SSSLERR_SERVER_CERT_MISMATCH when configuring end to end SSL
We are configuring the scenario of end-to-end SSL on the web dispatcher
to a central instance NW2004S system (XI). We have followed the
installation guides for the web dispatcher and the procedures for
enabling SSL on the ABAP and JAVA stacks. The document "Configuring
SSL on the Web Dispatcher" states that you need to request a
certificate for the JAVA stack in the name of the web dispatcher so you
do not get the "invalid certificate or does not match the name of the
site". This piece works fine.
Configuring the ABAP stack is different. If we configure the ABAP
stack in the conventional way (CN=hostname, OU=x, O=x, U=US), then we
have no problems hitting the servers directly to test SSL, but when we
try to do a redirect to the Web AS ABAP stack functionality (like
Webgui), I get the above certificate error. Basically, anything with
the url ending in /sap/bc, /sap, etc, routed to the ABAP stack.
If we try to use the methodology specified for the JAVA stack, and
request a certificate in the name of the web dispatcher, I get the
following error:
[Thr 4] Mon Aug 13 21:24:14 2007
[Thr 4] MatchTargetName("FQDN-Central Instance", "CN=FQDN-Web
Dispatcher Server, OU=XXX, O=XXX, C=US") FAILS
[Thr 4] SSL socket: local=0.0.0.0:0 peer=0.0.0.0:0
[Thr 4] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x100c16940)
==SSSLERR_SERVER_CERT_MISMATCH
[Thr 4] *** ERROR => MsHttpLBThread: SapSSLSessionStart (rc=-30)
SSSLERR_SERVER_CERT_MISMATCH [msxxhttp_mt. 7265]
I see this in the ASCS dev_ms trace file for the ABAP stack. The SCS
dev_ms file is fine.
If I change the requested host back to the name of the CI and get
another certificate in the CI's name, there are no errors but I get the
pop up warning about the certificates. I can't use the web dispatcher
for what I want (XI load balancing).
I have searched SAP Notes and SDN and have not come up with any leads.
I solved this problem by setting the following profile parameter on my webdispatcher profile.
wdisp/ssl_ignore_host_mismatch = true
Doesn't fix the underlying problem but got me going until I can figure it out.
Similar Messages
-
Error when configuring Web Dispatcher for SSL with Enterprise Portal
We are in the process of configuring the Web Dispatcher using SSL to connect to our Enterprise Portal (the Web Dispatcher will be in the DMZ). We have followed all of the help.sap.com guides and now have SSL listening on the EP side (port 8103). We are now receiving this strange certificate error when we start the Web Dispatcher:
[Thr 5332] Tue Mar 20 00:36:23 2007
[Thr 5332] MatchTargetName("<FULLY QUALIFIED HOSTNAME>", "CN=XXX, OU=XXX, O=XXXX, C=XX") FAILS
[Thr 5332] SSL socket: local=<IPADDRESS>:4742 peer=<IPADDRESS>:8103
[Thr 5332] <<- ERROR: SapSSLSessionStart(sssl_hdl=009D7670)==SSSLERR_SERVER_CERT_MISMATCH
[Thr 5332] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH [icxxconn.c 2005]
[Thr 5332] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx.c 4919]
[Thr 5332] *** ERROR => Could not connect to SAP Message Server at <FULLY QUALIFIED HOST NAME>. URL=/msgserver/text/logon?version=1.2 [icrxx.c 2301]
[Thr 5332] *** ERROR => rc=-1, HTTP response code: 0 [icrxx.c 2302]
[Thr 5332] *** ERROR => see also OSS note 552286 [icrxx.c 2303]
We have gone through the trouble shooting note 552286 as listed in the error above. Any assistance is appreciated.Hello, did you receive any resolution for this problem? We are receiving a similar error and I am unsure of how to resolve.
-
Internal error int reply to ClientHello on ACE20 module with end-to-end SSL
Hello, world!
We have weird behaviour of our Cisco ACE20 module configured for end-to-end SSL (initiation+termination) - the module from time to time replies with SSLv3/TLSv1 alert "Fatal: internal error" message to the client right after client have sent 'ClientHello' SSL message. So sometimes SSL connection works and sometimes will be immediately closed due to this fatal error. The behaviour is very similar to the one described below:
CSCtc52085—After a client sends a ClientHello message, the SSL hand shake may fail with a fatal alert internal error sent by the ACE. This behavior is intermittent and may occur under the following conditions:
1. An SSL service is configured with the session-cache timeout command (session reuse).
2. SSL connections are aborted by the client after the client sends a ClientHello message to the service in condition 1 and before an internal resource state is changed. This behavior puts the internal resource in an improper state. This error is very timing sensitive.
