HTTPs connection from SAP WebAS
Hello,
I have to establish a connection from SAP WebAS to an iSaSiLk server via HTTPS.
The iSaSiLk authentication is based on client certificates.
I've created an SSL client PSE, generated the Certificate Request, imported the certificate response and the chain of certificates associated with no errors. When testing the connection we're getting the following error message:
SAP icm log:
[Thr 1087400256] ->> SapSSLSessionInit(&sssl_hdl=0x2aaaba679980, role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT))
[Thr 1087400256] <<- SapSSLSessionInit()==SAP_O_K
[Thr 1087400256] in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"
[Thr 1087400256] out: sssl_hdl = 0x1a3310c0
[Thr 1087400256] ->> SapSSLSetNiHdl(sssl_hdl=0x1a3310c0, ni_hdl=22)
[Thr 1087400256] NiIBlockMode: set blockmode for hdl 22 TRUE
[Thr 1087400256] <<- SapSSLSetNiHdl(sssl_hdl=0x1a3310c0, ni_hdl=22)==SAP_O_K
[Thr 1087400256] ->> SapSSLSetSessionCredential(sssl_hdl=0x1a3310c0, &cred_name=0x1a49e4e0)
[Thr 1087400256] SapISSLComposeFilename(): Filename = "/usr/sap/XID/DVEBMGS00/sec/SAPSSLSPHTID.pse"
[Thr 1087400256] <<- SapSSLSetSessionCredential(sssl_hdl=0x1a3310c0)==SAP_O_K
[Thr 1087400256] in: cred_name = "/usr/sap/XID/DVEBMGS00/sec/SAPSSLSPHTID.pse"
[Thr 1087400256] ->> SapSSLSetTargetHostname(sssl_hdl=0x1a3310c0, &hostname=0x1a4a09e0)
[Thr 1087400256] <<- SapSSLSetTargetHostname(sssl_hdl=0x1a3310c0)==SAP_O_K
[Thr 1087400256] in: hostname = "<remoteServer_to_be_accessed>"
[Thr 1087400256] ->> SapSSLSessionStart(sssl_hdl=0x1a3310c0)
[Thr 1087400256] SapISSLUseSessionCache(): Creating NEW session (0 cached)
[Thr 1087400256] Tue Jan 13 10:10:22 2009
*[Thr 1087400256] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL*
[Thr 1087400256] session uses PSE file "/usr/sap/XID/DVEBMGS00/sec/SAPSSLSPHTID.pse"
[Thr 1087400256] SecudeSSL_SessionStart: SSL_connect() failed
secude_error 536871693 (0x2000030d) = "none of the PSEs registered with hSsl can suffice the negotiated SSL cipher suite"
[Thr 1087400256] >> Begin of Secude-SSL Errorstack >>
[Thr 1087400256] ERROR in ssl3_get_certificate_request: (536871693/0x2000030d) none of the PSEs registered with hSsl can suffice
[Thr 1087400256] << End of Secude-SSL Errorstack
[Thr 1087400256] SSL_get_state() returned 0x00002150 "SSLv3 read server certificate request A"
[Thr 1087400256] No certificate request received from Server
[Thr 1087400256] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x1a3310c0)==SSSLERR_SSL_CONNECT
[Thr 1087400256] ->> SapSSLErrorName(rc=-57)
[Thr 1087400256] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT
[Thr 1087400256] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt
On the iSaSiLk server we're getting:
ssl_debug(2): Starting handshake (iSaSiLk 3.06)...
ssl_debug(2): Received v3 client_hello handshake message.
ssl_debug(2): Client requested SSL version 3.0, selecting version 3.0.
ssl_debug(2): Creating new session 11:5F:04:C9:0D:32:15:B9...
ssl_debug(2): CipherSuites supported by the client:
ssl_debug(2): SSL_RSA_WITH_RC4_128_SHA
ssl_debug(2): SSL_RSA_WITH_RC4_128_MD5
ssl_debug(2): SSL_RSA_WITH_3DES_EDE_CBC_SHA
ssl_debug(2): SSL_RSA_WITH_DES_CBC_SHA
ssl_debug(2): SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
ssl_debug(2): SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
ssl_debug(2): SSL_RSA_EXPORT_WITH_RC4_40_MD5
ssl_debug(2): CompressionMethods supported by the client:
ssl_debug(2): NULL
ssl_debug(2): Sending server_hello handshake message.
ssl_debug(2): Selecting CipherSuite: SSL_RSA_WITH_RC4_128_SHA
ssl_debug(2): Selecting CompressionMethod: NULL
ssl_debug(2): Sending certificate handshake message with server certificate...
ssl_debug(2): Sending certificate_request handshake message...
ssl_debug(2): Sending server_hello_done handshake message...
ssl_debug(2): IOException while handshaking: Connection closed by remote host.
ssl_debug(2): Sending alert: Alert Fatal: handshake failure
ssl_debug(2): Shutting down SSL layer...
ssl_debug(2): Closing transport...
From the iSaSiLk everything seems to be OK, but on the SAP WebAS the error "none of the PSEs registered with hSsl can suffice the negotiated SSL cipher suite" is really unclear, since the cipher chosen by the iSaSiLk is one of the ciphers sent by SAP WebAS...
Can anyone give me any suggestion?
Hello Olivier,
Thanks for your answer.
I've implemented note 800240 which facilitates the PSE analysis by implementing the report ZSSF_TEST_PSE. With this report I'm able to check all the PSE content, which are:
Filename SAPSSLSPHTID.pse
PIN <no>
Signature X
Encryption X
Profile Parameter
DIR_INSTANCE /usr/sap/XID/DVEBMGS00 /usr/sap/XID/D00
sec/dsakeylengthdefault 1024
sec/libsapsecu /usr/sap/XID/SYS/exe/run/libsapcrypto.so
sec/rsakeylengthdefault 1024
ssf/name SAPSECULIB
ssf/ssf_md_alg SHA1
ssf/ssf_symencr_alg DES-CBC
ssf/ssfapi_lib /usr/sap/XID/SYS/exe/run/libsapcrypto.so
ssf2/name
ssf2/ssf_md_alg SHA1
ssf2/ssf_symencr_alg DES-CBC
ssf2/ssfapi_lib
ssf3/name
ssf3/ssf_md_alg SHA1
ssf3/ssf_symencr_alg DES-CBC
ssf3/ssfapi_lib
Environment variables
USER xidadm
SECUDIR /usr/sap/XID/DVEBMGS00/sec
PSE
Validity 18.12.2008 19:47:04 18.12.2009 19:47:04
Algorithm RSA (OID 1.2.840.113549.1.1.1)
Test signature
Signature OK
Verification OK
Test encryption
Encryption OK
Decryption OK
As you can see, the cipher algorithm used is RSA. Any suggestion... ?
An iSaSiLk server "is a Java programming language implementation of the SSLv2 (client-side), SSLv3, TLS 1.0 and TLS 1.1 protocols. It supports all defined cipher suites (except for Fortezza), including all AES and PSK cipher suites. iSaSiLk implements all standard TLS extensions, comes with an easy to use API and operates on top of the IAIK-JCE Java™ Cryptography Extension. iSaSiLk is highly configurable and will work with any alternative JCE implementation supported by a proper provider for supplying the required cryptographic algorithms".
Once again thanks for your answer.
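The two traces posted in this thread can be correlated mechanically to see at which handshake message the client stopped. The following is an added example, not part of the original thread and not SAP or iSaSiLk tooling; the function names are illustrative, and the sample text is abridged from the logs above.

```python
import re

# Abridged from the two traces posted above (thread prefixes dropped).
ICM_TRACE = '''\
->> SapSSLSessionInit(&sssl_hdl=0x2aaaba679980, role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT))
SapISSLComposeFilename(): Filename = "/usr/sap/XID/DVEBMGS00/sec/SAPSSLSPHTID.pse"
secude_error 536871693 (0x2000030d) = "none of the PSEs registered with hSsl can suffice the negotiated SSL cipher suite"
ERROR in ssl3_get_certificate_request: (536871693/0x2000030d) none of the PSEs registered with hSsl can suffice
SSL_get_state() returned 0x00002150 "SSLv3 read server certificate request A"
'''
SERVER_DEBUG = '''\
ssl_debug(2): CipherSuites supported by the client:
ssl_debug(2): SSL_RSA_WITH_RC4_128_SHA
ssl_debug(2): SSL_RSA_WITH_RC4_128_MD5
ssl_debug(2): SSL_RSA_WITH_3DES_EDE_CBC_SHA
ssl_debug(2): CompressionMethods supported by the client:
ssl_debug(2): NULL
ssl_debug(2): Selecting CipherSuite: SSL_RSA_WITH_RC4_128_SHA
ssl_debug(2): Sending certificate handshake message with server certificate...
ssl_debug(2): Sending certificate_request handshake message...
ssl_debug(2): Sending server_hello_done handshake message...
ssl_debug(2): IOException while handshaking: Connection closed by remote host.
'''

def _find(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_icm(trace):
    """Pull the client-side facts out of an ICM SSL trace."""
    return {
        "auth_type": _find(r"auth_type=\d+ \((\w+)\)", trace),
        "pse": _find(r'Filename = "([^"]+\.pse)"', trace),
        "secude_error": _find(r"secude_error \d+ \((0x[0-9a-fA-F]+)\)", trace),
        "failed_in": _find(r"ERROR in (\w+):", trace),
        "ssl_state": _find(r'SSL_get_state\(\) returned \S+ "([^"]+)"', trace),
    }

def parse_server(debug):
    """Pull offered/selected suites and sent handshake messages from ssl_debug output."""
    offered, sent, selected, error, in_offer = [], [], None, None, False
    for line in debug.splitlines():
        msg = re.sub(r"^ssl_debug\(\d+\):\s*", "", line.strip())
        if msg.startswith("CipherSuites supported by the client"):
            in_offer = True
        elif in_offer and re.fullmatch(r"(?:SSL|TLS)_\w+", msg):
            offered.append(msg)
        else:
            in_offer = False  # any other line ends the offered-suite list
            selected = _find(r"^Selecting CipherSuite: (\w+)", msg) or selected
            step = _find(r"^Sending (\w+) handshake message", msg)
            if step:
                sent.append(step)
            if "while handshaking" in msg:
                error = msg
    return {"offered": offered, "selected": selected, "sent": sent, "error": error}

def diagnose(icm, srv):
    """Correlate both sides: was the suite agreed, and at which message did the client stop?"""
    cipher_ok = srv["selected"] is not None and srv["selected"] in srv["offered"]
    stage = None
    # Client error raised while reading a message the server reports having sent.
    if icm["failed_in"] == "ssl3_get_certificate_request" and "certificate_request" in srv["sent"]:
        stage = "certificate_request"
    return {
        "cipher_ok": cipher_ok,
        "client_cert_expected": icm["auth_type"] == "USE_CLIENT_CERT",
        "failure_stage": stage,
        "pse": icm["pse"],
    }

if __name__ == "__main__":
    print(diagnose(parse_icm(ICM_TRACE), parse_server(SERVER_DEBUG)))
```

On the posted traces this reports that the cipher suite was agreed and that the client stopped while reading the server's certificate_request, so that step and the certificate held in the named PSE are the place to look, not the cipher list.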
Similar Messages
-
User type for creating the Http connection from sap to xi
Hi Friends,
I need to create the Http and Rfc destination connection from R3 to XI.
For that what type of user is needed, like Dialog user and etc.,
Please guide me.
Thanks in advance
Karthikeyan
Hi,
If my Understanding is Correct You want to Make the RFC Destination of Type H From R/3 to XI.
If you want to send Any XML Data to XI( In case of Proxies Used means)
For Testing purpose You can use Your User And Once it went to production means You can Use Service User in the Logon Details( Ask Basis people to create one Service User & Use it)
Regards
Seshagiri
-
HTTP connection from OSB web service to external system via a Proxy Server
Dear experts,
May I know has anyone tried to use HTTP protocol to send a request from OSB web service to external system via a proxy server? Heard that we need to establish some sort of tunnel (socket) to talk to Proxy Server. Can you please any have sample code or configuration steps to share?
Thank you very much!!
http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/consolehelp/global_resources.html#wp1137294
Adding Proxy Servers
Use the Summary of Proxy Servers page to add and configure Proxy Server resources and make them available in Oracle Service Bus as a system resource. You must be in an active session to configure or reconfigure Proxy Server resources.
1. If you have not already done so, click Create to create a new session or click Edit to enter an existing session. See Using the Change Center.
2. Select System Administration > Proxy Servers.
3. Click Add.
4. In the Name field, enter a name for the Proxy Server resource. This is a required field.
5. In the Description field, enter a short description for the Proxy Server resource.
6. In the Host-Port Parameters section, enter the following information:
   1. In the Server Host field, enter the host name or IP address of the Proxy Server. This is a required field.
      The Server Host name for the Oracle Service Bus proxy server must be identical to the server host name of the actual proxy server.
   2. In the Clear Text Port field, enter the Proxy Server clear-text port number.
   3. In the SSL Port field, enter the Proxy Server SSL port number. You must enter either a clear text or SSL port number.
   4. Click Add.
   You can configure multiple Proxy Servers for each Proxy Server resource. This enables Oracle Service Bus to perform load balancing and offer fault tolerance features for the Proxy Server resource.
7. If the Proxy Server performs proxy authentication, enter a user name in the User Name field, and the associated password in the Password and Confirm Password fields.
These fields are optional, and required only if the Proxy Server is secured.
8. Click Save to create and save the Proxy Server resource in the current session.
9. To end the session and deploy the configuration to the run time, click Activate under Change Center.
-
HTTPS connection from servlet to another webserver
Hi,
We want to make a https connection from a servlet in weblogic server to another
web server (not necessarily weblogic). We also need dual authentication. But whenever
we use URL.openConnection(), it always returns us weblogic's internal https and
SSL implementation. Since weblogic has no documentation about how to use these
internal classes, such as how to set trusted server certificate, and how to set
client certificate (servlet is a client of another web server). We want to use
jsse, after setting JSSE required system properties, I still get a weblogic's
httpsURLConnection. Can any of you tell me how to resolve this issue?
Thanks.
Xinshi
Yeah, I'm using JSSE now. Here is what I did:
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
Provider prov = new SimpleSecureProvider();
prov.setProperty("SecureRandom.efficient", "test.EfficientSecureRandom");
Security.insertProviderAt(prov, 1);
You don't really need the provider stuff to get the example working. I use it
to get around a quirk in JSSE where the random number generator takes 15-30 seconds
to generate a random sequence at start up.
SimpleSecureProvider looks like this:
import java.security.Provider;
public class SimpleSecureProvider extends Provider {
    public SimpleSecureProvider() {
        // Provider(name, version, info)
        super("SimpleSecureProvider-", 1.0, "Hack to enable more efficient random seed generator");
    }
}
test.EfficientSecureRandom is basically an exact copy of Sun's SecureRandom.java
with the only difference that I used my own random number generator.
Anyway, rest of the code you need looks like this:
URL url = new URL("https://someplace.com");
URLConnection sconnection = url.openConnection();
Do whatever.
I also stored jcert.jar, jnet.jar, jsse.jar in /usr/java/jdk1.3/lib/ext
I think that is everything.
I just noticed that service pack 9 has a security example that does not require
all these jsse hacks. I'm trying to get it to work, but not having much luck.
Anybody got this working right?
"Jayesh Patel" <[email protected]> wrote:
See if this works,
1. Add the 'j2ee.jar' to CLASSPATH in weblogic startup script.
2. Set the property SSLHandlerEnabled false in config.xml
3. Add the following property permission to the
'weblogic.policy' file under a 'grant' directive
for all codebases (bottom): 'permission java.security.AllPermission'
4. Use the following bit of source code to create an https connection:
import com.sun.net.ssl.*; ....
com.sun.net.ssl.HttpsURLConnection connection;
System.setProperty ("java.protocol.handler.pkgs",
"com.sun.net.ssl.internal.www.protocol");
java.security.Security.addProvider(new
com.sun.net.ssl.internal.ssl.Provider() );
URL url = new URL( "https", hostname, query );
connection = (com.sun.net.ssl.HttpsURLConnection )url.openConnection();
-Jayesh
"Xinshi Sha" <[email protected]> wrote in message
news:[email protected]...
Hi,
We want to make a https connection from a servlet in weblogic server to another
web server (not necessarily weblogic). We also need dual authentication. But whenever
we use URL.openConnection(), it always returns us weblogic's internal https and
SSL implementation. Since weblogic has no documentation about how to use these
internal classes, such as how to set trusted server certificate, and how to set
client certificate (servlet is a client of another web server). We want to use
jsse, after setting JSSE required system properties, I still get a weblogic's
httpsURLConnection. Can any of you tell me how to resolve this issue?
Thanks.
Xinshi
-
HTTPS connection from database
Hi all,
I have to implement https connection from a database with a Web server which requests a client certificate. I have the certificate in the wallet, but UTL_HTTP does not send it to the Web server.
So, is there any way to connect to a Web server which requires a client certificate?
Could you explain how transport protocol influences certificate exchange during SSL session?
-
HTTPS connection from portal to external webserver
Hi,
I am looking for a way to open an HTTPS connection from portal server to an external webserver. According to SAP (http://help.sap.com/saphelp_nw04/helpdata/en/e2/71c83edf72e16be10000000a114084/content.htm) the code should look like
KeyStore keystoreCAs = ...
SecureConnectionFactory factory = new SecureConnectionFactory(keystoreCAs, null);
HttpURLConnection con = factory.createURLConnection("https://www.mycompany.com");
Does not look difficult, but how do I create the keystore object? The keystore object should somehow be connected to the portal server's keystore which manages the certificates of trusted Certificate Authorities.
Any ideas?
Regards,
Martin
Hi,
meanwhile I solved the problem on my own. The solution slightly simplified is given below.
javax.naming.InitialContext ctx = new javax.naming.InitialContext();
java.lang.Object o = ctx.lookup("keystore");
com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub manager = (com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub) o;
java.security.KeyStore keystoreCAs = manager.getKeystore("TrustedCAs");
com.sap.security.core.server.https.SecureConnectionFactory factory = new com.sap.security.core.server.https.SecureConnectionFactory(keystoreCAs, null);
java.net.HttpURLConnection con = factory.createURLConnection("https://www.mycompany.com");
For connecting via a proxy the host name and port number of the proxy have to be set as System properties using "https.proxyHost" and "https.proxyPort".
java.util.Properties systemSettings = System.getProperties();
systemSettings.put("proxySet", "true");
systemSettings.put("https.proxyHost","192.168.0.1") ;
systemSettings.put("https.proxyPort", "80") ;
Additionally you have to make sure that the server's certificate is issued by a trusted Certification Authority (Must have an entry in your Keystore "TrustedCAs"). To verify this use the Visual Administrator and view service "Key Storage".
Regards,
Martin
-
Is direct connection from SAP BI 7.0 to XCelsius already available?
Hello,
Is direct connection from SAP BI 7.0 to XCelsius already available?
Thanks
In Xcelsius SP2, visualizations can be connected to an SAP system and use live data returned by an SAP query.
Refer Xcelsius SP2 what's new guide:
http://help.sap.com/businessobject/product_guides/xcelsius2008SP2/en/sp2_xcelsius_new_en.pdf
-
Remote Connection from SAP to MS-SQL server
Hello Experts,
We have been following 2 options so far and we have come across some issues
The first Option is to call a stored procedure (this is our preferred method) which does the data transfer for us
We have been able to test this scenario successfully from SQL Server side
However, while calling the stored proc via native SQL from ABAP we have come across an issue which is due to SQL 2005 changes (Schema implementation and difference in the security context)
While calling the stored procedure from the ABAP Code we have an error
The program short dumps with runtime error DBIF_DSQL2_SQL_ERROR, exception CX_SY_NATIVE_SQL_ERROR. The database error code is 15274, and the error text is
"Access to the remote server is denied because the current security context is not trusted."
This issue is new after the SQL Server 2005.
We are trying to resolve that.
Secondly we have been trying the DBCON option as well as per OSS Note 323151
We have a few things that's impacting our scenario:
The remote servers are in a different domain
The remote servers are located in DIZ
Remote server is a named instance
Remote server has been configured with a different port than standard (1565) – All Connection strings will need port in there
The Database name starts with a numeric value
Due to a combination of factors as mentioned above the standard approach does not work
Have any of you used this approach while connecting from SAP to MS-SQL server? Do you know of any successful methods to connect to SQL using ABAP (or not) from SAP.
Thanks in advance,
Yes,
DBConnect & UDConnect.
Works like a charm.
We write data into a MS-SQL database via DBConnect & an ABAP program (using open sql).
-
Upgrade from SAP Webas 6.40 to SAP Netweaver 2004s
Do we have to change the virtual host name used for high availability clustering environment to local host name before we conduct the upgrade from SAP WebAS 6.40 to SAP NetWeaver 2004's ?
-
SAP DB Connection from SAP BI on HP UNIX to MS SQL External Database
Dear All,
Greetings!
I have a scenario to configure a SAP DB Connection from SAP BI System on HP UNIX 11i to the external legacy system MS SQL 2000 Enterprise for data upload. I am interested in connecting the SQL server as a Source System to the BI System.
I read through documents mentioning about installation of a Client driver in the SAP BI System, I also downloaded the JDBC client software and tried installing the same, but the steps as mentioned Setting the CLASSPATH or connecting to the server did not work.
Please help me in connecting the SQL Server as Source System, I would like to know in detail about the same - so kindly help me with the links to documents and guides about the same.
Thank you
Regards,
Vineeth Damodar
Short answer: this does not work.
Long answer: To connect directly to the database you need
- a database client for the source system
- a database interface library for the source system
Both of them are not available for HP-UX if the target database is SQL server --> doesn't work.
What you can do is: add a Windows application server to your BI system (heterogeneous installations work and are supported) and add there the database client and the database interface library.
Markus
-
Connection from SAP ERP 6 to B1i2007
Hello,
the test-connection between B1i and SAP is working, but when trying to test the connection from SAP to B1i, SAP gives the error message that "the program is not registered".
The B1i-System seems to be not registered in the SAP and it is only shown as "external client" (and not as registered server).
Another problem is that in B1i we have entered as programID-name "B1iRFC" but SAP shows "tomcat5" as TP-name.
I thought B1i would register automatically on the SAP with the name of the programm-id entered.
Do we have to change something in the tomcat-server or where to find the problem?
Thank you,
Peter
Hello Eddy,
thank you for your answer, but in R/3 I define a RFC-connection with a registered server programm by using the programID out of the B1i-RFCP-configuration, right?
And when trying to make a test-connection, I got an error message that there is no registered program with this programID.
I thought that B1i have to be registered in SAP or in the SAP-Gateway with the name of this programID.
I think my problem is the registered server program in R/3. Where do I get this program and how to register in the R/3 gateway? Isn't the tomcat-server this program?
Best regards,
Peter
-
Connection from SAP to our systems involving 2 saprouters
connection from SAP to our systems involving 2 saprouters
we have 1 saprouter inside a dmz and another for connecting to our systems.
we are guessing that this is possible
SAP (sapserv2) --SNC----> saprouter1 (DMZ, SNC connection) --> saprouter2 (P * * 3200) ---> SAP1, SAP2...
But how could we do that?
How can we let SAP know that they need to connect to 2 saprouters instead of 1?
The "Mantain System Data" in sap service marketplace only lets us introduce 1 saprouter.
And how should be the saprouttab of the 2 saprouters?
saprouter1:
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 000.00.00.00 *
P * saprouter2 3299
saprouter2:
P * * 3200
P * * 3600
is that possible?
Many thanks !!
Hi
As far as my experience goes with this you have to maintain both router information in oss1 tcode
Also mention second router on the second router tab on the SMP data
I hope it should work with that as it will automatically create router table
-
Setting up a https connection between SAP CRM and genesys gplus adapter
Hello All-
We are integrating SAP CRM with genesys mysap gplus adapter. We are stuck in setting up a https connection between sap and gplus adapter.
Can anyone here help me out in this like how to get the SSL Protocol, keystore, keystore password,truststore and truststore password.
Information abt Adapters server certificate. Do we need to configure the adapter for the proxy also?
Any additional comment will help. Thanks in advance!
Hello Vinod,
Please refer the following OSS notes 564085.
Please reward if helpful.
regards,
Muralidhar Prasad.C
-
Hi,
I have (stupid perhaps) question.
Is this scenario possible:
SNC connection from SAP GUI to SAP Router, and non-SNC connection from SAP Router to SAP System.
I know how to set up scenario like this:
SAP System --- (non-SNC conn) --- saprouter1 --- (SNC conn) --- saprouter2 --- (non-SNC conn) --- SAP GUI.
Best regards,
Marek Majchrowski
Wolfgang,
To be sure myself and Marek understand, can you confirm the different scenarios supported:
Scenario 1:
SAP GUI --- (non SNC conn) --- saprouter1 --- (SNC conn) --- saprouter2 --- (non-SNC conn) --- SAP System
With this scenario, it would be possible for a user to logon using SAP GUI onto the SAP System, but without SAP GUI SNC.
Scenario 2:
SAP GUI --- (SNC conn) --- saprouter1 --- (non SNC conn) --- saprouter2 --- (SNC conn) --- SAP System
With this scenario it would be possible to logon to the SAP System using SAP GUI, and using SNC authentication.
Also, with this scenario the SAP GUI software and SAP System software would consider this to be similar to:
SAP GUI -- (SNC conn) -- SAP System
Scenario 3:
This is the scenario mentioned by Marek in his initial question:
SAP GUI -- (SNC conn) -- saprouter1 -- (non SNC conn) -- SAP System
With this scenario it will not be possible to logon to SAP System using SNC, and only possible if the SAP GUI is configured to not use SNC. In other words the SNC connection between SAP GUI and saprouter1 is available, but cannot be used.
Thanks,
Tim
Edited by: Tim Alsop on Feb 25, 2008 5:24 PM
-
Problem in connection from SAP to XI
Hi Guys,
I have problem to connect from SAP to XI. We have existing SAP R/3 (IS-H) and we newly installed XI. We decided to use ABAP proxy to send data from SAP to XI. When I go to SPROXY system showing No Connection to Integration Builder. Please kindly advice what configuration we need to in SAP side in order to connect XI.
It's Very Urgent. Please advice me.
Thanks in Advance.
Regards,
Anil.
Anil,
could you please have a look to SAP Note 689847 - XI 3.0: SPROXY - No connection to the Integration Builder
Cheers,
-Sunil