topic Re: HTTPs connection from SAP WebAS in Application Development and Automation Discussions

HTTPs connection from SAP WebAS

Former Member — Tue, 13 Jan 2009 11:49:00 GMT

Hello,

I have to establish a connection from SAP WebAS to an iSaSiLk server via HTTPS.

The iSaSiLk authentication is based on client certificates.

I've created a SSL client PSE, generated the Certificate Request, imported the certificate response and the chain of certificates associated with no errors. When testing the connection we're getting the following error message:

SAP icm log:

[Thr 1087400256] ->> SapSSLSessionInit(&sssl_hdl=0x2aaaba679980, role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT))

[Thr 1087400256] <<- SapSSLSessionInit()==SAP_O_K

[Thr 1087400256] in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"

[Thr 1087400256] out: sssl_hdl = 0x1a3310c0

[Thr 1087400256] ->> SapSSLSetNiHdl(sssl_hdl=0x1a3310c0, ni_hdl=22)

[Thr 1087400256] NiIBlockMode: set blockmode for hdl 22 TRUE

[Thr 1087400256] <<- SapSSLSetNiHdl(sssl_hdl=0x1a3310c0, ni_hdl=22)==SAP_O_K

[Thr 1087400256] ->> SapSSLSetSessionCredential(sssl_hdl=0x1a3310c0, &cred_name=0x1a49e4e0)

[Thr 1087400256] SapISSLComposeFilename(): Filename = "/usr/sap/XID/DVEBMGS00/sec/SAPSSLSPHTID.pse"

[Thr 1087400256] <<- SapSSLSetSessionCredential(sssl_hdl=0x1a3310c0)==SAP_O_K

[Thr 1087400256] in: cred_name = "/usr/sap/XID/DVEBMGS00/sec/SAPSSLSPHTID.pse"

[Thr 1087400256] ->> SapSSLSetTargetHostname(sssl_hdl=0x1a3310c0, &hostname=0x1a4a09e0)

[Thr 1087400256] <<- SapSSLSetTargetHostname(sssl_hdl=0x1a3310c0)==SAP_O_K

[Thr 1087400256] in: hostname = "<remoteServer_to_be_accessed>"

[Thr 1087400256] ->> SapSSLSessionStart(sssl_hdl=0x1a3310c0)

[Thr 1087400256] SapISSLUseSessionCache(): Creating NEW session (0 cached)

[Thr 1087400256] Tue Jan 13 10:10:22 2009

*[Thr 1087400256] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL*

[Thr 1087400256] session uses PSE file "/usr/sap/XID/DVEBMGS00/sec/SAPSSLSPHTID.pse"

[Thr 1087400256] SecudeSSL_SessionStart: SSL_connect() failed

secude_error 536871693 (0x2000030d) = "none of the PSEs registered with hSsl can suffice the negotiated SSL cipher suite"

[Thr 1087400256] >> Begin of Secude-SSL Errorstack >>

[Thr 1087400256] ERROR in ssl3_get_certificate_request: (536871693/0x2000030d) none of the PSEs registered with hSsl can suffice

[Thr 1087400256] << End of Secude-SSL Errorstack

[Thr 1087400256] SSL_get_state() returned 0x00002150 "SSLv3 read server certificate request A"

[Thr 1087400256] No certificate request received from Server

[Thr 1087400256] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x1a3310c0)==SSSLERR_SSL_CONNECT

[Thr 1087400256] ->> SapSSLErrorName(rc=-57)

[Thr 1087400256] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT

[Thr 1087400256] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt

On the iSaSiLk server we're getting:

ssl_debug(2): Starting handshake (iSaSiLk 3.06)...

ssl_debug(2): Received v3 client_hello handshake message.

ssl_debug(2): Client requested SSL version 3.0, selecting version 3.0.

ssl_debug(2): Creating new session 11:5F:04:C9:0D:32:15:B9...

ssl_debug(2): CipherSuites supported by the client:

ssl_debug(2): SSL_RSA_WITH_RC4_128_SHA

ssl_debug(2): SSL_RSA_WITH_RC4_128_MD5

ssl_debug(2): SSL_RSA_WITH_3DES_EDE_CBC_SHA

ssl_debug(2): SSL_RSA_WITH_DES_CBC_SHA

ssl_debug(2): SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

ssl_debug(2): SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

ssl_debug(2): SSL_RSA_EXPORT_WITH_RC4_40_MD5

ssl_debug(2): CompressionMethods supported by the client:

ssl_debug(2): NULL

ssl_debug(2): Sending server_hello handshake message.

ssl_debug(2): Selecting CipherSuite: SSL_RSA_WITH_RC4_128_SHA

ssl_debug(2): Selecting CompressionMethod: NULL

ssl_debug(2): Sending certificate handshake message with server certificate...

ssl_debug(2): Sending certificate_request handshake message...

ssl_debug(2): Sending server_hello_done handshake message...

ssl_debug(2): IOException while handshaking: Connection closed by remote host.

ssl_debug(2): Sending alert: Alert Fatal: handshake failure

ssl_debug(2): Shutting down SSL layer...

ssl_debug(2): Closing transport...