3. The next connection that uses the internal resource in the improper state fails with a fatal alert internal error. That connection does not have to go to the service in condition 1 to experience this error because the internal resource is shared by all the SSL services.
Workaround: None.
But we have software version A2(3.1) and this bug must have been resolved in this release (at least it's listed in resolved caveats section of release notes).
Software
loader: Version 12.2[123]
system: Version A2(3.1) [build 3.0(0)A2(3.1)]
system image file: [LCP] disk0:c6ace-t1k9-mz.A2_3_1.bin
Again, we don't have session-cache timeout configured on the ACE.
On the ACE we have following stats:
ACE1/VC_UNIX# sh stats crypto server
SSL Server Statistics:
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 0
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 1
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 2
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 0
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 16
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
SSLv2 client hello received: 0
SSLv3 client hello received: 0
TLSv1 client hello received: 68
SSLv3 negotiated protocol: 0
TLSv1 negotiated protocol: 68
SSLv3 full handshakes: 0
SSLv3 resumed handshakes: 0
Cipher sslv3_rsa_rc4_128_md5: 0
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
TLSv1 full handshakes: 33
TLSv1 resumed handshakes: 0
Cipher tlsv1_rsa_rc4_128_md5: 68
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
Session headers extracted: 0
Session headers failed: 0
Server cert headers extracted: 0
Server cert headers failed: 0
Client cert headers extracted: 0
Client cert headers failed: 0
Headers truncated: 0
Redirects due to cert not yet valid: 0
Redirects due to cert expired: 0
Redirects due to unknown issuer cert: 0
Redirects due to cert revoked: 0
Redirects due to no client cert: 0
Redirects due to no CRL available: 0
Redirects due to expired CRL: 0
Redirects due to bad cert signature: 0
Redirects due to other cert error: 0
Internal error: 27
Handshake FlushRX operations: 0
Handshake FlushTX operations: 0
Xscale messages rcvd from ME: 1313330
Xscale messages sent to ME: 2041768
Finish msg split across ssl recs: 0
Fasttx msg ring full: 0
SSL_ME tx msg ring full: 0
N2 encrypt_record: 0
N2 decrypt_record: 144433
N2 random: 439915
N2 handshake_hash: 878094
N2 hash: 0
N2 gpop_master: 291164
N2 gpop_import_master_secret: 5
N2 gpop_pkcs1v15enc: 144430
N2 gpop_pkcs1v15enc_crt: 0
N2 gpop_finish: 291140
N2 gpop_verify: 0
N2 gpop_pkcs1v15dec: 0
N2 gpop_pkcs1v15dec_crt: 146752
N2 rsa_server_full: 15
N2 resume: 12
UXP A: 24576
UXP B: 0
The "Internal error" counter increases with failed connections.
Printscreen from wireshark attached.
Maybe someone has the problem like ours? I have no idea how to troubleshoot these "internal errors"... :-(
Thanks for your replies.Thanks for your reply.
The problem is not server-related, I have exactly the same situation if I do SSL termination only, with unencrypted connection between ACE and backend servers (another servers, with blank apache installed and listening on 443 port for non-SSL traffic) - generally speaking, it works, but often with these "internal errors" - not suitable for production.
