on 02-24-2011 12:01 PM
Hi,
I am trying to set up an HTTPS connection to NWDI. (NetWeaver 7.0)
SSL is enabled on Portal, so I can see it in my browser through https (https://<host>:50001/irj/portal), SLD and NWDI are on the same system.
Now I am trying to connect from NWDS 7.0, with the Development Configuration Pool URL set to "https://<host>:50001". I've set the path to the keystore file and I've done some additional configuration according to [http://help.sap.com/saphelp_nw70/helpdata/en/4c/941f407b402402e10000000a1550b0/frameset.htm].
After those steps, the "Ping server" button under Development Configuration Pool URL gave no results (no error, no success). I've found NWDS logs with an exception occurring on the ping server action: java.lang.NoClassDefFoundError: com/sap/security/api/certrevoc/CertRevocException.
After placing CertRevocException class in place, NWDS started to give error message on ping action: "Server certificate rejected by ChainVerifier", in log file I see different exception:
!MESSAGE Feb 24, 2011 2:50:31 PM com.sap.security.core.server.https.V3ChainVerifier.verify... [Thread[main,5,main]] Error: NamingException during CertRevoc access
[EXCEPTION]
javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:640)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:280)
at javax.naming.InitialContext.lookup(InitialContext.java:347)
at com.sap.security.core.server.https.V3ChainVerifier.verifyChain(V3ChainVerifier.java:281)
at iaik.security.ssl.x.a(Unknown Source)
at iaik.security.ssl.x.b(Unknown Source)
at iaik.security.ssl.x.a(Unknown Source)
at iaik.security.ssl.r.d(Unknown Source)
at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
at iaik.security.ssl.SSLTransport.getInputStream(Unknown Source)
at iaik.security.ssl.SSLSocket.getInputStream(Unknown Source)
P.S. I also have NWDS 7.2 on my pc and it can successfully connect to that NWDI server, with same keystore file.
Hi
you have the wrong SAP crypto toolkit:
Feb 25, 2011 2:56:53 PM ....server.https.SecureConnectionFactory [Threadmain,5,main] Warning: SAP Java Crypto Toolkit NOT installed !
iaik_jce_export.jar delivered with 7.0 does not include strong crypto algorithms for SSL due to legal limitations/export regulations. You can download the uncrippled version named iaik_jce.jar from the marketplace (search for CRYPTO TOOLKIT or the like). Since 7.1x, NWDS is delivered with the full iaik_jce.jar; that is the reason why your 7.20 works.
By the way: Make sure to remove iaik_jce_export.jar when you install iaik_jce.jar, otherwise you might get funny classloading problems.
Regards
Michael
Hi,
You are right, it was my mistake to use iaik_jce_export.jar. Actually, I had the proper version (iaik_jce.jar), but classes were loaded from "export".
Removing iaik_jce_export.jar helped with "SAP Java Crypto Toolkit NOT installed", and the process goes a little further, but now I have another exception.
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending v3 client_hello message, requesting version 3.1...
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received v3 server_hello handshake message.
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Server selected SSL version 3.1.
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Server created new session 01:CC:A4:BB:38:8B:32:38...
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): CompressionMethod selected by server: NULL
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received certificate handshake message with server certificate.
Feb 28, 2011 4:18:31 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Server sent a 1024 bit RSA certificate, chain has 1 elements.
Feb 28, 2011 4:18:31 PM ....https.V3ChainVerifier.verifyChain () [Thread[main,5,main]] Path: Entering method with ([Ljava.security.cert.X509Certificate;@ad8659, iaik.security.ssl.SSLTransport@4f459c)
Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Chain to verify:
Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: cert [0]
Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Subject: CN=<host>
Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Issuer: CN=<host>
Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Serial: c3f7e1d0
.......
Feb 28, 2011 4:18:31 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: cert revocation status check entered for cert: 0
Feb 28, 2011 4:18:31 PM ....https.V3ChainVerifier.verifyChain () [Thread[main,5,main]] Error: NamingException during CertRevoc access [EXCEPTION]
javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:640)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:280)
at javax.naming.InitialContext.lookup(InitialContext.java:347)
at com.sap.security.core.server.https.V3ChainVerifier.verifyChain(V3ChainVerifier.java:281)
at iaik.security.ssl.x.a(Unknown Source)
at iaik.security.ssl.x.b(Unknown Source)
at iaik.security.ssl.x.a(Unknown Source)
at iaik.security.ssl.r.d(Unknown Source)
at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
So, now the problem seems to be with the V3ChainVerifier class, which is trying to look up the CertRevoc service.
InitialContext ctx = new InitialContext();
CertRevocStatusService crService = (CertRevocStatusService)ctx.lookup("tc~sec~certrevoc~service"); // <-- naming exception here
I've found that they've changed V3ChainVerifier in the 7.2 version; now it has different code:
InitialContext ctx = new InitialContext();
Class cl = Class.forName("com.sap.security.api.certrevoc.CertRevocStatusService"); // <-- class not found
Object crService = ctx.lookup((String)cl.getField("JNDI_NAME").get(null));
After "Class not found" they just skip the revocation status check, and no error occurs.
Feb 28, 2011 4:33:08 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Debug: Unknown error during CertRevoc access. Revocation check failed and will be skipped. com.sap.security.api.certrevoc.CertRevocStatusService
Feb 28, 2011 4:33:08 PM ...ity.core.server.https.V3ChainVerifier [Thread[main,5,main]] Path: Exiting method
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received server_hello_done handshake message.
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending client_key_exchange handshake message (1024 bit)...
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending change_cipher_spec message...
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Sending finished message...
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received change_cipher_spec message.
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Received finished message.
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Session added to session cache.
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Handshake completed, statistics:
Feb 28, 2011 4:33:08 PM com.sap.security.core.server.https.IAIK [Thread[main,5,main]] Debug: ssl_debug(1): Read 603 bytes in 3 records, wrote 310 bytes in 4 records.
Feb 28, 2011 4:33:08 PM ...b.protocol.Connection.prepareSocket() [Thread[main,5,main]] Debug: SSL handshake [succeeded]
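An added example, not part of the original posts and not SAP's code: a small Python audit of a handshake trace in the format quoted above, flagging what a reviewer would note in it (3DES suite, 1024-bit RSA key, self-signed single-element chain, and a revocation check that was skipped while the handshake still succeeded). The 2048-bit threshold, the weak-cipher marker list and the finding codes are assumptions of this example; the sample trace is constructed from line formats that appear in the thread.

```python
import re

# Constructed sample assembled from line formats in the traces quoted above
# (timestamps and logger names shortened to "...").
SAMPLE_TRACE = """\
... Debug: ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA
... Debug: ssl_debug(1): Server sent a 1024 bit RSA certificate, chain has 1 elements.
... Debug: Subject: CN=<host>
... Debug: Issuer: CN=<host>
... Debug: Unknown error during CertRevoc access. Revocation check failed and will be skipped. com.sap.security.api.certrevoc.CertRevocStatusService
... Debug: SSL handshake [succeeded]
"""

MIN_RSA_BITS = 2048  # assumption: minimum acceptable RSA modulus size
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "_DES_", "NULL", "EXPORT")  # assumption


def audit_trace(text):
    """Return a list of (code, detail) findings for one handshake trace."""
    findings = []
    m = re.search(r"CipherSuite selected by server: (\S+)", text)
    if m and any(k in m.group(1) for k in WEAK_CIPHER_MARKERS):
        findings.append(("WEAK_CIPHER", m.group(1)))
    m = re.search(r"Server sent a (\d+) bit RSA certificate, chain has (\d+) elements", text)
    chain_len = int(m.group(2)) if m else None
    if m and int(m.group(1)) < MIN_RSA_BITS:
        findings.append(("SHORT_RSA_KEY", m.group(1)))
    # A one-element chain whose subject equals its issuer is a self-signed leaf.
    subj = re.search(r"Debug: Subject: (.+)", text)
    issuer = re.search(r"Debug: Issuer: (.+)", text)
    if chain_len == 1 and subj and issuer and subj.group(1).strip() == issuer.group(1).strip():
        findings.append(("SELF_SIGNED_LEAF", subj.group(1).strip()))
    # 7.2-style behaviour: revocation status unavailable, handshake continues.
    skipped = "Revocation check failed and will be skipped" in text
    if skipped and "SSL handshake [succeeded]" in text:
        findings.append(("REVOCATION_FAIL_OPEN", "handshake completed without revocation status"))
    # 7.0-style behaviour: the lookup error is logged as an Error.
    if "NamingException during CertRevoc access" in text:
        findings.append(("REVOCATION_LOOKUP_ERROR", "lookup of revocation service failed"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_trace(SAMPLE_TRACE):
        print(f"{code}: {detail}")
```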