From the iSaSiLk everything seems to be OK, but on the SAP WebAS the error "none of the PSEs registered with hSsl can suffice the negotiated SSL cipher suite" is really unclear, since the cipher chosen by the iSaSiLk is one of the ciphers sent by SAP WebAS...

Can anyone give me any suggestion?

Re: HTTPs connection from SAP WebAS

Former Member — Tue, 13 Jan 2009 11:58:34 GMT

Hi,

For SSL PSE certificates, with the abap stack, I always had to select RSA (and not DSA) for the cipher algorythm.

All the cipher suite problems I have had were always where I selected DSA by error in STRUST.

Maybe a check to do ?

PS : For my information, what is a iSaSiLk server ?

Regards,

Olivier

Re: HTTPs connection from SAP WebAS

Former Member — Tue, 13 Jan 2009 12:11:02 GMT

Hello Olivier,

Thanks for your answer.

I've implemented note 800240 which facilitates the PSE analysis by implementing the report ZSSF_TEST_PSE. With this report I'm able to check all the PSE content, which are:

Filename SAPSSLSPHTID.pse

PIN <no>

Signature X

Encryption X

Profile Parameter

DIR_INSTANCE /usr/sap/XID/DVEBMGS00 /usr/sap/XID/D00

sec/dsakeylengthdefault 1024

sec/libsapsecu /usr/sap/XID/SYS/exe/run/libsapcrypto.so

sec/rsakeylengthdefault 1024

ssf/name SAPSECULIB

ssf/ssf_md_alg SHA1

ssf/ssf_symencr_alg DES-CBC

ssf/ssfapi_lib /usr/sap/XID/SYS/exe/run/libsapcrypto.so

ssf2/name

ssf2/ssf_md_alg SHA1

ssf2/ssf_symencr_alg DES-CBC

ssf2/ssfapi_lib

ssf3/name

ssf3/ssf_md_alg SHA1

ssf3/ssf_symencr_alg DES-CBC

ssf3/ssfapi_lib

Environment variables

USER xidadm

SECUDIR /usr/sap/XID/DVEBMGS00/sec

PSE

Validity 18.12.2008 19:47:04 18.12.2009 19:47:04

Algorithm RSA (OID 1.2.840.113549.1.1.1)

Test signature

Signature OK

Verification OK

Test encryption

Encryption OK

Decryption OK

As you can see, the cipher algorithm used is RSA. Any suggestion... ?

An iSaSiLk server "is a Java programming language implementation of the SSLv2 (client-side), SSLv3, TLS 1.0 and TLS 1.1 protocols. It supports all defined cipher suites (except for Fortezza), including all AES and PSK cipher suites. iSaSiLk implements all standard TLS extensions, comes with an easy to use API and operates on top of the IAIK-JCE Javau2122 Cryptography Extension. iSaSiLk is highly configurable and will work with any alternative JCE implementation supported by a proper provider for supplying the required cryptographic algorithms".

Once again thanks for your answer.

Re: HTTPs connection from SAP WebAS

Former Member — Tue, 13 Jan 2009 12:40:34 GMT

You should also configure the SSL library (typically sap crypto lib). using the parameter ssl/ssl_lib. In addition, you have to make sure that the list of CA certificates trusted by the server includes the one you used for the client certificate generation (intermediate CA's are ok though).

As Oliver has said: Only use RSA keys. AFAIK DSA is not supported by the SSL (TLS) protocol. Do not use the MD5 algorithm (this one has been broken badly).

Re: HTTPs connection from SAP WebAS

Former Member — Tue, 13 Jan 2009 13:09:05 GMT

Hello Sietze,

Related to the SSL Libraries, we've implemented the parameters mentioned in SAP Note 510007 (Setting-up SSL on the Web Application Server ABAP):

ssf/name = SAPSECULIB

ssf/ssfapi_lib - /usr/sap/XID/SYS/exe/run/libsapcrypto.so

sec/libsapsecu - /usr/sap/XID/SYS/exe/run/libsapcrypto.so

ssl/ssl_lib - /usr/sap/XID/SYS/exe/run/libsapcrypto.so

icm/server_port_2 - PROT=HTTPS,PORT=1443

Relating to the CA certificates that was well remembered but all the certificates were included in the PSE including the certificate response. Does the certificate request needs to be placed on the certificate list?

