on 2018 Apr 03 2:45 PM
I'm trying to retrieve data from an open data api. I have downloaded the certificate from the site and imported it into STRUST (SSL Client Anonymous). Then I created a HTTP connection to external server in SM59. In the beginning it worked fine, until last week when the api changed its URL and so its DNS. Ofcourse it could no longer be reached by the current host. So I did above steps again for the new URL (changed everything accordingly like hostname etc. in SM59), but this time I receive following error: SSL handshake with 'hostname:port' failed: SSSLERR_CONN_CLOSED (-10)#Remote Peer has closed the network connection##SapSSLSessionStartNB()==SSSLERR_CONN_C LOSED##
Anyone has an idea on how to solve this?
Hi Sven,
Interesting question 🙂 had me googling and I have got it to bypass the error SSSLERR_CONN_C LOSED message.
By setting the parameter mentioned in this note to true on my NPL demo system 751
2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client
"To enabled SNI seticm/HTTPS/client_sni_enabled to "true". This parameter is dynamic."
If your interested 🙂 my googling was a result of trying and failing with openssl client connections ( to see another non browser connection.)
The errors in this connection led me to these links which mentioned Server Name Indication (SNI) as a way of using more certificates on one IP address. Which must be the case for "public.brussels-parking-guidance.om" and the SAP parameter is required.
Hope it helps 🙂
Cheers
Robert
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi all,
I could simulate the issue using an internal test system.
I was discussing this case with a BC-SEC-SSL colleague, and then I saw Robert's update.
I performed some tests and it worked for me. Thus, setting "icm/HTTPS/client_sni_enabled = TRUE" should be the solution.
Thank you, Robert! Well done :-).
Regards,
Isaías
Notify: db8ac33b71d34a778adf273b064c4883 , svenswennen
Wow! Congrats Rob!
Hello Robert
Thanks for the answer. I'm new to SAP and I want to verify if I'm going to do this correctly. For this paramater am I correct that I have to go to RZ10, fill in the profile I'm using and then create this parameter (because I don't see the parameter in any of the profiles)?
Or am i completely incorrect and is "icm/HTTPS/client_sni_enabled = TRUE" found somewhere else? I tried googling it but it only says what it is and does but not where to modify it.
Kind regards
Sven Swennen
Hello Sven,
You are correct.
You access the transaction RZ10 and create the parameter there, at the instance profile (or even at the DEFAULT.PFL, so all instances have this parameter set; this also avoids the need to set the parameter on each instance profile).
You would have to restart SAP to activate the changes made to the profiles.
However, the parameter in question (icm/HTTPS/client_sni_enabled) is dynamically switchable.
Thus, besides creating the parameter through RZ10 (so SAP already starts with the desired value when restarted), you can activate the new value immediately through the transaction RZ11.
Kind regards,
Isaías
Thank you so much, all of you for helping me out.
I will create this paramater, but I'll have to discuss with my boss if it's possible to restart SAP overnight or if I have to wait till the next update since I'm doing this on our company server they will probably won't like it if I casually restart it now. I'll let it know if it worked or not, so fingers crossed :).
UPDATE: if everything goes to plan I should be able to test it wednesday, so if it all works I'll mark this one as the correct answer.
Thanks for all the help & kind regards
Sven Swennen
Hello Sven,
Just remarking that you can switch the value of the parameter dynamically, through transaction RZ11.
Therefore, there is no need to restart SAP :-).
This, however, does not eliminate the need to set the parameter at the profile too (RZ10).
Being a dynamic change, it will be lost if/when SAP is restarted. Setting the parameter at the profile ensures that SAP already starts with the desired value.
Kind regards,
Isaías
Problem has been resolved thank you very much!
Kind regards
Sven
sonjadeissenboeck , theoretically, that should be possible with function module SPFL_PARAMETER_CHANGE_VALUE, but my gut feeling is that manipulating profile parameters in ABAP programs is likely to be a bad idea. You might want to take this question over to the ABAP Development tag and see what folks think of it there. Why not set this parameter regularly and keep it that way? Does it break an existing connection you have to an external resource? If so, when you dynamically set it in your code, you're going to break that connection temporarily anyway, so it seems a better option would be to work with that external resource to get it to support SNI.
Cheers,
Matt
User | Count |
---|---|
71 | |
10 | |
8 | |
7 | |
6 | |
6 | |
6 | |
6 | |
6 | |
5 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.