
https with NWDI

Former Member
0 Kudos

Hi,

I am trying to set up an https connection to NWDI (NetWeaver 7.0).

SSL is enabled on Portal, so I can see it in my browser through https (https://<host>:50001/irj/portal), SLD and NWDI are on the same system.

Now I am trying to connect from NWDS 7.0, with the Development Configuration Pool URL set to "https://<host>:50001". I've set the path to the keystore file and I've done some additional configuration according to [http://help.sap.com/saphelp_nw70/helpdata/en/4c/941f407b402402e10000000a1550b0/frameset.htm].

After those steps, the "Ping server" button under Development Configuration Pool URL gave no results (no error, no success). I've found NWDS logs with an exception occurring on the ping server action: java.lang.NoClassDefFoundError: com/sap/security/api/certrevoc/CertRevocException.

After placing CertRevocException class in place, NWDS started to give error message on ping action: "Server certificate rejected by ChainVerifier", in log file I see different exception:

!MESSAGE Feb 24, 2011 2:50:31 PM com.sap.security.core.server.https.V3ChainVerifier.verify... [Thread[main,5,main]] Error: NamingException during CertRevoc access

[EXCEPTION]

javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial

at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:640)

at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)

at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:280)

at javax.naming.InitialContext.lookup(InitialContext.java:347)

at com.sap.security.core.server.https.V3ChainVerifier.verifyChain(V3ChainVerifier.java:281)

at iaik.security.ssl.x.a(Unknown Source)

at iaik.security.ssl.x.b(Unknown Source)

at iaik.security.ssl.x.a(Unknown Source)

at iaik.security.ssl.r.d(Unknown Source)

at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)

at iaik.security.ssl.SSLTransport.getInputStream(Unknown Source)

at iaik.security.ssl.SSLSocket.getInputStream(Unknown Source)

P.S. I also have NWDS 7.2 on my pc and it can successfully connect to that NWDI server, with same keystore file.

Accepted Solutions (1)


Former Member
0 Kudos

Hi

you have the wrong SAP crypto toolkit:

Feb 25, 2011 2:56:53 PM ....server.https.SecureConnectionFactory [Threadmain,5,main] Warning: SAP Java Crypto Toolkit NOT installed !

iaik_jce_export.jar delivered with 7.0 does not include strong crypto algorithms for SSL due to legal limitations/export regulations. You can download the uncrippled version named iaik_jce.jar from the market place (search for CRYPTO TOOLKIT or the like). Since 7.1x NWDS is delivered with the full iaik_jce.jar, that is the reason why your 7.20 works.

By the way: Make sure to remove iaik_jce_export.jar when you install iaik_jce.jar, otherwise you might get funny classloading problems.

Regards

Michael
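
One way to check for the duplicate-jar situation described in this reply before starting the IDE, as an added example that is not part of the original post or SAP's tooling: it walks a directory tree, opens every jar as a zip archive and reports classes in the `iaik/` package that more than one jar ships. The directory layout and the class names inside the demo jars are constructed placeholders.

```python
import os
import zipfile
from collections import defaultdict


def jars_by_class(root, package_prefix="iaik/"):
    """Map each .class entry under package_prefix to the jars that ship it."""
    providers = defaultdict(list)
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    entries = jar.namelist()
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable archive: skip it, keep scanning
            for entry in entries:
                if entry.startswith(package_prefix) and entry.endswith(".class"):
                    providers[entry].append(os.path.relpath(path, root))
    return providers


def conflicting_jars(root, package_prefix="iaik/"):
    """Return [(jar_paths, shared_class_count)] for classes shipped by 2+ jars."""
    groups = defaultdict(int)
    for jars in jars_by_class(root, package_prefix).values():
        if len(jars) > 1:
            groups[tuple(jars)] += 1
    return sorted(groups.items())


def build_demo_tree(root):
    """Constructed sample: placeholder class names, not real toolkit contents."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    contents = {
        "iaik_jce.jar": ["iaik/demo/Provider.class", "iaik/demo/Cipher.class",
                         "iaik/demo/Strong.class"],
        "iaik_jce_export.jar": ["iaik/demo/Provider.class", "iaik/demo/Cipher.class"],
        "other.jar": ["com/example/Unrelated.class"],
    }
    for jar_name, entries in contents.items():
        with zipfile.ZipFile(os.path.join(lib, jar_name), "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for jars, count in conflicting_jars(tmp):
            print(count, "classes shipped by both:", ", ".join(jars))
```

Any pair reported here means the class actually loaded depends on classloader order, which is the condition the reply warns about.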

Former Member
0 Kudos

Hi,

You are right, it was my mistake to use iaik_jce_export.jar; actually I had the proper version (iaik_jce.jar), but classes were loaded from "export".

Removing iaik_jce_export.jar helped with "SAP Java Crypto Toolkit NOT installed", and the process goes a little further, but now I have another exception.

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending v3 client_hello message, requesting version 3.1...

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received v3 server_hello handshake message.

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Server selected SSL version 3.1.

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Server created new session 01:CC:A4:BB:38:8B:32:38...

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): CompressionMethod selected by server: NULL

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received certificate handshake message with server certificate.

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Server sent a 1024 bit RSA certificate, chain has 1 elements.

Feb 28, 2011 4:18:31 PM ....https.V3ChainVerifier.verifyChain () [Thread[main,5,main]] Path: Entering method with ([Ljava.security.cert.X509Certificate;@ad8659, iaik.security.ssl.SSLTransport@4f459c)

Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Chain to verify:

Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: cert [0]

Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Subject: CN=<host>

Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Issuer: CN=<host>

Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Serial: c3f7e1d0

.......

Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: cert revocation status check entered for cert: 0

Feb 28, 2011 4:18:31 PM ....https.V3ChainVerifier.verifyChain () [Thread[main,5,main]] Error: NamingException during CertRevoc access [EXCEPTION]

javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial

at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:640)

at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)

at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:280)

at javax.naming.InitialContext.lookup(InitialContext.java:347)

at com.sap.security.core.server.https.V3ChainVerifier.verifyChain(V3ChainVerifier.java:281)

at iaik.security.ssl.x.a(Unknown Source)

at iaik.security.ssl.x.b(Unknown Source)

at iaik.security.ssl.x.a(Unknown Source)

at iaik.security.ssl.r.d(Unknown Source)

at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)

Former Member
0 Kudos

So, now the problem seems to be with the V3ChainVerifier class, which is trying to look up the CertRevoc service.

InitialContext ctx = new InitialContext();
CertRevocStatusService crService = (CertRevocStatusService)ctx.lookup("tc~sec~certrevoc~service");  // <----- naming exception here

I've found that they've changed V3ChainVerifier in the 7.2 version; now it has different code:

InitialContext ctx = new InitialContext();
Class cl = Class.forName("com.sap.security.api.certrevoc.CertRevocStatusService"); // <--- class not found
Object crService = ctx.lookup((String)cl.getField("JNDI_NAME").get(null));

After "Class not found" they just skip the revocation status check, and no error occurs.

Feb 28, 2011 4:33:08 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Unknown error during CertRevoc access. Revocation check failed and will be skipped. com.sap.security.api.certrevoc.CertRevocStatusService

Feb 28, 2011 4:33:08 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Path: Exiting method

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received server_hello_done handshake message.

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending client_key_exchange handshake message (1024 bit)...

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending change_cipher_spec message...

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending finished message...

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received change_cipher_spec message.

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received finished message.

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Session added to session cache.

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Handshake completed, statistics:

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Read 603 bytes in 3 records, wrote 310 bytes in 4 records.

Feb 28, 2011 4:33:08 PM ...b.protocol.Connection.prepareSocket() [Thread[main,5,main]] Debug: SSL handshake [succeeded]
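
The traces in the two posts above show a handshake that succeeds while the revocation check is skipped, over a 1024 bit self-issued certificate and a 3DES suite. The following added example (not part of the original posts) scans such a trace and lists those conditions so they are not lost behind the final "succeeded" line; the sample lines are constructed from the formats quoted in this thread, and the host name, the 2048 bit threshold and the suite markers are assumptions.

```python
import re

# Constructed sample modelled on the trace lines quoted in this thread;
# the host name is a placeholder.
SAMPLE_TRACE = """\
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Server sent a 1024 bit RSA certificate, chain has 1 elements.
Feb 28, 2011 4:33:08 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Subject: CN=nwdi.example.test
Feb 28, 2011 4:33:08 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Issuer: CN=nwdi.example.test
Feb 28, 2011 4:33:08 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Unknown error during CertRevoc access. Revocation check failed and will be skipped. com.sap.security.api.certrevoc.CertRevocStatusService
Feb 28, 2011 4:33:08 PM ...b.protocol.Connection.prepareSocket() [Thread[main,5,main]] Debug: SSL handshake [succeeded]
"""

MIN_RSA_BITS = 2048  # assumption: current minimum for RSA server keys
WEAK_SUITE_MARKERS = ("_3DES_", "_RC4_", "_DES_", "_NULL_", "_EXPORT")  # assumption

CIPHER_RE = re.compile(r"CipherSuite selected by server: (\S+)")
CERT_RE = re.compile(r"Server sent a (\d+) bit RSA certificate, chain has (\d+) elements")
NAME_RE = re.compile(r"Debug: (Subject|Issuer): (.+)$")


def audit_trace(text):
    """Return (code, detail) findings for one handshake trace."""
    findings = []
    names = {}
    chain_len = None
    for line in text.splitlines():
        m = CIPHER_RE.search(line)
        if m and any(marker in m.group(1) for marker in WEAK_SUITE_MARKERS):
            findings.append(("weak-cipher", m.group(1)))
        m = CERT_RE.search(line)
        if m:
            chain_len = int(m.group(2))
            if int(m.group(1)) < MIN_RSA_BITS:
                findings.append(("short-rsa-key", m.group(1) + " bit"))
        m = NAME_RE.search(line)
        if m:
            names[m.group(1)] = m.group(2).strip()
        if "Revocation check failed and will be skipped" in line:
            findings.append(("revocation-skipped", "handshake continued without a status check"))
        elif "NamingException during CertRevoc access" in line:
            findings.append(("revocation-error", "CertRevoc lookup raised NamingException"))
    # A one-element chain whose subject equals its issuer has no separate CA.
    if chain_len == 1 and names.get("Subject") and names["Subject"] == names.get("Issuer"):
        findings.append(("self-issued-cert", names["Subject"]))
    return findings


if __name__ == "__main__":
    for code, detail in audit_trace(SAMPLE_TRACE):
        print(code + ":", detail)
```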

Former Member
0 Kudos

Hi

I have seen that exception on some older 7.0 SPs. It filled the NWDS log but SSL worked nevertheless.

Regards

Michael

Former Member
0 Kudos

Well, for me, those exceptions caused problems with connecting to NWDI, so I've updated the V3ChainVerifier class a little.

Now my SSL connection works, so the problem is solved.

Answers (1)


former_member214355
Contributor
0 Kudos

Hello Ilya

Please try the following;

1. Download the cryptographic library to your local PC from SAP Service Marketplace (go to service.sap.com/download and choose Download -> SAP Cryptographic Software) or ask your system administrator to provide you with this library. Make sure that you download the library that matches your Java version (1.3 or 1.4). Save the library in a temporary directory.

2. If you use J2SE from Version 1.4, you must prepare the Java runtime environment for using strong cryptography by installing special Security Policies (Java Cryptography Extensions) from java.sun.com/jce. For more information, see the documentation on your Java environment.

3. Start your IDE and choose File -> Import -> Java Cryptography Toolkit. Choose Next. Enter the path to the downloaded cryptography library or navigate to this location in your file system by choosing Browse.

4. Start the IDE again.

5. Choose Window -> Preferences -> Java Development Infrastructure. Under Certificates, specify the path to a file with certificates in PKCS7 or PKCS12 format, or the path to a Java key store. To confirm your entries, choose OK.

You have now prepared your development environment for communication with SSL.

Also;

Which version of NWDS are you running?

I know there was a fix in 7.10 SP7 Patch level 3.

Thanks

Kenny

Former Member
0 Kudos

Hello Kenny,

That was exactly what I've done with NWDS.

That brought me to the "Server certificate rejected by ChainVerifier" error.

I changed jce.jar from my JDK with iaik_jce_export.jar, now I have another error: "Unable to open SSL connection to host "<host>:50001". Peer sent alert: Alert Fatal: handshake failure."

Unfortunately NWDS doesn't give much information about what's happening, so I wrote some code to invoke the "Ping server" action and see what the problem is. Here is the trace I got:

Feb 25, 2011 2:56:53 PM ...ttps.Utils.addIAIKasJDK14Provider () [Thread[main,5,main]] Path: Entering method

Feb 25, 2011 2:56:53 PM ....sap.security.core.server.https.Utils [Thread[main,5,main]] Path: Exiting method

Feb 25, 2011 2:56:53 PM ...re (InputStream is, char[] password) [Thread[main,5,main]] Path: Entering method

Feb 25, 2011 2:56:53 PM ...onContext.setupCredentials(IResponse) [Thread[main,5,main]] Info: authentication scheme changed [new scheme=SSO2]

Feb 25, 2011 2:56:53 PM ...b.protocol.Connection.Connection(URL) [Thread[main,5,main]] Info: connection created [url=https://sz22.adm.gazprom.ru:50001]

Feb 25, 2011 2:56:53 PM ...onContext.setupCredentials(IResponse) [Thread[main,5,main]] Info: authentication scheme changed [new scheme=SSO2]

Feb 25, 2011 2:56:53 PM ...ssionContext(ISessionContext context) [Thread[main,5,main]] Info: session context defined [user=user<XXXXX>, auth<SSO2>, cookies<allowed><privacy:from original host only>,auth=]

Feb 25, 2011 2:56:53 PM ...Store keystore, Object keystoreCreds) [Thread[main,5,main]] Path: Entering method with (java.security.KeyStore@765a16, <null>, <null>, <null>)

Feb 25, 2011 2:56:53 PM ....server.https.SecureConnectionFactory [Thread[main,5,main]] Path: Exiting method

Feb 25, 2011 2:56:53 PM ...ps.Utils.isNonProxyHost(String host) [Thread[main,5,main]] Path: Entering method with (sz22.adm.gazprom.ru)

Feb 25, 2011 2:56:53 PM ...SLClientContext(String [] keyaliases) [Thread[main,5,main]] Path: Entering method with (<null>)

Feb 25, 2011 2:56:53 PM ....server.https.SecureConnectionFactory [Thread[main,5,main]] Warning: SAP Java Crypto Toolkit NOT installed !

Feb 25, 2011 2:56:53 PM ....server.https.SecureConnectionFactory [Thread[main,5,main]] Info: add trusted: Version: 3

Serial number: 3287802320

Signature algorithm: md5WithRSAEncryption (1.2.840.113549.1.1.4)

Issuer: CN=<host name>

Valid not before: Fri Apr 18 10:27:00 MSD 2008

not after: Wed Apr 18 10:27:00 MSD 2018

Subject: CN=<host name>

SunJSSE RSA public key:

public exponent:

010001

modulus:

b9c77b3b b3bcff5a c6276087 7c83477b 2c0df45f ff916342 fdaf37e9 ca9caf09

48d26fad e44c5957 fc5fd940 0dd5b418 a4ff0b92 e3bd3976 2e55bef0 72d64ace

aadc4c2b d921ae84 daadd6a2 dd575496 537c0cd7 b82a9a10 6b03beb4 b3f86ced

0be0b120 d6c12bd6 37e5e524 4b982e99 4dcfc85f 22a54232 216fb818 eb478133

Certificate Fingerprint (MD5) : 0F:8D:78:8C:15:B1:E0:80:A2:46:EE:B9:FF:87:8A:A6

Certificate Fingerprint (SHA-1): A3:79:68:00:A1:B8:7E:49:E1:0D:36:C5:EE:EF:F1:90:D4:8D:EC:BA

Extensions: 1

Feb 25, 2011 2:56:53 PM ....server.https.SecureConnectionFactory [Thread[main,5,main]] Path: Exiting method

Feb 25, 2011 2:56:53 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Starting handshake (iSaSiLk 3.06)...

Feb 25, 2011 2:56:53 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending v3 client_hello message, requesting version 3.1...

Feb 25, 2011 2:56:53 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received alert message: Alert Fatal: handshake failure

Feb 25, 2011 2:56:53 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): SSLException while handshaking: Peer sent alert: Alert Fatal: handshake failure

Feb 25, 2011 2:56:53 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Shutting down SSL layer...

Edited by: Ilya Karnaukhov on Feb 25, 2011 1:07 PM

Former Member
0 Kudos

Feb 25, 2011 2:56:53 PM ....lib.protocol.Connection.openSocket() [Thread[main,5,main]] Path: Caught iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure

at iaik.security.ssl.r.f(Unknown Source)

at iaik.security.ssl.x.b(Unknown Source)

at iaik.security.ssl.x.a(Unknown Source)

at iaik.security.ssl.r.d(Unknown Source)

at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)

at iaik.security.ssl.SSLTransport.getInputStream(Unknown Source)

at iaik.security.ssl.SSLSocket.getInputStream(Unknown Source)

at com.tssap.dtr.client.lib.protocol.streams.ChunkedInputStream.<init>(ChunkedInputStream.java:109)

at com.tssap.dtr.client.lib.protocol.streams.ChunkedInputStream.<init>(ChunkedInputStream.java:97)

at com.tssap.dtr.client.lib.protocol.streams.ResponseStream.<init>(ResponseStream.java:65)

at com.tssap.dtr.client.lib.protocol.Connection.prepareSocket(Connection.java:2162)

at com.tssap.dtr.client.lib.protocol.Connection.openSocket(Connection.java:2007)

at com.tssap.dtr.client.lib.protocol.Connection.open(Connection.java:1380)

at com.tssap.dtr.client.lib.protocol.Connection.sendInternal(Connection.java:1534)

at com.tssap.dtr.client.lib.protocol.Connection.send(Connection.java:1427)

at com.sap.lcr.api.cimclient.HttpRequestSender.send(HttpRequestSender.java:341)

at com.sap.lcr.api.cimclient.CIMOMClient.sendImpl(CIMOMClient.java:198)

at com.sap.lcr.api.cimclient.CIMOMClient.send(CIMOMClient.java:146)

at com.sap.lcr.api.cimclient.CIMOMClient.getCIMClass(CIMOMClient.java:545)

at com.sap.lcr.api.cimclient.CIMClient.getCIMClass(CIMClient.java:1185)

at com.sap.lcr.api.cimclient.CIMClient.getCIMClass(CIMClient.java:1196)

at com.sap.lcr.api.cimclient.CIMClient.ping(CIMClient.java:287)

Feb 25, 2011 2:56:53 PM ....lib.protocol.Connection.openSocket() [Thread[main,5,main]] Debug: opening socket failed Unable to open SSL connection to host "<host>:50001". Peer sent alert: Alert Fatal: handshake failure.[host=<host>:50001][protocol=https][connID=16e1fb1][waited 109ms]

com.sap.lcr.api.cimclient.CIMClientException: IO error: Unable to open SSL connection to host "<host>:50001". Peer sent alert: Alert Fatal: handshake failure.

at com.sap.lcr.api.cimclient.HttpRequestSender.send(HttpRequestSender.java:358)

at com.sap.lcr.api.cimclient.CIMOMClient.sendImpl(CIMOMClient.java:198)

at com.sap.lcr.api.cimclient.CIMOMClient.send(CIMOMClient.java:146)

at com.sap.lcr.api.cimclient.CIMOMClient.getCIMClass(CIMOMClient.java:545)

at com.sap.lcr.api.cimclient.CIMClient.getCIMClass(CIMClient.java:1185)

at com.sap.lcr.api.cimclient.CIMClient.getCIMClass(CIMClient.java:1196)

at com.sap.lcr.api.cimclient.CIMClient.ping(CIMClient.java:287)

Caused by: java.io.IOException: Unable to open SSL connection to host "<host>:50001". Peer sent alert: Alert Fatal: handshake failure.

at com.tssap.dtr.client.lib.protocol.Connection.openSocket(Connection.java:2117)

at com.tssap.dtr.client.lib.protocol.Connection.open(Connection.java:1380)

at com.tssap.dtr.client.lib.protocol.Connection.sendInternal(Connection.java:1534)

at com.tssap.dtr.client.lib.protocol.Connection.send(Connection.java:1427)

at com.sap.lcr.api.cimclient.HttpRequestSender.send(HttpRequestSender.java:341)

... 7 more

caused by:

java.io.IOException: Unable to open SSL connection to host "<host>:50001". Peer sent alert: Alert Fatal: handshake failure.

at com.tssap.dtr.client.lib.protocol.Connection.openSocket(Connection.java:2117)

at com.tssap.dtr.client.lib.protocol.Connection.open(Connection.java:1380)

at com.tssap.dtr.client.lib.protocol.Connection.sendInternal(Connection.java:1534)

at com.tssap.dtr.client.lib.protocol.Connection.send(Connection.java:1427)

at com.sap.lcr.api.cimclient.HttpRequestSender.send(HttpRequestSender.java:341)

at com.sap.lcr.api.cimclient.CIMOMClient.sendImpl(CIMOMClient.java:198)

at com.sap.lcr.api.cimclient.CIMOMClient.send(CIMOMClient.java:146)

at com.sap.lcr.api.cimclient.CIMOMClient.getCIMClass(CIMOMClient.java:545)

at com.sap.lcr.api.cimclient.CIMClient.getCIMClass(CIMClient.java:1185)

at com.sap.lcr.api.cimclient.CIMClient.getCIMClass(CIMClient.java:1196)

at com.sap.lcr.api.cimclient.CIMClient.ping(CIMClient.java:287)

Former Member
0 Kudos

NWDS 7.0.15