Here is the output from the commands
# show np 1 me-stats -E0
SSL Server Statistics:
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 0
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 0
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 0
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 0
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 0
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
SSLv2 client hello received: 0
SSLv3 client hello received: 0
TLSv1 client hello received: 0
SSLv3 negotiated protocol: 0
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 0
SSLv3 resumed handshakes: 0
Cipher sslv3_rsa_rc4_128_md5: 0
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
TLSv1 full handshakes: 0
TLSv1 resumed handshakes: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
Session headers extracted: 0
Session headers failed: 0
Server cert headers extracted: 0
Server cert headers failed: 0
Client cert headers extracted: 0
Client cert headers failed: 0
Headers truncated: 0
Redirects due to cert not yet valid: 0
Redirects due to cert expired: 0
Redirects due to unknown issuer cert: 0
Redirects due to cert revoked: 0
Redirects due to no client cert: 0
Redirects due to no CRL available: 0
Redirects due to expired CRL: 0
Redirects due to bad cert signature: 0
Redirects due to other cert error: 0
Internal error: 0
SSL Client Statistics:
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 0
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 4108
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 63355
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 0
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 37662
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
SSLv2 client hello received: 0
SSLv3 client hello received: 0
TLSv1 client hello received: 0
SSLv3 negotiated protocol: 0
TLSv1 negotiated protocol: 4062020
SSLv3 full handshakes: 0
SSLv3 resumed handshakes: 0
Cipher sslv3_rsa_rc4_128_md5: 0
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
TLSv1 full handshakes: 4015344
TLSv1 resumed handshakes: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 4062020
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL authentication cache hits: 4059147
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 4059888
Failed SSL server authentications: 0
Session headers extracted: 0
Session headers failed: 0
Server cert headers extracted: 0
Server cert headers failed: 0
Client cert headers extracted: 0
Client cert headers failed: 0
Headers truncated: 0
Redirects due to cert not yet valid: 0
Redirects due to cert expired: 0
Redirects due to unknown issuer cert: 0
Redirects due to cert revoked: 0
Redirects due to no client cert: 0
Redirects due to no CRL available: 0
Redirects due to expired CRL: 0
Redirects due to bad cert signature: 0
Redirects due to other cert error: 0
Internal error: 20380
Handshake FlushRX operations: 0
Handshake FlushTX operations: 0
Xscale messages rcvd from ME: 12092768
Xscale messages sent to ME: 0x0176adac
Finish msg split across ssl recs: 0
Fasttx msg ring full: 0
SSL_ME tx msg ring full: 0
N2 encrypt_record: 0
N2 decrypt_record: 4015344
N2 random: 8148797
N2 handshake_hash: 4322635
N2 hash: 0
N2 gpop_master: 4041700
N2 gpop_import_master_secret: 0
N2 gpop_pkcs1v15enc: 4041700
N2 gpop_pkcs1v15enc_crt: 0
N2 gpop_finish: 4031710
N2 gpop_verify: 0
N2 gpop_pkcs1v15dec: 0
N2 gpop_pkcs1v15dec_crt: 0
N2 rsa_server_full: 0
N2 resume: 0
UXP A: 24576
UXP B: 0
# show np 1 me-stats "-shttp -v"
HTTP Statistics (Current)
Unknown msgs received: 0 0
Data rx msgs received: 288293958 4
TCP proxy rx msgs received: 9816884 1
Ack trigger rx msgs received: 0 0
TCP event rx msgs received: 52961189 2
Dest decision tx msgs received: 55155089 1
LB dest decision tx msgs received: 0 0
Close tx msgs received: 83942817 0
Inspect allow tx msgs received: 0 0
Inspect drop tx msgs received: 0 0
DRAM blocks read: 577612022 16
Buffers dropped: 2702255 0
Regex states read: 38438408 25
Unproxy cancellations: 0 0
Redundant closes: 2990271 0
Internal errors: 0 0
Conn mismatch errors: 2748628 0
Exception with close: 6 0
Dest errors: 1 0
Total Packet count (Tx & Rx): 490169937 8
Stop regex: 12 0
(Context 5 Statistics)
Parse result LB msgs sent: 121180 0
Drop: LB queue full: 0 0
Parse result Inspect msgs sent: 0 0
Drop: Inspect queue full: 0 0
TCP data msgs sent: 96215 0
TCP queue full: 0 0
SSL data msgs sent: 516306 0
SSL queue full: 0 0
TCP fin msgs sent: 939 0
TCP rst msgs sent: 147 0
SSL fin msgs sent: 102907 0
SSL rst msgs sent: 38548 0
Bounced fin msgs sent: 1481 0
Bounced rst msgs sent: 2 0
Unproxy msgs sent: 25333 0
Drain msgs sent: 113966 0
Reuse msgs sent: 2304 0
Particles read: 1448314 0
HTTP requests: 121688 0
Reproxied requests: 17680 0
Headers inserted: 3825 0
Headers removed: 51 0
Headers rewritten: 0 0
HTTP redirects: 0 0
HTTP chunks: 42154 0
Unproxy conns: 25325 0
Pipelined requests: 0 0
Pipeline flushes: 0 0
Whitespace appends: 0 0
Response entries recycled: 24493 0
Second pass parsing: 0 0
Vserver mismatch errors: 5 0
Analysis errors: 0 0
Static parse errors: 20 0
Max parselen errors: 0 0
Resource errors: 75 0
Invalid path errors: 0 0
Bad HTTP version errors: 0 0
Header insert errors: 75 0
Header rewrite errors: 0 0
Invalid policy errors: 0 0
Invalid rserver errors: 0 0
Recycled requests: 0 0
SSL header insert success: 0 0
SSL header insert errors: 0 0
SSL spoof header deleted: 0 0
Drop: RST pipelined request: 0 0
There's nothing in ACE logs.
