Former Member

Verify Chain for SSL Client

Hello,

I'm trying to configure a Type G RFC connection. Now that I have CryptoLib correctly installed, the SSL PSEs are now available. In order to get a functioning RFC, I've navigated to the destination with my browser and saved the 3 certificates in the chain (Root, Intermediate, and actual site). Once saved to my computer, I selected the Anonymous SSL Client's PSE and imported the certificates. After the PSE was saved, I restarted the ICM via SMICM. After those steps, the following error is still reported in the ICM trace file:

[Thr 1116555584] Mon Nov 15 11:13:18 2010
[Thr 1116555584] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 1116555584]    session uses PSE file "/usr/sap/XS1/DVEBMGS00/sec/SAPSSLA.pse"
[Thr 1116555584] SecudeSSL_SessionStart: SSL_connect() failed
  secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 1116555584] >>            Begin of Secude-SSL Errorstack            >>
[Thr 1116555584] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Class 3 Public Primary Certification Auth
ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
[Thr 1116555584] <<            End of Secude-SSL Errorstack
[Thr 1116555584]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 1116555584]   SSL NI-sock: local=10.1.10.33:58418  peer=20.137.54.91:443
[Thr 1116555584] <<- ERROR: SapSSLSessionStart(sssl_hdl=0xdf47dc0)==SSSLERR_SSL_CONNECT
[Thr 1116555584] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00042ae6} [icxxconn_mt

The RFC is using the FQDN for the target, and not the IP address. As far as I can tell, all the appropriate certificates have been added to the correct PSE. An SSL connection for a client not requiring certificate login only needs to be trusted on the client end, correct? Anything immediately obvious that I may have missed?

Thank you,

Zach


1 Answer

  • Former Member
    Nov 15, 2010 at 05:48 PM

    I had a window of opportunity to restart the WebAS. This fixed the error. I read in the manual that restarting the ICM was the only requirement; however, the mechanism in SMICM must not be sufficient.

    Issue resolved.

    Thank you,

    Zach
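
For triaging a trace like the one in the question, the following added example (not part of the original thread and not SAP code) unwraps the hard-wrapped ICM trace lines and pulls out the PSE file in use, the secude error, the errorstack entries and the peer. The function names `unwrap` and `triage` are hypothetical, and the sample input is constructed from the lines quoted above.

```python
import re

# Constructed sample: lines from the trace quoted in the question, hard-wrapped
# the same way (continuation lines carry no "[Thr ...]" prefix).
SAMPLE_TRACE = """\
[Thr 1116555584]    session uses PSE file "/usr/sap/XS1/DVEBMGS00/sec/SAPSSLA.pse"
[Thr 1116555584] SecudeSSL_SessionStart: SSL_connect() failed
  secude_error 9 (0x00000009) = "the verification of the server's certificate chain
failed"
[Thr 1116555584] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification
of the server's certificate chain failed
ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete :
"OU=Class 3 Public Primary Certification Auth
ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates
is incomplete
[Thr 1116555584]   SSL NI-sock: local=10.1.10.33:58418  peer=20.137.54.91:443
"""

# A record starts with a thread tag, an errorstack entry, or the secude_error line.
RECORD_START = re.compile(r"^(\[Thr \d+\]|ERROR in |\s+secude_error )")

def unwrap(trace):
    """Rejoin hard-wrapped trace lines into one string per record."""
    records = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(trace):
    """Summarise a failed outbound SSL handshake from ICM trace text."""
    out = {"pse": None, "secude_error": None, "peer": None, "stack": []}
    for rec in unwrap(trace):
        rec = re.sub(r"^\[Thr \d+\]\s*", "", rec)
        if m := re.search(r'session uses PSE file "([^"]+)"', rec):
            out["pse"] = m.group(1)
        elif m := re.match(r'secude_error (\d+) \(0x[0-9a-fA-F]+\) = "([^"]*)"', rec):
            out["secude_error"] = (int(m.group(1)), m.group(2))
        elif m := re.match(r"ERROR in (\w+): \((\d+)/0x[0-9a-fA-F]+\) (.*)", rec):
            out["stack"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := re.search(r"peer=(\S+)", rec):
            out["peer"] = m.group(1)
    # Code 24 is what the trace on this page pairs with "chain ... is incomplete".
    out["incomplete_chain"] = any(code == 24 for _, code, _ in out["stack"])
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

The `pse` field confirms which PSE the failing session actually loaded, and the `af_verify_Certificates` entry carries the (here truncated) name reported alongside the incomplete-chain error.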
