Hi,
I am stuk up with ADS SSL configuration between CRM ABAP and CRM Java
I am getting RFC error when I test the connection of RFC ADS_SSL in SM59
I followed below Steps for SSL configuration. As it is sandbox system I did not use CA certificates.(I am using test server certificate from SMP)
- Created ssl server standard PSE
- Exported the certificate request and got THE SSL TEST SERVER certificate response from SMP
- Imported it in SSL server standard PSE
- Created self-signed SSL client standard PSE
- Added SSL TEST SERVER certificate to the certificate list of SSL client standard PSE
- Download SSL test server CA certificate from SMP and imported it in SSL server standard PSE and added it to the certificate list of SSL server standard PSE and SSL client standard PSE
But still I am getting below error (dev_icm trace file attached)
[Thr 2828] in: hostname = "10.219.200.238"
[Thr 2828] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 2828] session uses PSE file "/usr/sap/CRX/DVEBMGS00/sec/SAPSSLC.pse"
[Thr 2828] SecudeSSL_SessionStart: SSL_connect() failed --
[Thr 2828] secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 2828] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
[Thr 2828] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
[Thr 2828] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=localhost, OU=ssl-enabled-server, O=app-server"
[Thr 2828] ERROR in get_path: (27/0x001b) Found root certificate of <CN=localhost, OU=ssl-enabled-server, O=app-server> which does not fit the given PKRoot
[Thr 2828] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=localhost, OU=ssl-enabled-server, O=app-server> which does not fit the given PKRoot
[Thr 2828] << ---------- End of Secude-SSL Errorstack ----------
[Thr 2828] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 2828] No certificate request received from Server
[Thr 2828] <<- ERROR: SapSSLSessionStart(sssl_hdl=111489670)==SSSLERR_SSL_CONNECT
[Thr 2828] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT
[Thr 2828] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00010011} [icxxconn_mt.c 1957]
[Thr 2828] <<- SapSSLSessionDone(sssl_hdl=111489670, ni_hdl=74)==SAP_O_K
------------------------------------------------------------------------------------------------------------------
As per SAP note 1318906: The solution is given below:
"...
Situation: The ICM is in the client role and the following entry is displayed in the trace:
ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of theserver's certificate chain failed
Reason:You try to set up a secure connection to a server, but the validity of the certificate cannot be verified because the required
certificates are not available.
Solution:The missing certificates are listed in the trace file. You mustuse transaction STRUST to insert these certificates in the Personal
Security Environment (PSE) that is used for the connection. The certificates are usually made available to you by the server
administrator. If the certificates are public Certification Authority (CA) certificates, you can also request the certificates there.
--------------------------------------------------------------------------------------------------------------------
I have no clue about where we can get the certificates.
Kindly help us to solve this issue.
Regards,
Sridharan R.