Forgot to mention - we are running ACE in one-arm mode, but I don't believe it makes a difference. -
Certificate question in Web Dispatcher End-To-End SSL scenario
Hy experts,
in end-to-end SSL scenario the web dispatcher (WD) is not used to encrypt/decrypt data, it is only used to forward requests.
So I think we do need a certificate for the portal server, but none for the web dispatcher itself, right?
Another point is which data should be given for CN, DN, OU etc in this scenario (Portal or WD ??)
kind regards
TomTom,
For end to end SSL you do not need a certificate for the Web dispatcher but your J2EE engine should be configured to be accessible over SSL.
If you get the SSL certificate issued for the J2EE based on the name of the J2EE host it will result in a warning message as portal will be accessed using host name of Web dispatcher, so get the certificate issued under the name of the web dispatcher hostname. So, adjust your CN, DN, OU accordingly.
Cheers!! -
Error in Configuration and End to end monitoring
Hi all,
I am getting error in RWB under configuration and end to end monitoring.
End to end monitoring iam getting
"Neither the messager server nor the application server can be reached for system pirdev.titan.co.in"
and under
Configuration
"Cannot read the configuration for the selected domain because the system was unable to connect to the monitoring server (possibly due to incorrect logon data). Error message: Neither the messager server nor the application server can be reached for system pirdev.titan.co.in"
Please help me.
Regards
Pradeep P NHi,
Have you gone throgh these threads.
Neither the messager server nor the application server can be reached
Error when I click "End-to-End monitoring" in XI runtime workbench
Neither the messager server nor the application server can be reached
Regards
Goli Sridhar -
Best practice SSL End-to-End in Exchange 2010 CAS loadbalancing
Hi,
I was wondering if there is a best practice for deploying SSL End-to-End in Exchange 2010 CAS loadbalancing.
We have ACE modules A5(1.1) and ANM 5.1(0), although there seems to be a template available in ANM it doesn't work. It throws a error when deploying, i believe the template is corrupt.
As I am undersome pressure to deploy this asap I am looking for a sample config. I found one for SSL offloading, but I need one for End-to-End SSL.
Thanks in advance,
DionHi Dion,
You can open up a case with TAC to have that template reviewed and confirm if the problem is at the ACE or ANM side.
In the meantime here is a nice example for End-To-End SSL that can help you to get that working:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
For CAS load balancing there's nothing special other than opening the right ports, I'd advise you to get SSL working first and take it from there, if any problem comes up you can post it here and we'll give you a hand.
HTH
Pablo -
ACE 4710 Appliance end-to-end SSL
Hello,
Am I able to use a port other than 443 to the servers in a end to end SSL config? For example, 443 to the users and 8443 to the servers?
Thanks,
DaveHi Dave,
Sure that's not a problem at all. Just make sure you add the 8443 after the rserver name in the serverfarm configuration
serverfarm host REAL_SERVERS
probe HTTPS-KEEPALIVE
rserver SERVER_01 8443
inservice
rserver SERVER_02 8443
inservice
Hope this helps,
Sean -
Hi,
Is it possible to configure 1024 bits crypto from Client to ACE and 2048 bits from ACE-server, using a CA certificated ? Is Somebody has a config example ?
ThanksHere is a link to a configuration document regarding end to end SSL. The 2048 keys/certs would be configured on the SSL server, not sure what device that would be in your environment, maybe a webserver?
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml -
Hello,
I'm in the process of setting up an end to end SSL configuration but it doesn't work and I'm getting a bit confused at this stage.I imported a cert using the terminal (copy/paste) then I imported a key using the same method and the tftp. The TFTP failed and the terminal was displaying a message telling me there was topo many lines.
