ICM_HTTP_SSL_ERROR

Hi experts..
i am getting the error ICM_HTTP_SSL_ERROR in sxmb_moni while executing the proxy to file scenario and the trace says "no interface found"
i came to know from our forum that this error will come if sm59 connections are not properly in place....is this will also applicable for my scenario also??
plz help me out with solution...
thanx in advance...

Hi
make SSL inactive in sm59...It should work.
regards
krishna

Similar Messages

Error while connecting to external system in SM59 with ICM_HTTP_SSL_ERROR

Hi all,
we have configured an SM59 RFC destination of G type which pings to the external third party server. Before testing we have uploaded the external server certificate in PI system. it was working fine with * HTTP 200 OK* message. since 2 days we are facing the ICM_HTTP_SSL_ERROR while testing the connection. when we telnet from PI to the external system using the port no.443, its getting connected.
so any idea why it started giving the error.
We have check out this forums but of no help.
[ICM_HTTP_SSL_ERROR|ICM_HTTP_SSL_ERROR;
The trace file dev_icm says
[Thr 52] Thu Jan 20 14:34:00 2011
[Thr 52] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST
[Thr 52] session uses PSE file "/usr/sap/XD1/DVEBMGS00/sec/SAPSSLDRV.pse"
[Thr 52] No Secude Error present in trace stack!
[Thr 52] SSL_get_state() returned 0x00002141 "SSLv3 read server key exchange B"
[Thr 52] SSL NI-sock: local=192.168.127.70:65243 peer=80.78.2.187:443
[Thr 52] <<- ERROR: SapSSLSessionStart(sssl_hdl=6000000000d50fd0)==SSSLERR_SSL_CONNECT
[Thr 52] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00370a03} [icxxconn_mt.c 1957]
[Thr 81] Thu Jan 20 14:34:15 2011
[Thr 81] IcmWorkerThread: end worker thread 53
[Thr 80] Thu Jan 20 14:44:45 2011
[Thr 80] IcmWorkerThread: end worker thread 52
Thanks,
Asem

Hareen,
We checked the the note 1318906 and followed the steps but error persists.
Could you please advice more on this.
Rahul,
The note you mentioned is for different error "ICM_HTTP_INTERNAL_ERROR".
Br
Asem

HTTP-ADAPTER with HTTPS = ICM_HTTP_SSL_ERROR

Hi,
we are trying to sending data via HTTPS with the HTTP-Adapter. Therefor we create a RFC_Destination with SM59. For HTTP it works fine but after changing to HTTPS we receive a ICM_HTTP_SSL_ERROR.
The server on the other side expect authentification via User/Pwd on port. Also we added an entry in STRUST for CN=anonymous in STRUST.
Any idea whats wrong ?

Hi Sammer,
- authentification is username/pwd.
- SSL is active because of https
- Service is set to the https-port of the server.
I receive the following error in the log.
[Thr 10] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 10] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Class 3 Public Primary Certification Auth
ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
[Thr 10] << ---------- End of Secude-SSL Errorstack ----------
[Thr 10] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 10] SSL socket: local=10.172.11.11:41579 peer=195.14.237.44:3577
[Thr 10] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x1054e08b0)==SSSLERR_SSL_CONNECT
[Thr 10] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00021653} [icxxconn_mt.c 1813]
when I delete in STRUST all the certificates under Client_certificate (standard/anonymus) I receive the same error msg. it also the same error when I am trying to connect to another server with https.
regards bernd

ICM_HTTP_SSL_ERROR appeared when I try to replicate Business Partner to Cloud solution.

Hello experts,
I'm getting error while trying to replicate Business Partner from CRM to Cloud for Customer.
In SRTUTIL tcode i'm getting error message ICM_HTTP_SSL_ERROR for the outbound Idoc.
I have found description of the error - it means that SSL client certificate is not valid.
Can you please confirm, if all the certificates I have imported is ok?
I have created SLL environment in order to import SSL certificates and use it for RFC logon setup.
2 Certificates, taken from HCI (root and intermediate) were imported to this SSL Environment.
In the other side, I have imported certificate imported from
Message was edited by: Simuella Lapadratti
2 certificates imported to the STRUST SSL Environment:
- Cybertrust Sure Server Standard Validation CA
- GTE Cyber Trust Global Root
In the other side, I have imported client's certificate, taken from SAP CRM system.
Can you please provide your feedback if something else should be added. Thank you!

