Skip to Content
avatar image
Former Member

How to trace certificate login failure?

Hi all

We have a SOAP sender channel in which we want to use a signed request from a 3rd party to make the login at the PI system.

The certifiate are exported and installed in the NWA-keystore and correspondingly related to a user in the UME.

Everything is configured in the adapter (pointing out the certifate use, etc.).

But when we sign and send and XML-request via SOAP-UI when get a "Logon Error Message"-repsonse like this:

Anmeldung fehlgeschlagen

Was ist passiert ?

Der Aufruf der URL http://192.168.0.18/sap/xi/engine wurde aufgrund fehlerhafter Anmeldedaten abgebrochen.

Hinweis

Die Anmeldung wurde im System XXX ausgef�hrt.

Die Anmeldung wurde f�r den Mandanten 100 und den Benutzer test und die Sprache durchgef�hrt.

Was k�nnen Sie tun ?

�berpr�fen Sie die Angabe �ber den Mandanten, Benutzer und das Passwort auf Tippfehler.

Falls Sie noch �ber keine Benutzerkennung verf�gen, so wenden Sie sich an Ihren Systemadministrator.

Fehlercode: ICF-LE-http-c:004-l:-T:531-C:6-U:5-P:5-L:6

HTTP 401 - Unauthorized

Ihr SAP Internet Communication Framework Team

We have tried to trace both via XPI Monitor and using the trace facilities in the Internet Communication Framework but there are absolutely no indication of why the logon attemt fails 😔

How do you experts search for these type of logon errors? Is there a security log that I should look into? Or is there some other setting that I should be aware of?

Please note that I can see the auth.error in the XPI Monitor, but I cannot determine the reason of the error from the log entries:

[Thr 5888] DpRqPutIntoQueue: put request into queue (reqtype 1, prio LOW, rq_id 57440)

[Thr 5888] IcmConnRollInWP: rolled in WP -old roll reason was: ICM_ROLL_NONE(0)

[Thr 5888] HttpSrvHdlRequest: Subhandler rc=704

[Thr 5888] IcmPlCheckRetVal: Next status: WRITE_RESPONSE(4)

[Thr 5888] IcmHandleNetRead(id=46/152295): read_len: 5246, HandleNetData returned: 4

[Thr 5888] IcmHandleNetRead(id=46/152295): status 1 -> 4

[Thr 5888] IcmReadFromPartner(id=46/152295): read with maximum timeout 500

[Thr 5888] IcmConnRollInWP: no need to roll in WP status: ROLLED IN

[Thr 5888] MPI<45b96>66#3: GetInbuf: waiting for new buffer 0 0

[Thr 5888] MPI<45b96>66#5 GetInbuf 500 0 0 (0) -> MPI_EOUTOFBAND: out-of-band message

[Thr 5888] MPI<45b96>66#6 ReadOOB 00000000 06000000 35000000 00 -> MPI_OK

[Thr 5888] IcmHandleOOBData: Received data on 1st MPI (seqno: 0, type=6, reason=Request processed in wp(6)): 53/29369/

[Thr 5888] IcmHandleOOBData: request will be processed in wp 6

[Thr 5888] IcmConnRollInWP: no need to roll in WP status: ROLLED IN

[Thr 5888] MPI<45b96>66#7: GetInbuf: waiting for new buffer 0 0

[Thr 5888] MPI<45b96>66#10 GetInbuf 500 3d7520 1385 (1) -> MPI_EOS: End Of Stream

[Thr 5888] Address Offset IcmReadFromPartner received

[Thr 5888]

[Thr 5888] 00000000097175D8 000000 48545450 2f312e31 20343031 20556e61 HTTP/1.1 401 Una

[Thr 5888] 00000000097175E8 000016 7574686f 72697a65 640d0a53 65742d43 uthorized..Set-C

...

Many rewards points will be given to your input 😊

Thanks in advance

Peter Michael

Edited by: Peter Michael Jensen on Feb 27, 2012 11:08 AM

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Best Answer
    Mar 01, 2012 at 05:37 PM

    Hi,

    You can check notes:

    #1045019 - Web diagtool for collecting traces

    #1019634 - Troubleshooting SSL problems

    #982127 - Troubleshooting authentication problems

    Regards,

    Caio

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Mar 01, 2012 at 07:49 AM

    Hi again,

    If I get the trace file shown below in the Internet Communication Framework.

    Does this mean that we have passed the adapter engine and that the message has reached the integration engine?

    Thanks and Regards

    Peter Michael

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Mar 01, 2012 at 03:42 PM

    Dear Peter

    What is the HTTP security level for your sender soap adapter?

    For un authiorozed error you should check the user logon credentials which is maintained.

    PS - you dont have to lure people with promise of points, they will help you even if you dont give 😊

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hi,

      Thanks for the reply.

      The certifikate is delivered to PI as an attachment and the connection between the PI box and our firewall/load balancer is HTTP.

      Best Regards

      Peter Michael