cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SUM 1.0 SP10 p3 - sapcontrol -prot NI_HTTPS GetProcessList KO

Former Member

on ‎07-13-2015 3:34 PM

0 Kudos

Dear All,

to use IE11 on our instances, we're updating our Instances 7.02 SPS09 to SPS16.

you met an issue on an instance (Dual stack SAP SRM 7.00 EHP1 / SAP NW 7.02 SPS09).

OS : Windows 2008 R2 SP1 (x86_64)

DB : MS SQL Server 2008 R2 SP3

ABAP Stack was updated earlier with SPAM Tool.

Now we are updating Java with SUM Tool

All Java Component were updated but SUM is locked to this step "Portal Import Content".

After updating Java Components to SPS16, SAP want to restart NR 00 but can not

Message :

Could not restart SAP instance with number 0.

Could not send the command to start the instance with number 0 on host V0-MR100. Sapcontrol client could not perform action check started on instance 0 Return code condition success evaluated to false for process sapcontrol for action check started.

Log of IMPORT-PORTAL-CONTENT_11.LOG

following command failed : E:\usr\sap\SID\DVEBMGS00\exe\sapcontrol -nr 0 -host V0-SID00 -user V11\sidadm <SecureField> -prot NI_HTTPS -function GetProcessList

GetProcessList

FAIL: SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND: The specified class was not found.), SapSSLSessionStart failed in plugin_fopen()

When sapcontrol pass by NI_HTTPS, failes

test with sapcontrol with NI_HTTP : works

test with sapcontrol WINHTTPS : works

sapcryptolib given by SUM is more recent as with one used on the instance for SSL configuration.

I updated Cryptolib Library, configure again STRUST (System PSE, SSL Server, SSL Client)

-> still same issue.

Java updated is blocked to this step.

How to bypass this issue ?

Is that possible to force SUM sapcontrol to use NI_HTTP protocol only

if yes how  please

Many thanks for any help given.

---

King Regards

François

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (6)

Answers (6)

Former Member
‎03-24-2016 10:54 AM
0 Kudos

renamed the 'sec' folder under instance directory and gave 'repeat the step' in SUM. it worked!

Show replies
Show replies
former_member230159
Contributor
‎07-16-2015 8:48 PM
0 Kudos

Hi Francois ,

Please have alook at KBA 2177490 - Software Update Manager (SUM) Error in the phase :
INPUT-OS-USER-PASSWORDS .

It contains in detail steps to resolve the issue.

Also have alook at note 1642340 - Using SSL in sapcontrol

Regards

Show replies
Show replies
frank_wagner2
Participant
‎07-22-2015 7:44 AM
0 Kudos

Hello,

Manjunath is right - but to simplify this:

The SSL certificate of the server (sap instance) has to be trusted in SSL client (same sap instance).

  • For ABAP systems:
    Just add the certificate of the SSL server to the certificate list in SSL Client (default) using transaction STRUST of SAP instance.

  • For JAVA systems:
    Use another abap systems STRUST to maintain SAPSSLC.pse and SAPSSLS.pse of java instance or use the sapgenpse commandline to import the SAPSSLS.pse certificate to SAPSSLC.pse

export of SAPSSLS.pse certificate:

Exporting the Server's Certificate Using SAPGENPSE - SAP NetWeaver by Key Capability - SAP Library

import of certificate to SAPSSLC.pse:

Maintaining the Server's Certificate List Using SAPGENPSE - SAP NetWeaver by Key Capability - SAP Li...

Best regards,

Frank

Former Member
‎07-15-2015 4:16 PM
0 Kudos

Precision : SSL Server was done on SID Instance (self signed certificate)

Debug log :

[Thr 11408] =   found CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.34 pl40 (Feb 11 2015) MT-safe

[Thr 11408] =   current UserID: V11\mr1adm

[Thr 11408] =   found SECUDIR environment variable

[Thr 11408] =   using SECUDIR=E:\usr\sap\MR1\DVEBMGS00\sec

sapparam: sapargv(argc, argv) has not been called!

sapparam(1c): No Profile used.

sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline

[Thr 11408]   SapISSLComposeFilename(client_pse): using default "E:\usr\sap\MR1\DVEBMGS00\sec\SAPSSLC.pse"

[Thr 11408] = Client SSL_CTX 0000000004CAE250 pvflags = 192 (TLSv1.0,SSLv3)

