on 06-27-2010 3:04 PM
Hi, my SSL certificate on an ABAP-only system has expired. When I try to renew it, I have an issue with the PIN.
When I want to import SAPSSLS.pse using STRUST, it says: can't open PSE.
I am not able to add the credentials for SAPSSLS.pse for the user SAPServiceSF3, but I could add them for the <SIDADM> user.
It gives the below error.
H:\usr\sap\SF3\DVEBMGS00\sec>sapgenpse seclogin -p H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse -x 2bs4SF3 -O hg10521\SAPServicesf3
running seclogin with USER="sf3adm"
creating credentials for user "HG10521\SAPServicesf3"...
seclogin: Couldn't open PSE
ERROR in af_open: (1824/0x0720) Wrong PIN for PSE
ERROR in secsw_open: (1824/0x0720) Wrong PIN for PSE
ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong PIN for PSE
below is dev_icm log content
******************************
[Thr 2624] = SSL Initialization on PC with Windows NT
[Thr 2624] = (640_REL,Aug 12 2007,mt,ascii,SAP_UC/size_t/void* = 16/64/64)
[Thr 2624] SapISSLComposeFilename(): profile param "ssl/ssl_lib" = "H:\usr\sap\SF3\SYS\exe\run\sapcrypto.dll"
resulting Filename = "H:\usr\sap\SF3\SYS\exe\run\sapcrypto.dll"
[Thr 2624] = found SAPCRYPTOLIB 5.5.5C pl29 (Jan 30 2010) MT-safe
[Thr 2624] = current UserID: HG10521\SAPServicesf3
[Thr 2624] = found SECUDIR environment variable
[Thr 2624] = using SECUDIR=H:\usr\sap\SF3\DVEBMGS00\sec
[Thr 2624] *** ERROR => secudessl_Create_SSL_CTX(): PSE "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse" not found! [ssslsecu.c 1296]
[Thr 2624] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
[Thr 2624] >> - Begin of Secude-SSL Errorstack - >>
[Thr 2624] ERROR in SSL_CTX_set_default_pse_by_name: (1824/0x0720) Wrong or Missing PIN for PSE : "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse"
ERROR in ssl_set_pse: (1824/0x0720) Wrong or Missing PIN for PSE : "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse"
ERROR in af_open: (1824/0x0720) Wrong or Missing PIN for PSE : "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse"
ERROR in secsw_open: (1824/0x0720) Wrong or Missing PIN for PSE : "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse"
ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong or Missing PIN for PSE : "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse"
[Thr 2624] << - End of Secude-SSL Errorstack -
[Thr 2624] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 2624] =================================================
Please help.
Pavan Kumar
Hi,
The problem had to do with setting up the PIN for the correct system user that was starting up the service.
Try executing the command for the SAPSERVICE<SID> user.
Regards
Valavan.SM
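A way to cross-check the account and PIN conditions discussed in this thread, as an added example that is not part of the original posts: it parses the dev_icm and seclogin output quoted in the question and reports which account the ICM runs as, which account seclogin targeted, and whether seclogin could open the PSE. The function names and the reading of error 1824 in each context are assumptions of this example.

```python
import re

# Excerpts of the output quoted in the thread (dev_icm trace, seclogin run).
DEV_ICM = r'''
[Thr 2624] = current UserID: HG10521\SAPServicesf3
[Thr 2624] = using SECUDIR=H:\usr\sap\SF3\DVEBMGS00\sec
[Thr 2624] *** ERROR => secudessl_Create_SSL_CTX(): PSE "H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse" not found! [ssslsecu.c 1296]
secude_error 1824 (0x00000720) = "Wrong or Missing PIN for PSE"
'''
SECLOGIN = r'''
running seclogin with USER="sf3adm"
creating credentials for user "HG10521\SAPServicesf3"...
seclogin: Couldn't open PSE
ERROR in af_open: (1824/0x0720) Wrong PIN for PSE
'''

def _find(pattern, text):
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None

def parse_dev_icm(trace):
    return {
        "icm_user": _find(r"current UserID:\s*(\S+)", trace),
        "secudir": _find(r"using SECUDIR=(.+)$", trace),
        "pse": _find(r'PSE "([^"]+)"', trace),
        "error": _find(r"secude_error\s+(\d+)", trace),
    }

def parse_seclogin(output):
    return {
        "run_as": _find(r'running seclogin with USER="([^"]+)"', output),
        "target_user": _find(r'creating credentials for user "([^"]+)"', output),
        "pse_opened": "Couldn't open PSE" not in output,
        "error": _find(r"ERROR in af_open: \((\d+)/", output),
    }

def diagnose(trace, output):
    # Assumption of this example: 1824 in dev_icm means no usable credential.
    icm, sl = parse_dev_icm(trace), parse_seclogin(output)
    findings = []
    # Windows account names compare case-insensitively.
    same_user = (icm["icm_user"] or "").lower() == (sl["target_user"] or "").lower()
    if not same_user:
        findings.append("credential target differs from the ICM process user")
    if not sl["pse_opened"]:
        findings.append("seclogin could not open the PSE with the supplied PIN")
    if icm["error"] == "1824":
        findings.append("ICM found no usable credential for " + str(icm["icm_user"]))
    return {"same_user": same_user, "findings": findings, "icm": icm, "seclogin": sl}
```

On the thread's output the two accounts match, so the remaining finding to resolve is that seclogin itself could not open the PSE with the PIN it was given.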
I have created the .pse file but get the following on the ZSST_TEST_PSE program.
Test signature
Signature ERROR - Unknown signer or recipient
Test encryption
Encryption ERROR - Unknown signer or recipient
I do not see how to correct this in note 800240.
Thanks,
Sherry
Edited by: Sherry Samson on Jul 29, 2010 10:47 PM
Hi,
The first time, when you created the SSL certificate, you may have provided some password which has been stored in the PSE file.
Now you have to provide the same password while renewing the certificate.
If you don't remember the password, then there is no option; you have to do the whole procedure beginning from PSE generation.
Thanks
Anil
Dear Anil,
I have already deleted the PSE file that was created the first time and generated a new PSE. I deleted all old credentials from the cred_v2 file as well. Now I can only see credentials in the cred_v2 file for SAPSSLC.pse, but I am really not able to understand how the sapgenpse command is deciding my PIN is incorrect.
Regards, Pavan Kumar.
Hi, yes I have provided it. First I generated the server.p12 file using the below command; during that I gave the PIN: 2bs4<SID>.
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
After that I imported server.p12 into SAPSSLS.pse using the below command:
sapgenpse import_p12 -p SAPSSLS.PSE -r TC_TrustCenter_Class_2_CA_II.cer -r TC_TrustCenter_Class_2_L1_CA_XI.cer -x -z server.p12
Here also I have mentioned the same PIN, i.e. 2bs4<SID>,
but the credential file is not updated. When I try to add credentials manually, it says wrong PIN or missing PIN.
I tried for both the sf3adm and SAPServicesf3 users.
When I import this SAPSSLS.pse using STRUST, it is not accepting 2bs4<SID>, i.e. 2bs4SF3, as the password.
Regards, Pavan Kumar.
Hi Anil, I used the below command.
sapgenpse seclogin -p H:\usr\sap\SF3\DVEBMGS00\sec\SAPSSLS.pse -x 2bs4SF3 -O SAPServicesf3
running seclogin with USER="sf3adm"
Response for the command:
************************************
creating credentials for user "HG10521\SAPServicesf3"...
seclogin: Couldn't open PSE
ERROR in af_open: (1824/0x0720) Wrong PIN for PSE
ERROR in secsw_open: (1824/0x0720) Wrong PIN for PSE
ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong PIN for PSE
Regards,
Pavan Kumar.
> we are using the same standard password for nearly 100 customers and 400 systems!
That is really secure! Are your customers aware of this unsecure situation?
If I were one of your 100 customers and I read this SDN post, you would hear about me: a security audit would be on its way very soon...
Regards,
Olivier
Hello Olivier,
We already identified this 6 months back, and are following a secured PIN strategy that is randomly generated by a tool.
To make experts like you understand my situation with more clarity, I had given an example; the actual password is slightly different. If you want to know the password, you do not have any other option except joining my company. Anyway, I accept your feedback; usually customers may feel insecure about the post.
Hope you are not one among the 100!
Regards,