Hello,
it could be a problem with the client certificate on CRM side. Could you please provide more details about this client certificate. Especially I would need the information from which CA it was signed. Only if the signing CA is trusted on HCI Loadbalancer, then it will work.
Best regards,
Berthold

SOAP:1.023 SRT: Processing error in Internet Communication Framework: ("ICF Error when receiving the response: ICM_HTTP_SSL_ERROR")

Hello all,
can you pls suggest me smth for this:
I am running solman_setup and at phase 5.1 (Configure Web dispatcher) and I have errors:
SOAP:1.023 SRT: Processing error in Internet Communication Framework: ("ICF Error when receiving the response: ICM_HTTP_SSL_ERROR")
L3 - Failed to reach test WS through System Settings (ICM/HTTPURLLOC)
L2 - Failed to reach test WS through ICM
I choosed: No SAP Web Dispatcher used
What I did:
1. re-created users SM_EXTERN_WS and SM_INTERN_WS
2. added table HTTPURLLOC with the full hostname and the port
3. created SSL server standard certificate in STRUST and its green
4. instance profile>>add login/accept_sso2_ticket=1 and login/create_sso2_ticket=2
Thx for any suggestion
Chris

Hello,
I read note 1094342 - ICM trace contains verification of the server's certificate
and I installed in the IE browser the PSE saved from /strust
Thx for any idea
[Thr 140736729089792] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL[Thr 140736729089792] session uses PSE file "/usr/sap/SID/DVEBMGS00/sec/SAPSSLA.pse"[Thr 140736729089792] SecudeSSL_SessionStart: SSL_connect() failed[Thr 140736729089792] secude_error 536872221 (0x2000051d) = "SSLAPI error"[Thr 140736731203328] NiIBlockMode: set blockmode for hdl 92 FALSE[Thr 140736729089792] >> Begin of Secude-SSL Errorstack >>[Thr 140736729089792] 0x2000051dSAPCRYPTOLIB SSL_connect[Thr 140736729089792] SSL API error[Thr 140736729089792] Failed to verify peer certificate. Peer not trusted.
][Thr 140736729089792] << End of Secude-SSL Errorstack[Thr 140736731203328] NiIBlockMode: set blockmode for hdl 92 TRUE[Thr 140736729089792] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"[Thr 140736731203328] SSL_get_state() returned 0x00001180 "SSLv3 read client certificate A"[Thr 140736731203328] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL[Thr 140736731203328] session uses PSE file "/usr/sap/SID/DVEBMGS00/sec/SAPSSLS.pse"[Thr 140736731203328] SecudeSSL_SessionStart: SSL_accept() failed[Thr 140736731203328] secude_error 536875078 (0x20001046) = "SSL API error"[Thr 140736729089792] No certificate request received from Server[Thr 140736731203328] >> Begin of Secude-SSL Errorstack >>[Thr 140736731203328] 0x20001046SAPCRYPTOLIB SSL_accept[Thr 140736731203328] SSL API error[Thr 140736731203328] received a fatal SSLv3 certificate unknown alert message from the peer[Thr 140736731203328] 0xa0600263 SSL ssl23_accept[Thr 140736731203328] received a fatal SSLv3 certificate unknown alert message from the peer[Thr 140736731203328] 0xa0600263 SSL ssl3_read_bytes[Thr 140736731203328] received a fatal SSLv3 certificate unknown alert message from the peer[Thr 140736731203328] << End of Secude-SSL Errorstack[Thr 140736731203328] <<- ERROR: SapSSLSessionStart(sssl_hdl=1315bf0)==SSSLERR_SSL_ACCEPT[Thr 140736731203328] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT[Thr 140736729089792] <<- ERROR: SapSSLSessionStart(sssl_hdl=7fffcc023860)==SSSLERR_PEER_CERT_UNTRUSTED[Thr 140736729089792] <<- SapSSLErrorName()==SSSLERR_PEER_CERT_UNTRUSTED[Thr 140736731203328] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn_mt. 1713][Thr 140736729089792] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {000f3a6b} [icxxconn_mt.c 1989][Thr 140736731203328] <<- SapSSLSessionDone()==SAP_O_K[Thr 140736731203328] in: sssl_hdl = 1315bf0[Thr 140736731203328] ... ni_hdl = 92[Thr 140736731203328] NiICloseHandle: shutdown and close hdl 92/sock 41[Thr 140736729089792] <<- SapSSLSessionDone()==SAP_O_K[Thr 140736729089792] in: sssl_hdl = 7fffcc023860[Thr 140736729089792] ... ni_hdl = 223[Thr 140736729089792] IcmConnConnect(id=15/14955): free MPI request blocks[Thr 140736729089792] MPI<5909c>85#7 GetInbuf -1 21d220 1757 (1) -> MPI_EOS: End Of Stream

