on 10-17-2014 11:01 PM
Experts!
My versions:
SAP CRM 7.0 EHP3 SP05
KERNEL 741_REL v46
OS: AIX 6.1
DB: Oracle 11.2.0.3.0
CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 pl40 (Sep 25 2014) MT-safe
My issue:
We have a Connection type "G" in SM59 HTTP Connection to External Serv.
We use this connection to contact EQUIFAX to check all customers for credit worthiness.
The connection has not been touched in a very long time. But today we started getting errors.
Here are the details of the RFC.
As you can see, type G calling a 443 URL
We have a defined ID/pass.
Plus we use anonymous SSL for authentication.
STRUSTSSO2 shows the details of that
We have a THAWTE cert
Like I said, this was working, but not anymore. We get:
I bumped up the full ICM trace. See attached TEXT file, but the important stuff is directly below:
[Thr 11309] IcmConnConnect: context 1 assigned to tid: 12, uid: 77, mode: 0
[Thr 11309] keep_alive_timeout: 10, proc_timeout: 0, wp_timeout: 500
[Thr 11309] IcmGetServicePtr: MYFQDNHOST:8010, bind_to_host(0) - new serv_ref_count: 1
[Thr 11309] IcmIConnConnect: direct connect to transport5.ec.equifax.com:443
[Thr 11309] NiHLGetNodeAddr: found hostname 'transport5.ec.equifax.com' in cache
[Thr 11309] NiIGetNodeAddr: hostname 'transport5.ec.equifax.com' = addr 216.46.96.180
[Thr 11309] NiIGetServNo: servicename '443' = port 443
[Thr 11309] NiICreateHandle: hdl 273 state NI_INITIAL_CON
[Thr 11309] NiIInitSocket: set default settings for new hdl 273/sock 53 (I4; ST)
[Thr 11309] NiIBlockMode: set blockmode for hdl 273 FALSE
[Thr 11309] NiICheckPendConnection: connection of hdl 273 to 216.46.96.180:443 established
[Thr 11309] NiIConnect: hdl 273 took local address MYHOSTIP:59320
[Thr 11309] NiIConnect: state of hdl 273 NI_CONNECTED
[Thr 11309] IcmIConnConnect: Connect to host: transport5.ec.equifax.com, service: 443, SAP_O_K(0)
[Thr 11309] <<- SapSSLSessionInit()==SAP_O_K
[Thr 11309] in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"
[Thr 11309] out: sssl_hdl = 1137c07f0
[Thr 11309] SSL NI-hdl 273: local=MYHOSTIP:59320 peer=216.46.96.180:443
[Thr 11309] <<- SapSSLSetNiHdl(sssl_hdl=1137c07f0, ni_hdl=273)==SAP_O_K
[Thr 11309] SapISSLComposeFilename(): Filename = "/usr/sap/CQM/DVEBMGS00/sec/SAPSSLA.pse"
[Thr 11309] <<- SapSSLSetSessionCredential(sssl_hdl=1137c07f0)==SAP_O_K
[Thr 11309] in: cred_name = "/usr/sap/CQM/DVEBMGS00/sec/SAPSSLA.pse"
[Thr 11309] IcmConnInitClientSSL: using pse /usr/sap/CQM/DVEBMGS00/sec/SAPSSLA.pse, show client certificate if available
[Thr 11309] <<- SapSSLSetTargetHostname(sssl_hdl=1137c07f0)==SAP_O_K
[Thr 11309] in: hostname = "transport5.ec.equifax.com"
[Thr 11309] NiIBlockMode: set blockmode for hdl 273 TRUE
[Thr 11309] NiIBlockMode: set blockmode for hdl 273 FALSE
[Thr 11309] NiIBlockMode: set blockmode for hdl 273 TRUE
[Thr 11309] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_CONNECTION_LOST
[Thr 11309] session uses PSE file "/usr/sap/CQM/DVEBMGS00/sec/SAPSSLA.pse"
[Thr 11309] No LastError / ErrorStack available!
[Thr 11309] SSL_get_state()==0x2120 "SSLv3 read server hello A"
[Thr 11309] No certificate request received from Server
[Thr 11309] <<- ERROR: SapSSLSessionStart(sssl_hdl=1137c07f0)==SSSLERR_SSL_CONNECT
[Thr 11309] *** ERROR => SSL handshake with transport5.ec.equifax.com:443 failed: SSSLERR_SSL_CONNECT (-57)
[Thr 11309] SAPCRYPTO:SSL_connect() failed
[Thr 11309]
[Thr 11309] SapSSLSessionStart()==SSSLERR_SSL_CONNECT
[Thr 11309] SSL_connnect() failed (0/0x00) Huh??
[Thr 11309] SSL:SSL_get_state()==0x2120 "SSLv3 read server hello A"
[Thr 11309] SSL NI-hdl 273: local=MYHOST-IP:59320 peer=216.46.96.180:443
[Thr 11309] cli SSL session PSE "/usr/sap/CQM/DVEBMGS00/sec/SAPSSLA.pse"
[Thr 11309] Target Hostname="transport5.ec.equifax.com"
So at any rate, that's what I get. Equifax says their side hasn't changed.
I know my side hasn't changed. I know none of my certs have expired.
I know I can directly reach https://transport5.ec.equifax.com//ists/stspost and authenticate straight from my PC or the AIX server using the user/pass they provided. Which is also in the SM59 G RFC.
So I can't blame my firewall/network team.
I have attempted to apply the latest cryptolib after getting this error.
I was at:
CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.22 pl40 (Jul 23 2014) MT-safe
I am now at
CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 pl40 (Sep 25 2014) MT-safe
Still, I'm getting the same error that I attached, and have shown above.
I've done all the easy stuff. I've also searched all of the OSS marketplace...SCN, Google.
I just need to know...is this me or Equifax??? I've reached out to that company's tech support but they've been less than helpful.
Anything I can provide to them to prove either way would be great.
Anyone got ideas???
Thanks!!!!
NICK
The problem ended up being totally on our end! Our Firewall team had decided to block all SSLv3 communication. I asked them to un-do that change, and then we were working!
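A small triage script for the symptom in this thread, added here as an illustration; it is not part of the original post or of any SAP tooling. It pulls the handshake facts out of an ICM trace and flags the pattern seen above (TCP connect succeeds, the connection is lost while the client waits for the ServerHello, and no error stack is recorded). The regular expressions and the verdict heuristic are assumptions built from the trace lines quoted in the post.

```python
import re

# Constructed sample: lines copied from the ICM trace quoted in the post.
SAMPLE_TRACE = """\
[Thr 11309] NiICheckPendConnection: connection of hdl 273 to 216.46.96.180:443 established
[Thr 11309] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_CONNECTION_LOST
[Thr 11309] No LastError / ErrorStack available!
[Thr 11309] SSL_get_state()==0x2120 "SSLv3 read server hello A"
[Thr 11309] No certificate request received from Server
[Thr 11309] *** ERROR => SSL handshake with transport5.ec.equifax.com:443 failed: SSSLERR_SSL_CONNECT (-57)
"""

# Assumed patterns, derived only from the trace format shown on this page.
PATTERNS = {
    "tcp_peer": re.compile(r"connection of hdl \d+ to (\S+) established"),
    "ssl_error": re.compile(r"SSL_conn+ect\(\)==(\w+)"),
    "state": re.compile(r'SSL_get_state\(\)==(0x[0-9a-fA-F]+) "([^"]+)"'),
    "failed": re.compile(r"SSL handshake with (\S+) failed: (\w+) \((-?\d+)\)"),
}

def triage(trace):
    """Collect the first occurrence of each handshake fact in the trace."""
    facts = {"error_stack": True}
    for line in trace.splitlines():
        if "No LastError / ErrorStack available" in line:
            facts["error_stack"] = False
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m and key not in facts:
                facts[key] = m.groups() if len(m.groups()) > 1 else m.group(1)
    return facts

def verdict(facts):
    """Heuristic: a drop before ServerHello with no alert points at the path, not the PSE."""
    tcp_ok = "tcp_peer" in facts
    lost = facts.get("ssl_error") == "SSL_ERROR_CONNECTION_LOST"
    waiting_hello = "read server hello" in facts.get("state", ("", ""))[1]
    if tcp_ok and lost and waiting_hello and not facts["error_stack"]:
        return "connection dropped before ServerHello; check in-path TLS filtering"
    if "failed" in facts:
        return "handshake failed; inspect error stack for alert or certificate errors"
    return "no handshake failure found"

if __name__ == "__main__":
    print(verdict(triage(SAMPLE_TRACE)))
```

A certificate or trust problem would normally leave an alert or an error stack entry after the ServerHello, which is why the absence of both is treated as the distinguishing signal here.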