GSS-API(min): A2210235:Name component missing in my certificate

I set up a connection between an ABAP application server (release 701 SP 0020) and a Unix server (CommonCryptoLib 8.5.22, JCo 3.0.13) according to note 2642538.

The public certificate files have been exchanged and imported into STRUST of the ABAP server and into the PSE of the Unix machine.
On the ABAP server side the canonical names in STRUST, SU01 and SM30 (VSNCSYSACL) look fine and parameter snc/identity/as shows the correct SNC-Name according to STRUST->SNC SAPCryptoLib.
On the Unix machine I can see a valid certificate in the PKList of the PSE. The cred_v2 file is there and the user seems to have access to the PSE. Environment variables SNC_LIB and SECUDIR are set and recognized by sapgenpse.

When trying to execute the StepByStepClient from the SAP JCo examples I get the following error:
GSS-API(min): A2210235:Name component missing in my certificate
target="p:CN=XX, OU=Xxxxxx, O=Xxxxxx, L=Xxxxxx, C=XX" (names masked)
MODULE sncxxall_mt.c
LINE 3551
DETAIL SncPEstablishContext
SYSTEM_CALL gss_init_sec_context

The list of SNC error codes from SAP Help just says:
A2210235 Name component missing in my certificate.
The use of a special certificate component as SNC name has been configured, but the certificate does not contain this component nor any of the configured fallbacks.

This looks weird, as I can see the certificate in the PKList of the PSE (sapgenpse maintain_pk -l) and the Subject-Name of the certificate matches the SNC-Name I provided as jco.client.snc_partnername.

As soon as I set the parameter jco.client.snc_mode to 0 and provide properties for jco.client username and password I am able to connect the systems without the use of SNC.

I'm thinking of the "L=..." in SNC-name being the root cause of the problem?!?


2 Answers

  • Nov 11, 2018 at 09:30 AM

    Hi Ronald,

    Indeed, that sounds like a weird issue potentially related to the naming of the certificate. As it says "Name component missing in my certificate" I would assume it is about the certificate within the PSE on the Unix host, or? So your certificate and not the SNC partner.

    I would first try to enable CCL level 4 traces and analyze the root cause on both sides. For Unix enable tracing as described in note 1848999. For ABAP you can use profile parameters as well, the configuration is described in note 2338952.

    Also make sure on the other side (ABAP) you are not using a SAPCryptoLib 5.x but a CCL with at least 8.5.20+. In addition, check for any "special" settings such as ccl/* profile parameters eventually influencing SNC name conversion, encoding, upper/lower case transformations and the likes...

    Cheers, Carsten


  • Nov 12, 2018 at 05:12 PM

    I can't find any ccl parameters on the AS ABAP. The CCL version installed on AS ABAP is 8.5.19. I'm not sure if this version is compatible with the SAP release 701, as according to note 1848999 the CommonCryptoLib is only fully compatible with at least kernel release 7.2 patch level 88.

    I tried to generate a new PSE on the Unix client side with a short SNC name that only contains the CN, but I'm still getting the same error message.

    Thanks for the hint reg. the sec-trace.
    What I can see from the trace is the following after sending the AuthResponse to the server AS ABAP:
    Received alert code A2210235
    <-- Msg 2010-1.1-sr-ecdhe Alert process failed : errval=D0000, minor_status=A2210235