ICM_HTTP_SSL_ERROR when calling web service

Summary: ICM_HTTP_SSL_ERROR was met when I called web service in ABAP with logical port & RFC Connection of type G.
Details:
1. the test of RFC Connection of type G in SM59 works OK, with SSL inactive and basic authentication.
2. while in ABAP code, the calling to web service throws ICM_HTTP_SSL_ERROR, using the logical port with the RFC Connection as HTTp Destination.
3. also, with using URL directly in logical port settings, the calling to web service in ABAP throws ICM_HTTP_SSL_ERROR.
I searched threads and blog for ICM_HTTP_SSL_ERROR, it seems others met ICM_HTTP_SSL_ERROR in SM59; while my case is the test in SM59 works well.
Anybody can help?
Thanks and kind regards.
Said

Dear Sayid,
The document which you had mentioned here is really helpful.
I'am working on Digital Signature for Form16 in SAP.I stucked up with the same issue.
I went through the document of
Enabling SSL and Client Certificates on the SAP J2EE Engine by Angel Dichev
in that document i went through one note
Note: Per default, the SAP J2EE Engine uses the u201Cssl-credentialsu201D entry for SSL, which contains a
public-key certificate that has been signed by a test CA. Although this certificate can be used for
testing purposes, a certificate that has been signed by a well-known, productive CA should be used
when in production mode.
right now i'am doing it for testing purpose, in the above note it is mentioned that we can use default credentials but when i see the expiry date of this default credentials in my server 1) SSL-Credentials 2)SSL-Credentials-cert it is given that these certificates are Valid Not After 2005 year.
So i got confused now whether to use the default credentials or not.
Please guide me with a solution.
With Regards,
Pradeep.B

Internal Server Error in PI 7.1

Hi,
We have recently moved from XI 3.0 to PI 7.1. We have built an IDoc to file scenario that is resulting in error with information as below:
<SAP:Category>XIServer</SAP:Category>
<SAP:Code area="INTERNAL">CLIENT_RECEIVE_FAILED</SAP:Code>
<SAP:P1>407</SAP:P1>
<SAP:P2>ICM_HTTP_SSL_ERROR</SAP:P2>
<SAP:P3>(See attachment HTMLError for details)</SAP:P3>
<SAP:P4 />
<SAP:AdditionalText />
<SAP:Stack>Error while receiving by HTTP (error code: 407 , error text: ICM_HTTP_SSL_ERROR) (See attachment HTMLError for details)</SAP:Stack>
HTML error is attached to Payload in the message with error information as below:
500 Native SSL error
Error: -14
Version: 7011
Component: ICM
Date/Time: Fri Aug 13 14:33:05 2010
Module: icxxconn_mt.c
Line: 1911
Server: v005_PIS_00
Error Tag:
Detail: IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH
Observations:
Idoc submitted by SAP system is well received by PI system, Mapping is successfully executed to produce the target message. Message has stopped in Inbound Queue with info "XI Error CLIENT_RECEIVE_FAILED.INTERNAL: Queue stopped".
Inference:
Now it should be the turn for Integration engine to submit the message to adapter engine, but I suspect internal communication between these two components have failed.
I think a parameter change should solve this problem. May be it is parameter in rz10 or exchange profile?
Please provide your inputs to resolve the issue.
Thanks,
Suraj

