Using X.509 Client Certificates - SAP ABAP Webgui (SSL)

Hello,
we currently run the integrated ITS (Webgui). We now want to use the smart card and have adapted the configuration:
RZ10:
icm/server_port_0=PROT=HTTPS,PORT=1443,TIMEOUT=180                                                                               
icm/HTTPS/verify_client=2   
table USREXTID: C=DE,ST=xxx,L=xxx,O=xxx,OU=xxx,CN=xxx,emailAddress=xxx
smart card certification -> firefox 2.x and IE 7.x install.
SICF: Webgui Service -> Login with Client Certificate
The test (with IE or Firefox) was unsuccessful.
SMICM Trace:
[Thr 5708] >> - Begin of Secude-SSL Errorstack - >>
[Thr 5708] ERROR in ssl3_get_client_certificate: (536871698/0x20000312) the client did not send a certificate handshake message
[Thr 5708] << - End of Secude-SSL Errorstack -
[Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT
[Thr 5708] ->> SapSSLErrorName(rc=-56)
[Thr 5708] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT
[Thr 5708] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c   1777]
[Thr 5708] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
What should I do now?
Thanks, Silke
Full Trace:
sysno      02
sid        RD1
systemid   560 (PC with Windows NT)
relno      7000
patchlevel 0
patchno    148
intno      20050900
make:      multithreaded, ASCII, optimized
pid        5468
[Thr 5416] started security log to file dev_icm_sec
[Thr 5416] ICM running on: sdatu100.pvw.tu-darmstadt.de
[Thr 5416] MtxInit: 30001 0 2
[Thr 5416] IcmInit: listening to admin port: 65000
[Thr 5416] DpSysAdmExtCreate: ABAP is active
[Thr 5416] DpSysAdmExtCreate: VMC (JAVA VM in WP) is not active
[Thr 5416] DpShMCreate: sizeof(wp_adm)          13576     (1044)
[Thr 5416] DpShMCreate: sizeof(tm_adm)          36258120     (18120)
[Thr 5416] DpShMCreate: sizeof(wp_ca_adm)          18000     (60)
[Thr 5416] DpShMCreate: sizeof(appc_ca_adm)     6000     (60)
[Thr 5416] DpCommTableSize: max/headSize/ftSize/tableSize=2000/8/2112040/2112048
[Thr 5416] DpShMCreate: sizeof(comm_adm)          2112048     (1048)
[Thr 5416] DpSlockTableSize: max/headSize/ftSize/fiSize/tableSize=0/0/0/0/0
[Thr 5416] DpShMCreate: sizeof(slock_adm)          0     (96)
[Thr 5416] DpFileTableSize: max/headSize/ftSize/tableSize=0/0/0/0
[Thr 5416] DpShMCreate: sizeof(file_adm)          0     (72)
[Thr 5416] DpShMCreate: sizeof(vmc_adm)          0     (1296)
[Thr 5416] DpShMCreate: sizeof(wall_adm)          (224040/329544/56/100)
[Thr 5416] DpShMCreate: sizeof(gw_adm)     48
[Thr 5416] DpShMCreate: SHM_DP_ADM_KEY          (addr: 028C0040, size: 38968448)
[Thr 5416] DpShMCreate: allocated sys_adm at 028C0040
[Thr 5416] DpShMCreate: allocated wp_adm at 028C1B30
[Thr 5416] DpShMCreate: allocated tm_adm_list at 028C5038
[Thr 5416] DpShMCreate: allocated tm_adm at 028C5068
[Thr 5416] DpShMCreate: allocated wp_ca_adm at 04B591B0
[Thr 5416] DpShMCreate: allocated appc_ca_adm at 04B5D800
[Thr 5416] DpShMCreate: allocated comm_adm at 04B5EF70
[Thr 5416] DpShMCreate: system runs without slock table
[Thr 5416] DpShMCreate: system runs without file table
[Thr 5416] DpShMCreate: allocated vmc_adm_list at 04D629A0
[Thr 5416] DpShMCreate: allocated gw_adm at 04D629E0
[Thr 5416] DpShMCreate: system runs without vmc_adm
[Thr 5416] DpShMCreate: allocated ca_info at 04D62A10
[Thr 5096] IcmProxyWatchDog: proxy watchdog started
[Thr 5416] CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.
[Thr 5416] IcmCreateWorkerThreads: created worker thread 0
[Thr 5416] IcmCreateWorkerThreads: created worker thread 1
[Thr 5416] IcmCreateWorkerThreads: created worker thread 2
[Thr 5416] IcmCreateWorkerThreads: created worker thread 3
[Thr 5416] IcmCreateWorkerThreads: created worker thread 4
[Thr 5416] IcmCreateWorkerThreads: created worker thread 5
[Thr 5416] IcmCreateWorkerThreads: created worker thread 6
[Thr 5416] IcmCreateWorkerThreads: created worker thread 7
[Thr 5416] IcmCreateWorkerThreads: created worker thread 8
[Thr 5416] IcmCreateWorkerThreads: created worker thread 9
[Thr 4352] IcmWatchDogThread: watchdog started
[Thr 5672] =================================================
[Thr 5672] = SSL Initialization  on  PC with Windows NT
[Thr 5672] =   (700_REL,Mar 25 2008,mt,ascii,SAP_UC/size_t/void* = 8/32/32)
[Thr 5672]   profile param "ssl/ssl_lib" = "D:\usr\sap\RD1\SYS\exe\run\sapcrypto.dll"
           resulting Filename = "D:\usr\sap\RD1\SYS\exe\run\sapcrypto.dll"
[Thr 5672] =   found SAPCRYPTOLIB  5.5.5C pl17  (Aug 18 2005) MT-safe
[Thr 5672] =   current UserID: SDATU100\SAPServiceRD1
[Thr 5672] =   found SECUDIR environment variable
[Thr 5672] =   using SECUDIR=D:\usr\sap\RD1\DVEBMGS02\sec
[Thr 5672] =  secudessl_Create_SSL_CTX():  PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLC.pse" not found,
[Thr 5672] =      using PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse" as fallback
[Thr 5672] =  secudessl_Create_SSL_CTX():  PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLA.pse" not found,
[Thr 5672] =      using PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse" as fallback
[Thr 5672] ******** Warning ********
[Thr 5672] *** No SSL-client PSE "SAPSSLC.pse" available
[Thr 5672] *** -- this will probably limit SSL-client side connectivity
[Thr 5672] ********
[Thr 5672] = Success -- SapCryptoLib SSL ready!
[Thr 5672] =================================================
[Thr 5672] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject no
X.509 cert data will be removed from header [http_plg.c   720]
[Thr 5672] ISC: created 400 MB disk cache.
[Thr 5672] ISC: created 50 MB memory cache.
[Thr 5672] HttpSubHandlerAdd: Added handler HttpCacheHandler(slot=0, flags=12293) for /:0
[Thr 5672] HttpExtractArchive: files from archive D:\usr\sap\RD1\SYS\exe\run/icmadmin.SAR in directory D:/usr/sap/RD1/DVEBMGS02/
[Thr 5672] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=1, flags=4101) for /sap/admin:0
[Thr 5672] CsiInit(): Initializing the Content Scan Interface
[Thr 5672]            PC with Windows NT (mt,ascii,SAP_CHAR/size_t/void* = 8/32/32)
[Thr 5672] CsiInit(): CSA_LIB = "D:\usr\sap\RD1\SYS\exe\run\sapcsa.dll"
[Thr 5672] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=2, flags=12293) for /:0
[Thr 5672] HttpSubHandlerAdd: Added handler HttpSAPR3Handler(slot=3, flags=1052677) for /:0
[Thr 5672] Started service 1443 for protocol HTTPS on host "sdatu100.pvw.tu-darmstadt.de"(on all adapters) (processing timeout=9
[Thr 5672] Started service 25000 for protocol SMTP on host "sdatu100.pvw.tu-darmstadt.de"(on all adapters) (processing timeout=8
[Thr 5672] Tue Jul 15 14:38:37 2008
[Thr 5672] *** WARNING => IcmNetCheck: NiAddrToHost(10.0.0.1) took 5 seconds [icxxman.c    4578]
[Thr 5672] *** WARNING => IcmNetCheck: 1 possible network problems detected - please check the network/DNS settings [icxxman.c
[Thr 3932] Tue Jul 15 14:39:32 2008
[Thr 3932] *** WARNING => IcmCallAllSchedules: Schedule func 1 already running - avoid recursion [icxxsched.c  430]
[Thr 5416] Tue Jul 15 14:40:23 2008
[Thr 5416] IcmSetParam: Switched trace level to: 3
[Thr 5416] *
[Thr 5416] * SWITCH TRC-LEVEL to 3
[Thr 5416] *
[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
[Thr 5416]
NiBufSend starting
[Thr 5416] NiIWrite: hdl 3 sent data (wrt=80,pac=1,MESG_IO)
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 5416] SiSelNNext: sock 8088 selected (revt=r--)
[Thr 5416] NiBufISelProcess: hdl 9 process r-
[Thr 5416] NiBufIAlloc: malloc NIBUF-IN, to 72 bytes
[Thr 5416] NiIRead: hdl 9 received data (rcd=72,pac=1,MESG_IO)
[Thr 5416] NiBufIIn: NIBUF len=72
[Thr 5416] NiBufIIn: packet complete for hdl 9
[Thr 5416] NiBufISelUpdate: new MODE -- (r-) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: ---
[Thr 5416] NiBufISelUpdate: new STAT r-- (---) for hdl 9 in set0
[Thr 5416] NiSelIListInsert: add hdl 9 [17] to buf-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (1 buffered)
[Thr 5416] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 1
[Thr 5416]
NiBufReceive starting
[Thr 5416] NiBufISelUpdate: new MODE r- (--) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: rp-
[Thr 5416] NiBufISelUpdate: new STAT - (r) for hdl 9 in set0
[Thr 5416] NiSelIListRemove: remove hdl 9 [17] from buf-list (1) of set0
[Thr 5416] IcmRecMsg: received 72 bytes
[Thr 5416] ============================================
[Thr 5416] | COM_DATA:
[Thr 5416] | Offset: 0     | Version: 7000
[Thr 5416] | MsgNo: 2     | Opcode: ICM_COM_OP_ICM_MONITOR (66)
[Thr 5416] ============================================
[Thr 5416] IcmHandleAdmMsg: op: 66
[Thr 5416] NiBufIAlloc: malloc NiBufadm, to 0 bytes
[Thr 5416] NiBufDup: ref 1 for buf 0252CE50
[Thr 5416] IcmQueueAppend: queuelen:     1
[Thr 5416] IcmCreateRequest: Appended request 13
[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
[Thr 5416]
NiBufSend starting
[Thr 4392] IcmWorkerThread: worker 3 got the semaphore
[Thr 4392] REQUEST:
    Type: ADMMSG    Index = 12
[Thr 4392] NiBufFree: ref 1 for buf 0252CE50
[Thr 5416] NiIWrite: hdl 9 sent data (wrt=80,pac=1,MESG_IO)
[Thr 4392] MPI<a>0#5 GetInbuf -1 138968 440 (1) -> 6
[Thr 4392] IcmHandleMonitorMessage: called with opcode: 100
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 4392] MPI<9>1#4 GetOutbuf -1 1489a0 65536 (0) -> 05348A00 0
[Thr 4392] MPI<a>0#6 FreeInbuf#2 0 138968  0 -> 0
[Thr 4392] MPI<9>1#5 FlushOutbuf l-1 1 1 1489a0 1104 6 -> 053489E0 0
[Thr 4392] IcmWorkerThread: Thread 3: Waiting for event
[Thr 5416] SiSelNNext: sock 8088 selected (revt=r--)
[Thr 5416] NiBufISelProcess: hdl 9 process r-
[Thr 5416] NiBufIAlloc: malloc NIBUF-IN, to 72 bytes
[Thr 5416] NiIRead: hdl 9 received data (rcd=72,pac=1,MESG_IO)
[Thr 5416] NiBufIIn: NIBUF len=72
[Thr 5416] NiBufIIn: packet complete for hdl 9
[Thr 5416] NiBufISelUpdate: new MODE -- (r-) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: ---
[Thr 5416] NiBufISelUpdate: new STAT r-- (---) for hdl 9 in set0
[Thr 5416] NiSelIListInsert: add hdl 9 [17] to buf-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (1 buffered)
[Thr 5416] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 1
[Thr 5416]
NiBufReceive starting
[Thr 5416] NiBufISelUpdate: new MODE r- (--) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: rp-
[Thr 5416] NiBufISelUpdate: new STAT - (r) for hdl 9 in set0
[Thr 5416] NiSelIListRemove: remove hdl 9 [17] from buf-list (1) of set0
[Thr 5416] IcmRecMsg: received 72 bytes
[Thr 5416] ============================================
[Thr 5416] | COM_DATA:
[Thr 5416] | Offset: 0     | Version: 7000
[Thr 5416] | MsgNo: 2     | Opcode: ICM_COM_OP_ICM_MONITOR (66)
[Thr 5416] ============================================
[Thr 5416] IcmHandleAdmMsg: op: 66
[Thr 5416] NiBufIAlloc: malloc NiBufadm, to 0 bytes
[Thr 5416] NiBufDup: ref 1 for buf 0252CE50
[Thr 5416] IcmQueueAppend: queuelen:     1
[Thr 5416] IcmCreateRequest: Appended request 14
[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
[Thr 5416]
NiBufSend starting
[Thr 5784] IcmWorkerThread: worker 4 got the semaphore
[Thr 5416] NiIWrite: hdl 9 sent data (wrt=80,pac=1,MESG_IO)
[Thr 5416] NiBufFree: ref 1 for buf 0252CE50
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 5784] REQUEST:
    Type: ADMMSG    Index = 13
[Thr 5784] MPI<c>0#5 GetInbuf -1 1489a0 440 (1) -> 6
[Thr 5784] IcmHandleMonitorMessage: called with opcode: 100
[Thr 5784] MPI<b>1#4 GetOutbuf -1 138968 65536 (0) -> 053389C8 0
[Thr 5784] MPI<c>0#6 FreeInbuf#2 0 1489a0  0 -> 0
[Thr 5784] MPI<b>1#5 FlushOutbuf l-1 1 1 138968 1104 6 -> 053389A8 0
[Thr 5784] IcmWorkerThread: Thread 4: Waiting for event
[Thr 4352] Tue Jul 15 14:40:26 2008
[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
[Thr 4352] SiSelNFCSelect: start select (timeout=10000)
[Thr 5416] Tue Jul 15 14:40:29 2008
[Thr 5416] SiSelNNext: sock 8160 selected (revt=r--)
[Thr 5416] NiSelIListInsert: add hdl 6 [3] to sel-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (0 buffered)
[Thr 5416] IcmExternalLogin: Connection request from Client received
[Thr 5416] NiIAccept: hdl 6 accepted connection
[Thr 5416] NiICreateHandle: hdl 8 state NI_INITIAL
[Thr 5416] NiIInitSocket: set default settings for hdl 8 / sock 8076 (I4; ST)
[Thr 5416] NiIBlockMode: set blockmode for hdl 8 FALSE
[Thr 5416] NiIAccept: state of hdl 8 NI_ACCEPTED
[Thr 5416] NiIAccept: hdl 6 accepted hdl 8 from 192.168.1.3:1305
[Thr 5416] NiIAccept: hdl 8 took local address 130.83.89.22:1443
[Thr 5416] IcmConnCheckStoredClientConn: next client timeout check in 3 sec
[Thr 5416] IcmServIncrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 2
[Thr 5416] IcmQueueAppend: queuelen:     1
[Thr 5416] IcmCreateRequest: Appended request 15
[Thr 5416] IcmConnIntegrateServer: accepted connection from 192.168.1.3 on service 1443
[Thr 3932] IcmWorkerThread: worker 5 got the semaphore
[Thr 3932] REQUEST:
    Type: ACCEPT CONNECTION    Index = 14
[Thr 3932] CONNECTION (id=1/8):
    used: 1, type: 1, role: 1, stateful: 0
    NI_HDL: 8, protocol: HTTPS(2)
    local host:  130.83.89.22:1443 ()
    remote host: 192.168.1.3:1305 ()
    status: NOP
    connect time: 15.07.2008 14:40:29
    MPI request:        <0>      MPI response:        <0>
    request_buf_size:   0        response_buf_size:   0
    request_buf_used:   0        response_buf_used:   0
    request_buf_offset: 0        response_buf_offset: 0
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 3932] MPI:1 create pipe 052002C0 1
[Thr 3932] MPI<d>1#1 Open( ANONYMOUS 1 1 ) -> 1
[Thr 3932] MPI<d>1#2 Open( ANONYMOUS 1 0 ) -> 1
[Thr 3932] MPI:0 create pipe 05200180 1
[Thr 3932] MPI<e>0#1 Open( ANONYMOUS 0 0 ) -> 0
[Thr 3932] MPI<e>0#2 Open( ANONYMOUS 0 1 ) -> 0
[Thr 3932] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))
[Thr 3932] <<- SapSSLSessionInit()==SAP_O_K
[Thr 3932]      in: args = "role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT)"
[Thr 3932]     out: sssl_hdl = 003FFBC0
[Thr 3932] ->> SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)
[Thr 3932] NiIBlockMode: set blockmode for hdl 8 TRUE
[Thr 3932]   SSL NI-sock: local=130.83.89.22:1443  peer=192.168.1.3:1305
[Thr 3932] <<- SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)==SAP_O_K
[Thr 3932] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)
[Thr 3932]   SapISSLServerCacheExpiration(): Calling ServerCacheCleanup() (lifetime=900)
[Thr 3932]   SapISSLServerCacheExpiration(srv,"D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse"): Cache max/before/now = 5000/1/1
[Thr 5096] Tue Jul 15 14:40:32 2008
[Thr 5096] SiSelNSelect: of 1 sockets 0 selected
[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
[Thr 5096] SiSelNSelect: start select (timeout=10000)
[Thr 4352] Tue Jul 15 14:40:36 2008
[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
[Thr 4352] IcmCheckForBlockedThreads: check for blocked SSL-threads
[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
[Thr 4352] SiSelNFCSelect: start select (timeout=10000)
[Thr 5096] Tue Jul 15 14:40:42 2008
[Thr 5096] SiSelNSelect: of 1 sockets 0 selected
[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
[Thr 5096] SiSelNSelect: start select (timeout=10000)
[Thr 3932] Tue Jul 15 14:40:45 2008
[Thr 3932]   peer has closed connection
[Thr 3932] <<- SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_CONN_CLOSED
[Thr 3932] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
[Thr 3932] <<- SapSSLSessionDone(sssl_hdl=003FFBC0)==SAP_O_K
[Thr 3932] NiICloseHandle: shutdown and close hdl 8 / sock 8076
[Thr 3932] MPI<d>1#3 Close( 1 ) del=0 -> 0
[Thr 3932] MPI<d>1#5 Delete( 1 ) -> 0
[Thr 3932] MPI<d>1#4 Close( 1 ) del=1 -> 0
[Thr 3932] MPI<e>0#3 Close( 0 ) del=0 -> 0
[Thr 3932] MPI<e>0#5 Delete( 0 ) -> 0
[Thr 3932] MPI<e>0#4 Close( 0 ) del=1 -> 0
[Thr 3932] IcmConnFreeContext: context 1 released
[Thr 3932] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
[Thr 3932] IcmWorkerThread: Thread 5: Waiting for event
[Thr 5416] SiSelNNext: sock 8160 selected (revt=r--)
[Thr 5416] NiSelIListInsert: add hdl 6 [3] to sel-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (0 buffered)
[Thr 5416] IcmExternalLogin: Connection request from Client received
[Thr 5416] NiIAccept: hdl 6 accepted connection
[Thr 5416] NiICreateHandle: hdl 8 state NI_INITIAL
[Thr 5416] NiIInitSocket: set default settings for hdl 8 / sock 8092 (I4; ST)
[Thr 5416] NiIBlockMode: set blockmode for hdl 8 FALSE
[Thr 5416] NiIAccept: state of hdl 8 NI_ACCEPTED
[Thr 5416] NiIAccept: hdl 6 accepted hdl 8 from 192.168.1.3:1309
[Thr 5416] NiIAccept: hdl 8 took local address 130.83.89.22:1443
[Thr 5416] IcmConnCheckStoredClientConn: check for client conn timeout
[Thr 5416] IcmConnCheckStoredClientConn: next client timeout check in 60 sec
[Thr 5416] IcmServIncrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 2
[Thr 5416] IcmQueueAppend: queuelen:     1
[Thr 5416] IcmCreateRequest: Appended request 16
[Thr 5416] IcmConnIntegrateServer: accepted connection from 192.168.1.3 on service 1443
[Thr 5708] IcmWorkerThread: worker 6 got the semaphore
[Thr 5708] REQUEST:
    Type: ACCEPT CONNECTION    Index = 15
[Thr 5708] CONNECTION (id=1/9):
    used: 1, type: 1, role: 1, stateful: 0
    NI_HDL: 8, protocol: HTTPS(2)
    local host:  130.83.89.22:1443 ()
    remote host: 192.168.1.3:1309 ()
    status: NOP
    connect time: 15.07.2008 14:40:45
    MPI request:        <0>      MPI response:        <0>
    request_buf_size:   0        response_buf_size:   0
    request_buf_used:   0        response_buf_used:   0
    request_buf_offset: 0        response_buf_offset: 0
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 5708] MPI:0 create pipe 05200180 1
[Thr 5708] MPI<f>0#1 Open( ANONYMOUS 0 1 ) -> 0
[Thr 5708] MPI<f>0#2 Open( ANONYMOUS 0 0 ) -> 0
[Thr 5708] MPI:1 create pipe 052002C0 1
[Thr 5708] MPI<10>1#1 Open( ANONYMOUS 1 0 ) -> 1
[Thr 5708] MPI<10>1#2 Open( ANONYMOUS 1 1 ) -> 1
[Thr 5708] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))
[Thr 5708] <<- SapSSLSessionInit()==SAP_O_K
[Thr 5708]      in: args = "role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT)"
[Thr 5708]     out: sssl_hdl = 003FFBC0
[Thr 5708] ->> SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)
[Thr 5708] NiIBlockMode: set blockmode for hdl 8 TRUE
[Thr 5708]   SSL NI-sock: local=130.83.89.22:1443  peer=192.168.1.3:1309
[Thr 5708] <<- SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)==SAP_O_K
[Thr 5708] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)
[Thr 5708] NiIBlockMode: set blockmode for hdl 8 FALSE
[Thr 5708] NiIHdlGetStatus: hdl 8 / sock 8092 ok, data pending (len=1)
[Thr 5708] NiIBlockMode: set blockmode for hdl 8 TRUE
[Thr 5708]   SSL_get_state() returned 0x00001181 "SSLv3 read client certificate B"
[Thr 5708] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 5708] SecudeSSL_SessionStart: SSL_accept() failed --
  secude_error 536871698 (0x20000312) = "the client did not send a certificate handshake message for its authentication and we c
[Thr 5708] >> - Begin of Secude-SSL Errorstack - >>
[Thr 5708] ERROR in ssl3_get_client_certificate: (536871698/0x20000312) the client did not send a certificate handshake message
[Thr 5708] << - End of Secude-SSL Errorstack -
[Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT
[Thr 5708] ->> SapSSLErrorName(rc=-56)
[Thr 5708] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT
[Thr 5708] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c   1777]
[Thr 5708] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
[Thr 5708] <<- SapSSLSessionDone(sssl_hdl=003FFBC0)==SAP_O_K
[Thr 5708] NiICloseHandle: shutdown and close hdl 8 / sock 8092
[Thr 5708] MPI<f>0#3 Close( 0 ) del=0 -> 0
[Thr 5708] MPI<f>0#5 Delete( 0 ) -> 0
[Thr 5708] MPI<f>0#4 Close( 0 ) del=1 -> 0
[Thr 5708] MPI<10>1#3 Close( 1 ) del=0 -> 0
[Thr 5708] MPI<10>1#5 Delete( 1 ) -> 0
[Thr 5708] MPI<10>1#4 Close( 1 ) del=1 -> 0
[Thr 5708] IcmConnFreeContext: context 1 released
[Thr 5708] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
[Thr 5708] IcmWorkerThread: Thread 6: Waiting for event
[Thr 4352] Tue Jul 15 14:40:46 2008
[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
[Thr 4352] IcmQueueAppend: queuelen:     1
[Thr 4352] IcmCreateRequest: Appended request 17
[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
[Thr 4352] SiSelNFCSelect: start select (timeout=10000)
[Thr 4196] IcmWorkerThread: worker 7 got the semaphore
[Thr 4196] REQUEST:
    Type: SCHEDULER    Index = 16
[Thr 4196] IcmGetSchedule: found slot 0
[Thr 4196] IcmAlReportData: Reporting data to CCMS Alerting Infrastructure
[Thr 4196] NiIGetServNo: servicename '1443' = port 05.A3/1443
[Thr 4196] IcmConnCheckStoredClientConn: next client timeout check in 59 sec
[Thr 4196] NiIGetServNo: servicename '1443' = port 05.A3/1443
[Thr 4196] IcmGetServicePtr: new serv_ref_count: 2
[Thr 4196] PlugInHandleAdmMessage: request received:
[Thr 4196] PlugInHandleAdmMessage: opcode: 136, len: 272, dest_type: 2, subhdlkey: 262145
[Thr 4196] HttpSubHandlerCall: Call Handler: HttpCacheHandler, task=4, header_len=0
[Thr 4196] HttpCacheHandler: 4 0 006BBBC4 00000000
[Thr 4196] SCACHE: adm request received:
[Thr 4196] SCACHE: opcode: 136, len: 272, dest_type: 2, dest:
[Thr 4196] MTX_LOCK 3038 00ADEE88
[Thr 4196] MTX_UNLOCK 3051 00ADEE88
[Thr 4196] IctCmGetCacheInfo#5 -> 0
[Thr 4196] IcmNetBufWrapBuf: allocated netbuf: 00AD2B48, blocks used: 1
[Thr 4196] IcmNetBufWrapBuf: allocated netbuf: 00AD2B48
[Thr 4196] IcmNetBufFree: free netbuf: 00AD2B48 out of 1 used
[Thr 4196] IcmConnFreeContext: context 1 released
[Thr 4196] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
[Thr 4196] IcmGetSchedule: next schedule in 30 secs
[Thr 4196] IcmWorkerThread: Thread 7: Waiting for event
[Thr 5096] Tue Jul 15 14:40:52 2008
[Thr 5096] SiSelNSelect: of 1 sockets 0 selected
[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
[Thr 5096] SiSelNSelect: start select (timeout=10000)

silke kubelka wrote:
> SMICM-Log:
> *** No SSL-client PSE "SAPSSLC.pse" available
> *** this will probably limit SSL-client side connectivity
>
> is this a problem?
Well, since you want to enable the certificate-based user authentication (where your ABAP server is in the role of the SSL server) this does not matter. But if you intend to use your NWAS ABAP as SSL client (for outbound https communication) then it will matter. To resolve this problem you simply create an SSL Client PSE using transaction STRUST.
Once you've managed to configure your NWAS ABAP for SSL (https://service.sap.com/sap/support/notes/510007), you should see (in the ICM trace) that an X.509 client certificate was received. If the certificate-based logon does not succeed, then it's most likely due to some mapping problems - those can be analysed by using the tracing approach described in note 495911 (https://service.sap.com/sap/support/notes/495911).
If you need assistance in enabling the X.509 client certificate authentication you should submit an inquiry to SAP (message component BC-SEC-LGN).
Best regards,
Wolfgang
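
To check a dev_icm trace for the outcome the reply describes (whether a client certificate was received), the SSL lines can be grouped per worker thread and each handshake classified. This Python script is an added example, not part of the original thread or of any SAP tooling; the sample lines are copied from the trace in the question, while the class, function and label names, and the treatment of `SAP_O_K` as the success result of `SapSSLSessionStart`, are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines copied from the dev_icm trace posted in the question, trimmed to the
# SSL-relevant ones (the second line is cut off in the original post as well).
SAMPLE_TRACE = r'''
[Thr 5672] *** No SSL-client PSE "SAPSSLC.pse" available
[Thr 5672] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject no
[Thr 3932] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))
[Thr 3932]   SSL NI-sock: local=130.83.89.22:1443  peer=192.168.1.3:1305
[Thr 3932] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)
[Thr 3932]   peer has closed connection
[Thr 3932] <<- SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_CONN_CLOSED
[Thr 5708] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))
[Thr 5708]   SSL NI-sock: local=130.83.89.22:1443  peer=192.168.1.3:1309
[Thr 5708] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)
[Thr 5708]   SSL_get_state() returned 0x00001181 "SSLv3 read client certificate B"
[Thr 5708] ERROR in ssl3_get_client_certificate: (536871698/0x20000312) the client did not send a certificate handshake message
[Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT
'''

LINE_RE = re.compile(r'^\[Thr\s+(\d+)\]\s*(.*)$')
INIT_RE = re.compile(r'->> SapSSLSessionInit\(.*auth_type=\d+ \((\w+)\)\)')
PEER_RE = re.compile(r'SSL NI-sock: local=\S+\s+peer=(\S+)')
STATE_RE = re.compile(r'SSL_get_state\(\) returned \S+ "([^"]+)"')
SECUDE_RE = re.compile(r'ERROR in \w+: \(\d+/(0x[0-9a-fA-F]+)\)')
RESULT_RE = re.compile(r'<<- (?:ERROR: )?SapSSLSessionStart\([^)]*\)==(\w+)')

# Error code shown in the question's trace: "the client did not send a
# certificate handshake message".
NO_CLIENT_CERT = 0x20000312

# Startup lines worth surfacing (labels are hypothetical). Per the reply, the
# missing SAPSSLC.pse only matters when the ABAP server acts as SSL client.
STARTUP_WARNINGS = (
    ('No SSL-client PSE "SAPSSLC.pse"', "no_ssl_client_pse"),
    ("icm/HTTPS/trust_client_with_issuer", "trust_client_params_flagged"),
)


@dataclass
class Handshake:
    thread: int
    auth_type: str                      # e.g. REQUIRE_CLIENT_CERT (verify_client=2)
    peer: Optional[str] = None
    last_state: Optional[str] = None    # last SSL_get_state() text seen
    secude_code: Optional[int] = None
    result: Optional[str] = None        # return name of SapSSLSessionStart


def parse_handshakes(trace: str) -> List[Handshake]:
    """Group SSL lines by worker thread; one Handshake per SapSSLSessionInit."""
    open_by_thread = {}
    finished = []
    for raw in trace.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # continuation lines carry no [Thr n] prefix
        thread, rest = int(line.group(1)), line.group(2)
        init = INIT_RE.search(rest)
        if init:
            open_by_thread[thread] = Handshake(thread, init.group(1))
            continue
        hs = open_by_thread.get(thread)
        if hs is None:
            continue  # line does not belong to an SSL session we track
        peer, state = PEER_RE.search(rest), STATE_RE.search(rest)
        secude, result = SECUDE_RE.search(rest), RESULT_RE.search(rest)
        if peer:
            hs.peer = peer.group(1)
        if state:
            hs.last_state = state.group(1)
        if secude:
            hs.secude_code = int(secude.group(1), 16)
        if result:
            hs.result = result.group(1)
            finished.append(open_by_thread.pop(thread))
    return finished


def classify(hs: Handshake) -> str:
    if hs.result == "SAP_O_K":          # assumed success value, see lead-in
        return "OK"
    if hs.secude_code == NO_CLIENT_CERT:
        return "NO_CLIENT_CERT"
    if hs.result == "SSSLERR_CONN_CLOSED":
        return "PEER_CLOSED"
    return "OTHER"


def triage(trace: str) -> List[Tuple[Optional[str], str, str]]:
    return [(h.peer, h.auth_type, classify(h)) for h in parse_handshakes(trace)]


def startup_warnings(trace: str) -> List[str]:
    return [label for needle, label in STARTUP_WARNINGS if needle in trace]


if __name__ == "__main__":
    for peer, auth, verdict in triage(SAMPLE_TRACE):
        print(f"{peer:22} {auth:20} {verdict}")
    print("startup:", ", ".join(startup_warnings(SAMPLE_TRACE)))
```

On the posted trace this separates the first connection, which the browser closed mid-handshake, from the second, where the server required a certificate and the browser sent none.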

Similar Messages

  • X.509 client certificate not working through Reverse proxy

    Dear expert,
    We are working on fiori infrastructure. Our current scope is to enable X.509 authentication for both internet and intranet. However, the intranet scenario for X.509 authentication is working fine but internet is not, we got error message of "Base64 decoding of certificate failed". For landscape, the only difference between internet and intranet is we have apache reverse proxy in DMZ. We are using gateway as front-end server, business suite and HANA in the back-end.
    As X.509 authentication works fine under intranet scenario, we assume that the configuration for X.509 for both front-end and back-end are correct. With that assumption, the issue would exist in reverse proxy. We are using apache 2.4.7 with openssl 1.0.1e, but we have upgraded the openssl to the latest version 1.0.1h for SSL certificate generation. Below are the apache configuration for X.509.
    Listen 1081
    <VirtualHost *:1081>
    SSLEngine on
    SSLCertificateFile  "D:/Apache24/conf/server.cer"
    SSLCertificateKeyFile  "D:/Apache24/conf/server.key"
    SSLCertificateChainFile  "D:/Apache24/conf/server-ca.cer"
    SSLCACertificateFile "D:/Apache24/conf/client-ca.cer"
    SSLVerifyClient optional
    SSLVerifyDepth  10
    SSLProxyEngine On
    SSLProxyCACertificateFile "D:/Apache24/conf/internal-ca.cer"
    SSLProxyMachineCertificateFile "D:/Apache24/conf/server.pem"
    AllowEncodedSlashes On
    ProxyPreserveHost on
    RequestHeader unset Accept-Encoding
    <Proxy *>
         AddDefaultCharset Off
         SSLRequireSSL
         Order deny,allow
         Allow from all
    </Proxy>
    RequestHeader set ClientProtocol https
    RequestHeader set x-sap-webdisp-ap HTTPS=1081
    RequestHeader set SSL_CLIENT_CERT  ""
    RequestHeader set SSL_CLIENT_S_DN  ""
    RequestHeader set SSL_CLIENT_I_DN  ""
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
    RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
    ProxyPass / https://ldcinxd.wdf.sap.corp:1081/  nocanon Keepalive=on
    proxyPassReverse /  https://ldcinxd.wdf.sap.corp:1081/
    We are out of mind on how to resolve this issue. Please kindly help if you have any idea on it.
    thanks,
    Best regards,
    Xian'an

    Hi Samuli,
    Really thanks for your reply.
    Yes, we have tried your suggestion above in the apache configure file above, but when testing the HANA service, we got error message "Certificate could not be authenticated".
    Yes, web dispatcher makes the X.509 authentication much easier as under intranet scenario, no DMZ between browser and web dispatcher. Client certificate pass through web dispatcher directly and it works perfectly this way. Not sure why it doesn't work through apache reverse proxy.
    Best regards,
    Xian'an

  • Is it possible to use Adobe Interactive Forms in SAP (ABAP) Trial Version?

    Dear All,
    I need some help concerning the usage of Adobe Interactive Forms in SAP (ABAP) Trial Version.
    I installed SAP Netweaver 7.01 (ABAP Trial Version) and I would like to use the Adobe Interactive Form editor (transaction SFP). Is this trial version prepared for this? Is it possible to edit and test Interactive Forms in the ABAP Trial Version too?
    Somebody told me that he installed Adobe Lifecycle Designer 7.1 but the layout manager part of the editor shortdumped when he wanted to go back to other  parts of the editor or he wanted to save what he did...
    Is it enough to install Adobe Lifecycle Designer 7.1? Is there something else to install or configure?
    Thank you for your help in advance.
    All the best, P. Phil.

    Yes, you need the lifecycle designer installed.  That should be enough to work with the SFP transaction.  But to actually use the form, I think you do need the ADS(Adobe Document Services) which runs on the java stack.
    Regards,
    Rich Heilman

  • Client certificate as part of SSL

    I am using the javax.xml.soap.SOAPConnection in my application hitting an HTTPS site to get SOAP data. From what I can see, this is using the default JSSE behavior for the entire SSL session. The server is requesting a client certificate during the SSL handshake. This is where my problem is coming up.
    Since I have done nothing to set up the SSL connection explicitly, I am unclear on where the application will pick the certificate up from? I added my client SSL certificate to a custom .keystore in my runtime directory as well as in the $JAVA_HOME/jre/lib/security/cacerts, but when I run the application with the "-Djavax.net.debug=all" (debug on), I do not see the client cert being sent.
    So, my questions were:
    (a) which keystore should my cert be added to?
    (b) how do I specify to the JSSE which cert in the keystore defines my client SSL cert? i.e. which cert should the JSSE send back to the server when a request for cert is received from the server. I found no "setClientCert" like API, but then I am not really talking at the socket level either from the SoapConnection class.
    (c) is there a default "alias" name that I need to use when I import my cert such that the JSSE will pick it?
    Attached are snippets from my debug log.
    *** ClientHello, v3.1
    <<< Some cipher information here >>>
    *** ServerHello, v3.1
    <<< Some cipher information here >>>
    *** Certificate chain
    << Servers certificate here >>>
    *** CertificateRequest
    << server is requesting the client certificate here>>
    *** ServerHelloDone
    *** Certificate chain
    << SHOULD HAVE HAD THE CLIENT CERT, but instead is blank>>
    KeyExchange, etc. continues but when I send the data, I get a 403 forbidden.
    Any help would be appreciated. Thanks.
    Madhuri

    Thanks for your help.
    I have resolved my problem. It turned out that in order to get Sun's JSSE to read my keystore, I needed to set the "javax.net.ssl.keyStore" system property. I chose to let the default trust manager "cacert" be used and that worked fine. The other problem that I had to fix was to have my key contain the full cert chain to the CA, before it got sent.
    I found the following article on IBM developerWorks, which finally resolved most of my questions.
    http://www-106.ibm.com/developerworks/java/library/j-customssl/
    I still have an open issue that I will post separately, dealing with the key that JSSE picks from the keystore. It just takes the first key that matches the cert request and doesn't seem related to any naming and the only way to explicitly specify the key to use is by writing a custom KeyStore and have that be used in the SSL socket creation. However, when I am using the SOAP classes, I am a few levels of abstraction away from the actual Socket creation and this prevents me from setting the client cert explicitly. Any ideas?

  • Using Cisco VPN client certificate for built in IPSec?

    Hi,
    Does anybody know if it is possible to "convert" a certificate exported from Cisco VPN client and import it into the Keychain for using it with built-in IPSec in Snow Leopard?
    Thanks,
    Oli

    I too am having trouble importing the Cisco certificate. It would be nice for some clear documentation. We've been successful converting the X.509 cer to PKCS#7 using openssl which will import into the keychain. However, the VPN (Cisco IPSec) still doesn't see it.

  • Can I set the iPad to use the same client certificate by default?

    I have an iPad which has more than one client cert installed. Is there a way to select one of the certificates as the default when visiting websites that require client cert auth?
    Thanks

    I do not know of any way to specify only some bookmarks to open in a new tab. You could middle-click on a bookmark to make it open in a new tab.
    There are add-ons that can make all bookmarks open in a new tab, such as:
    * [https://addons.mozilla.org/en-US/firefox/addon/13784/ Open Bookmarks in New Tab]
    * [https://addons.mozilla.org/en-US/firefox/addon/1122/ Tab Mix Plus]
    * [https://addons.mozilla.org/en-US/firefox/addon/59961/ Tab Utilities]
    * [https://addons.mozilla.org/en-US/firefox/addon/62581/ Tab Utilities Lite]
    * [https://addons.mozilla.org/en-US/firefox/addon/14439/ Tabberwocky]
    All but the first of those will add many other tab browsing features. There will be other tabbed related add-ons that can open all bookmarks in a new tab, you can find them by searching https://addons.mozilla.org/

  • How to use X.509 secure PI?

    I think that X.509 provides the maximum security for communication.
    We want to know how to use X509 wherever it is possible in PI.
    Would you please provide some blogs?  Thanks!

    Hello Tina,
    Watch these threads; they will be useful information:
    Use X.509, SNC and SSL for PI communication channels
    Re: Using X.509 client certificates Logon for SAPGUI
    WS-Security with PI 7.1
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/50d07121-07a5-2c10-5280-a081de9b851c?quicklink=index&overridelayout=true
    If you think it is valuable for your requirement then give me the points!
    Regards,
    Ravi.

  • Webdav using Client Certificates

    Hello all
    Finder (10.5.6) seems not to be able to use Webdav with client certificates. Especially in conjunction with Alfresco Share this would be nice.
    Any ideas?
    Pascal.

    Hi,
    > have a question, if we use this mechanism do we have to maintain User's certificate in user master or this is not needed as we are accepting the connection from the intermediary server which is trusted by the J2EE engine.
    I think it depends from your Biller Direct application.
    In my company we use Rosettanet B2B with SAP XI and have this setup :
    Internet -- https --> Apache -- https --> Web dispatcher -- https --> SAP J2EE PI
    The client certificate from the B2B partner is sent up to SAP PI and we did not have to set the certificate in the user master.
    We did have to import the certificate in the J2EE keystore and to configure the Rosettanet connector.
    Regards,
    Olivier

  • Designating the specific client certificate to use from within an applet

    With JRE 1.4.x, my applet will use a specific client certificate for connection to an https url which requires a client certificate - I did that by defining runtime parameters for the jre (-Djavax.net.ssl.keyStore=...) but with JRE 1.5.x, the same runtime options don't seem to have any effect (even if I configure the plugin not to use the browser's store of certificates).
    I like the new "use browser certificate store" feature of the JRE 1.5.x, but can I have a way to designate, programmatically in the code of my applet, which specific certificate to use?

  • How to Use IDOC and ALE in SAP?

    Hi anybody,
    I want to use IDoc and ALE in SAP ABAP. What is the inbound and outbound process of IDoc?
    Please give me sample code for IDoc and sample code for ALE.
    Anybody, please tell me.
    Thanks
    Regards,
    S.Muthu.
    IT Dept.

    hi,
    Follow the link for step by step ALE/IDOC tutorials.
    http://www.sapmaterial.com/idoc_sample.html
    http://www.****************/Tutorials/ALE/ALEMainPage.htm
    An IDoc is not a process.
    The term IDoc stands for intermediate document. It is simply a data container used to exchange information between any two processes that can understand the syntax and semantics of the data. An IDoc is created as a result of executing an outbound ALE or EDI process. In an inbound ALE or EDI process, an IDoc serves as input to create an application document.
    IDocs are stored in the database.
    In the SAP system, they are stored in database tables. Several utilities are available to display the information contained in an IDoc and present it in different ways. For details, refer to Chapter 11, "Monitoring the Interface."
    Every IDoc has a unique number.
    When an IDoc is generated in the system, a unique number is assigned to it. This number is unique within a client.
    IDocs are independent of the sending and receiving systems. They can be used for SAP-to-SAP and SAP to non-SAP process communication as long as the participating processes can understand the syntax and semantics of the data.
    IDocs are based on EDI standards, ANSI ASC X12 and EDIFACT, but are closer to the EDIFACT standards. The size and format of data elements in an IDoc type are derived from these standards wherever applicable. For example, if a material number is represented by 20 characters in an EDIFACT message, the corresponding data element in the IDoc is also 20 characters. If there is a conflict in data size between standards, the one with greater length is adopted. This approach ensures compatibility with most standards.
    IDocs are independent of the direction of data exchange. An inbound and an outbound process can use an IDoc. For example, the ORDERS01 IDoc is used by the Purchasing module to send a purchase order, and is also used by the Sales and Distribution module to accept a sales order. Using this technique avoids creating redundant IDoc types for the same information.
    IDocs can be viewed in a text editor and do not contain any binary data. Data is stored in character format. When transferred to the operating system, an IDoc is stored in a file in text format and can be viewed using a regular text editor. However, the contents make sense only if you understand the structure and format of the data in that IDoc. In the Appendix, "FAQs, User Exits, and Miscellaneous Resources," you will find an example of an IDoc file.
    Hope this helps, Do reward.
    Edited by: Runal Singh on Mar 5, 2008 6:09 PM

  • Non-Deterministic Exception When Connecting With Wrong Client Certificate

    I am working on an internal application and need to determine the correct client-side SSL certificate to use when connecting to a server (the user can supply multiple client-side certificates). I had expected that if I connected to a server using the wrong client certificate the java client would throw a SSLHandshakeException and I could then try the next certificate. This seems to work some of the time, however the java client will sometimes throw a “SocketException: Software caused connection abort: recv failed”, in which case it is not possible to know that the wrong certificate caused the problem.
    Below is the code I have been using to test as well as the intermittent SocketException stack trace. Does anyone have an idea as to how to fix this problem? Thanks in advance.
    Note: the TrustAllX509TrustManager is a trust manager that trusts all servers.
    protected void connectSsl() throws Exception {
          final String host = "x.x.x.x";
          final int portNumber = 443;
          final int socketTimeout = 10*1000;
          // Note: Wrong certificate (expect SSLHandshakeException).
          final String certFilename = "C:\\xxx\\clientSSL.P12";
          final String certPassword = "certPassword";
          final BufferedInputStream bis = new BufferedInputStream(new FileInputStream(new File(certFilename)));
          final char[] certificatePasswordArray = certPassword.toCharArray();
          final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
          final KeyStore keyStore = KeyStore.getInstance("PKCS12");
          keyStore.load(bis, certificatePasswordArray);
          keyManagerFactory.init(keyStore, certificatePasswordArray);
          final KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
          final SSLContext context = SSLContext.getInstance("SSL");
          context.init(keyManagers, new TrustManager[]{new TrustAllX509TrustManager()}, new SecureRandom());
          final SocketFactory secureFactory = context.getSocketFactory();
          final Socket socket = secureFactory.createSocket();
          final InetAddress ip = InetAddress.getByName(host);
          socket.connect(new InetSocketAddress(ip, portNumber), socketTimeout);
          socket.setSoTimeout(socketTimeout);
          // Write the request.
          final OutputStream out = new BufferedOutputStream(socket.getOutputStream());
          out.write("GET / HTTP/1.1\r\n".getBytes());
          out.write("\r\n".getBytes());
          out.flush();
          InputStream inputStream = socket.getInputStream();
          ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
          byte[] byteArray = new byte[1024];
          int bytesRead = 0;
          while ((bytesRead = inputStream.read(byteArray)) != -1) {
             outputStream.write(byteArray, 0, bytesRead);
          }
          socket.close();
          System.out.println("Response:\r\n" + outputStream.toString("UTF-8"));
       }
    Unexpected SocketException:
    main: java.net.SocketException: Software caused connection abort: recv failed
         at java.net.SocketInputStream.socketRead0(Native Method)
         at java.net.SocketInputStream.read(SocketInputStream.java:129)
         at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
         at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1435)
         at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
         at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:612)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:808)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:734)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:197)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)

    Thanks for the quick response. Here are answers to the questions:
    1) No, this issue is not associated with one particular certificate. I have tried several certificates and see the same issue.
    2) I agree it would be simpler to only send the required certificate, but unfortunately the project requires that the user be able to specify multiple certificates and, if a client-side certificate is required, the application try each one in turn until the correct certificate is found.
    3) Yes, I realize the TrustAllX509TrustManager is insecure, but I am using this for testing purposes while trying to diagnose the client certificate problem.
    In terms of testing, I am just wrapping the above code in a try/catch block and executing it in a loop. It is quite odd that the same exact code will sometimes generate a SSLHandshakeException and other times a SocketException.
    One additional piece of information: if I force the client code to use "SSLv3" using the Socket.setEnabledProtocols(...) method, the problem goes away (I consistently get a SSLHandshakeException). However, I don't think this solves my problem as forcing the application to use SSLv3 would mean it could not handle TLS connections.
    The code to specify the SSLv3 protocol is:
    SSLSocket sslSocket = (SSLSocket) socket;
    sslSocket.setEnabledProtocols(new String[] {"SSLv3"});
    One other strange issue: if instead of specifying the SSLv3 protocol using setEnabledProtocols(...) I instead specify the protocol when creating the SSLContext, the SocketException problem comes back. So if I replace:
    final SSLContext context = SSLContext.getInstance("SSL");
    with:
    final SSLContext context = SSLContext.getInstance("SSLv3");
    and remove the "sslSocket.setEnabledProtocols(new String[] {"SSLv3"})" line, I see the intermittent SocketException problem.
    All very weird. Any thoughts?
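
    Several threads above ask how to control which key JSSE offers as the client certificate (it takes the first match, the applet question, trying certificates in turn). One way to pin a single keystore entry, as an added example that is not code from any of the posts: the names PinnedAliasKeyManager and contextFor are hypothetical, and the standard "SunX509" key manager is assumed as the delegate.

    ```java
    import java.net.Socket;
    import java.security.KeyStore;
    import java.security.Principal;
    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLEngine;
    import javax.net.ssl.X509ExtendedKeyManager;
    import javax.net.ssl.X509KeyManager;

    /** Added example: offers exactly one keystore entry as the TLS client certificate. */
    public final class PinnedAliasKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager delegate;
        private final String pinnedAlias;

        public PinnedAliasKeyManager(X509KeyManager delegate, String pinnedAlias) {
            this.delegate = delegate;
            this.pinnedAlias = pinnedAlias;
        }

        // issuers = CA names from the server's CertificateRequest (may be empty).
        @Override
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            for (String keyType : keyTypes) {
                // The delegate already filters by key type and by acceptable issuers.
                String[] usable = delegate.getClientAliases(keyType, issuers);
                if (usable == null) continue;
                for (String alias : usable) {
                    // Keystore implementations may normalise alias case.
                    if (alias.equalsIgnoreCase(pinnedAlias)) return alias;
                }
            }
            return null; // no match: send no certificate instead of an arbitrary one
        }

        @Override
        public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine e) {
            return chooseClientAlias(keyTypes, issuers, null);
        }

        @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
            return delegate.getClientAliases(keyType, issuers);
        }
        @Override public X509Certificate[] getCertificateChain(String alias) {
            return delegate.getCertificateChain(alias);
        }
        @Override public PrivateKey getPrivateKey(String alias) {
            return delegate.getPrivateKey(alias);
        }
        // Client-only key manager: never offers a server identity.
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return null; }

        public static SSLContext contextFor(KeyStore ks, char[] password, String alias) throws Exception {
            // "SunX509" returns plain keystore aliases; other algorithms may decorate them.
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(ks, password);
            for (KeyManager km : kmf.getKeyManagers()) {
                if (km instanceof X509KeyManager) {
                    SSLContext ctx = SSLContext.getInstance("TLS");
                    // null trust managers = the JRE default trust store, so the server is still verified.
                    ctx.init(new KeyManager[] { new PinnedAliasKeyManager((X509KeyManager) km, alias) }, null, null);
                    return ctx;
                }
            }
            throw new IllegalStateException("no X509KeyManager available");
        }
    }
    ```

    Sockets created from contextFor(...).getSocketFactory() offer only the pinned entry. Code that cannot reach socket creation can install the context with SSLContext.setDefault(...), assuming the library in between uses the JVM default context.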

  • ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

    Hello, I'm stuck with this problem for 3 weeks now.
    I'm not able to configure the EAP-TLS authentication.
    In the "Certificate Store" of the ISE server I have installed the Root, Policy and the Issuing certificates as "trust for client authentication", and in the Local store I have a certificate issuing for the same issuing authority which signs the client ones.
    The ISE's certificate has been issued with the "server Authentication certificate" template.
    The clients have installed the certificates and also the certificate chain.
    When I try to authenticate the wireless clients I always get the same error: "Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
    and "OpenSSLErrorMessage=SSL alert
    code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
    I don't know what else I can do.
    Thank you
    Jorge

    Hi Rik,
    Below are the certificate details:
    ISE Certificate Signed by XX-CA-PROC-06
    User PKI Signed by XX-CA-OTHER-08
    In ISE certificate Store i have the below certificates
    XX-CA-OTHER-08 signed by XX-CA-ROOT-04
    XX-CA-PROC-06 signed by XX-CA-ROOT-04
    XX-CA-ROOT-04 signed by XX-CA-ROOT-04
    ISE certificate signed by XX-CA-PROC-06
    I have enabled 'Trust for client authentication' on all three certificates.
    This is unchecked: 'Enable Validation of Certificate Extensions (accept only valid certificate)'.
    When I check the certificates of the current user on the client PC, this is how it shows:
    XX-CA-ROOT-04 is listed in Trusted root Certification Authority
    and XX-CA-PROC-06 and XX-CA-OTHER-08  are in Intermediate Certificate Authorities

  • Web service Security using X.509 certificate

    Hi All,
    I have a web service deployed on the SAP Web AS J2EE.
    I want to include Authentication option in my web service
    I have configured the settings for using X.509 certificate(HTTPS) in my
    web service configuration and similarly I've configured my client proxy
    for the same.
    My question is..... from where do I get the X.509 certificate?
    actually I have the .crt and .der files, which I created from
    the visual administrator.
    And also do I need to install anything on my SAP server
    in order to use the authentication service? (Any prerequisite)
    Thanks,
    Talimeren

    Hi Talimeren,
    when you want to use certificates you have to set up SSL, which you've started already. You have to get and import a server certificate which authenticates the server while the client creates an SSL connection. The cert has to be assigned to the SSL port. For NW04 you can find the guide here http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm
    If you want client authentication by certificates as well you have to import at least one root certificate from a certificate authority (CA) which you trust and by which all user certificates are signed.
    SAP delivers the IAIK library for WebAS security, but this depends on your WebAS version and installation. I suggest you setup SSL and try to make a connection. If the connection can be made, the security library should be there.
    HTH
    Daniel
    Message was edited by: Correct Link
            Daniel Sass

  • Using the Execute Preloaded Option for ABAP Dataflows in SAP BODS

    Hello All,
    This is regarding the use of Advanced Option in SAP Application Type (ECC) Datastore settings in SAP BODS 4.2, where there are two options to select from for ABAP Execution Option property: (1)Generate and Execute and (2) Execute Preloaded. Since our ECC client is often locked by BASIS team even on DEV environment, we would like to make use of the second option 'Execute Preloaded' so that we could extract the data from ECC tables without having to ask the BASIS team to unlock the ECC client every time before extraction.
    The problem is that we are getting an error upon generating and uploading the ABAP program to ECC client. I have searched the blogs and so far I have only found that there are certain ABAP programs or function modules that come with SAP BODS which need to be installed by BASIS team on ECC side to allow the ABAP dataflows to be generated and uploaded to ECC server. I would appreciate it if anyone could provide a list of which function modules BASIS needs to install on ECC or a blog that provides details around using this option.
    So far, from the SAP BODS designer, we are performing below steps but getting an error upon generating and uploading the ABAP dataflow program:
    1. Create a test ABAP Dataflow using SAP ECC datastore. Provide the ABAP program options.
    2. Right click, select Generate ABAP Program.
    3. Once the ABAP Program Generation Dialog box appears, check the box "Upload Generated Program".
    4. Upon clicking OK, we are getting the following error:
    The ABAP program <ZRTEST01> for ABAP data flow <RT_TEST_R3> (datastore <R3_DS>) was not uploaded: < RFC CallReceive error <Function /BODS/RFC_ABAP_INSTALL_AND_RUN: RFC_ABAP_MESSAGE- Exception condition "NOT_SUPPORTED_BY_GUI" trigger[SAP NWRFC 720][SAP Partner ### ][clientname][servername][accountname][4103]>. >.
    Any help would be greatly appreciated.
    Thanks,
    Rizwan

    All,
    The BASIS team reviewed steps provided in the BODS document and attempted to install the Function Modules but now none of the BODS jobs would work. All BODS jobs are being terminated with the Syntax Error error when extracting data from ECC using ABAP dataflows:
    17740 16404 R3C-150412 06/17/2014 9:38:46 AM |Data flow RT_DF_TEST_PC207
    17740 16404 R3C-150412 06/17/2014 9:38:46 AM RFC CallReceive error <Function /BODS/RFC_ABAP_INSTALL_AND_RUN: RFC_ABAP_RUNTIME_FAILURE-(Exception_Key: SYNTAX_ERROR)- Syntax
    17740 16404 R3C-150412 06/17/2014 9:38:46 AM error in program /BODS/SAPLBODS                          .[SAP NWRFC 720][SAP Partner 740 ][DEV1][Server][account][4103]>.
    22052 20572 R3C-150412 06/17/2014 9:38:46 AM |Data flow RT_DF_TEST_PC207
    22052 20572 R3C-150412 06/17/2014 9:38:46 AM RFC CallReceive error <Function /BODS/RFC_ABAP_INSTALL_AND_RUN: RFC_ABAP_RUNTIME_FAILURE-(Exception_Key: SYNTAX_ERROR)- Syntax
    22052 20572 R3C-150412 06/17/2014 9:38:46 AM error in program /BODS/SAPLBODS                          .[SAP NWRFC 720][SAP Partner 740 ][DEV1][Server][account][4103]>.

  • How to save the data to sap abap using Adobe Flex

    Hi Everybody......
    I am new to Adobe Flex with SAP ABAP.
    How do I save data in SAP ABAP using Adobe Flex? The coding is ActionScript, using an RFC web service.
    Please give me any suggestions on that.
    Thank you
    Venkatesh V

    Hi Venkatesh,
    Try with the following coding...
    <?xml version="1.0" encoding="utf-8"?>
    <mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute"
         initialize="initApp()">
         <mx:Label x="10" y="23" text="Airline" width="90" id="lblAirline"/>
         <mx:TextInput x="108" y="21" id="txtAirline"/>
         <mx:Button x="10" y="49" label="Get Data" id="btnGetData" enabled="false" click="getData()"/>
         <mx:DataGrid x="10" y="97" id="dgFlightData" dataProvider="">
         </mx:DataGrid>
           <mx:Script>
              <![CDATA[
                   import mx.collections.ArrayCollection;
                   import mx.rpc.AbstractOperation;
                   import mx.rpc.events.FaultEvent;
                   import mx.rpc.soap.LoadEvent;
                   import mx.rpc.events.ResultEvent;
                   import mx.rpc.soap.WebService;
                   [Bindable] public var flightData:ArrayCollection;
        private var flightWS:WebService;
         private function initApp():void{
              flightWS = new WebService();
              flightWS.wsdl = "http://uscib20.wdf.sap.corp:50021/sap/bc/soap/wsdl11?services=ZGTEST&sap-client=000";
            flightWS.addEventListener(FaultEvent.FAULT,onWSError);
              flightWS.addEventListener(LoadEvent.LOAD,onWSDLLoaded);
             flightWS.addEventListener(ResultEvent.RESULT,onFlightWSGotResult);
              flightWS.loadWSDL();
    private function getData():void{
              var operation:AbstractOperation = flightWS.getOperation("ZGTEST");
              var input:Object = new Object();
              input.Airline = txtAirline.text.toUpperCase();
              operation.arguments = input;
              operation.send();
         private function onWSError  (event:FaultEvent):void{
         private function onWSDLLoaded(event:LoadEvent):void{
              btnGetData.enabled = true;
         private function onFlightWSGotResult(event:ResultEvent):void{
              flightData = event.result.SFLIGHT;
              ]]>
         </mx:Script>
    </mx:Application>
    Regards,
    Vinoth
