
Error while connecting to external server, ICM_HTTP_SSL_ERROR

Former Member
0 Kudos

Hello all,
We get ICM_HTTP_SSL_ERROR on an SM59 RFC destination. I had changed the certificate for this connection but I still get the same error. I have this from SMICM:

[Thr 6868] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00020037} [icxxconn.c 1957]
[Thr 16288] Thu Feb 13 18:23:45 2014
[Thr 16288] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 16288]    session uses PSE file "E:\usr\sap\PXA\DVEBMGS02\sec\SAPSSLC.pse"
[Thr 16288] SecudeSSL_SessionStart: SSL_connect() failed
[Thr 16288]   secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 16288] >>            Begin of Secude-SSL Errorstack            >>
[Thr 16288] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed #
[Thr 16288] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=VeriSign Class 3 Public Primary C
[Thr 16288] ERROR in get_path: (27/0x001b) Found root certificate of <CN=VeriSign Class 3 Public Primary Certification Authority - G
[Thr 16288] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=VeriSign Class 3 Public Primary Certification Author
[Thr 16288] <<            End of Secude-SSL Errorstack
[Thr 16288]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 16288]   SSL NI-sock: local=10.0.26.146:64761  peer=81.200.197.147:443
[Thr 16288] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000002EAE0110)==SSSLERR_SSL_CONNECT
[Thr 16288] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00020043} [icxxconn.c 1957]
[Thr 5564] Thu Feb 13 18:23:48 2014

Any help?

Thanks

Reza

Accepted Solutions (1)

former_member184720
Active Contributor
0 Kudos

Hi Reza - 

The verification of the server's certificate chain failed?

>>> Did you import all the certificates? And make sure they are still valid.

Also have a look at the thread below:

https://scn.sap.com/thread/1468525

Former Member
0 Kudos

Hi Hareesh,

Thanks for the reply.

I imported just one certificate. What do you mean by all the certificates?

Thanks

former_member184720
Active Contributor
0 Kudos

Hi Reza - Based on the error message I felt that your SSL might be looking for additional certificates which are missing.

Please check Olivier's reply in the above thread to understand more.

Your error log shows that: Chain of certificates is incomplete

markangelo_dihiansan
Active Contributor
0 Kudos

Hi Reza,

By the chain it means that when you view a certificate e.g

When you import the end certificate (the one highlighted) into STRUST, you also need to import VeriSign Class 3 and then VeriSign into the same PSE and in that order. Afterwards, you need to perform an ICM restart.

Regards,

Mark

Former Member
0 Kudos

Hello Mark,

Thanks for the reply.

Where should I import VeriSign Class 3 and then VeriSign? Is it in STRUST?

Thanks for the help.

Reza

markangelo_dihiansan
Active Contributor
0 Kudos

Hi Reza,

Yes, also in STRUST. In the same PSE as where you imported the end cert.

Regards,

Mark

Former Member
0 Kudos

Hi Mark,

Thanks for the help, it is working now. Great.

Reza
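
An added example, not part of the original thread and not SAP code: a small Python triage of the trace lines from the question that pulls out the PSE file, the peer, the secude error and the issuer the chain check could not resolve, which tells you which PSE in STRUST needs the missing CA certificates. The function name `triage` and the result field names are assumptions made for this example.

```python
import re

# Trace lines copied from the question above (a subset, truncated exactly as posted).
TRACE = r'''
[Thr 16288] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 16288]    session uses PSE file "E:\usr\sap\PXA\DVEBMGS02\sec\SAPSSLC.pse"
[Thr 16288]   secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 16288] >>            Begin of Secude-SSL Errorstack            >>
[Thr 16288] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=VeriSign Class 3 Public Primary C
[Thr 16288] <<            End of Secude-SSL Errorstack
[Thr 16288]   SSL NI-sock: local=10.0.26.146:64761  peer=81.200.197.147:443
[Thr 5564] Thu Feb 13 18:23:48 2014
'''

LINE = re.compile(r'^\[Thr (\d+)\]\s+(.*)$')
PSE = re.compile(r'session uses PSE file "([^"]+)"')
CODE = re.compile(r'secude_error (\d+) \(0x[0-9a-fA-F]+\) = "([^"]*)"')
PEER = re.compile(r'\bpeer=(\S+)')
STACK = re.compile(r'ERROR in (\w+): \((\d+)/0x[0-9a-fA-F]+\) (.*)$')
INCOMPLETE = re.compile(r'Chain of certificates is incomplete\s*:\s*"?([^"]*)')

def triage(trace):
    """Summarise failed client SSL handshakes per ICM thread; threads without an error are dropped."""
    sessions, in_stack = {}, set()
    for raw in trace.splitlines():
        if not (m := LINE.match(raw.strip())):
            continue
        thread, text = m.groups()
        s = sessions.setdefault(thread, {"pse": None, "peer": None, "secude_error": None,
                                         "stack": [], "missing_issuer": None})
        if "Begin of Secude-SSL Errorstack" in text:
            in_stack.add(thread)
        elif "End of Secude-SSL Errorstack" in text:
            in_stack.discard(thread)
        elif thread in in_stack and (e := STACK.match(text)):
            s["stack"].append((e.group(1), int(e.group(2))))
            if (c := INCOMPLETE.search(e.group(3))):
                s["missing_issuer"] = c.group(1).strip()  # may be cut off by the trace
        elif (p := PSE.search(text)):
            s["pse"] = p.group(1)
        elif (c := CODE.search(text)):
            s["secude_error"] = (int(c.group(1)), c.group(2))
        elif (p := PEER.search(text)):
            s["peer"] = p.group(1)
    return {t: s for t, s in sessions.items() if s["secude_error"] or s["stack"]}

if __name__ == "__main__":
    for thread, s in triage(TRACE).items():
        print(thread, s["peer"], s["pse"], s["secude_error"], s["missing_issuer"])
```

The issuer name comes out cut off because the trace line itself is truncated; the full subject has to be read from the certificate view of the server certificate.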

Answers (2)

former_member182455
Active Contributor
0 Kudos

Hi,

Please refer to SAP note 852688. Hope it will be helpful, and please check the link below:

ICM_HTTP_SSL_ERROR

Regards

former_member182455
Active Contributor
0 Kudos

Hi,

The problem has 2 causes:

1) The certificate expired or was not set as trusted in the client system.

Please go through the steps below.

Steps:

1. The old SSL certificate expired. To resolve this, create a new one; refer to the article:

<Enabling SSL and Client Certificates on the SAP J2EE Engine>

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4...

2. Get the certificate by accessing the HTTPS URL, and at the prompt, install the certificate on your local machine.

3. Set the certificate as trusted in transaction /nstrust. Refer to Thomas Jung's blog:

/people/thomas.jung3/blog/2005/05/13/calling-webservices-from-abap-via-https

4. Restart ICM.

Go to transaction /nsmicm, menu: Administration >> ICM >> Exit Soft.

Regards