I checked with the crypto verify command and it failed telling me "Error: invalid or unsupported key".
Is there any clear documentation on how to configure an end to end SSL ?
I used the ACE ssl guide, but it is not really accurate and looks more like a reminder to me rather than a guide.
I attached the existing config to this post although it does not show the cert and key I imported to the ACE module, it gives a better understanding of what the idea is.
Did anybody came across the same issues on the first time configuring end-to-end ssl with ACE?just don't know where to start.
I feel like you do not have the right key/cert.
This would be the very first thing to verify.
Where did you get your key and cert ?
What certificate authority signed your certificate ?
The creation of the session key requires the use of an RSA key pair (private/public).
Every server must have a public and a private key associated with a certificate signed by a certificate authority.
If you're not familiar with those concepts, configuring an SSL offloaded like ACE won't be easy.
Maybe you should start be reading on the subject from various article available on the WEB.
openssl is a great tool to generate keys and certficates.
I would suggest maybe to get this free tool and start by creating your own RSA key pair and a self signed certificate.
Then import everything into ACE.
Once you have valid key/cert we can continue with the configuration.
Gilles -
ACE SSL Offload Advantage on End to End SSL
Is there any advantages to doing SSL termination on ACE if you are doing End to End SSL? It seems as thought it's just another place to manage certs, when you could just pass the port 443 traffic to the server and let it do the SSL decription/encryption.
centralized point of management of your certs
performances (hardware-based)
you can use strong ciphers on the client side and weaker ciphers on the server sides, reducing the load on the servers
use of SSL Reuse combined to TCP offload
There are some whitepapers available on cisco.com on this topic. -
What's the difference between END-TO-END SSL and other SSL?
Could anyone summarize all of the differences?
Thanks a lot! Points guaranteed.Hi,
SSL end-to-end means that the web dispatcher is just forwarding the
HTTPS requests to the backend system without unpacking / decrypting the data.
This can be configured by icm/server_port_<XX> = ...,PROT=ROUTER,..
To be able to configure the ROUTER protocol on the web dispatcher you also
must have configured HTTPS / SSL on the relevant backend system.
Configuring SSL "only" means that the web dispatcher is listening to HTTPS and you can decide with the relevant parameters, if the communication to the backend is HTTP or if it is again reencrypted using HTTPS.
This would end up in using the parameter icm/server_port_<xx> = ...,PROT=HTTPS,....
Kind Regards
Thomas Alt -
ERWB end to end monitor configuration error
Error msg:
Configuration saved RFC ping failed for the following RFC destinations (created upon saving) in the system PI0001: PMIMZ020020090413
Incorrect RFC Destinations: When the configuration is saved, an RFC destination is created on the monitoring server for each XI component to enable end-to-end monitoring of the respective XI component. However, the test call failed for the destinations listed. Therefore, you must check the call and the authorization on the monitoring server for the destinations concerned, by using transaction SM59. Also check whether RFC user used for the destination is maintained in the relevant XI component. Note that a component can only be monitored when its RFC destination is maintained correctly.
Incorrect RFC Destinations
Component Type Name of Component RFC Destination Message for RFC Call
ALE-LogicalSystem MZ0CLNT200 PMIMZ020020090413 Error when opening an RFC connection
When I check the RFC destination, I found XI createPMI destination with Load balancing Status "YES" every time, and failed the connect test.Hi,
Please check the RFC's PMIMZ020020090413 in SM59.
There you will find the test conncetion tab. Please check if you are able to login to target system or not.
If not please set the logon parameters and host name.
Also if the name and password are correct, check the following points
1. The user is not locked on system that is the target of the RFC.
2. Assigned the Authorisation object S_RFCACL for the user. It is to allow the user to access the trusted/trusting system.
3. If you are on PI7.1 please check if the sm59 destination has fully qualified hostname.
I hope it should solve your problem.
Best Regards
Jitender Chauhan. -
Is there a way to link text fields, so when you reach the end of one line it moves to the next?