When you mention "Only use RSA keys. AFAIK DSA is not supported by the SSL (TLS) protocol. Do not use the MD5 algorithm (this one has been broken badly)." , have you seen anything on my description that suggested that I'm using DSA or the MD5 algorithm? Because from the PSE I've created, I've used RSA and not DSA, and SHA-1 and not MD5 but maybe I'm missing something.... All of your suggestions are welcomed

Re: HTTPs connection from SAP WebAS

Former Member — Tue, 13 Jan 2009 14:05:46 GMT

No, the certificate request does not need to put in the PSE (and you won't be able to do this). It is generated based on the contents of the PSE. The response contains the certificate, so you have to import the response. You should also include the root certificate from your PKI in the list of trusted certificates. Did you do this?

Regarding RSA and SHA-1: No, I just want to make sure you don't do this.

Re: HTTPs connection from SAP WebAS

Former Member — Tue, 13 Jan 2009 14:30:15 GMT

Hello Gonçalo,

I have implemented the ZSSF_TEST_PSE report in my CRM 2007 test system and I get a nearly identical result from it. I also get the RSA cipher algorythm.

Did you check your SSL client certificate with the report ? Filename SAPSSLSPHTID.pse seems to me to be a SSL server certificate....

This client certificate should include the CA list of the servers you want to connect to.

But your error message is not about CA...

If your client certificate uses also RSA, I'm out of ideas for your problem...

Olivier

Re: HTTPs connection from SAP WebAS

Former Member — Tue, 13 Jan 2009 17:18:12 GMT

Hi Sietze,

Yes, all the certificates were included without the certificate request When you mentioned the certificate request I thougt "Nice, that's it :)" .

Once again, thanks for your answer!

Re: HTTPs connection from SAP WebAS

Former Member — Tue, 13 Jan 2009 17:29:23 GMT

Hello Olivier,

Yes, the result is from my client certificate. The name SAPSSLSPHTTID means SaphetyID, that's why the 'S' may lead to confusion.

My error is strangely related to the cipherSuite, but both use RSA and on the iSaSiLk server response it seems everything is OK with the cipher...

Like you said, I'm running out of ideas...

Re: HTTPs connection from SAP WebAS

Former Member — Wed, 14 Jan 2009 12:37:28 GMT

Hello Gonçalo,

Then the last trial to do is to open an OSS message and hope that it will not be considered as consulting...

Regards,

Olivier

Re: HTTPs connection from SAP WebAS

Former Member — Wed, 14 Jan 2009 22:44:09 GMT

Hello Olivier,

Done that but still waiting for a reply....

Thanks for your suggestions, p o i n t a w a r d e d to you and Sietze... (not the maximum 10 but maybe you can still remember something... )

Edited by: Julius Bussche on Jan 15, 2009 11:31 AM

Re: HTTPs connection from SAP WebAS

Former Member — Thu, 15 Jan 2009 09:22:48 GMT

Sorry, I can't answer you. When I try, I get the phrase: "We are sorry but your message can not be posted since you have used forbidden words/phrases. Please edit your post according to the forum guidelines and re-post." but I don't know why.

Re: HTTPs connection from SAP WebAS

Wolfgang_Janzen — Thu, 15 Jan 2009 10:29:57 GMT


> Hello Olivier,
> 
> Done that but still waiting for a reply.... 
> 
> Thanks for your suggestions, point awarded to you and Sietze... (not the maximum 10 but maybe you can still remember something...   )

Kind advice: add a reference (URL) to this SDN thread - it might help to speed-up processing ....

Re: HTTPs connection from SAP WebAS

Former Member — Thu, 15 Jan 2009 10:33:32 GMT

> but I don't know why.

Content filters against points begging. Legacy problem...

I fixed it with a work-around.

Cheers,

Julius

Re: HTTPs connection from SAP WebAS

Former Member — Thu, 15 Jan 2009 11:02:50 GMT

I didn't beg for points. I don't care for it. I am sorry, I don't feel retyping everything.

Re: HTTPs connection from SAP WebAS

Former Member — Thu, 15 Jan 2009 11:07:34 GMT

I know, but the content filters let the original post through for some reason, and when you tried to quote it combined with some word you used, it blocked your post.

The system filters for "p o i n t s" combined with "a w a r d e d".

The content filters are usefull, but also cause some silly hassles.

Sorry about that,

Julius