Thanks for the replies.
In the preliminary analysis, it is found that Integration Engine and Adapter Engine connectivity is not maintained correctly.
Instead of https://<sid>:/sap/xi/engine?type=entry, it should be maintained as http://<sid>:/sap/xi/engine?type=entry
We need to find the place where this setting can be done and hence restore the connection.
Inference is made based on SLDCHECK that shows the url as 'http://<sid>:/sap/xi/engine?type=entry' and in the audit log of the monitoring it shows as https://<sid>:/sap/xi/engine?type=entry
Best Regards,
Suraj

Error in Proxy

Error in Proxy
SSL_ERROR_CONNECTION_LOST
Performing the connection test by clicking the "Test Connection" in transaction SM59, I am getting ICM_HTTP_SSL_ERROR.

Hi,
Check the following threads:
ICM_HTTP_SSL_ERROR for plain HTTPS with RFC Destination type G
ICM_HTTP_SSL_ERROR
SSL_ERROR_CONNECTION_LOST
Error 'Create failed : Argument not found' in SM59
Thnx
Chirag

HTTP Adapter outbound (SSL) processing

I am trying to send a XML message (an Invoice) from XI to an external Customer via HTTP Adapter.
The site I am posting the message to is SSL.
I have installed the Customer's Certificate via STRUST under SSL Client (Standard) and can see it in the
certificate list.
Within the Communication Channel for HTTP Adapter I have tried Addressing Type of URL
and also with a HTTP (SM59) destination. Both do not work.
The setting used for both are
host : workflw.externalcustomer.xxx.com Service: 443
Path : /SubmitInvoiceUAT/SubmitInvoice.asmx/SubmitCXML
HTTP Proxy : internetproxy.mycompany.com
Proxy Servuce : 80
SSL Active : SSL Client Certificate ANONYM SSL Client(Anonymous). As no client cert is used for logon
I have attempted a connection test within SM59 for the HTTP Destination and I receive the error
ICM_HTTP_SSL_ERROR.
1) If the SSL Client Certificate ONLY for logon then how does XI know what cert to encyrption with?.
2) Should Verisign/Thawte etc CA certs be also installed in STRUST ?
Does that "public" key for encryption need to be placed anywhere (eg STRUST) or will XI just do
3) this when it does the handshake with the external HTTPS site it is posting to ?
4) Also the transaction STRUST may (or may not depending on how the documentation is interpreted) need the installation of some certs into its PSE (Personal Security Environment). But exactly what they mean is a mystery. I have created what I thought was the servers cert but cannot see to create a dev.connector.boc.com named certificate. Perhaps that is not needed.
Here is the help <a href="http://help.sap.com/saphelp_nw70/helpdata/en/e8/1f1041a0f6f16fe10000000a1550b0/frameset.htm">SAPHelp on PI HTTPS Config</a>
5) Also OSS note 510007 it advises to check a number of settings. I have had a look at what I can ..namely via transaction RZ10 and I can see one parameter and should that be changed to include a HTTPS ? .i,e currently it is set to icm/server_port_0 PROT=HTTP,PORT=80$$,PROCTIMEOUT=3600

Hello
As a process you have done well. I suspect the problem could be with " SSL Client Certificate ". Check weather the SSL Client Certificate is Valid version.
Best practice.
 Alway when we are communicating with HTTP outbound. It is better to have a STANDALONE ftp location for both SENDER and RECEIVE xml DATA transfter files.
 I hope I answered your question. It was nice answering your question. Feel free to reach SDN if you have any questions.
Regards