[Thr 11408] = The Client SSL_CTX

[Thr 11408] =    provides this ordered list of 9 ciphersuites:

[Thr 11408] =       1.  TLS_RSA_WITH_AES128_CBC_SHA

[Thr 11408] =       2.  TLS_RSA_WITH_AES256_CBC_SHA

[Thr 11408] =       3.  SSL_RSA_WITH_RC4_128_SHA

[Thr 11408] =       4.  SSL_RSA_WITH_RC4_128_MD5

[Thr 11408] =       5.  SSL_RSA_WITH_3DES_EDE_CBC_SHA

[Thr 11408] =       6.  SSL_RSA_WITH_DES_CBC_SHA

[Thr 11408] =       7.  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

[Thr 11408] =       8.  SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

[Thr 11408] =       9.  SSL_RSA_EXPORT_WITH_RC4_40_MD5

[Thr 11408] = Success -- SapCryptoLib SSL ready!

[Thr 11408] =================================================

[Thr 11408]

[Thr 11408] <<- SapSSLInit(read_profile=0)==SAP_O_K

[Thr 11408] NiInit3: NI already initializes (init=1;cur=2048)

[Thr 11408] addrinfo of 'V0-MR100':

[Thr 11408] 0: 10.10.209.93:0 'V0-MR100' <unknown socket type 0> (0-2-0-0-16)

[Thr 11408] NiHLGetNodeAddr: got hostname 'V0-MR100' from operating system

[Thr 11408] NiIGetNodeAddr: hostname 'V0-MR100' = addr 10.10.209.93

[Thr 11408] NiIGetServNo: servicename '50014' = port 50014

[Thr 11408] NiICreateHandle: hdl 1 state NI_INITIAL_CON

[Thr 11408] NiIInitSocket: set default settings for new hdl 1/sock 544 (I4; ST)

[Thr 11408] NiIBlockMode: set blockmode for hdl 1 FALSE

[Thr 11408] NiThrInit enter

[Thr 11408] NiITraceByteOrder: CPU byte order: little endian, reverse network, low val .. high val

[Thr 11408] NiIConnectSocket: hdl 1 is connecting to 10.10.209.93:50014 (timeout=-1)

[Thr 11408] SiPeekPendConn: connection of sock 544 established

[Thr 11408] NiICheckPendConnection: connection of hdl 1 to 10.10.209.93:50014 established

[Thr 11408] NiIConnect: hdl 1 took local address 10.10.209.93:63300

[Thr 11408] NiIConnect: state of hdl 1 NI_CONNECTED

[Thr 11408] NiIBlockMode: set blockmode for hdl 1 TRUE

[Thr 11408] ->> SapSSLSessionInit(&sssl_hdl=00000000020213B0, role=1 (CLIENT), auth_type=3 USE_CLIENT_CERT))

[Thr 11408] <<- SapSSLSessionInit()==SAP_O_K

[Thr 11408]      in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"

[Thr 11408]     out: sssl_hdl = 0000000003CAF1B0

[Thr 11408] ->> SapSSLSetNiHdl(sssl_hdl=0000000003CAF1B0, ni_hdl=1)

[Thr 11408] NiIBlockMode: leave blockmode for hdl 1 TRUE

[Thr 11408]   SSL NI-sock: local=10.10.209.93:63300  peer=10.10.209.93:50014

[Thr 11408] <<- SapSSLSetNiHdl(sssl_hdl=0000000003CAF1B0, ni_hdl=1)==SAP_O_K

[Thr 11408] ->> SapSSLSetTargetHostname(sssl_hdl=0000000003CAF1B0, &hostname=0000000002021400)

[Thr 11408] <<- SapSSLSetTargetHostname(sssl_hdl=0000000003CAF1B0)==SAP_O_K

[Thr 11408]      in: hostname = "V0-MR100"

[Thr 11408] ->> SapSSLSessionStart(sssl_hdl=0000000003CAF1B0)

[Thr 11408]   SapISSLUseSessionCache(): Creating NEW session (0 cached)

[Thr 11408] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 11408]    session uses PSE file "E:\usr\sap\MR1\DVEBMGS00\sec\SAPSSLC.pse"

[Thr 11408] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 11408]   secude_error 536872221 (0x2000051d) = "SSL API error"

[Thr 11408] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 11408] 0x2000051d | SAPCRYPTOLIB | SSL_connect

[Thr 11408] SSL API error

[Thr 11408] Failed to verify peer certificate. Peer not trusted.

