Purpose

While securing a connection with SSL, it is required to import the Server's Certificate in the correct Peer/Client Personal Security Environment (PSE). Often, this procedure is not properly done, leading to SSL issues.

This document will guide you through the troubleshooting of this issue, from determining the exact missing certificate, to importing it in the correct PSE of your system.

Overview

When the ICM is in the client role and you try to set up a secure connection to a system, you must import the Peer (Server) certificate in the correct PSE of your system. In this scenario, the server sends its certificate to the client to be verified; however, the client may be unable to verify the Peer certificate successfully because the certificate from the Peer is unknown, that is, it is not maintained in the correct PSE of the system (in other words, the client does not trust it).

Common Scenarios

This issue can happen in many different scenarios. For example, when testing a Web Service or an RFC connection (with SSL active), you face the error "ICM_HTTP_SSL_ERROR". Then, in the ICM trace (dev_icm), you see the SSSLERR_PEER_CERT_UNTRUSTED (peer certificate (chain) is not trusted) error.

Troubleshooting

In order to gather more technical information about this issue, the start point is to check the ICM trace. By doing that, it is possible to determine which certificate is missing, and in which PSE this certificate should be imported.

ICM Trace

Capturing the issue in the trace

To properly collect the necessary information related to the issue in the ICM trace, follow the procedure as described below.

While in SMICM transaction:

  1. Raise the ICM trace level to 2 (Goto -> Trace Level -> Set -> 2).

  2. Reproduce the issue (e.g. perform the connection test in the RFC connection).

After the procedure is completed, the ICM trace level can be set back to the default (1).

Analyzing the trace

After increasing the trace level to 2, and reproducing the issue, the next step is to access the trace in order to analyze the data collected.

While in SMICM transaction:

  1. Display the trace within the transaction (Goto -> Trace File -> Display All (Shift+F5)). Alternatively, you can display the trace file ("dev_icm") in transaction ST11.

Searching for the issue in the trace

In the trace file you will find the following messages for this issue:

  1. SSSLERR_PEER_CERT_UNTRUSTED
  2. Failed to verify peer certificate. Peer not trusted.
  3. peer certificate (chain) is not trusted
  4. *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED

Issues in SSL connections start with "*** ERROR".

For more detailed information, look into the Secude-SSL Errorstack section of the trace:

>> ---------- Begin of Secude-SSL Errorstack ---------- >>

complete description of the issue

<< ---------- End of Secude-SSL Errorstack ----------

Identifying the relevant information in the Errorstack

After performing all the steps above, you probably have found the Errorstack of the issue:

Example: 

[Thr number] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr number]     session uses PSE file "/usr/sap/SID/HOST/sec/PSE_FILE_THAT_THE_CERTIFICATE_MUST_BE_IMPORTED_IN.pse" 
[Thr number] SecudeSSL_SessionStart: SSL_connect() failed --
[Thr number]   secude_error 536872221 (0x2000051d) = "SSL API error"
[Thr number] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr number] 0x2000051d | SAPCRYPTOLIB | SSL_connect
[Thr number] SSL API error
[Thr number] Failed to verify peer certificate. Peer not trusted. 
[Thr number] 0xa0600203 | SSL | ssl_verify_peer_certificates
[Thr number] Peer not trusted 
[Thr number] 0xa0600297 | SSL | ssl_cert_checker_verify_certificates
[Thr number] peer certificate (chain) is not trusted 
[Thr number] Certificate:
[Thr number]   Certificate:
[Thr number]      Subject :CN= sap.com , OU=I00000000, OU=SAP AS, O=SAP CA, C=DE 
[Thr number]       Issuer :CN= sap.com , OU=I00000000, OU=SAP AS, O=SAP CA, C=DE 
[Thr number]       Serial number:0x20131208133655
[Thr number]       Validity:
[Thr number]           Not before :Sun Dec 8 08:36:55 2013
[Thr number]           Not after :Thu Dec 31 19:00:01 2037
[Thr number]       Key:
[Thr number]            Key type :rsaEncryption (1.2.840.113549.1.1.1)
[Thr number]            Key size :1024
[Thr number]         PK_Fingerprint_MD5:E2FF 2FE2 F27C 033D 3DE5 C53D 9010 5273
[Thr number]       Signature algorithm:sha1WithRsaEncryption (1.2.840.113549.1.1.5)
[Thr number]       Fingerprint_MD5:9F:55:EE:38:53:B6:19:B6:8A:4E:F1:B4:B3:9C:47:86
[Thr number]       Fingerprint_SHA1:D195 CBE3 DFCD 06D2 FE0C A517 22B6 1223 FF40 194E
[Thr number]    Verification result:
[Thr number]       Status :Not successful
[Thr number]       Profile :1.3.6.1.4.1.694.2.2.2.2
[Thr number]       DirectlyTrusted:Not successful
[Thr number] 
[Thr number] << ---------- End of Secude-SSL Errorstack ----------
[Thr number]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr number]   SSL NI-sock: unix domain socket="/tmp/.sapicm50001"
[Thr number] <<- ERROR: SapSSLSessionStart(sssl_hdl=1178ee5b0)==SSSLERR_PEER_CERT_UNTRUSTED 
[Thr number] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {00000001} [icxxconn_mt.c 1989]

Understanding the information collected and applying it to solve the issue

The part of the dev_icm trace file above contains the Errorstack of an SSL call that failed due to a missing certificate that should have been imported in the correct PSE of the system.

The lines starting with "*** ERROR" are the error messages.

The line "session uses PSE file ..." contains the full path to the PSE where the peer certificate should have been imported. It could be the SSL Client (Standard) PSE, the SSL Client (Anonymous) PSE, the SSL Server (Standard) PSE, and so on.

The "Certificate:" block inside the Errorstack contains the exact Peer certificate that is missing from the certificate list of the PSE named in that line. In order to solve the issue, it is recommended that you import the Root CA of the missing certificate instead of the certificate itself.

Example:

The PSE shown in the trace file is: session uses PSE file "/usr/sap/SID/HOST/sec/SAPSSLC.pse". This PSE file refers to the SSL Client (Standard) PSE.

The certificate shown in the trace file is "CN= sap.com , OU=I00000000, OU=SAP AS, O=SAP CA, C=DE".

This information is crucial to solve the issue: once these two points have been figured out, the troubleshooting is over.

In this example, in order to solve the issue, the Root CA certificate of the end-entity server certificate "CN= sap.com , OU=I00000000, OU=SAP AS, O=SAP CA, C=DE" must be imported in the SSL Client (Standard) PSE. 
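As an added example (not part of the original page), the extraction described above, automated: the script pulls the PSE path, the untrusted peer's Subject/Issuer and the SHA1 fingerprint out of a dev_icm excerpt and maps the PSE file name to its STRUST name. The sample trace is constructed from the one on this page; SAPSSLC.pse is named on the page, while the SAPSSLA.pse and SAPSSLS.pse entries are SAP's standard default names and are an assumption here.

```python
import re

# Constructed dev_icm excerpt modelled on this page's Errorstack; "[Thr number]" stands in for the thread id.
SAMPLE_TRACE = """\
[Thr number]     session uses PSE file "/usr/sap/SID/HOST/sec/SAPSSLC.pse"
[Thr number] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr number] Certificate:
[Thr number]      Subject :CN= sap.com , OU=I00000000, OU=SAP AS, O=SAP CA, C=DE
[Thr number]       Issuer :CN= sap.com , OU=I00000000, OU=SAP AS, O=SAP CA, C=DE
[Thr number]       Fingerprint_SHA1:D195 CBE3 DFCD 06D2 FE0C A517 22B6 1223 FF40 194E
[Thr number] << ---------- End of Secude-SSL Errorstack ----------
[Thr number] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED
"""

# Default PSE file name -> PSE as listed in STRUST (SAPSSLC from the page; the other two assumed SAP defaults).
PSE_NAMES = {
    "SAPSSLC.pse": "SSL Client (Standard)",
    "SAPSSLA.pse": "SSL Client (Anonymous)",
    "SAPSSLS.pse": "SSL Server (Standard)",
}

def normalize_dn(dn):  # tidy the spacing the trace puts around '=' and ',' in a DN
    return re.sub(r"\s*,\s*", ", ", re.sub(r"=\s*", "=", dn.strip()))

def analyze_errorstack(trace):
    info = {"errors": [], "pse_path": None, "pse_name": None,
            "subject": None, "issuer": None, "sha1": None}
    in_stack = False
    for raw in trace.splitlines():
        line = re.sub(r"^\[Thr [^\]]*\]\s*", "", raw).strip()  # drop the thread prefix
        if line.startswith("*** ERROR"):
            info["errors"].append(line)
        m = re.match(r'session uses PSE file "([^"]+)"', line)
        if m:  # this line tells you WHICH PSE needs the certificate
            info["pse_path"] = m.group(1)
            info["pse_name"] = PSE_NAMES.get(m.group(1).rsplit("/", 1)[-1], "unknown PSE")
        if "Begin of Secude-SSL Errorstack" in line:
            in_stack = True
        elif "End of Secude-SSL Errorstack" in line:
            in_stack = False
        elif in_stack:  # the first certificate in the stack is the untrusted peer
            m = re.match(r"(Subject|Issuer|Fingerprint_SHA1)\s*:\s*(.+)", line)
            if m:
                key = m.group(1).lower().replace("fingerprint_", "")
                if info[key] is None:
                    info[key] = m.group(2).strip() if key == "sha1" else normalize_dn(m.group(2))
    # Subject == Issuer means the peer certificate is self-signed, so it is its own root CA.
    info["self_signed"] = info["subject"] is not None and info["subject"] == info["issuer"]
    return info
```

Compare the SHA1 fingerprint against the certificate you are about to import into the named PSE, so you trust the exact peer the trace reports rather than a look-alike subject.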


6 Comments

  1. really helpful and clear explanation!! thanks.

  2. Once done, does the trace level have to be set up to 0-1 or 3? Many thanks. Ondrej

    1. I've updated section "Capturing the issue in the trace" with the answer:

      "After the procedure is completed ICM Trace Level can be set to default (1) again"


  3. Great Job, a perfect article! Really easy to follow and very clear. I wish there were more like this out there.

  4. Excellent. The best walkthrough I could find! 

    The only open question for me is: where do I get the missing certificate? In my case the missing one is CN=cf.us10.hana.ondemand.com. Does anyone know where I can get this and/or the root certificate? Thank you very much.