Error using HTTPS

I am trying to send data from an SAP system to a non-SAP system using the HTTP adapter. The url is using port 9082 and am using a certificate for authentication. I have opened a hole in our firewall for the transmission.
I set up SM59 with the url/port/path, and specified the certificate installed in STRUST.
When I run a test, I get the following error in XI.
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
- 
- <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="">
<SAP:Category>XIAdapter</SAP:Category>
<SAP:Code area="PLAINHTTP_ADAPTER">ATTRIBUTE_CLIENT</SAP:Code>
<SAP:P1>407</SAP:P1>
<SAP:P2>ICM_HTTP_SSL_ERROR</SAP:P2>
<SAP:P3 />
<SAP:P4 />
<SAP:AdditionalText />
<SAP:ApplicationFaultMessage namespace="" />
<SAP:Stack>HTTP client. Code 407 reason ICM_HTTP_SSL_ERROR</SAP:Stack>
<SAP:Retry>A</SAP:Retry>
</SAP:Error>
I'm not real sure what this means and can't find anything in the forums about this. Can anyone offer any assistance?

Larry,
Ok so your using the HTTPS adapter, have you uploaded the certificate to the keystore in visual administrator?
Which version of XI/PI are you using? You may need to run the SSO2 Wizard (if PI/SP14 or above) otherwise kestore in VA should give you the necessary set up.
Make sure you set up HTTP and SSL correctly here is the link for the setup in NW04:
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
check the "Technically Enabling SSL" it describes the steps needed to run strust and J2EE Visual Adminstrators (utilitizing the keystore) here is a little snipet from the web page:
● Use the J2EE Visual Administrator to set up an SAP Web AS J2EE engine as HTTPS server. If not already done, you have to import a certificate generated by a CA identifying the SAP Web AS into the keystore named service_ssl in the Keystore service. In addition, you have to assign this certificate in the SSL Provider service.
● Use the J2EE Visual Administrator to set up an SAP Web AS J2EE engine as HTTPS client. If not already done, you have to import the certificate of the CA of the HTTPS serveru2019s certificate into the J2EE engineu2019s keystore view named TrustedCAs.
Good luck this should help you even a little.
Rocco

How to create ABAP Proxy for SSL secured ABAP Service

Hi guys,
I try to set up transport security for my ABAP web service. The service should be called via a ABAP Proxy.
These are my steps to create the ABAP web service:
1. Create function module (se80)
2. Create web service (web service definition) (service wizard)
2.1 Authentication = STRONG
2.2 Transport Guarantee = BOTH
3. Activate service (wsconfig)
4. Control service (wsadmin)
Afterwards I tried to create the proxy but when I add the WSDL URI I always get an
HTTP error (return code 407, message "ICM_HTTP_SSL_ERROR")
I tried to find a "How to" but I was not successfull. Also the saphelp http://help.sap.com/saphelp_nw04/helpdata/en/65/6a563cef658a06e10000000a11405a/frameset.htm was not helpful for me.
Hopfully you can help me! Every comment is appreciated!
Regards

I advise to have a look into the ICM trace file (dev_icm) - either by using ABAP transaction ST11 or SMICM.
There you should find error details. Most likely it's about the "chain verifier" complaining that he's unable to verify the certificate of the communication peer.
In that case [SAP Note 1094342|https://service.sap.com/sap/support/notes/1094342] might be helpful.

