I am trying to connect to an external server from SAP PI.
I have created an SSL client identity and imported the Server certificates to this PSE in STRUST. I have also added the other certificates in the entire server certificate chain to the PSE. When I try to test the connection, I get the following error:
[Thr 13] NiIBlockMode: set blockmode for hdl 12 TRUE
[Thr 13] SSL NI-sock: local=172.16.2.14:51986 peer=151.151.65.204:443
[Thr 13] <<- SapSSLSetNiHdl(sssl_hdl=0x6000000005de0030, ni_hdl=12)==SAP_O_K
[Thr 13] ->> SapSSLSetSessionCredential(sssl_hdl=0x6000000005de0030, &cred_name=0x6000000005b117d0)
[Thr 13] SapISSLComposeFilename(): Filename = "/usr/sap/XD1/DVEBMGS01/sec/SAPSSLJAYTES.pse"
[Thr 13] <<- SapSSLSetSessionCredential(sssl_hdl=0x6000000005de0030)==SAP_O_K
[Thr 13] in: cred_name = "/usr/sap/XD1/DVEBMGS01/sec/SAPSSLJAYTES.pse"
[Thr 13] IcmConnInitClientSSL: using pse /usr/sap/XD1/DVEBMGS01/sec/SAPSSLJAYTES.pse, show client certificate if available
[Thr 13] ->> SapSSLSetTargetHostname(sssl_hdl=0x6000000005de0030, &hostname=0x6000000005b0efe0)
[Thr 13] <<- SapSSLSetTargetHostname(sssl_hdl=0x6000000005de0030)==SAP_O_K
[Thr 13] in: hostname = "safetransvalidate.wellsfargo.com"
[Thr 13] ->> SapSSLSessionStart(sssl_hdl=0x6000000005de0030)
[Thr 13] SapISSLUseSessionCache(): Creating NEW session (1 cached)
[Thr 13] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST
[Thr 13] session uses PSE file "/usr/sap/XD1/DVEBMGS01/sec/SAPSSLJAYTES.pse"
[Thr 13] No Secude Error present in trace stack!
[Thr 13] SSL_get_state() returned 0x000021d0 "SSLv3 read finished A"
[Thr 13] Server's List of trusted CA DNames (from cert-request message):
[Thr 13] #1 "CN=vt9s7x4t, OU=Only for authorized use of Wells Fargo SAFE-T Transport., OU=TSS, O=Tumbleweed SFT, C=US"
[Thr 13] #2 "CN=PassPortCA, OU=R&D, O=Axway, L=Puteaux, C=FR"
[Thr 13] #3 "CN=WellsSecure Certificate Authority, OU=WellsSecure Certification Authorities, O=Wells Fargo, C=US"
[Thr 13] #4 "CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign
[Thr 13] #5 "CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US"
[Thr 13] #6 "CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS
[Thr 13] #7 "CN=ac4sap02.nmhg.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=Terms of use at www.verisign.com/rpa (
[Thr 13] #8 "CN=COMODO High-Assurance Secure Server CA, O=COMODO CA Limited, L=Salford, SP=Greater Manchester, C=GB"
[Thr 13] #9 "CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU=For
[Thr 13] #10 "CN=*.dawnfoods.com, OU=IT, O=Dawn Food Products Inc., L=Jackson, SP=Michigan, C=US"
[Thr 13] #11 "CN=Wells Fargo Root Certificate Authority, OU=Wells Fargo Certification Authority, O=Wells Fargo, C=US"
[Thr 13] #12 "CN=jsapqasxi1e, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=Jones Group MIS, O=Jones Group, L=Bri
[Thr 13] #13 "CN=WellsSecure Public Root Certification Authority 01 G2, OU=Wells Fargo Bank NA, O=Wells Fargo WellsSecure, C
[Thr 13] #14 "CN=localhost, OU=ssl-enabled-server, O=app-server"
[Thr 13] #15 "CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated
[Thr 13] #16 "CN=sappip.transmontaigne.com, O=TransMontaigne Inc., L=Denver, SP=Colorado, C=US"
[Thr 13] #17 "CN=Wells Fargo Enterprise CA 02, OU=Wells Fargo Certificate Authorities, O=Wells Fargo, C=US"
[Thr 13] Base64-Dump of peer certificate (len=1432 bytes)
[Thr 13]
[Thr 13] Subject DN: CN=HIDDENURL.wellsfargo.com, OU=TSS, O=Wells Fargo
[Thr 13] Issuer DN: CN=Wells Fargo Certificate Authority 01, OU=Wells Fargo Certification Authority, O=Wells Fargo, C=US
[Thr 13] Current Cipher: SSL_RSA_WITH_3DES_EDE_CBC_SHA
[Thr 13] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x6000000005de0030)==SSSLERR_SSL_CONNECT
[Thr 13] ->> SapSSLErrorName(rc=-57)
[Thr 13] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT
[Thr 13] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {000100a5} [icxxconn_mt.c 2032]
[Thr 13] ->> SapSSLSessionDone(&sssl_hdl=0x60000000005e89e0)
[Thr 13] <<- SapSSLSessionDone(sssl_hdl=0x6000000005de0030, ni_hdl=12)==SAP_O_K
[Thr 13] IcmConnConnect(id=1/165): free MPI request blocks
[Thr 13] MPI<43d41>5#7 GetInbuf -1 196c60 197 (1) -> 6
[Thr 13] MPI<43d40>4#4 GetOutbuf -1 1b6ce0 65536 (0) -> 0xc0000000d91b6d00 0
[Thr 13] NiIGetServNo: servicename '8001' = port 1F.41/8001
[Thr 13] MPI<43d40>4#5 FlushOutbuf l-1 1 1 1b6ce0 2201 6 -> 0xc0000000d91b6ce0 0
[Thr 13] NiICloseHandle: shutdown and close hdl 12 / sock 32
[Thr 13] IcmConnFreeContext: context 1 released
[Thr 13] IcmServDecrRefCount: XD1DEV01.dunn-edwards.net:8043 - serv_ref_count: 1
[Thr 13] IcmWorkerThread: Thread 9: Waiting for event
When I view the Server certificate through the browser, the Certificate Hierarchy is as follows:
GTE CyberTrust Global Root
-->Wells Fargo Certificate Authority 01
------->safetransvalidate.wellsfargo.com
I have copied the certificates of both the 1st level GTE CyberTrust Global Root and the 2nd level Wells Fargo Certificate Authority 01 and imported both of these files into the PSE which I am using in SM59 for the RFC destination. I also exported these certificates to the database, so these entries are in the table VSTRUSTCERT:
NAME      CAT   DESCRIPT
-------------------------------------------
ZZGTE     CA    GTE CyberTrust Global Root
ZZSTV     SERV  SafeTransValidate Server
ZZWF01    CA    Wells Fargo Certificate Authority 01
ZZWF01    ICA   Wells Fargo Certificate Authority 01
ZZWF02    CA    Wells Fargo Enterprise CA 02
ZZWFROOT  CA    Wells Fargo Root Certificate Authority
ZZWFSTV   SERV  safetransvalidate.wellsfargo.com
I am not sure if I needed to add all of these entries... but I was trying the different combinations to see if that would work.
I am not sure why Wells Fargo Certificate Authority 01 is not appearing in the list - [Thr 13] Server's List of trusted CA DNames (from cert-request message) above.
Any help in resolving this will be appreciated.
Regards,
Jay
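
Added example, not part of the original post: the trace labels the DN list as coming from the cert-request message, which in TLS names the CAs a server accepts as issuers of a client certificate. The script below parses a trace in this format and classifies any issuer DN against that list; the function names are hypothetical, the sample is built from lines of the trace above, and the issuer DN to test (for instance that of the client certificate in the PSE) is supplied by the reader.

```python
import re

# Constructed excerpt: three list entries and the issuer line copied from the trace above.
SAMPLE_TRACE = '''\
[Thr 13] Server's List of trusted CA DNames (from cert-request message):
[Thr 13] #3 "CN=WellsSecure Certificate Authority, OU=WellsSecure Certification Authorities, O=Wells Fargo, C=US"
[Thr 13] #4 "CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign
[Thr 13] #5 "CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US"
[Thr 13] Subject DN: CN=HIDDENURL.wellsfargo.com, OU=TSS, O=Wells Fargo
[Thr 13] Issuer DN: CN=Wells Fargo Certificate Authority 01, OU=Wells Fargo Certification Authority, O=Wells Fargo, C=US
'''

ENTRY = re.compile(r'^\[Thr \d+\]\s+#\d+\s+"(.*)$')
ISSUER = re.compile(r'^\[Thr \d+\]\s+Issuer DN:\s*(.+)$')

def norm(dn):
    """Collapse whitespace and case so DNs compare as plain strings."""
    return re.sub(r'\s+', ' ', dn).strip().casefold()

def parse_trace(text):
    """Return ([(ca_dn, truncated)], peer_issuer_dn) from ICM SSL trace text."""
    cas, issuer = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            dn = m.group(1).rstrip()
            # Complete entries end with a closing quote; the trace cuts long DNs off.
            truncated = not dn.endswith('"')
            cas.append((dn if truncated else dn[:-1], truncated))
        elif (m := ISSUER.match(line)):
            issuer = m.group(1).strip()
    return cas, issuer

def issuer_status(cas, issuer_dn):
    """Classify an issuer DN against the server's cert-request CA list."""
    want = norm(issuer_dn)
    status = "not listed"
    for dn, truncated in cas:
        if not truncated and norm(dn) == want:
            return "listed"
        # A truncated entry can only be matched as a prefix, so report it as uncertain.
        if truncated and want.startswith(norm(dn)):
            status = "possibly listed (entry truncated in trace)"
    return status

if __name__ == "__main__":
    cas, peer_issuer = parse_trace(SAMPLE_TRACE)
    print("peer certificate issuer:", issuer_status(cas, peer_issuer))
```
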