on 01-16-2015 3:01 PM
Hi Gurus,
we try to configure Rapid Content Delivery in SSM.
We have imported all needed certificates for the SSL in STRUST.
Symantec_Class_1_Individual_Subscriber_CA_-_G4
VeriSign_Class_1_Public_Primary_Certification_Authority_-_G3
VeriSign_Class_2_Public_Primary_Certification_Authority_-_G3
VeriSign_Class_3_Public_Primary_Certification_Authority_-_G3
VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4
VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5
VeriSign_Class_3_Secure_Server_CA
VeriSign_Class_4_Public_Primary_Certification_Authority_-_G3
VeriSign_Inc.
GTE CyberTrust Global Root
But we alway get the following error.
[Thr 1800] Fri Jan 16 15:50:21 2015
[Thr 1800] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 1800] session uses PSE file "/usr/sap/SSM/DVEBMGS01/sec/SAPSSLC.pse"
[Thr 1800] SecudeSSL_SessionStart: SSL_connect() failed --
[Thr 1800] secude_error 536872221 (0x2000051d) = "SSL API error"
[Thr 1800] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 1800] 0x2000051d | SAPCRYPTOLIB | SSL_connect
[Thr 1800] SSL API error
[Thr 1800] Failed to verify peer certificate. Peer not trusted.
[Thr 1800] 0xa0600203 | SSL | ssl_verify_peer_certificates
[Thr 1800] Peer not trusted
[Thr 1800] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates
[Thr 1800] peer certificate (chain) is not trusted
[Thr 1800] PropertyBlock:
[Thr 1800] Status :Not successful
[Thr 1800] Profile :1.3.6.1.4.1.694.2.2.2.2
[Thr 1800] SignerStatus:Not successful
[Thr 1800] SignerVerificationResult:
[Thr 1800] element#no="1":
[Thr 1800] Status :Not successful
[Thr 1800] Validity :Successful
[Thr 1800] BasicConstraints:Successful
[Thr 1800] KeyUsage :Successful
[Thr 1800] ObjectStatus:Not successful
[Thr 1800] SignerCert:
[Thr 1800] Certificate:
[Thr 1800] Subject :CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[Thr 1800] Verification result:
[Thr 1800] Status :Not successful
[Thr 1800] Profile :1.3.6.1.4.1.694.2.2.2.2
[Thr 1800] SignerStatus:Not successful
[Thr 1800] BasicConstraintsPathLen:1
[Thr 1800] SignerVerificationResult:
[Thr 1800] element#no="1":
[Thr 1800] Status :Not successful
[Thr 1800] Validity :Successful
[Thr 1800] BasicConstraints:Successful
[Thr 1800] KeyUsage :Successful
[Thr 1800] ObjectStatus:Not successful
[Thr 1800] SignerCert:
[Thr 1800] Certificate:
[Thr 1800] Subject :CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
[Thr 1800] Verification result:
[Thr 1800] Status :Not successful
[Thr 1800] Profile :1.3.6.1.4.1.694.2.2.2.2
[Thr 1800] SignerStatus:Not successful
[Thr 1800] SignerVerificationResult: None
[Thr 1800]
[Thr 1800] << ---------- End of Secude-SSL Errorstack ----------
[Thr 1800] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 1800] SSL NI-sock: local=172.16.130.221:47564 peer=172.16.143.101:80
[Thr 1800] <<- ERROR: SapSSLSessionStart(sssl_hdl=1115818b0)==SSSLERR_PEER_CERT_UNTRUSTED
[Thr 1800] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0009b898} [icxxconn_mt.c 1957]
Has someone a suggestion?
regards
Chris
Okay, i found my issue.
I imported the certificates to "System-PSE" instead to "SSL Client SSL Client (Standard)"
blunder
regards
Chris
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Yes, the error is still there. Not trusted Root Cert.
used the manual solution.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Christian,
Sorry for a long delay in responding to your query.
Good to know that you could manually download and implement the content to your system.
Do you want to configure Automatic download for RCD? or you want to adhere to manual download way?
If you still have issues with Automatic download configuration/ any issues related to RCD, please raise a ticket on SV-SMG-RCD component and my colleagues will assist you on that.
Thanks and Best Regards,
Ambika
Hello Christian,
Are you still facing an error ?
Regards,
Siddhesh
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You can test with a test certificate https://service.sap.com/ssltest . Maybe it helps you.
Regards.
Pablo.
It must be an other issue.
We get still the error.
[Thr 1286] Wed Feb 11 15:28:24 2015
[Thr 1286] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 1286] session uses PSE file "/usr/sap/SSM/DVEBMGS01/sec/SAPSSLC.pse"
[Thr 1286] SecudeSSL_SessionStart: SSL_connect() failed --
[Thr 1286] secude_error 536872221 (0x2000051d) = "SSL API error"
[Thr 1286] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 1286] 0x2000051d | SAPCRYPTOLIB | SSL_connect
[Thr 1286] SSL API error
[Thr 1286] Failed to verify peer certificate. Peer not trusted.