SSSLERR_SERVER_CERT_MISMATCH

We are getting the following error in the SXMB_MONI Trace on any message using a receiver adapter residing on the adapter engine. They all previously worked. The error occurs on the Call Adapter step. In the URL below, the <host> is NOT fully qualified, and I know this is the problem, but where is this defined? We are on PI 7.1. This same URL, without the fully qualified host, also shows on SXI_CACHE Goto->Adapter Engine Cache (Adapter Engine URL). Where is the URL defined or at least the host in the URL?
- <Trace level="1" type="B" name="CL_XMS_PLSRV_IE_ADAPTER-ENTER_PLSRV">
<Trace level="3" type="T">Channel for adapter engine: SFTP</Trace>
- <Trace level="1" type="B" name="CL_XMS_PLSRV_CALL_XMB-CALL_XMS_HTTP">
<Trace level="2" type="T">return fresh values from cache</Trace>
<Trace level="2" type="T">Get logon data for adapter engine (SAI_AE_DETAILS_GET):</Trace>
<Trace level="3" type="T">URL = https://<host>:<port>/MessagingSystem/receive/AFW/XI</Trace>
<Trace level="3" type="T">User = PIxxxISU</Trace>
<Trace level="3" type="T">Cached = X</Trace>
<Trace level="3" type="T">Creating HTTP-client</Trace>
<Trace level="3" type="T">HTTP-client: creation finished</Trace>
<Trace level="3" type="T">Security: Basic authentication</Trace>
<Trace level="3" type="T">Serializing message object...</Trace>
<Trace level="3" type="T">HTTP-client: sending http-request...</Trace>
<Trace level="3" type="T">HTTP-client: request sent</Trace>
<Trace level="3" type="T">HTTP-client: Receiving http-response...</Trace>
<Trace level="3" type="System_Error">HTTP-Client: exception during receive: HTTP_COMMUNICATION_FAILURE</Trace>
</Trace>
Additional errors in the Trace:
IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH
Error while receiving by HTTP (error code: 407, error text: ICM_HTTP_SSL_ERROR)

Hi Susan,
Please check the links with the same issue:
Adapter URL - hostname vs FQDN
Error using HTTPS
Internal Server Error in PI 7.1
Regards,
Naveen

HTTP Connection to External Server

Hi,
I had some problem with my RFC connection on SM59.
I get this error ICM_HTTP_SSL_ERROR.
I get this error forn dev_icm file
= Success -- SapCryptoLib SSL ready!
Thr 3964
Thr 3964 Started service 443 for protocol HTTPS on host "sapehd1.ssi.ad"(on all adapters) (processing timeout=60, keep_alive_timeout=30)
Thr 3964 Started service 25025 for protocol SMTP on host "sapehd1.ssi.ad"(on all adapters) (processing timeout=60, keep_alive_timeout=30)
Thr 3964 Tue Jun 15 00:00:02 2010
Thr 3964 *** WARNING => IcmNetCheck: NiHostToAddr(www.doesnotexist.qqq.nxst) took 5 seconds http://icxxman.c 4586
Thr 3964 Tue Jun 15 00:00:07 2010
Thr 3964 *** WARNING => IcmNetCheck: NiAddrToHost(10.0.0.1) took 5 seconds http://icxxman.c 4606
Thr 3964 *** WARNING => IcmNetCheck: 2 possible network problems detected - please check the network/DNS settings http://icxxman.c 4662
Thr 5520 Tue Jun 15 00:01:07 2010
Thr 5520 *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
Thr 5520 session uses PSE file "D:\usr\sap\EHD\DVEBMGS00\sec\SAPSSLDIBS.pse"
Thr 5520 SecudeSSL_SessionStart: SSL_connect() failed --
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
Thr 5520
Begin of Secude-SSL Errorstack
Thr 5520 ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US"
ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
Thr 5520 <<
End of Secude-SSL Errorstack
Thr 5520 SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
Thr 5520 SSL NI-sock: local=192.168.42.112:4581 peer=85.236.67.2:443
Thr 5520 <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000002F34BB0)==SSSLERR_SSL_CONNECT
Thr 5520 *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT http://icxxconn.c 2012
Any help
Thanks

