SAPRouter : Certificate renewed but Error coming : A2210220:Own certificate is expired

k_sood
Active Participant
0 Kudos

Hi All,

I have upgraded the saprouter version to 7.53 and also renewed the certificate, but while starting the SAPRouter the following error is still recorded in the dev_rout file.

Fri Nov 27 16:00:18 2020

*** ERROR => SncPEstablishContext() failed for target='p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE' [D:/depot/b 3638]

*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [D:/depot/bas/75 3604]

 GSS-API(maj): Miscellaneous failure

 GSS-API(min): A2210220:Own certificate is expired
 Unable to establish the security context
 target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"

<<- SncProcessInput()==SNCERR_GSSAPI
*** ERROR => NiSncIProcIn: SncProcessInput failed (sncrc=-4;0000000002119420;97) [nisnc.c      1003]


I have tried a couple of references but am still not able to resolve this error. Any idea how I can resolve this error?

Br,

Ketan

Accepted Solutions (1)

k_sood
Active Participant

I was able to resolve the problem. The problem was that the username with which I executed the commands to renew the certificate was different from the Admin user.

So the solution was to delete the certificate, log in with the Admin user on the Windows server where the saprouter is running, renew the certificate and start the saprouter again.

Here are some useful commands:

sapgenpse get_my_name -n validity

sapgenpse seclogin -p D:\usr\sap\SAPRouter\local.pse -O npsadm

sapgenpse get_pse -v -r certreq -p local.pse "CN=saprouter, OU=00000001, OU=SAProuter, O=SAP, C=DE"

sapgenpse import_own_cert -c srcert -p local.pse

sapgenpse seclogin -p local.pse

sapgenpse get_my_name -n all

niping -c -H sapip -S 3299 -> This normally returns Error.

Br,

Ketan

Answers (6)

sankar_27
Active Participant
0 Kudos

Thanks Ketan,

Glad to hear that your issue has been resolved.

Please test the RFC destination "SAPOSS", then mark the thread as resolved and close it.

Thanks , Sankar

0 Kudos

Hi sankar_27 ,

I have now tried to start the router with the command,

./sapgenpse get_my_name -v -n Issuer

and in the dev_rout file I can see the following at the end. After that there are no further entries in the dev_rout file.

******* NI-ROUTER LOOP ******** 

>>> NiSelISelect: Start (timeout -1) 

>>> NiSelISelectInt: Start 

SiSelNSelect: start select (timeout=-1)

and the result of saprouter -l is as follows:

So can I assume it is working fine? Can you help further? Thanks a lot.

Br,

Ketan

k_sood
Active Participant
0 Kudos

Hi Sankara,

I logged in as the Admin user and the SECUDIR user environment variable was pointing to some other directory. I set this to point to the saprouter directory and then tried to start the saprouter service.

I am getting the following failure.

In the dev_rout file there is no certificate failure as there was before, but rather a failure regarding the saprouttab entries.

---------------------------------------------------
trc file: "dev_rout", trc level: 1, release: "753"
---------------------------------------------------


Mon Nov 30 09:27:18 2020
SAP Network Interface Router, Version 40.4


command line arg 0:	saprouter
command line arg 1:	-r
main: pid = 6724, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: './saprouttab'
*** ERROR => SNC field without SNC active, skip line 2 [nirout.cpp   10915]
*** ERROR => SNC field without SNC active, skip line 4 [nirout.cpp   10915]
*** ERROR => SNC field without SNC active, skip line 9 [nirout.cpp   10915]
*** ERROR => SNC field without SNC active, skip line 13 [nirout.cpp   10915]
*** ERROR => SNC field without SNC active, skip line 17 [nirout.cpp   10915]
*** ERROR => SNC field without SNC active, skip line 21 [nirout.cpp   10915]
*** ERROR => SNC field without SNC active, skip line 22 [nirout.cpp   10915]
*** ERROR => SNC field without SNC active, skip line 40 [nirout.cpp   10915]
*** ERROR => SNC field without SNC active, skip line 41 [nirout.cpp   10915]


Do you have any further hints for these issues?

Br,

Ketan
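
An added example, not part of the original thread and not SAP tooling: a small Python triage of dev_rout excerpts that flags the two failure modes quoted in this thread (the expired own certificate, and saprouttab SNC lines skipped because SNC is not active). The function name, finding names and sample strings are constructed for illustration.

```python
import re

# Constructed samples, shortened from the two dev_rout excerpts quoted in this thread.
TRACE_EXPIRED = """\
 GSS-API(maj): Miscellaneous failure
 GSS-API(min): A2210220:Own certificate is expired
 target="p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"
"""
TRACE_ROUTTAB = """\
command line arg 0:\tsaprouter
command line arg 1:\t-r
*** ERROR => SNC field without SNC active, skip line 2 [nirout.cpp   10915]
*** ERROR => SNC field without SNC active, skip line 4 [nirout.cpp   10915]
"""

ARG_RE = re.compile(r"command line arg \d+:\s*(\S+)")
SKIP_RE = re.compile(r"SNC field without SNC active, skip line (\d+)")
GSS_MIN_RE = re.compile(r"GSS-API\(min\):\s*A\d+:\s*(.+)")
# Hints restate checks from the thread; the finding names are made up for this example.
HINTS = {
    "own_cert_expired": "As the OS user that runs saprouter, with SECUDIR set to the "
                        "saprouter directory, run: sapgenpse get_my_name -n validity",
    "snc_inactive": "saprouttab has SNC entries but the router runs without SNC; "
                    "compare the start arguments with the -K start command in the thread",
}

def triage(trace: str) -> dict:
    """Classify a dev_rout excerpt into the two failure modes seen in this thread."""
    args, skipped, gss_minor = [], [], []
    for line in trace.splitlines():
        if m := ARG_RE.search(line):
            args.append(m.group(1))
        elif m := SKIP_RE.search(line):
            skipped.append(int(m.group(1)))
        elif m := GSS_MIN_RE.search(line):
            gss_minor.append(m.group(1).strip())
    findings = []
    if any("certificate is expired" in text for text in gss_minor):
        findings.append("own_cert_expired")
    if skipped:
        findings.append("snc_inactive")
    return {
        "findings": findings,
        "hints": [HINTS[f] for f in findings],
        "skipped_routtab_lines": skipped,
        "started_with_K": ("-K" in args) if args else None,  # None: no arg header seen
    }

print(triage(TRACE_EXPIRED)["findings"], triage(TRACE_ROUTTAB)["findings"])
```

The skipped line numbers point at the saprouttab entries that were ignored, so those routes are not in effect until the router runs with SNC active.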

0 Kudos

Hi Sankara,

Output of the command

./sapgenpse get_my_name -v -n Issuer

with a non-admin user is as follows:


I have asked for the admin user details and will try with that once I have them. But if the certificate is renewed and is visible on the SAP portal, why is the new certificate not being considered while starting the saprouter?

The saprouter server is a Windows server.

Br,

Ketan

sankar_27
Active Participant
0 Kudos

Hi Ketan

Switch to the sidadm user, run the commands below and get the correct output:

1. ./sapgenpse get_my_name -v -n Issuer

2. ./sapgenpse get_my_name

3. ./saprouter -n

Start the router with the command below:

./saprouter -r -S 3299 -V 3 -K "p:CN=router hostname, OU=0000XXXX, OU=SAProuter, O=SAP, C=DE" &

Make sure to clean up related processes / reboot the OS before starting the router.

Thanks , Sankar

Sriram2009
Active Contributor
0 Kudos

Hi Ketan.

Check this blog on how to perform the SAP router certificate renewal:

https://blogs.sap.com/2019/01/07/renewal-of-sap-router-certificate/

Regards

SS

k_sood
Active Participant
0 Kudos

Hi Sriram,

I have followed the same blog. The only difference is the result of the following command.

sapgenpse get_my_name -v -n Issuer

I am not able to view the result, probably because I am not logged in as the Administrator user in the SAPRouter server.

I can see the new certificate at the Portal, but somehow when the saprouter is starting again, it is not considering the new certificate.

If it may help to suggest a solution: before doing the certificate renewal, I also upgraded the SAPRouter to 7.53.

Thanks for any further help.

Br,

Ketan