I often use Acrobat Pro to create forms, whether it be from an existing document or from scratch, and this has always irritated me. I know you can create a text field and select the Multi-line option; however, this is not what I am looking to do. I have a form that has a Yes or No Radio Button, then below it says "If yes, please explain:" followed by 3 lines to respond. When I run it through the Form Creator, it places three text fields on the response lines - as it should. The first line is shorter because of the text, which is why I cannot use the Multi-line option. So is there a way to link these three text fields, so that when I reach the end of the first line it stops and automatically moves to the next?
Here is a picture of what I am looking at:These types of lines are a left-over from printed forms. There's no reason
to keep using them if your form is digital.
The best approach is to combine the fields to a single multiline field, and
get rid of the first line. Trying to link text fields together is very
tricky. I haven't yet to see it done properly. -
Issue in configuring the End to End Monitering.
Hi,
I was trying to configure the end to end monitering in RW, and it is askin for uid and password, on applying them , it is not opening , and giving a messege as
Unable to read the current configuration for the selected XI domain because the system was unable to estable a connection to the monitoring server (possibly due to incorrect logon data). Error message: Unable to log on to system isrxidev in language en with user PISUPER.
What should i do? I am a super user.I hav all authorisations!Is this my role, or a basis / administrator role, tell me the solution, i need to check full end to end status of a messge from source point to target point.
Also, how do I set up the PIPELINE configuration. Any settings required in SICF transaction to see the different stages of a messege in sxmb_moni. Mine is a file to idoc scenerio, and in sxmb_moni i can only see the
Inbound Messege
Receiver Grouping
and
Response.
I was expecting to see the status at Receiver determination and interface Determination!
Arnab MondalLogin with PIRWBUSER for end to end monitoring..
Follow these steps :
http://help.sap.com/saphelp_nw04s/helpdata/en/06/5d1741b393f26fe10000000a1550b0/frameset.htm
Still problem exists then go thru the below thread
End-to-End Monitoring
Check whether all CIF services were activated in Visual Admin -
Hi everybody,
Can any one of you please provide me with some document/ Blog which describes the end to end configuration steps for various scenarios like simple XML to file scenario. I am aware of various teminologies but have never tried hands on a complete configuration.
Thanks and best regards,
Kulwant SinghHi,
Please find the links for various scenarios:
/people/prateek.shah/blog/2005/06/08/introduction-to-idoc-xi-file-scenario-and-complete-walk-through-for-starters - IDoc to File
/people/ravikumar.allampallam/blog/2005/03/14/abap-proxies-in-xiclient-proxy - ABAP Proxy to File
/people/sap.user72/blog/2005/06/01/file-to-jdbc-adapter-using-sap-xi-30 - File to JDBC
/people/prateek.shah/blog/2005/06/14/file-to-r3-via-abap-proxy - File to ABAP Proxy
/people/venkat.donela/blog/2005/03/02/introduction-to-simplefile-xi-filescenario-and-complete-walk-through-for-starterspart1 - File to File Part 1
/people/venkat.donela/blog/2005/03/03/introduction-to-simple-file-xi-filescenario-and-complete-walk-through-for-starterspart2 - File to File Part 2
/people/ravikumar.allampallam/blog/2005/06/24/convert-any-flat-file-to-any-idoc-java-mapping - Any flat file to any Idoc
/people/arpit.seth/blog/2005/06/27/rfc-scenario-using-bpm--starter-kit - File to RFC
https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1685 [original link is broken] [original link is broken] [original link is broken] - File to Mail
/people/jayakrishnan.nair/blog/2005/06/20/dynamic-file-name-using-xi-30-sp12-part--i - Dynamic File Name Part 1
/people/jayakrishnan.nair/blog/2005/06/28/dynamic-file-namexslt-mapping-with-java-enhancement-using-xi-30-sp12-part-ii - Dynamic File Name Part 2
/people/michal.krawczyk2/blog/2005/03/07/mail-adapter-xi--how-to-implement-dynamic-mail-address - Dynamic Mail Address
/people/siva.maranani/blog/2005/05/25/understanding-message-flow-in-xi - Message Flow in XI
