cancel
Showing results for 
Search instead for 
Did you mean: 

Certificate file content disappeared from the ICM trace level 3 in ABAP 7.58

Sandra_Rossi
Active Contributor

Hello,

I see different content in the ICM trace level 3 (transaction code SMICM) concerning the certificates. In a system with ABAP 7.52, I could see the certificate contents (below in base 64, between BEGIN CERTIFICATE and END CERTIFICATE), but I can't see them in another system with ABAP 7.58.

Do you know if there's a profile parameter is implied or the feature has changed between 7.52 and 7.58?

Thank you!

Sandra

NB 1: I have said trace level 3, but it's possible that level 2 is sufficient (in ABAP 7.52) to obtain the content of the certificate.

NB 2: I have also posted the question/issue here: Certificate file content disappeared from the ICM trace in ABAP 7.58 · Issue #6 · sandraros/zcerti (...

ABAP 7.52 ICM trace level 2:

[Thr 139675634906880] CCL[VERIFY]: Cli-00000011: Verification result of SSL server certificate (failed)
[Thr 139675634906880] Verification result header:
[Thr 139675634906880] Verification errors
[Thr 139675634906880] The chain of certificates is incomplete or untrusted, missing certificate of
[Thr 139675634906880] CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
[Thr 139675634906880] Verified certificate:
[Thr 139675634906880] Subject: CN=github.com, O="GitHub, Inc.", L=San Francisco, SP=California, C=US
[Thr 139675634906880] Issuer: CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1, O=DigiCert Inc, C=US
[Thr 139675634906880] Serial Number: 0C:D0:A8:BE:C6:32:CF:E6:45:EC:A0:A9:B0:84:FB:1C
[Thr 139675634906880] -----BEGIN CERTIFICATE-----
[Thr 139675634906880] MIIFajCCBPGgAwIBAgIQDNCovsYyz+ZF7KCpsIT7HDAKBggqhkjOPQQDAzBWMQsw
...
[Thr 139675634906880] 3jSZCpwfqOHBdlxi9ASgKTU+wg0qw3FqtfQ31OwLYFdxh0MlNk/HwkjRSWgCMFbQ
[Thr 139675634906880] vMkXEPvNvv4t30K6xtpG26qmZ+6OiISBIIXMljWnsiYR1gyZnTzIg3AQSw4Vmw==
[Thr 139675634906880] -----END CERTIFICATE-----
[Thr 139675634906880] Used signer certificate:
[Thr 139675634906880] Subject: CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1, O=DigiCert Inc, C=US
[Thr 139675634906880] Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
[Thr 139675634906880] Serial Number: 07:F2:F3:5C:87:A8:77:AF:7A:EF:E9:47:99:35:25:BD
[Thr 139675634906880] -----BEGIN CERTIFICATE-----
[Thr 139675634906880] MIIEFzCCAv+gAwIBAgIQB/LzXIeod6967+lHmTUlvTANBgkqhkiG9w0BAQwFADBh
...
[Thr 139675634906880] xRqhqjn1VtvChMQ1H3Dau0bwhr9kAMQ+959GG50jBbl9s08PqUU643QwmA==
[Thr 139675634906880] -----END CERTIFICATE-----
[Thr 139675634906880] Certificate verification result:
[Thr 139675634906880] Certificate:
[Thr 139675634906880] Subject: CN=github.com, O="GitHub, Inc.", L=San Francisco, SP=California, C=US
[Thr 139675634906880] Verification result:
[Thr 139675634906880] Status: Not successful
[Thr 139675634906880] SignerStatus: Not successful

ABAP 7.58 ICM trace level 3:

[Thr 139843524822784] CCL[VERIFY]: Certificate verification result (failed)
[Thr 139843524822784] BEGIN VERIFICATION RESULT
[Thr 139843524822784] # Messages
[Thr 139843524822784] INFO: Verification time - Tue Apr 2 12:53:02 2024
[Thr 139843524822784] ERROR: The chain of certificates is incomplete or untrusted, missing certificate of [A6:CF:64:DB] CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=J
[Thr 139843524822784] # Summary
[Thr 139843524822784] #01 Certificate (End Entity): VALID
[Thr 139843524822784] Subject: CN=github.com
[Thr 139843524822784] Issuer: CN=Sectigo ECC Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, SP=Greater Manchester, C=GB
[Thr 139843524822784] Fingerprint (SHA256): FD:6E:9B:0E:F3:98:BC:D9:04:C3:B2:EC:16:7A:7B:0F:DA:72:01:C9:03:C5:3A:6A:6A:E5:D0:41:43:63:EF:65
[Thr 139843524822784] Validity: Thu Mar 7 00:00:00 2024 / Fri Mar 7 23:59:59 2025
[Thr 139843524822784] PKI validation: FAILED: Validation of dependents - Issuer Certificate (Issuer - Only Invalid Certificates Found)
[Thr 139843524822784] #02 Certificate (Issuer): VALID
[Thr 139843524822784] Subject: CN=Sectigo ECC Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, SP=Greater Manchester, C=GB
[Thr 139843524822784] Issuer: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, SP=New Jersey, C=US
[Thr 139843524822784] Fingerprint (SHA256): 61:E9:73:75:E9:F6:DA:98:2F:F5:C1:9E:2F:94:E6:6C:4E:35:B6:83:7C:E3:B9:14:D2:24:5C:7F:5F:65:82:5F
[Thr 139843524822784] Validity: Fri Nov 2 00:00:00 2018 / Tue Dec 31 23:59:59 2030
[Thr 139843524822784] PKI validation: FAILED: Validation of dependents - Issuer Certificate (Issuer - Only Invalid Certificates Found)
[Thr 139843524822784] #03 Certificate (Issuer): VALID
[Thr 139843524822784] Subject: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, SP=New Jersey, C=US
[Thr 139843524822784] Issuer: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, SP=Greater Manchester, C=GB
[Thr 139843524822784] Fingerprint (SHA256): A6:CF:64:DB:B4:C8:D5:FD:19:CE:48:89:60:68:DB:03:B5:33:A8:D1:33:6C:62:56:A8:7D:00:CB:B3:DE:F3:EA
[Thr 139843524822784] Validity: Tue Mar 12 00:00:00 2019 / Sun Dec 31 23:59:59 2028
[Thr 139843524822784] PKI validation: FAILED: Validation of dependents - Issuer Certificate (ERROR: Issuer - No Certificates Found)
[Thr 139843524822784] # Results
[Thr 139843524822784] Certificate Result #01: FAILED
[Thr 139843524822784] Certificate (End Entity): [FD:6E:9B:0E] CN=github.com
[Thr 139843524822784] Trusted: -
[Thr 139843524822784] Policy: -
[Thr 139843524822784] Revocation: Untested
[Thr 139843524822784] OCSP: Untested
[Thr 139843524822784] Issuer: ERROR: Issuer - Only Invalid Certificates Found
[Thr 139843524822784] Issuer Result: FAILED
[Thr 139843524822784] Signature: Succeeded
[Thr 139843524822784] KeyUsage: Untested
[Thr 139843524822784] BasicConstraints: Untested
[Thr 139843524822784] Validity: Untested
[Thr 139843524822784] Certificate: ERROR: Issuer Certificate Failed

 

View Entire Topic

Hello Sandra,

I cannot answer for sure, but did you compare the values of e.g., the following parameters:

icm/HTTP/trace_info

icm/HTTP/ssl_debug_info

rdisp/TRACE_HIDE_SEC_DATA

is/HTTP/extended_logging_info

icm/log_level

You might also check the parameter reference whether there is something that might fit to your described behaviour:

https://help.sap.com/docs/ABAP_PLATFORM_NEW/bd78479f4da741a59f5e2a418bd37908/497e41074a204431bb4d003...

Maybe this is helpful for you.

Sandra_Rossi
Active Contributor

Thanks, icm/HTTP/ssl_debug_info seems to be a good candidate. Let me compare all anyway between the two systems (next Tuesday).

icm/HTTP/ssl_debug_info: "Extended SSL tracing: A new profile parameter icm/HTTP/ssl_debug_info enables tracing of SSL-specific information in the developer trace without having to set global trace level 2." (little change maybe: the data would be in the developer trace rather than in the ICM trace; note that I never looked at the developer trace in my tests).

Concerning icm/HTTP/trace_info and rdisp/TRACE_HIDE_SEC_DATA, they seem to be very specific to what is inside HTTP requests/responses, not certificates.

The two last ones seem are not very clear to me, they seem to be about some general information.

EDIT:

 7.52 SP04 Kernel 753 PL4007.58 SP0 Kernel 793 PL51
icm/HTTP/trace_infoFALSEFALSE
icm/HTTP/ssl_debug_infoFALSEFALSE
rdisp/TRACE_HIDE_SEC_DATAonon
is/HTTP/extended_logging_infoN/A1
icm/log_level11