[Thr 11408] 0xa0600203 | SSL | ssl_verify_peer_certificates

[Thr 11408] Peer not trusted

[Thr 11408] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates

[Thr 11408] peer certificate (chain) is not trusted

[Thr 11408] Certificate:

[Thr 11408]   Certificate:

[Thr 11408]       Subject     :CN=V0-MR100..FULL.QUALIFIED.DOMAINE

[Thr 11408]       Issuer      :CN=V0-MR100..FULL.QUALIFIED.DOMAINE

[Thr 11408]       Serial number:0x0a20150714133801

[Thr 11408]       Validity:

[Thr 11408]         Not before  :Tue Jul 14 14:38:01 2015

[Thr 11408]         Not after   :Fri Jan  1 01:00:01 2038

[Thr 11408]       Key:

[Thr 11408]         Key type    :rsaEncryption (1.2.840.113549.1.1.1)

[Thr 11408]         Key size    :2048

[Thr 11408]       PK_Fingerprint_MD5:7F01 5A69 08A1 F61A 4547 7ACC FA44 DD14

[Thr 11408]     Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)

[Thr 11408]     Fingerprint_MD5:6A:F4:B0:DA:7A:7E:E8:B8:6B:8D:80:B3:D4:8D:77:08

[Thr 11408]     Fingerprint_SHA1:1766 D413 A5A4 466D 265A 0771 2FA7 5CCD A750 4307

[Thr 11408]   Verification result:

[Thr 11408]     Status      :Not successful

[Thr 11408]     Profile     :1.3.6.1.4.1.694.2.2.2.2

[Thr 11408]     DirectlyTrusted:Not successful

[Thr 11408]

[Thr 11408] << ---------- End of Secude-SSL Errorstack ----------

[Thr 11408] Wed Jul 15 17:08:47 2015

[Thr 11408]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 11408]   No certificate request received from Server

[Thr 11408] Base64-Dump of peer certificate (len=711 bytes)

[Thr 11408]

[Thr 11408] -----BEGIN CERTIFICATE-----

[Thr 11408] bla bla bla bla bla bla bla bla bla bla bla bla

[Thr 11408] -----END CERTIFICATE-----

[Thr 11408]   Subject DN: CN=V0-MR100..FULL.QUALIFIED.DOMAINE

[Thr 11408]   Issuer  DN: CN=V0-MR100..FULL.QUALIFIED.DOMAINE

[Thr 11408] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000003CAF1B0)==SSSLERR_PEER_CERT_UNTRUSTED

[Thr 11408] NiICloseHandle: shutdown and close hdl 1/sock 544

[Thr 11408] ->> SapSSLSessionDone(&sssl_hdl=00000000020213B0)

[Thr 11408] <<- SapSSLSessionDone()==SAP_O_K

[Thr 11408]      in: sssl_hdl   = 0000000003CAF1B0

[Thr 11408]          ... ni_hdl = 1

[Thr 11408] ->> SapSSLErrorName(rc=-102)

[Thr 11408] <<- SapSSLErrorName()==SSSLERR_PEER_CERT_UNTRUSTED

15.07.2015 17:08:47

GetProcessList

FAIL: SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND: The specified class was not found.), SapSSLSessionStart failed in plugin_fopen()

---

Regards

François

Show replies
Show replies
isaias_freitas
Advisor
Advisor
‎07-15-2015 6:37 PM
0 Kudos

Hello,

This is strange...



sapparam: sapargv(argc, argv) has not been called!


sapparam(1c): No Profile used.


sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline

Can you try applying the latest kernel patch level?

If the issue persists, try creating a "test.cer" file with the following content:

-----BEGIN CERTIFICATE-----

MIICJzCCAZCgAwIBAgIFAKd2cC0wDQYJKoZIhvcNAQEEBQAwRjETMBEGA1UEChMK

YXBwLXNlcnZlcjEbMBkGA1UECxMSc3NsLWVuYWJsZWQtc2VydmVyMRIwEAYDVQQD

Ewlsb2NhbGhvc3QwHhcNMDYwMzMwMDYzOTAwWhcNMjcwMzMwMDc1NDM2WjBGMRMw

EQYDVQQKEwphcHAtc2VydmVyMRswGQYDVQQLExJzc2wtZW5hYmxlZC1zZXJ2ZXIx

EjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA

wvRgyXzVIxChBsUkZN096pQPRisWgMNattEeSHhCXsdNia99NANBvKOL9pWcDcUM

m8s+59huOtHBZzSvkKB28ojS/G/C2d7wQ4NNtX2ON18a1e+yuwJ7ozzWmjWJ5tJ1

T00mOsu566EdXVOY5JOGdrihCHs2kzDpvSe/DDlMc4ECAwEAAaMhMB8wHQYDVR0O

BBYEFJIixbsxpNLUw2B5uL78uwaunhviMA0GCSqGSIb3DQEBBAUAA4GBAGDHK14f

9OAIQnaFSS13hLbsx7kcvF/YOdEw5oVrt1nxcRSGsm0tSh4QV1YNzqzMaINmiMMN

l5yeVN1ePud/Lx9dYzN1cpAA0PrWFJ4Y2nkgmmFSb6hXI/QJZnzYW8M8+Foe23qd

PaVCwWoy8Vc2in/fs2DXQ9YfGbMGZdgk9n+X

-----END CERTIFICATE-----


Then, import the "test.cer" file with the command:

sapgenpse maintain_pk -p SAPSSLC.pse -a /path/to/test.cer

You can remove this certificate from the "SAPSSLC.pse" file afterwards.

Regards,

Isaías

Former Member
‎07-16-2015 8:50 AM
0 Kudos

Hello Isaias,

update kernel + disp+work was our first initiative.

Issue persists. we opened a OSS Call

What about the certificate you given please ?

---

Regards

François

Former Member
‎07-16-2015 9:49 AM
0 Kudos

Hi Francois,

I'm also getting the same issue here..

It's a new installation on:-

OS : Windows 2012 R2

DB : MS SQL Server 2012 SP1 CU7

Kernel : 721 Ext UC 402

Solman 7.1 SPS13

Following your post and hope to get an update from SAP as well

Regards,

William

isaias_freitas
Advisor
Advisor
‎07-16-2015 7:03 PM
0 Kudos

Hello François,

You can open the ".cer" file at Windows.

You will see it is a self-signed certificate issued by "localhost" to "localhost", and it is valid for a long time .

This was just an attempt to workaround the error entry:



[Thr 11408] <<- SapSSLErrorName()==SSSLERR_PEER_CERT_UNTRUSTED

Anyway, that "sapparam" entries are still puzzling me.

Regards,

Isaías

Former Member
‎07-17-2015 9:53 AM
0 Kudos

Hello Isaias,

you were correct.

I did sapcontrol test in debug mode

E:\usr\sap\SID\DVEBMGS00\exe\sapcontrol -nr 0 -host V0-SID00 -user V11\sidadm password -prot NI_HTTPS -function GetProcessList -debug

It gives lots of information, specially the base64 certificate

-----BEGIN CERTIFICATE-----

MIICwzCCAasCCAogFQcUE1cBMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNVBAMTGVYw

..................................................................................

NUlzvncUKpH2ASKa+ENwZmuOkHZBgkmG8ybY1T3uxuJf4vY+oS8v

-----END CERTIFICATE-----

I copy this certificate in a txt file

Then i integrate it to SAPSSLC.pse

sapgenpse maintain_pk -p E:\usr\sap\SID\DVEBMGS00\sec\SAPSSLC.pse -a C:\SID.txt

=> test again of sapcontrol

E:\usr\sap\SID\DVEBMGS00\exe\sapcontrol -nr 0 -host V0-SID00 -user V11\sidadm password -prot NI_HTTPS -function GetProcessList


GetProcessList

OK

name, description, dispstatus, textstatus, starttime, elapsedtime, pid

msg_server.EXE, MessageServer, GREEN, Running, 2015 07 16 18:31:40, 15:50:24, 4996

disp+work.EXE, Dispatcher, GREEN, Running, Message Server connection ok,

Dialog Queue time: 0.00 sec, AS Java: All processes running, 2015 07 16 18:31:40, 15:50:24, 3128

igswd.EXE, IGS Watchdog, GREEN, Running, 2015 07 16 18:31:40, 15:50:24, 8180

-> Repeat step in SUM : OK

-> SUM finished until End

Former Member
‎07-17-2015 9:59 AM
0 Kudos

Issue Solved

Many thanks to you Isaias

---

Best Regards

François

Former Member
‎07-17-2015 2:44 PM
0 Kudos

Hello Chin

Solution was given today : Jul 17, 2015 10:53 AM

---

Regards

François

isaias_freitas
Advisor
Advisor
‎07-17-2015 6:11 PM
0 Kudos

Hello François,

I'm glad that I was able to help .

