on 2018 Jun 08 3:52 AM
Hello Team,
I am trying to connect to an external webserver from SAP ECC.
I have created an SSL client identity and imported the Server certificates to this PSE in STRUST. I have also added the other certificates in the entire server certificate chain to the PSE. When I try to test the connection, I get the following error:
***************************************************************************************************
[Thr 11512] SSL NI-sock: local=x.y.z.a:8000 peer=a.b.c.d:443
[Thr 11512] <<- SapSSLSetNiHdl(sssl_hdl=52134acd0, ni_hdl=163)==SAP_O_K
[Thr 11512] IcmConnInitClientSSL: using default pse, show client certificate if available
[Thr 11512] <<- SapSSLSetTargetHostname(sssl_hdl=52134acd0)==SAP_O_K
[Thr 11512] in: hostname = "client web url"
[Thr 11512] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST
[Thr 11512] session uses PSE file "/usr/sap/hostname/D02/sec/SAPSSLC.pse"
[Thr 11512] No Secude Error present in trace stack!
[Thr 11512] SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"
[Thr 11512] No certificate request received from Server
[Thr 11512] <<- ERROR: SapSSLSessionStart(sssl_hdl=52134acd0)==SSSLERR_SSL_CONNECT
[Thr 11512] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT
[Thr 11512] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00010090} [icxxconn_mt.
[Thr 11512] <<- SapSSLSessionDone()==SAP_O_K
[Thr 11512] in: sssl_hdl = 52134acd0
[Thr 11512] ... ni_hdl = 193
***************************************************************************************
Hello Praveen,
The first error that is occurring is:
[Thr 11512] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST
This would occur when the network connection was closed.
You can capture a network trace (tcpdump) to see whether anything unusual is occurring (like the SAP server receiving reset - RST - packets).
The analysis should continue from a network perspective.
Regards,
Isaías
Hello Isaias,
Thanks for your inputs. While I check on the network part, I wanted to update you that the connection seems to work fine at the browser level. Do you think there would be a chance that it works with the same certificates at the browser level but stops working from SAP due to a network issue? Kindly confirm. Thanks.
Regards,
Praveen
Hello Praveen,
I do not know any SAP Note that would address network tracing.
Your network / operating system team should be able to help you.
"tcpdump" would have to be executed as "root".
A typical command for Linux would be "tcpdump -i any -n -w <file.pcap>".
Usually executing "man <command>" works on any Linux/UNIX server, so you get help with the command ;-).
Regards,
Isaías
This was resolved by adding the profile parameter ssl/client_ciphersuites = 982:HIGH:MEDIUM:+e3DES.
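A triage sketch for the trace posted in the question, added here as an example and not part of the original thread or of any SAP tool: it groups trace lines by thread id, extracts the peer, SSL error, PSE file and handshake state, and reports how far the handshake got. The function names and the `triage` heuristic are assumptions made for illustration.

```python
import re

# Trace lines copied from the question in this thread (placeholders kept as posted).
SAMPLE_TRACE = """\
[Thr 11512] SSL NI-sock: local=x.y.z.a:8000 peer=a.b.c.d:443
[Thr 11512] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST
[Thr 11512] session uses PSE file "/usr/sap/hostname/D02/sec/SAPSSLC.pse"
[Thr 11512] SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"
[Thr 11512] No certificate request received from Server
[Thr 11512] <<- ERROR: SapSSLSessionStart(sssl_hdl=52134acd0)==SSSLERR_SSL_CONNECT
"""

PATTERNS = {
    "peer": re.compile(r"peer=(\S+)"),
    "ssl_error": re.compile(r"SSL_connect\(\)==(\w+)"),
    "pse": re.compile(r'session uses PSE file "([^"]+)"'),
    "state": re.compile(r'SSL_get_state\(\) returned 0x[0-9a-fA-F]+ "([^"]+)"'),
}

def summarize(trace):
    """Group lines by thread id and collect the handshake facts for each thread."""
    sessions = {}
    for line in trace.splitlines():
        m = re.match(r"\[Thr (\d+)\]\s*(.*)", line)
        if not m:
            continue
        info = sessions.setdefault(m.group(1), {})
        for key, rx in PATTERNS.items():
            hit = rx.search(m.group(2))
            if hit:
                info[key] = hit.group(1)
    return sessions

def triage(info):
    """Assumed heuristic: classify the failure by the last handshake state logged."""
    state = info.get("state", "").lower()
    if "read server hello" in state:
        # The client was still waiting for the ServerHello, so no server
        # certificate had been received or checked against the PSE yet.
        return "pre-ServerHello: check offered protocol versions/cipher suites and the network path"
    if "certificate" in state:
        return "certificate phase: check the trust chain in the PSE"
    return "unclassified"

if __name__ == "__main__":
    for thr, info in summarize(SAMPLE_TRACE).items():
        print(thr, info, "->", triage(info))
```

For this trace the result points away from the certificates imported in STRUST and toward the ClientHello parameters or the network path, which matches the tcpdump suggestion and the cipher suite setting that resolved the issue.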