Hi,
I had some problem with my RFC connection on SM59.
I get this error * ICM_HTTP_SSL_ERROR. I get this error forn dev_icm file *
= Success -- SapCryptoLib SSL ready!
Thr 3964 ================================================= Any help Thanks
Thr 3964 Started service 443 for protocol HTTPS on host "sapehd1.ssi.ad"(on all adapters) (processing timeout=60, keep_alive_timeout=30)
Thr 3964 Started service 25025 for protocol SMTP on host "sapehd1.ssi.ad"(on all adapters) (processing timeout=60, keep_alive_timeout=30)
Thr 3964 Tue Jun 15 00:00:02 2010
Thr 3964 *** WARNING => IcmNetCheck: NiHostToAddr(www.doesnotexist.qqq.nxst) took 5 seconds http://icxxman.c 4586
Thr 3964 Tue Jun 15 00:00:07 2010
Thr 3964 *** WARNING => IcmNetCheck: NiAddrToHost(10.0.0.1) took 5 seconds http://icxxman.c 4606
Thr 3964 *** WARNING => IcmNetCheck: 2 possible network problems detected - please check the network/DNS settings http://icxxman.c 4662
Thr 5520 Tue Jun 15 00:01:07 2010
Thr 5520 *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
Thr 5520 session uses PSE file "D:\usr\sap\EHD\DVEBMGS00\sec\SAPSSLDIBS.pse"
Thr 5520 SecudeSSL_SessionStart: SSL_connect() failed --
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
Thr 5520 >>
Begin of Secude-SSL Errorstack
>>
Thr 5520 ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US"
ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
Thr 5520 <<
End of Secude-SSL Errorstack
Thr 5520 SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
Thr 5520 SSL NI-sock: local=192.168.42.112:4581 peer=85.236.67.2:443
Thr 5520 <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000002F34BB0)==SSSLERR_SSL_CONNECT
Thr 5520 *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT http://icxxconn.c 2012
Any help
Thanks

How to make an HTTP request via SSL

Hi,
I´m using an instance of the class CL_HTTP_CLIENT to make an HTTP request to a https server. as long as it requires an SSL authentication, it returns an ICM_HTTP_SSL_ERROR error message.
How do I tell my program to ask for user´s certificate, and use it in the http request?
I´m supossed to have hundreds of users online running this application (it´s over SRM 5.0). How can I reach this?
Thanks you very much.
Federico.

Hello Frederico,
>1. By creating a new client, you mean go to "Environment->SSL Client Identitites" in STRUST, right? >Can I use a previously existing one?
I meant to create a new client SSL PSE. By default in a new Netweaver abap system, you have 3 of them : ANONYM, DFAULT and WSSE.
If you need more of them, you can create them with the menu "Go to-->Environment->SSL Client Identitites".
>2. I need this PSE client to have several 'identitites', I mean, to include several certificates from all my >users. Is it possible? If it´s not; how should I do so?
It seems that you want a different certificate per user. These client certificates in STRUST are designes to identify a SAP abap system, not human users. If you have 1000 users, you will not create 1000 certificates in STRUST !
Usually, you use only 2 entries here, one for anonymous HTTPS access and one authenticated HTTPS access. It is unusual to have several different identities for the same abap server. But it might be possible : for exemple, one identity on the intranet and an other one on the Internet.
>3. When I had my new PSE client, and my HTTP RFC destination of type 'G' configured to use that >PSE client, and when in abap I instantiate my http client (using CREATE_BY_DESTINATION method, >from CL_HTTP_CLIENT class): How does SAP knows which certificate to use? Because there will be >several users (hundreds) running this code to retrieve their specific data from a third party server.
>How does SAP knows whom certificate must use?
The certificate used will be the one defined in the HTTP destination.
You still seem to make the confusion between server client certificates and users client certificates.
a users client certificate is stored in the user's PC (or smartcard) and is used for HTTPS connections from the user's browser to the SSL server, not for an HTTPS connection from the ABAP server to another server.
Regards,
Olivier

Client_Receive_Failed

Hi experts,
we are conerning an problem with our PI. Until last week our whole system works fine. Now we are getting an ICM_HTTP_SSL_ERROR when we are uploading a file to a PI directory.
There is an process implemented that makes an RFC-call from PI to ERP. It seems we can't receive the result from the RFC-call.
It seems like the Adapter Engine is not avaiable.
Can anyone help pls?
Thx in advance for all answers.

Hello Shabarish,
that seems to be the problem.
Thx for your fast answer.

ICM_HTTP_SSL_ERROR

Similar Messages

Maybe you are looking for