/people/krishna.moorthyp/blog/2005/06/09/walkthrough-with-bpm - Walk through BPM
/people/siva.maranani/blog/2005/05/22/schedule-your-bpm - Schedule BPM
/people/sriram.vasudevan3/blog/2005/01/11/demonstrating-use-of-synchronous-asynchronous-bridge-to-integrate-synchronous-and-asynchronous-systems-using-ccbpm-in-sap-xi - Use of Synch - Asynch bridge in ccBPM
https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1403 [original link is broken] [original link is broken] [original link is broken] - Use of Synch - Asynch bridge in ccBPM
/people/michal.krawczyk2/blog/2005/08/22/xi-maintain-rfc-destinations-centrally - Maintain RFC destination centrally
/people/sravya.talanki2/blog/2005/08/18/triggering-e-mails-to-shared-folders-of-sap-is-u - Triggering Email from folder
/people/sravya.talanki2/blog/2005/08/17/outbound-idocs--work-around-using-party - Handling different partners for IDoc
/people/siva.maranani/blog/2005/08/27/modeling-integration-scenario146s-in-xi - Modeling Integration Scenario in XI
/people/michal.krawczyk2/blog/2005/08/25/xi-sending-a-message-without-the-use-of-an-adapter-not-possible - Testing of integration process
/people/michal.krawczyk2/blog/2005/05/25/xi-how-to-add-authorizations-to-repository-objects - Authorization in XI
http://help.sap.com/saphelp_nw04/helpdata/en/58/d22940cbf2195de10000000a1550b0/content.htm - Authorization in XI
/people/michal.krawczyk2/blog/2005/09/09/xi-alerts--step-by-step - Alert Configuration
/people/michal.krawczyk2/blog/2005/09/09/xi-alerts--troubleshooting-guide - Trouble shoot alert config
/people/sameer.shadab/blog/2005/09/21/executing-unix-shell-script-using-operating-system-command-in-xi - Call UNIX Shell Script
/people/sravya.talanki2/blog/2005/11/02/overview-of-transition-from-dev-to-qa-in-xi - Transport in XI
/people/r.eijpe/blog/2005/11/04/using-abap-xslt-extensions-for-xi-mapping - Using ABAP XSLT Extensions for XI Mapping
/people/prasad.ulagappan2/blog/2005/06/07/mail-adapter-scenarios-150-sap-exchange-infrastructure - Mail Adaptor options
/people/pooja.pandey/blog/2005/07/27/idocs-multiple-types-collection-in-bpm - Collection of IDoc to Single File
/people/sap.user72/blog/2005/11/17/xi-controlling-access-to-sensitive-interfaces - Controlling access to Sensitive Interfaces
/people/michal.krawczyk2/blog/2005/11/10/xi-the-same-filename-from-a-sender-to-a-receiver-file-adapter--sp14 - The same filename from a sender to a receiver file adapter - SP14
/people/prasad.illapani/blog/2005/11/14/payload-based-message-search-in-xi30-using-trex-engine - Payload Based Message Search in XI30 using Trex Engine
/people/sap.user72/blog/2005/11/24/xi-configuring-ccms-monitoring-for-xi-part-i - XI : Configuring CCMS Monitoring for XI- Part I
/people/michal.krawczyk2/blog/2005/11/23/xi-html-e-mails-from-the-receiver-mail-adapter - XI: HTML e-mails from the receiver mail adapter
/people/sap.user72/blog/2005/11/22/xi-faqs-provided-by-sap-updated - XI : FAQ's Provided by SAP
Regards,
Nithiyanandam
Maybe you are looking for
-
I'm trying to set up a formula similiar to an If then statement with the PLD, and not having any luck. I need to create a formula on a sales order that says if there is no frieght on the order display "0.00". Thanks. Eric
-
I bought €40 worth of ITunes cards from France but when I go to redeem it, it says that I have to use the French storefront I don't know what to do and will it change into pounds if I change it over to the French storefront so can you please help me
-
Email functions jacked-up upon activating iPhone 4 and updating to 4.0.1
While I was activating my iPhone 4, I was asked if I wanted to update to 4.0.1. I clicked "yes" and proceeded. Unfortunately, everyone else had the same idea and the download froze, and I had to restart the computer to get rid of the "spinning rainbo
-
Photoshop Touch on XYBOARD Tablet
I just downloaded Photoshop Touch and was excited to start using it and all I can get it to do is flicker my screen and freeze the program. I am able to exit the program and use other things on the tablet without a problem. I have the 10.1 16GB Mo
-
IPhone 3GS music crash and won't open up
One morning, I was listening to my iPhone 3GS then all of a sudden the music app itself crash. From then on I can't seem to open my music anymore and I have restored about 4 times now and I really want to listen to my music. What can I do to fix it??