Please mark the thread as "answered" and assign points .

Best regards,

Isaías

Former Member
‎07-24-2015 9:30 AM
0 Kudos

Hi François,

Thanks, good to know yours working.

I had tried the given solutions and managed to get the process list OK. However I'm getting error "No instance were detected via sapcontrol. Most probably there is no local sapstartsrv process running." when repeat the steps in SUM.

Had escalated this to SAP for checking.

Regards,

Will

Former Member
‎07-24-2015 9:43 AM
0 Kudos

Hello Isaias,

i try to close this discussion and given awards but i have issues with my account.

Many thanks for your help

---

Regards

François

Private_Member_27907
Participant
‎09-10-2015 10:57 AM
0 Kudos

Hi François,

thanks to your reply my issue was solved too.

Regards

former_member202835
Explorer
‎04-18-2016 9:59 AM
0 Kudos

Hi François

Could solve my problem with your description. Thank you very much!

Regards, Robert

former_member185239
Active Contributor
‎07-14-2015 3:07 PM
0 Kudos

Hi Francois,

I believe , you have select the  Option "Authentication with user and password is not required" in the SUM tool.

If yes , then you have to reset the upgrade , and start it from begining without selecting the above option.

Check the sapnote

http://service.sap.com/sap/support/notes/2189669

With Regards

Ashutosh Chaturvedi

Show replies
Show replies
Former Member
‎07-15-2015 9:53 AM
0 Kudos

Hello Ashutosh

Thanks for your reply.

Content of the OSS Note are in Prepare actions steps in SUM documentation.

ACL authorizations have to be find correctly i think

---

Best Regards

François

isaias_freitas
Advisor
Advisor
‎07-14-2015 1:56 PM
0 Kudos

Hello François,

Once SUM detects that HTTPS is available, it will force the usage of NI_HTTPS and there is no way to change that afterwards.

The only way would be to disable HTTPS completely, and then reset SUM, starting from the beginning as well.

However, I do not think this is required. The error indicates that there is something wrong with the certificates:



following command failed : E:\usr\sap\SID\DVEBMGS00\exe\sapcontrol -nr 0 -host V0-SID00 -user V11\sidadm <SecureField> -prot NI_HTTPS -function GetProcessList




GetProcessList


FAIL: SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND: The specified class was not found.), SapSSLSessionStart failed in plugin_fopen()

Try running the same command, but adding "-debug":



E:\usr\sap\SID\DVEBMGS00\exe\sapcontrol -debug -nr 0 -host V0-SID00 -user V11\sidadm <SIDadm password> -prot NI_HTTPS -function GetProcessList

Share the output here so we can further assist you.

Kind regards,

Isaías

Show replies
Show replies
Former Member
‎07-15-2015 9:09 AM
0 Kudos

Hello Isaias,

Yes, SUM detects HTTPS is on this instance, so wants only to communicate with this protocol.

SAP wants to pass by NI_HTTPS evenif we select WINHTTPS in SUM steps ...

as we'are with kernel 721 PL500, so we applied following OSS Notes :

- 1495075

- and 1439348

Issue is better now but i'm still locked

E:\usr\sap\MR1\DVEBMGS00\exe\sapcontrol -nr 0 -host V0-SID00 -user V11\sidadm <password>

-prot NI_HTTPS -function GetProcessList

sapparam: sapargv(argc, argv) has not been called!

sapparam(1c): No Profile used.

sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline

13.07.2015 17:54:20

GetProcessList

FAIL: NIECONN_REFUSED (WSAECONNREFUSED: Connection refused), NiRawConnect failed

in plugin_fopen()

i have to find how to well configure ACL authorization.

HTTPS in configured on all SRM instance, we start DEV platform this weekend, we have to solve it.

No reset possible to bypass. issue met here will serve for others plafforms.

---

Best Regards

François

Former Member
‎07-14-2015 8:51 AM
0 Kudos

Hello Francois,

Please check following SAP note:-

955233 - Upgrade to J2EE 6.40 SP17/NW04s SP8 fails during deployment

Regards

Anand

Show replies
Show replies
Former Member
‎07-15-2015 9:00 AM
0 Kudos

Hello Anand,

There is no relationship between my issue and this OSS Note.

---

Regards

François

Ask a Question