
SSL certificate renew problem, problem with PIN, credentials issue

Former Member
0 Kudos

Hi, my SSL certificate on an ABAP-only system has expired; when I try to renew it I have an issue with the PIN.

When I want to import SAPSSLS.pse using STRUST, it says: can't open PSE.

I am not able to add the credentials for SAPSSLS.pse for the user SAPServiceSF3, but I could add them for the <SIDADM> user.

It gives the error below.

H:\usr\sap\SF3\DVEBMGS00\sec>sapgenpse seclogin -p H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse -x 2bs4SF3 -O hg10521\SAPServicesf3

running seclogin with USER="sf3adm"

creating credentials for user "HG10521\SAPServicesf3"...

seclogin: Couldn't open PSE

ERROR in af_open: (1824/0x0720) Wrong PIN for PSE

ERROR in secsw_open: (1824/0x0720) Wrong PIN for PSE

ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong PIN for PSE

Below is the dev_icm log content:

******************************

[Thr 2624] = SSL Initialization on PC with Windows NT

[Thr 2624] = (640_REL,Aug 12 2007,mt,ascii,SAP_UC/size_t/void* = 16/64/64)

[Thr 2624] SapISSLComposeFilename(): profile param "ssl/ssl_lib" = "H:\usr\sap\SF3\SYS\exe\run\sapcrypto.dll"

resulting Filename = "H:\usr\sap\SF3\SYS\exe\run\sapcrypto.dll"

[Thr 2624] = found SAPCRYPTOLIB 5.5.5C pl29 (Jan 30 2010) MT-safe

[Thr 2624] = current UserID: HG10521\SAPServicesf3

[Thr 2624] = found SECUDIR environment variable

[Thr 2624] = using SECUDIR=H:\usr\sap\SF3\DVEBMGS00\sec

[Thr 2624] *** ERROR => secudessl_Create_SSL_CTX(): PSE "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse" not found! [ssslsecu.c 1296]

[Thr 2624] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --

secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"

[Thr 2624] >> - Begin of Secude-SSL Errorstack - >>

[Thr 2624] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse"

ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse"

ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse"

ERROR in secsw_open: (1824/0x0720) Wrong or Missing PIN for PSE : "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse"

ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong or Missing PIN for PSE : "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse"

[Thr 2624] << - End of Secude-SSL Errorstack -


[Thr 2624] *** ERROR => Initialization of SSL library failed -- NO SSL available!

[Thr 2624] =================================================

Please help.

Pavan Kumar

Accepted Solutions (0)

Answers (3)


Former Member
0 Kudos

Hi,

The problem had to do with setting up the PIN for the correct system user that was starting up the service.

Try executing the command for the SAPSERVICE<SID> user.

Regards

Valavan.SM
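To find which account that is, the dev_icm trace already names it: the sketch below (an added example, not code from any poster in this thread) reads trace lines like those quoted in the question and pairs the "current UserID" with every PSE that failed with error 1824. The function names `triage` and `report` are hypothetical; the sample lines are copied from the question.

```python
import re

# Lines copied from the dev_icm trace quoted in the question above.
SAMPLE_DEV_ICM = r'''
[Thr 2624] = current UserID: HG10521\SAPServicesf3
[Thr 2624] = using SECUDIR=H:\usr\sap\SF3\DVEBMGS00\sec
[Thr 2624] *** ERROR => secudessl_Create_SSL_CTX(): PSE "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse" not found! [ssslsecu.c 1296]
[Thr 2624] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse"
ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse"
ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse"
'''

THREAD = re.compile(r"^\[Thr (\d+)\]\s*(.*)$")
USER = re.compile(r"current UserID:\s*(\S+)")
PIN_ERROR = re.compile(
    r'ERROR in (\w+): \(1824/0x0720\) Wrong(?: or Missing)? PIN for PSE'
    r'(?:\s*:\s*"([^"]+)")?')


def triage(trace):
    """Map (OS account, PSE path) -> library calls that failed with error 1824."""
    users = {}      # thread id -> account that thread reported as current UserID
    findings = {}
    tid = None      # lines without a [Thr n] prefix continue the previous thread
    for raw in trace.splitlines():
        line = raw.strip()
        m = THREAD.match(line)
        if m:
            tid, line = m.groups()
        if tid is None:
            continue
        u = USER.search(line)
        if u:
            users[tid] = u.group(1)
            continue
        e = PIN_ERROR.search(line)
        if e:
            func, pse = e.groups()
            key = (users.get(tid, "<unknown account>"), pse or "<PSE not named>")
            findings.setdefault(key, []).append(func)
    return findings


def report(findings):
    """One line per account/PSE pair whose PIN credential is wrong or missing."""
    return [f"{user} cannot open {pse} (error 1824 in {', '.join(funcs)})"
            for (user, pse), funcs in findings.items()]


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_DEV_ICM))))
```

The account it reports is the one the ICM process runs as, which is the user the `seclogin -O` credential entry has to be created for.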

Former Member
0 Kudos

I have created the .pse file but get the following on the ZSST_TEST_PSE program.

Test signature

Signature ERROR - Unknown signer or recipient

Test encryption

Encryption ERROR - Unknown signer or recipient

I do not see how to correct this in note:800240.

Thanks,

Sherry

Edited by: Sherry Samson on Jul 29, 2010 10:47 PM

Former Member
0 Kudos

Hello,

I have the same issue.

When I run ZSSF_TEST_PSE, I also get the following.

Test signature

Signature ERROR - Unknown signer or recipient

Test encryption

Encryption ERROR - Unknown signer or recipient

Did you find out how to resolve the problem?

Thanks

Jean-Yves

Former Member
0 Kudos

I have the same problem.

Did someone find out how to resolve the problem?

regards

Former Member
0 Kudos

Same issue here!!

Did anyone find the solution??

Regards

Martin


former_member227283
Active Contributor
0 Kudos

Hi,

The first time you created the SSL certificate, you may have provided a password, which has been stored in the PSE file.

Now you have to provide the same password while renewing the certificate.

If you don't remember the password, then there is no option; you have to do the whole procedure again, beginning from PSE generation.

Thanks

Anil

Former Member
0 Kudos

Dear Anil,

I have already deleted the PSE file that was created the first time and generated a new PSE. I deleted all old credentials from the cred_v2 file as well. Now I can only see credentials in the cred_v2 file for SAPSSLC.pse, but I am really not able to understand how the sapgenpse command is deciding my PIN is incorrect.

Regards, Pavan Kumar.

former_member227283
Active Contributor
0 Kudos

Hi Pavan,

Did you provide any PIN while generating the PSE?

Thanks

Anil

Former Member
0 Kudos

Hi, yes, I have provided one. First I generated the server.p12 file using the command below; during that I gave the PIN: 2bs4<SID>.

openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12

After that I imported server.p12 into SAPSSLS.pse using the command below:

sapgenpse import_p12 -p SAPSSLS.PSE -r TC_TrustCenter_Class_2_CA_II.cer -r TC_TrustCenter_Class_2_L1_CA_XI.cer -x -z server.p12

Here also I mentioned the same PIN, i.e. 2bs4<SID>,

but the credential file was not updated. When I try to add credentials manually, it says wrong PIN or missing PIN.

I tried for both the sf3adm and SAPServicesf3 users.

When I import this SAPSSLS.pse using STRUST, it does not accept 2bs4<SID>, i.e. 2bs4SF3, as the password.

Regards, Pavan Kumar.

former_member227283
Active Contributor
0 Kudos

Hi,

Can you tell us what command you gave while generating the credential file?

While executing the command to generate the credential file, did it ask you for a password?

Thanks

Anil

Former Member
0 Kudos

Hi Anil, I used the command below.

sapgenpse seclogin -p H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse -x 2bs4SF3 -O SAPServicesf3

running seclogin with USER="sf3adm"

Response to the command:

************************************

creating credentials for user "HG10521\SAPServicesf3"...

seclogin: Couldn't open PSE

ERROR in af_open: (1824/0x0720) Wrong PIN for PSE

ERROR in secsw_open: (1824/0x0720) Wrong PIN for PSE

ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong PIN for PSE

Regards,

Pavan Kumar.

former_member227283
Active Contributor
0 Kudos

Hi,

I would suggest you do this exercise again with any other simple password.

Thanks

Anil

Former Member
0 Kudos

Hi, OK, I will try, but password should be a problem as of my knowledge, because I used the same password for the test and prd systems and it is running fine. We are using the same standard password for nearly 100 customers and 400 systems!

Regards,

Pavan Kumar.

Former Member
0 Kudos

> We are using the same standard password for nearly 100 customers and 400 systems!

That is really secure! Are your customers aware of this insecure situation?

If I were one of your 100 customers and I read this SDN post, you would hear about me: a security audit would be on its way very soon...

Regards,

Olivier

Former Member
0 Kudos

Hello Olivier,

We have already identified this 6 months back, and are following a secured PIN strategy in which the PIN is randomly generated by a tool.

To help experts like you understand my situation more clearly, I had given an example; the actual password is slightly different. If you want to know the password, you do not have any other option except joining my company. Anyway, I accept your feedback; customers may usually feel insecure about the post.

Hope you are not one among the 100!

Regards,