[Thr 1286] 0xa0600203 | SSL | ssl_verify_peer_certificates
[Thr 1286] Peer not trusted
[Thr 1286] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates
[Thr 1286] peer certificate (chain) is not trusted
[Thr 1286] PropertyBlock:
[Thr 1286] Status :Not successful
[Thr 1286] Profile :1.3.6.1.4.1.694.2.2.2.2
[Thr 1286] SignerStatus:Not successful
[Thr 1286] SignerVerificationResult:
[Thr 1286] element#no="1":
[Thr 1286] Status :Not successful
[Thr 1286] Validity :Successful
[Thr 1286] BasicConstraints:Successful
[Thr 1286] KeyUsage :Successful
[Thr 1286] ObjectStatus:Not successful
[Thr 1286] SignerCert:
[Thr 1286] Certificate:
[Thr 1286] Subject :CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[Thr 1286] Verification result:
[Thr 1286] Status :Not successful
[Thr 1286] Profile :1.3.6.1.4.1.694.2.2.2.2
[Thr 1286] SignerStatus:Not successful
[Thr 1286] BasicConstraintsPathLen:1
[Thr 1286] SignerVerificationResult:
[Thr 1286] element#no="1":
[Thr 1286] Status :Not successful
[Thr 1286] Validity :Successful
[Thr 1286] BasicConstraints:Successful
[Thr 1286] KeyUsage :Successful
[Thr 1286] ObjectStatus:Not successful
[Thr 1286] SignerCert:
[Thr 1286] Certificate:
[Thr 1286] Subject :CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
[Thr 1286] Verification result:
[Thr 1286] Status :Not successful
[Thr 1286] Profile :1.3.6.1.4.1.694.2.2.2.2
[Thr 1286] SignerStatus:Not successful
[Thr 1286] SignerVerificationResult: None
[Thr 1286]
[Thr 1286] << ---------- End of Secude-SSL Errorstack ----------
[Thr 1286] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 1286] SSL NI-sock: local=172.16.130.221:17319 peer=172.16.143.101:80
[Thr 1286] <<- ERROR: SapSSLSessionStart(sssl_hdl=1114bc690)==SSSLERR_PEER_CERT_UNTRUSTED
[Thr 1286] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {000488af} [icxxconn_mt.c 1957]
Now we installed the new certificates, but still get the error.
[Thr 2828] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 2828] session uses PSE file "/usr/sap/SSM/DVEBMGS01/sec/SAPSSLC.pse"
[Thr 2828] SecudeSSL_SessionStart: SSL_connect() failed --
[Thr 2828] secude_error 536872221 (0x2000051d) = "SSL API error"
[Thr 2828] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 2828] 0x2000051d | SAPCRYPTOLIB | SSL_connect
[Thr 2828] SSL API error
[Thr 2828] Failed to verify peer certificate. Peer not trusted.
[Thr 2828] 0xa0600203 | SSL | ssl_verify_peer_certificates
[Thr 2828] Peer not trusted
[Thr 2828] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates
[Thr 2828] peer certificate (chain) is not trusted
[Thr 2828] PropertyBlock:
[Thr 2828] Status :Not successful
[Thr 2828] Profile :1.3.6.1.4.1.694.2.2.2.2
[Thr 2828] SignerStatus:Not successful
[Thr 2828] SignerVerificationResult:
[Thr 2828] element#no="1":
[Thr 2828] Status :Not successful
[Thr 2828] Validity :Successful
[Thr 2828] BasicConstraints:Successful
[Thr 2828] KeyUsage :Successful
[Thr 2828] ObjectStatus:Not successful
[Thr 2828] SignerCert:
[Thr 2828] Certificate:
[Thr 2828] Subject :CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[Thr 2828] Verification result:
[Thr 2828] Status :Not successful
[Thr 2828] Profile :1.3.6.1.4.1.694.2.2.2.2
[Thr 2828] SignerStatus:Not successful
[Thr 2828] BasicConstraintsPathLen:1
[Thr 2828] SignerVerificationResult:
[Thr 2828] element#no="1":
[Thr 2828] Status :Not successful
[Thr 2828] Validity :Successful
[Thr 2828] BasicConstraints:Successful
[Thr 2828] KeyUsage :Successful
[Thr 2828] ObjectStatus:Not successful
[Thr 2828] SignerCert:
[Thr 2828] Certificate:
[Thr 2828] Subject :CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
[Thr 2828] Verification result:
[Thr 2828] Status :Not successful
[Thr 2828] Profile :1.3.6.1.4.1.694.2.2.2.2
[Thr 2828] SignerStatus:Not successful
[Thr 2828] SignerVerificationResult: None
[Thr 2828]
[Thr 2828] << ---------- End of Secude-SSL Errorstack ----------
[Thr 2828] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 2828] SSL NI-sock: local=172.16.130.221:52457 peer=172.16.143.101:80
[Thr 2828] <<- ERROR: SapSSLSessionStart(sssl_hdl=116f6f4d0)==SSSLERR_PEER_CERT_UNTRUSTED
[Thr 2828] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {000ef4ed} [icxxconn_mt.c 1957]
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
These Notes are already implemented.
Sl. No | Note Number | Short Text |
---|---|---|
1 | 2058016http://service.sap.com/sap/support/notes/2058016 | RCD: Errors during UNCAR of a downloaded SAPCAR ST-CONT file |
2 | 2058571 | RCD: The notified deliveries are not being read from SAP-OSS |
3 | 2099283 | RCD - HTTP Proxy settings for Auto download RFC issue |
4 | 2119938 | Solution Manager Rapid Content Delivery: Import of content fails due to dump in writing file |
Hi
The certificates to be downloaded and imported are
Can you please remove all other certificates from STRUST . All the errors are referring to the wrong certificates .
restar ICM , Reset the trace file and post the log
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Okay, the Wiki article is updated. Rapid Content Delivery - Technical Operations - SCN Wiki
Needed Certificates are.
Hello Christian,
Have you restarted ICM after imported the certificates?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi ,
Can you paste the SMICM log
Goto transaction SMICM - > Goto ->Trace File -> Display all
Thanks ,
Manu
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
90 | |
10 | |
10 | |
10 | |
7 | |
7 | |
6 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.