SSL server certificate includes not only the root CA but also an intermediate CA.

      If yes, he should import this sub CA certificate in STRUST client certificate. AND restart the ICM.

      Regards,

      Olivier

  • Former Member
    Sep 08, 2009 at 09:37 AM

    Hi Rajeev,

    It seems that the certificate verification is not happening properly.

    Import the public key certificate of the web server you are trying to connect in the SSL Client Standard.

    In SM59 select SSL Client standard.

    Try connecting again.

    Best Regards

    Raghu.


    • Former Member

      Hi Raghu,

      Tried that as well. I have received 2 files. One public key certificate file and other root cert file for the same.

      I tried importing both under SSL Client Default and SSL Client Anonymous and changing RFC destination accordingly. Do I need to activate any other nodes in STRUST?

      I had activated SSL Server Standard and System PSE nodes apart from SSL Client Default and Anonymous. Rest of all are inactive i.e. with red cross mark.

      Thanks in advance.

      Regards

      Rajeev

  • Former Member
    Sep 08, 2009 at 11:02 AM

    Hi Rajeev,

    Try accessing that web server through https URL. Check the certificate availability.

    If the certificate is available, then check the certificate details whether the details match with the one you have imported in SSL Client Standard.

    If both do not match, then you will not be able to do a handshake with the server and you will get the above pasted error.

    Please revert with the observations.

    Best Regards

    Raghu


  • Former Member
    Mar 25, 2010 at 12:32 PM

    There was the problem with the certificate. Once I received the correct certificate, the connection was successful.


  • Former Member
    Aug 17, 2015 at 03:05 PM

    Hi Rajeev,

    I am stuck in a similar situation, though the main task for me is to enable the SSL option for type G RFC and make a successful connection. SAP suggested following Note 210020 and 51007, to activate TLSv1.2 and disable SSLv3.0. Downloaded latest -1 SAPCRYPTO library files, now known as CCL (Common Crypto Lib).

    Enabled the following profile changes on ABAP:

    ssf/name = SAPSECULIB

    ssf/ssfapi_lib = <sapcrypto file path>

    sec/libsapsecu = <sapcrypto file path>

    ssl/ssl_lib = <sapcrypto file path>

    icm/server_port_00 =

    icm/HTTPS/verify_client = 2

    Installed digitally signed Entrust certificates and imported to SSL standard node. Created SSL client, activated SSL option for type G RFC and still get unsuccessful connection test.

    Sharing ICM trace log :
