
https with NWDI

Former Member
0 Kudos

Hi,

I am trying to set up an HTTPS connection to NWDI (NetWeaver 7.0).

SSL is enabled on the Portal, so I can see it in my browser through https (https://<host>:50001/irj/portal). SLD and NWDI are on the same system.

Now I am trying to connect from NWDS 7.0, with the Development Configuration Pool URL set to "https://<host>:50001". I've set the path to the keystore file and I've done some additional configuration according to [http://help.sap.com/saphelp_nw70/helpdata/en/4c/941f407b402402e10000000a1550b0/frameset.htm].

After those steps, the "Ping server" button under Development Configuration Pool URL gave no results (no error, no success). I've found NWDS logs with an exception occurring on the ping server action: java.lang.NoClassDefFoundError: com/sap/security/api/certrevoc/CertRevocException.

After putting the CertRevocException class in place, NWDS started to give an error message on the ping action: "Server certificate rejected by ChainVerifier". In the log file I see a different exception:

!MESSAGE Feb 24, 2011 2:50:31 PM com.sap.security.core.server.https.V3ChainVerifier.verify... [Thread[main,5,main]] Error: NamingException during CertRevoc access

[EXCEPTION]

javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial

at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:640)

at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)

at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:280)

at javax.naming.InitialContext.lookup(InitialContext.java:347)

at com.sap.security.core.server.https.V3ChainVerifier.verifyChain(V3ChainVerifier.java:281)

at iaik.security.ssl.x.a(Unknown Source)

at iaik.security.ssl.x.b(Unknown Source)

at iaik.security.ssl.x.a(Unknown Source)

at iaik.security.ssl.r.d(Unknown Source)

at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)

at iaik.security.ssl.SSLTransport.getInputStream(Unknown Source)

at iaik.security.ssl.SSLSocket.getInputStream(Unknown Source)

P.S. I also have NWDS 7.2 on my pc and it can successfully connect to that NWDI server, with same keystore file.

Former Member
0 Kudos

Hi

you have the wrong SAP crypto toolkit:

Feb 25, 2011 2:56:53 PM ....server.https.SecureConnectionFactory [Threadmain,5,main] Warning: SAP Java Crypto Toolkit NOT installed !

iaik_jce_export.jar delivered with 7.0 does not include strong crypto algorithms for SSL due to legal limitations/export regulations. You can download the uncrippled version named iaik_jce.jar from the market place (search for CRYPTO TOOLKIT or the like). Since 7.1x NWDS is delivered with the full iaik_jce.jar, that is the reason why your 7.20 works.

By the way: Make sure to remove iaik_jce_export.jar when you install iaik_jce.jar, otherwise you might get funny classloading problems.

Regards

Michael

Former Member
0 Kudos

Hi,

You are right, it was my mistake to use iaik_jce_export.jar. Actually I had the proper version (iaik_jce.jar), but classes were loaded from "export".

Removing iaik_jce_export.jar helped with "SAP Java Crypto Toolkit NOT installed", and the process goes a little further, but now I have another exception.

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending v3 client_hello message, requesting version 3.1...

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received v3 server_hello handshake message.

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Server selected SSL version 3.1.

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Server created new session 01:CC:A4:BB:38:8B:32:38...

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): CompressionMethod selected by server: NULL

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received certificate handshake message with server certificate.

Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Server sent a 1024 bit RSA certificate, chain has 1 elements.

Feb 28, 2011 4:18:31 PM ....https.V3ChainVerifier.verifyChain () [Thread[main,5,main]] Path: Entering method with ([Ljava.security.cert.X509Certificate;@ad8659, iaik.security.ssl.SSLTransport@4f459c)

Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Chain to verify:

Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: cert [0]

Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Subject: CN=<host>

Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Issuer: CN=<host>

Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Serial: c3f7e1d0

.......

Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: cert revocation status check entered for cert: 0

Feb 28, 2011 4:18:31 PM ....https.V3ChainVerifier.verifyChain () [Thread[main,5,main]] Error: NamingException during CertRevoc access [EXCEPTION]

javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial

at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:640)

at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)

at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:280)

at javax.naming.InitialContext.lookup(InitialContext.java:347)

at com.sap.security.core.server.https.V3ChainVerifier.verifyChain(V3ChainVerifier.java:281)

at iaik.security.ssl.x.a(Unknown Source)

at iaik.security.ssl.x.b(Unknown Source)

at iaik.security.ssl.x.a(Unknown Source)

at iaik.security.ssl.r.d(Unknown Source)

at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)

Former Member
0 Kudos

So, now the problem seems to be with the V3ChainVerifier class, which is trying to look up the CertRevoc service.

InitialContext ctx = new InitialContext();
// <-- naming exception here
CertRevocStatusService crService = (CertRevocStatusService)ctx.lookup("tc~sec~certrevoc~service");

I've found that they've changed V3ChainVerifier in the 7.2 version, now it has different code:

InitialContext ctx = new InitialContext();
// <-- class not found
Class cl = Class.forName("com.sap.security.api.certrevoc.CertRevocStatusService");
Object crService = ctx.lookup((String)cl.getField("JNDI_NAME").get(null));

After "Class not found" they just skip the revocation status check, but no error occurs.

Feb 28, 2011 4:33:08 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Unknown error during CertRevoc access. Revocation check failed and will be skipped. com.sap.security.api.certrevoc.CertRevocStatusService

Feb 28, 2011 4:33:08 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Path: Exiting method

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received server_hello_done handshake message.

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending client_key_exchange handshake message (1024 bit)...

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending change_cipher_spec message...

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending finished message...

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received change_cipher_spec message.

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received finished message.

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Session added to session cache.

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Handshake completed, statistics:

Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Read 603 bytes in 3 records, wrote 310 bytes in 4 records.

Feb 28, 2011 4:33:08 PM ...b.protocol.Connection.prepareSocket() [Thread[main,5,main]] Debug: SSL handshake [succeeded]
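
The logs in this thread carry several signals worth flagging when reviewing an NWDS client log: a revocation check skipped before the handshake succeeded, a 3DES cipher suite, a 1024-bit RSA key, and a one-element chain whose subject equals its issuer. The triage script below is an added example, not part of any post and not SAP code. The `triage` function, the finding labels and the 2048-bit threshold are assumptions, and the sample input is constructed by combining lines copied from the 7.0 and 7.2 logs above.

```python
import re

# Constructed sample: lines copied from the thread's logs, prefixes trimmed.
SAMPLE_LOG = """\
Warning: SAP Java Crypto Toolkit NOT installed !
Debug: ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Debug: ssl_debug(1): Server sent a 1024 bit RSA certificate, chain has 1 elements.
Debug: Subject: CN=<host>
Debug: Issuer: CN=<host>
Error: NamingException during CertRevoc access [EXCEPTION]
Debug: Unknown error during CertRevoc access. Revocation check failed and will be skipped. com.sap.security.api.certrevoc.CertRevocStatusService
Debug: SSL handshake [succeeded]
"""

CIPHER = re.compile(r"CipherSuite selected by server: (\S+)")
WEAK_TOKENS = ("3DES", "RC4", "_DES_", "NULL", "EXPORT", "anon")
CERT = re.compile(r"Server sent a (\d+) bit RSA certificate, chain has (\d+) elements")
NAME = re.compile(r"\b(Subject|Issuer): (.+)$")
MIN_RSA_BITS = 2048  # assumption: local policy threshold, not a value from the thread


def triage(log_text):
    """Return security-relevant findings from an NWDS SSL debug log, in log order."""
    findings, names = [], {}
    chain_len, revocation_skipped = None, False
    for line in log_text.splitlines():
        if "Crypto Toolkit NOT installed" in line:
            findings.append("crypto-toolkit-missing")
        if m := CIPHER.search(line):
            if any(tok in m.group(1) for tok in WEAK_TOKENS):
                findings.append("weak-cipher:" + m.group(1))
        if m := CERT.search(line):
            chain_len = int(m.group(2))
            if int(m.group(1)) < MIN_RSA_BITS:
                findings.append("short-rsa-key:" + m.group(1))
        if m := NAME.search(line):
            names[m.group(1)] = m.group(2).strip()
            # A one-element chain whose subject equals its issuer is self-signed.
            if chain_len == 1 and len(names) == 2 and names["Subject"] == names["Issuer"]:
                findings.append("self-signed-server-cert")
        if "NamingException during CertRevoc access" in line:
            findings.append("revocation-lookup-error")
        if "Revocation check failed and will be skipped" in line:
            revocation_skipped = True
        if "SSL handshake [succeeded]" in line and revocation_skipped:
            # Fail-open: the session was established without a revocation result.
            findings.append("handshake-completed-without-revocation-check")
    return findings
```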

Former Member
0 Kudos

Hi

I have seen that exception on some older 7.0 SPs. It filled the NWDS log but SSL worked nevertheless.

Regards

Michael

Former Member
0 Kudos

Well, for me, those exceptions caused problems with connecting to NWDI, so I've updated the V3ChainVerifier class a little.

Now my SSL connection works, so the problem is solved.