Skip to Content
0
Former Member
Feb 13, 2012 at 02:20 PM

HTTPS error in ADS configuration.

243 Views

Hi All,

We are currently configuring ADS based on SSL authentication in ERP system (ECC 6.0 EHP4 ABAP).

ADS will be hosted on the Portal DEV system running on NW 701.

We have followed all steps to configure it via SSL authentication from ADS configuration guide. But when we do a test in SM59, we are getting below error ICM_HTTP_SSL_ERROR.

ICM log shows:

[Thr 1543] Wed Feb 8 14:29:49 2012

[Thr 1543] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 1543] session uses PSE file "/usr/sap/XXX/DVEBMGS01/sec/SAPSSLADS.pse"

[Thr 1543] SecudeSSL_SessionStart: SSL_connect() failed --

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 1543] >> -


Begin of Secude-SSL Errorstack -


>>

[Thr 1543] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=r3ct1.xxxxx.aaa.ccc.com, OU=SAP Web AS, O=SAP Trust Community, L=WALLDORF, SP=GERMANY, C=DE"

ERROR in get_path: (27/0x001b) Found root certificate of r3ct1.xxxxx.aaa.ccc.com, OU=SAP Web AS, O=SAP Trust Community, L=WALLDORF, SP=GERMANY, C=DE> which does not fit the given PKRoot

ERROR in verify_with_PKs: (27/0x001b) Found root certificate of r3ct1.xxxxx.aaa.ccc.com, OU=SAP Web AS, O=SAP Trust Community, L=WALLDORF, SP=GERMANY, C=DE> which does not fit the given PKRoot

[Thr 1543] << -


End of Secude-SSL Errorstack -


[Thr 1543] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 1543] SSL NI-sock: local=19.1XX.1X.XX:4XXXX peer=19.1XX.XX.XX:5XXXX

[Thr 1543] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x110f67a30)==SSSLERR_SSL_CONNECT

[Thr 1543] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2031]

Since the error shows that the chain of certificate is missing, we tried to download the certificates to a file with all certificate chain by calling the Portal URL through browser but no luck since the format DER encoded binary and Base_64 encoded does not have options to download all certificates in the chain. But format PKCS has the option but that cannot be used in SAP.

We cannot find any Intermediate Certification authority for the root certificate specified above. Could you please let us know how to get the chain of certificates for the Portal system where ADS will be configured.

Thanks in advance.

Regards,

Yoganand.V