on 05-31-2016 12:46 PM
Hello Experts - We are using a CRM ABAP stack which is on NW 7.0 EHP2, running on Linux OS.
Our requirement is to have SNC active for all RFC connections between ABAP systems.
We activated SNC successfully in our development system (SID - ABC) and quality system (SID - XYZ) by adding the following parameters to the instance profile (only 1 application server exists for each system):
snc/enable =1
snc/accept_insecure_rfc=1
snc/accept_insecure_gui=1
snc/accept_insecure_cpic=1
snc/permit_insecure_start=1
snc/data_protection/min=1
snc/extid_login_diag=1
snc/extid_login_rfc=1
snc/gssapi_lib=/usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
snc/identity/as=p:CN=<SID>, OU=IS, O=<organization>, C=CN
sec/libsapsecu=/usr/sap/ABC/SYS/exe/run/libsapcrypto.so
ssf/ssfapi_lib=/usr/sap/ABC/SYS/exe/run/libsapcrypto.so
ssf/name=SAPSECULIB
We have also exported the SNC SAPCryptolib certificate from Dev to Quality and Quality to Dev from Tx. STRUST.
DN (Certificate Name) for system PSE and SNC SAPCryptolib PSE are different.
We also added the entries of other systems in SNC0 transaction.
However, when we try to activate the RFC from ABC to XYZ or XYZ to ABC, we see the following error when we do a connection test (the example below is from a connection test of the RFC from ABC to XYZ):
Mon May 30 04:17:52 2016
N *** ERROR => SncPEstablishContext() failed for target='p:CN=XYZ, OU=<OU>, O=Organization, C=CN' [sncxxall.c 3585]
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3551]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): A2210210:Verification of own certificate by server failed
N Unable to establish the security context
N target="p:CN=XYZ, OU=<OU>, O=Organization, C=CN"
N <<- SncProcessInput()==SNCERR_GSSAPI
M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 1035]
M {root-id=0050568624F01ED689BA1E55F2C91704}_{conn-id=00000000000000000000000000000000}_0
M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 1040]
M {root-id=0050568624F01ED689BA1E55F2C91704}_{conn-id=00000000000000000000000000000000}_0
A RFC 3730 CONVID 81518143
A * CMRC=19 DATA=1 STATUS=1 SAPRC=221 ThSAPCMRCV
A RFC> ABAP Programm: RSRFCPIN (Transaction: SM59)
A RFC> User: <user> (Client: xxx)
A RFC> Destination: <SID>CLNT800 (handle: 2, DtConId: 574BEC703E996EB2E10000000A640267, DtConCnt: 1, ConvId: 81518143,{574BEC70-3E99-6EB2-E100-00000A640267})
A RFC> Called function module: RFC_PING
A *** ERROR => RFC ======> CPIC-CALL: 'ThSAPCMRCV' : cmRc=19 thRc=221
Communication terminated
[abrfcio.c 9225]
A {root-id=0050568624F01ED689BA1E55F2C91704}_{conn-id=00000000000000000000000000000000}_0
A *** ERROR => RFC Error RFCIO_ERROR_SYSERROR in abrfcpic.c : 3732
CPIC-CALL: 'ThSAPCMRCV' : cmRc=19 thRc=221
Communication terminated
[abrfcio.c 9225]
A {root-id=0050568624F01ED689BA1E55F2C91704}_{conn-id=00000000000000000000000000000000}_0
A RFC 3557 CONVID 81518143
A * CMRC=19 DATA=1 STATUS=1 SAPRC=221 comread
A *** ERROR => RFC Error RFCIO_ERROR_MESSAGE in abrfcio.c : 1984
[abrfcio.c 9225]
SAP note "1867829 - List of SNC Error Codes", which speaks about the error "A2210210:Verification of own certificate by server failed", just says "The verification of the peer certificate failed on the server side. See the log files to find out more details about this non-typical error".
Could you please help us find the cause of this error and the logs to check? (I checked the work process logs and RFC logs but no luck.)
Thanks,
Subbu
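An added example, not part of the original post: with the values quoted in the question, SNC is available for RFC but not enforced, because unprotected connections are still accepted and the minimum protection level is authentication only. The sketch below audits a profile for those settings; `PROFILE` is constructed from the question, and the `WEAK` table and function names are illustrative.

```python
# Added example: audit SNC-related instance profile parameters.
# PROFILE is constructed from the parameters quoted in the question.
PROFILE = """\
snc/enable =1
snc/accept_insecure_rfc=1
snc/accept_insecure_gui=1
snc/accept_insecure_cpic=1
snc/permit_insecure_start=1
snc/data_protection/min=1
snc/extid_login_diag=1
snc/extid_login_rfc=1
"""

# parameter -> (values that weaken enforcement, why it matters)
WEAK = {
    "snc/accept_insecure_rfc": ({"1"}, "RFC logons without SNC are still accepted"),
    "snc/accept_insecure_cpic": ({"1"}, "CPIC connections without SNC are still accepted"),
    "snc/accept_insecure_gui": ({"1"}, "SAP GUI logons without SNC are still accepted"),
    "snc/permit_insecure_start": ({"1"}, "programs may be started over unprotected connections"),
    "snc/data_protection/min": ({"1"}, "level 1 is authentication only; 2 adds integrity, 3 adds encryption"),
}

def parse_profile(text):
    """Return {name: value}, tolerating blanks around '=' and '#' comment lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def audit(params):
    """Return (name, value, reason) for each setting that leaves SNC optional or weak."""
    if params.get("snc/enable") != "1":
        return [("snc/enable", params.get("snc/enable"), "SNC is not active")]
    findings = []
    for name, (weak_values, reason) in WEAK.items():
        value = params.get(name)
        if value in weak_values:
            findings.append((name, value, reason))
    return findings

if __name__ == "__main__":
    for name, value, reason in audit(parse_profile(PROFILE)):
        print(f"{name}={value}: {reason}")
```

Permissive values are common while SNC is being rolled out; the audit is meant for the point where the trust setup works and enforcement is switched on.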
"A2210210:Verification of own certificate by server failed" means, the SNC Cryptolib PSE of target system is not in certificate List of source System.
Thus in STRUST you must add the SNC Cryptolib PSE of ABC to Certificate list of XYZ SNC Cryptolib and vice versa.
Nevertheless, afterwards we still have the CPIC 221 Error. Any ideas?
First of all, this is not an "answer" it's a "question", so why did you post it as an answer?
Next: CPIC error 221 can be anything. It only means: "this is not a CPIC error, it's an error in an underlying lib used by CPIC". The important question is: do you also still see the same SNC error code? Otherwise it might be caused by something completely different, and then it is completely wrong here in this topic...
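One way to check what the reply above asks, whether a CPIC 221 failure still comes with an SNC error code, is to correlate the two in the work process trace. This is an added example, not part of the thread: `TRACE` is a constructed sample trimmed from the trace in the question plus one made-up conversation (CONVID 90000001), and it assumes the SNC lines precede the CPIC error they caused in the same trace file.

```python
import re

# Constructed sample: lines trimmed from the question's trace, plus a
# hypothetical second conversation (90000001) that has no SNC error.
TRACE = """\
N *** ERROR => SncPEstablishContext() failed for target='p:CN=XYZ, OU=<OU>, O=Organization, C=CN' [sncxxall.c 3585]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): A2210210:Verification of own certificate by server failed
M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 1035]
A RFC 3730 CONVID 81518143
A *** ERROR => RFC ======> CPIC-CALL: 'ThSAPCMRCV' : cmRc=19 thRc=221
CPIC-CALL: 'ThSAPCMRCV' : cmRc=19 thRc=221
A RFC 3730 CONVID 90000001
A *** ERROR => RFC ======> CPIC-CALL: 'ThSAPCMRCV' : cmRc=19 thRc=221
"""

TARGET = re.compile(r"SncPEstablishContext\(\) failed for target='([^']*)'")
MINOR = re.compile(r"GSS-API\(min\): ([0-9A-F]{8}):(.*)")
CONV = re.compile(r"\bCONVID (\d+)")
CPIC = re.compile(r"cmRc=(\d+) thRc=(\d+)")

def correlate(trace):
    """Map each conversation id to its CPIC return codes and any SNC error before it."""
    pending = {}  # SNC details seen since the last recorded CPIC error
    conv = None
    out = {}
    for line in trace.splitlines():
        if m := TARGET.search(line):
            pending["target"] = m.group(1)
        elif m := MINOR.search(line):
            pending["snc_minor"] = m.group(1)
            pending["snc_text"] = m.group(2).strip()
        elif m := CONV.search(line):
            conv = m.group(1)
        elif (m := CPIC.search(line)) and conv not in out:
            # The first CPIC error of a conversation takes the pending SNC details;
            # repeated error lines for the same conversation are ignored.
            out[conv] = {"cmRc": int(m.group(1)), "thRc": int(m.group(2)), **pending}
            pending = {}
    return out

def unexplained(results):
    """Conversations that failed with thRc=221 but show no SNC minor code."""
    return [c for c, r in results.items() if r["thRc"] == 221 and "snc_minor" not in r]

if __name__ == "__main__":
    for conv_id, rec in correlate(TRACE).items():
        print(conv_id, rec)
```

Conversations returned by `unexplained` are the ones where 221 needs a cause other than the SNC trust setup.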
Dear All,
I have a similar situation to the one posted in the question; that's why I am answering this question for future reference.
Cause :
This issue occurs if there are credentials for multiple PSEs with the same name. In this case, SNC might use the wrong one and the SNC connection could fail if the wrong PSE has a different trust relationship.
Solution :
Refer SAP Note 1965519 for the same (https://launchpad.support.sap.com/#/notes/1965519).
Thanks,
Pritesh Kumar
Hello Subbu,
did you ever resolve your issue? If so, can you share how you fixed it?
Thanks,
Warren
Hello Experts - Any suggestions please
Thanks,
Subbu
Hi Subbu,
Check the SAP notes below:
800240 - FAQ: SAP Cryptographic Library error analysis (App. Server)
1965519 - SNC error when having multiple PSEs with same distinguished name
Regards,
Prithviraj
Thank you Prithviraj
As mentioned initially, "DN (Certificate Name) for system PSE and SNC SAPCryptolib PSE are different." - So, we are meeting requirement as mentioned in SAP Note 1965519 - SNC error when having multiple PSEs with same distinguished name
Regarding Note "800240 - FAQ: SAP Cryptographic Library error analysis (App. Server)" - General errors are mentioned, however we didn't see any clue for the error we are receiving:
Error FYI:
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3551]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): A2210210:Verification of own certificate by server failed
N Unable to establish the security context
Thanks,
Subbu
Hi Subbu.
Could you refer to the link for SNC for RFC connection
BR
SS