
HTTPS error in ADS configuration.

Former Member
0 Kudos

Hi All,

We are currently configuring ADS based on SSL authentication in the ERP system (ECC 6.0 EHP4 ABAP).

ADS will be hosted on the Portal DEV system running on NW 701.

We have followed all the steps to configure it via SSL authentication from the ADS configuration guide. But when we do a test in SM59, we get the error below: ICM_HTTP_SSL_ERROR.

ICM log shows:

[Thr 1543] Wed Feb 8 14:29:49 2012

[Thr 1543] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 1543] session uses PSE file "/usr/sap/XXX/DVEBMGS01/sec/SAPSSLADS.pse"

[Thr 1543] SecudeSSL_SessionStart: SSL_connect() failed --

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 1543] >> - Begin of Secude-SSL Errorstack - >>

[Thr 1543] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=r3ct1.xxxxx.aaa.ccc.com, OU=SAP Web AS, O=SAP Trust Community, L=WALLDORF, SP=GERMANY, C=DE"

ERROR in get_path: (27/0x001b) Found root certificate of <CN=r3ct1.xxxxx.aaa.ccc.com, OU=SAP Web AS, O=SAP Trust Community, L=WALLDORF, SP=GERMANY, C=DE> which does not fit the given PKRoot

ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=r3ct1.xxxxx.aaa.ccc.com, OU=SAP Web AS, O=SAP Trust Community, L=WALLDORF, SP=GERMANY, C=DE> which does not fit the given PKRoot

[Thr 1543] << - End of Secude-SSL Errorstack -


[Thr 1543] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 1543] SSL NI-sock: local=19.1XX.1X.XX:4XXXX peer=19.1XX.XX.XX:5XXXX

[Thr 1543] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x110f67a30)==SSSLERR_SSL_CONNECT

[Thr 1543] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2031]

Since the error shows that the certificate chain is missing, we tried to download the certificates, with the whole certificate chain, to a file by calling the Portal URL through a browser, but had no luck: the DER encoded binary and Base-64 encoded formats do not have an option to download all certificates in the chain. The PKCS format has that option, but it cannot be used in SAP.

We cannot find any Intermediate Certification authority for the root certificate specified above. Could you please let us know how to get the chain of certificates for the Portal system where ADS will be configured.

Thanks in advance.

Regards,

Yoganand.V

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Case fixed.

Former Member
0 Kudos

Hi,

Sorry, but I don't understand your problem: I have never had any problem getting the certificate chain from a SAP Portal when calling an SSL URL with a browser.

You then have to import the CA and sub-CA (if any) certificates in transaction STRUST of the ABAP system.

Regards,

Olivier

Former Member
0 Kudos

Hello Oliver,

I have fixed the issue by importing the 'ssl-cert' certificate from VA for our system; now the RFC 'ADS' is working as expected.

Closing the thread.

Thanks.

Regards,

Yoganand.V
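
An added example, not part of the original thread: a small Python parser for the Secude error stack quoted in the question, which reports the PSE file the failing handshake used and the certificate subject it could not verify, i.e. the PSE in which that certificate has to be trusted via STRUST. The function names and the reading of "does not fit the given PKRoot" as "no matching trusted root in that PSE" are assumptions of this example.

```python
import re

# Lines copied from the ICM trace quoted in the question (host names masked as posted).
SAMPLE_TRACE = """\
[Thr 1543] session uses PSE file "/usr/sap/XXX/DVEBMGS01/sec/SAPSSLADS.pse"
[Thr 1543] SecudeSSL_SessionStart: SSL_connect() failed --
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=r3ct1.xxxxx.aaa.ccc.com, OU=SAP Web AS, O=SAP Trust Community, L=WALLDORF, SP=GERMANY, C=DE"
ERROR in get_path: (27/0x001b) Found root certificate of <CN=r3ct1.xxxxx.aaa.ccc.com, OU=SAP Web AS, O=SAP Trust Community, L=WALLDORF, SP=GERMANY, C=DE> which does not fit the given PKRoot
[Thr 1543] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2031]
"""

PSE_RE = re.compile(r'session uses PSE file "([^"]+)"')
INCOMPLETE_RE = re.compile(r'Chain of certificates is incomplete : "([^"]+)"')
ROOT_RE = re.compile(r"Found root certificate of <([^>]+)> which does not fit the given PKRoot")


def diagnose(trace):
    """Group chain-verification errors under the PSE file each handshake used."""
    findings, current = [], None
    for line in trace.splitlines():
        pse = PSE_RE.search(line)
        if pse:  # a new outbound handshake starts here
            current = {"pse": pse.group(1), "subjects": [], "root_mismatch": False}
            findings.append(current)
            continue
        if current is None:
            continue
        hit = INCOMPLETE_RE.search(line) or ROOT_RE.search(line)
        if hit:
            if hit.group(1) not in current["subjects"]:
                current["subjects"].append(hit.group(1))
            current["root_mismatch"] |= "PKRoot" in line
    # Handshakes that logged no chain error are not findings.
    return [f for f in findings if f["subjects"]]


def summarize(finding):
    # Assumption: "does not fit the given PKRoot" means the PSE holds no matching trusted root.
    reason = ("no matching trusted root in the PSE" if finding["root_mismatch"]
              else "issuer certificates missing")
    return f'{finding["pse"]}: cannot verify "{finding["subjects"][0]}" ({reason})'


if __name__ == "__main__":
    for f in diagnose(SAMPLE_TRACE):
        print(summarize(f))
```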