ERROR during SecudeSSL - Rapid Content Delivery in SSM

Former Member
0 Kudos

Hi Gurus,

We are trying to configure Rapid Content Delivery in SSM.

We have imported all needed certificates for the SSL in STRUST.

  • Symantec_Class_1_Individual_Subscriber_CA_-_G4
  • VeriSign_Class_1_Public_Primary_Certification_Authority_-_G3
  • VeriSign_Class_2_Public_Primary_Certification_Authority_-_G3
  • VeriSign_Class_3_Public_Primary_Certification_Authority_-_G3
  • VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4
  • VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5
  • VeriSign_Class_3_Secure_Server_CA
  • VeriSign_Class_4_Public_Primary_Certification_Authority_-_G3
  • VeriSign_Inc.
  • GTE CyberTrust Global Root

But we always get the following error.


[Thr 1800] Fri Jan 16 15:50:21 2015

[Thr 1800] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 1800]    session uses PSE file "/usr/sap/SSM/DVEBMGS01/sec/SAPSSLC.pse"

[Thr 1800] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 1800]   secude_error 536872221 (0x2000051d) = "SSL API error"

[Thr 1800] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 1800] 0x2000051d | SAPCRYPTOLIB | SSL_connect

[Thr 1800] SSL API error

[Thr 1800] Failed to verify peer certificate. Peer not trusted.

[Thr 1800] 0xa0600203 | SSL | ssl_verify_peer_certificates

[Thr 1800] Peer not trusted

[Thr 1800] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates

[Thr 1800] peer certificate (chain) is not trusted

[Thr 1800] PropertyBlock:

[Thr 1800]   Status      :Not successful

[Thr 1800]   Profile     :1.3.6.1.4.1.694.2.2.2.2

[Thr 1800]   SignerStatus:Not successful

[Thr 1800]   SignerVerificationResult:

[Thr 1800]     element#no="1":

[Thr 1800]       Status      :Not successful

[Thr 1800]       Validity    :Successful

[Thr 1800]       BasicConstraints:Successful

[Thr 1800]       KeyUsage    :Successful

[Thr 1800]       ObjectStatus:Not successful

[Thr 1800]       SignerCert:

[Thr 1800]         Certificate:

[Thr 1800]             Subject     :CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US

[Thr 1800]         Verification result:

[Thr 1800]           Status      :Not successful

[Thr 1800]           Profile     :1.3.6.1.4.1.694.2.2.2.2

[Thr 1800]           SignerStatus:Not successful

[Thr 1800]           BasicConstraintsPathLen:1

[Thr 1800]           SignerVerificationResult:

[Thr 1800]             element#no="1":

[Thr 1800]               Status      :Not successful

[Thr 1800]               Validity    :Successful

[Thr 1800]               BasicConstraints:Successful

[Thr 1800]               KeyUsage    :Successful

[Thr 1800]               ObjectStatus:Not successful

[Thr 1800]               SignerCert:

[Thr 1800]                 Certificate:

[Thr 1800]                     Subject     :CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

[Thr 1800]                 Verification result:

[Thr 1800]                   Status      :Not successful

[Thr 1800]                   Profile     :1.3.6.1.4.1.694.2.2.2.2

[Thr 1800]                   SignerStatus:Not successful

[Thr 1800]                   SignerVerificationResult: None

[Thr 1800]

[Thr 1800] << ---------- End of Secude-SSL Errorstack ----------

[Thr 1800]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 1800]   SSL NI-sock: local=172.16.130.221:47564  peer=172.16.143.101:80

[Thr 1800] <<- ERROR: SapSSLSessionStart(sssl_hdl=1115818b0)==SSSLERR_PEER_CERT_UNTRUSTED

[Thr 1800] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0009b898} [icxxconn_mt.c 1957]

Does anyone have a suggestion?

regards

Chris

Accepted Solutions (1)


Former Member
0 Kudos

Okay, I found my issue.

I imported the certificates to "System-PSE" instead of "SSL Client SSL Client (Standard)"

blunder

regards

Chris
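
The trace in the question names the PSE the handshake actually used (`SAPSSLC.pse`), which is the detail the accepted solution turns on. As an added example (not part of the original posts and not SAP code), this Python parser reads a trace in the format shown above and reports, per thread, the PSE file, the STRUST node it belongs to, and the chain subjects logged as unverified. The file-name-to-node table is standard SAP naming assumed here rather than taken from the thread, and the function and variable names are hypothetical.

```python
import re

# Standard PSE file names and their STRUST nodes (general SAP naming, not from the thread).
STRUST_NODE = {
    "SAPSYS.pse": "System PSE",
    "SAPSSLS.pse": "SSL server Standard",
    "SAPSSLC.pse": "SSL Client SSL Client (Standard)",
    "SAPSSLA.pse": "SSL Client SSL Client (Anonymous)",
}

LINE_RE = re.compile(r"^\[Thr (\d+)\]\s*(.*)$")
PSE_RE = re.compile(r'session uses PSE file "([^"]+)"')
SUBJECT_RE = re.compile(r"^Subject\s*:(.+)$")

def diagnose(trace):
    """Return one finding per untrusted-peer handshake, tracked per thread id."""
    findings, open_by_thread = [], {}
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or non-trace line
        thr, text = m.groups()
        pse = PSE_RE.search(text)
        subject = SUBJECT_RE.match(text)
        if pse:
            path = pse.group(1)
            node = STRUST_NODE.get(path.rsplit("/", 1)[-1], "unknown PSE")
            open_by_thread[thr] = {"thread": thr, "pse": path, "node": node, "chain": []}
        elif subject and thr in open_by_thread:
            open_by_thread[thr]["chain"].append(subject.group(1).strip())
        elif "SSSLERR_PEER_CERT_UNTRUSTED" in text and thr in open_by_thread:
            findings.append(open_by_thread.pop(thr))
    return findings

# Sample input: lines copied from the first trace in this thread, with the rest omitted.
SAMPLE = """\
[Thr 1800]    session uses PSE file "/usr/sap/SSM/DVEBMGS01/sec/SAPSSLC.pse"
[Thr 1800] peer certificate (chain) is not trusted
[Thr 1800]             Subject     :CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
[Thr 1800]                     Subject     :CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
[Thr 1800] <<- ERROR: SapSSLSessionStart(sssl_hdl=1115818b0)==SSSLERR_PEER_CERT_UNTRUSTED
[Thr 1800] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0009b898} [icxxconn_mt.c 1957]
"""

if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        print(f"thread {f['thread']}: trust is read from {f['pse']} -> STRUST node '{f['node']}'")
        for depth, subject in enumerate(f["chain"]):
            print(f"  unverified chain element {depth}: {subject}")
```

The last subject listed for a thread is the highest certificate the trace reports as unverified, so that is the one to look for in the certificate list of the STRUST node printed on the first line.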

Answers (7)


Former Member
0 Kudos

Yes, the error is still there. Not trusted Root Cert.

Used the manual solution.

former_member185954
Active Contributor
0 Kudos

Hello Christian,

Where did you upload the root certificates and how did you upload them?

I have faced a similar situation and found a solution.

Regards,

Siddhesh

Former Member
0 Kudos

I downloaded the content manually and implemented to solman.

Former Member
0 Kudos

Hello Christian,

Sorry for a long delay in responding to your query.

Good to know that you could manually download and implement the content to your system.

Do you want to configure automatic download for RCD, or do you want to stay with the manual download?

If you still have issues with the automatic download configuration or any other issues related to RCD, please raise a ticket on the SV-SMG-RCD component and my colleagues will assist you with that.

Thanks and Best Regards,

Ambika


former_member185954
Active Contributor
0 Kudos

Hello Christian,

Are you still facing an error?

Regards,

Siddhesh

Former Member
0 Kudos

Hello Christian,

Have you created a certificate request, sent it to a CA and imported the certificate response in STRUST in accordance with note 510007?

Regards.

Pablo.

Former Member
0 Kudos


Why should we need this only for RCD? Pay for a CA certificate to use Rapid Content Delivery. It's absurd. SAP should accept SAP Server self-signed certificates for this service from SolMan. No other service at SolMan needs this.

regards

Chris

0 Kudos

You can test with a test certificate: https://service.sap.com/ssltest . Maybe it helps you.

Regards.

Pablo.

Former Member
0 Kudos

It must be another issue.

We still get the error.


[Thr 1286] Wed Feb 11 15:28:24 2015

[Thr 1286] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 1286]    session uses PSE file "/usr/sap/SSM/DVEBMGS01/sec/SAPSSLC.pse"

[Thr 1286] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 1286]   secude_error 536872221 (0x2000051d) = "SSL API error"

[Thr 1286] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 1286] 0x2000051d | SAPCRYPTOLIB | SSL_connect

[Thr 1286] SSL API error

[Thr 1286] Failed to verify peer certificate. Peer not trusted.

[Thr 1286] 0xa0600203 | SSL | ssl_verify_peer_certificates

[Thr 1286] Peer not trusted

[Thr 1286] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates

[Thr 1286] peer certificate (chain) is not trusted

[Thr 1286] PropertyBlock:

[Thr 1286]   Status      :Not successful

[Thr 1286]   Profile     :1.3.6.1.4.1.694.2.2.2.2

[Thr 1286]   SignerStatus:Not successful

[Thr 1286]   SignerVerificationResult:

[Thr 1286]     element#no="1":

[Thr 1286]       Status      :Not successful

[Thr 1286]       Validity    :Successful

[Thr 1286]       BasicConstraints:Successful

[Thr 1286]       KeyUsage    :Successful

[Thr 1286]       ObjectStatus:Not successful

[Thr 1286]       SignerCert:

[Thr 1286]         Certificate:

[Thr 1286]             Subject     :CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US

[Thr 1286]         Verification result:

[Thr 1286]           Status      :Not successful

[Thr 1286]           Profile     :1.3.6.1.4.1.694.2.2.2.2

[Thr 1286]           SignerStatus:Not successful

[Thr 1286]           BasicConstraintsPathLen:1

[Thr 1286]           SignerVerificationResult:

[Thr 1286]             element#no="1":

[Thr 1286]               Status      :Not successful

[Thr 1286]               Validity    :Successful

[Thr 1286]               BasicConstraints:Successful

[Thr 1286]               KeyUsage    :Successful

[Thr 1286]               ObjectStatus:Not successful

[Thr 1286]               SignerCert:

[Thr 1286]                 Certificate:

[Thr 1286]                     Subject     :CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

[Thr 1286]                 Verification result:

[Thr 1286]                   Status      :Not successful

[Thr 1286]                   Profile     :1.3.6.1.4.1.694.2.2.2.2

[Thr 1286]                   SignerStatus:Not successful

[Thr 1286]                   SignerVerificationResult: None

[Thr 1286]

[Thr 1286] << ---------- End of Secude-SSL Errorstack ----------

[Thr 1286]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 1286]   SSL NI-sock: local=172.16.130.221:17319  peer=172.16.143.101:80

[Thr 1286] <<- ERROR: SapSSLSessionStart(sssl_hdl=1114bc690)==SSSLERR_PEER_CERT_UNTRUSTED

[Thr 1286] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {000488af} [icxxconn_mt.c 1957]

robert_warde4
Active Participant
0 Kudos

Hi, did you resolve this issue?

I am seeing the same problem (using a dual-stack PI system) and it is because the client does not have a trusted cert. Now this worked BEFORE we upgraded the SAP cryptographic library.

Former Member
0 Kudos

Now we installed the new certificates, but still get the error.


[Thr 2828] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 2828] session uses PSE file "/usr/sap/SSM/DVEBMGS01/sec/SAPSSLC.pse"

[Thr 2828] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 2828] secude_error 536872221 (0x2000051d) = "SSL API error"

[Thr 2828] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 2828] 0x2000051d | SAPCRYPTOLIB | SSL_connect

[Thr 2828] SSL API error

[Thr 2828] Failed to verify peer certificate. Peer not trusted.

[Thr 2828] 0xa0600203 | SSL | ssl_verify_peer_certificates

[Thr 2828] Peer not trusted

[Thr 2828] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates

[Thr 2828] peer certificate (chain) is not trusted

[Thr 2828] PropertyBlock:

[Thr 2828] Status :Not successful

[Thr 2828] Profile :1.3.6.1.4.1.694.2.2.2.2

[Thr 2828] SignerStatus:Not successful

[Thr 2828] SignerVerificationResult:

[Thr 2828] element#no="1":

[Thr 2828] Status :Not successful

[Thr 2828] Validity :Successful

[Thr 2828] BasicConstraints:Successful

[Thr 2828] KeyUsage :Successful

[Thr 2828] ObjectStatus:Not successful

[Thr 2828] SignerCert:

[Thr 2828] Certificate:

[Thr 2828] Subject :CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US

[Thr 2828] Verification result:

[Thr 2828] Status :Not successful

[Thr 2828] Profile :1.3.6.1.4.1.694.2.2.2.2

[Thr 2828] SignerStatus:Not successful

[Thr 2828] BasicConstraintsPathLen:1

[Thr 2828] SignerVerificationResult:

[Thr 2828] element#no="1":

[Thr 2828] Status :Not successful

[Thr 2828] Validity :Successful

[Thr 2828] BasicConstraints:Successful

[Thr 2828] KeyUsage :Successful

[Thr 2828] ObjectStatus:Not successful

[Thr 2828] SignerCert:

[Thr 2828] Certificate:

[Thr 2828] Subject :CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

[Thr 2828] Verification result:

[Thr 2828] Status :Not successful

[Thr 2828] Profile :1.3.6.1.4.1.694.2.2.2.2

[Thr 2828] SignerStatus:Not successful

[Thr 2828] SignerVerificationResult: None

[Thr 2828]

[Thr 2828] << ---------- End of Secude-SSL Errorstack ----------

[Thr 2828] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 2828] SSL NI-sock: local=172.16.130.221:52457 peer=172.16.143.101:80

[Thr 2828] <<- ERROR: SapSSLSessionStart(sssl_hdl=116f6f4d0)==SSSLERR_PEER_CERT_UNTRUSTED

[Thr 2828] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {000ef4ed} [icxxconn_mt.c 1957]

Former Member
0 Kudos

These Notes are already implemented.

Sl. No | Note Number | Short Text
1 | 2058016 (http://service.sap.com/sap/support/notes/2058016) | RCD: Errors during UNCAR of a downloaded SAPCAR ST-CONT file
2 | 2058571 | RCD: The notified deliveries are not being read from SAP-OSS
3 | 2099283 | RCD - HTTP Proxy settings for Auto download RFC issue
4 | 2119938 | Solution Manager Rapid Content Delivery: Import of content fails due to dump in writing file

manumohandas82
Active Contributor
0 Kudos

Hi

The certificates to be downloaded and imported are

  • GTE CyberTrust Global Root
  • VeriSign Class 3 Secure Server CA
  • VeriSign Class 3 Public Primary Certification Authority

Can you please remove all other certificates from STRUST? All the errors are referring to the wrong certificates.

Restart ICM, reset the trace file and post the log.

Former Member
0 Kudos

Okay, the Wiki article is updated. Rapid Content Delivery - Technical Operations - SCN Wiki

The needed certificates are:

  • VeriSign Class 3 Public Primary Certification Authority - G5
  • Baltimore CyberTrust Root
  • GTE CyberTrust Global Root
0 Kudos

Hello Christian,

Have you restarted ICM after importing the certificates?

Former Member
0 Kudos

yes

manumohandas82
Active Contributor
0 Kudos

Hi,

Can you paste the SMICM log?

Go to transaction SMICM -> Goto -> Trace File -> Display All

Thanks,

Manu

Former Member
0 Kudos

This is the SMICM log in this quote.

regards

Chris