Icm http ssl error


Contents

  1. ICM_HTTP_SSL_ERROR !!
  2. SAP PI: HTTP Response Code 401 Unauthorized & HTTP Client Code 407 Reason ICM_HTTP_SSL_Error
  3. ICM_HTTP_SSL_ERROR for plain HTTPS with RFC Destination type G
  4. ICM_HTTP_SSL_ERROR
  5. ICM_HTTP_SSL_ERROR
  6. Similar Messages

ICM_HTTP_SSL_ERROR !!

Don’t know whether this is the right forum for this query. We are trying to execute the Fedex Web-Service with SOAMANAGER, when we create a Logical Port it creates a RFC connection automatically. When I am trying to test the connection it is ending up with the error «ICM_HTTP_SSL_ERROR», I have read many forums and followed the below Notes, which didn’t resolve the issue.

1094342 — ICM trace contains verification of the server’s certificate

1318906 — Trace analysis of SSL problems

I have imported and added the certificates from FEDEX in STRUST «SSL client SSL Client (Anonymous)», «SSL client SSL Client (Standard)». Surprisingly I tested by deleting the certificates and ending up the same error, even after adding the certificates the same error persists.

The RFC was working couple of days back, not able to make out why is it not working now.

Here is the ICM trace:

trc file: «dev_icm», trc level: 1, release: «701»

systemid 562 (PC with Windows NT)

make: multithreaded, Unicode, 64 bit, optimized

Thr 3552 Fri Mar 04 07:16:23 2011

Thr 3552 TRACE FILE TRUNCATED

Thr 5084 Fri Mar 04 07:17:07 2011

Thr 5084 *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

Thr 5084 session uses PSE file «C:\usr\sap\IDS\DVEBMGS02\sec\SAPSSLA.pse»

Thr 5084 SecudeSSL_SessionStart: SSL_connect() failed

secude_error 9 (0x00000009) = «the verification of the server’s certificate chain failed»

Thr 5084 >> Begin of Secude-SSL Errorstack >>

Thr 5084 ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server’s certificate chain failed #

ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : «OU=Class 3 Public Primary Certification Auth

ERROR in get_path: (27/0x001b) Found root certificate of IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn.c 2012]

Please advise me how to catch the right error and rectify and resolve the issue.

Source

It was initially very hard for me to understand HTTP failures when we were trained on SAP PI. I browsed many websites and ended up without success. I will try to simplify the two most common HTTP errors by explaining the concepts in a nutshell. This blog does not cover the HTTP errors in detail but gives a basic understanding for new PI developers.

In this blog we discuss the HTTP errors that occur when a non-SAP system sends Sales Orders to an SAP system:

Interface Description:

The PI implementation will broker the transaction, transform the Sales Order into XML, and send it to the SAP application. This is an asynchronous interface to ECC. The following information describes the interface technically:

1. Inbound Orders from Non SAP into SAP for both customers X and Y.
2. Non SAP will convert X Y EDIFACT format into ECC IDoc format
3. SAP PI to Receive via Secure Protocol (HTTPS) the Orders05 Idoc in XML
4. SAP PI to send this to SAP via Idoc adapter for Idoc Orders05

We have faced two HTTP Failures : HTTP response code 401 Unauthorized & HTTP client code 407 reason ICM_HTTP_SSL Error

Issue 1: HTTP response code 401 Unauthorized

• Business unable to send the file via HTTP and getting error message stating that “HTTP Error 401” while posting sales Orders

Step 1:

• Basis analyzed and found the below error message >> Informed to business.

Figure 2: SSL Error

Step 2:

• Business confirmed that there is an inconsistency between files at OS level and database. They have synchronized those files and checked the non-SAP certificate again. Business confirmed that it is already installed.

Resolution 1:

• Basis re-imported the SSL certificate to the system of Production DB. Informed business to check it.

• Still the issue persists, Basis restarted the ICM.

Issue 2: HTTP client code 407 reason ICM_HTTP_SSL Error

  • There are two X_ORDRSP and Y_ORDRSP failures due to HTTP client code 407 reason ICM_HTTP_SSL failures. Informed to basis team to verify the SSL authentication.

Figure 3: ICM_HTTP_SSL_ERROR

Resolution 1 :

  • Basis re-imported the certificate from OS level and restarted the ICM. Issue resolved.

We have also checked from PI perspective, all the Sales Orders posted successfully from Non SAP system to SAP ECC system. As well as, we have received Order Response from SAP ECC system to Non SAP system. Attached Screenshot below for your reference:

Figure 4: Processed IDOC

TIPS:

Error Codes:

An error that occurs when a function is executed can be recognized in the HTTP status code.

HTTP Status Code

Meaning

Used For

OK, information or component was delivered, transferred, changed, appended, or deleted

info, get, docGet, update, append, delete, putCert, search, attrSearch

OK, component(s) created (if create was used)

OK, all documents created (if mCreate was used)

250 (missing documents created)

OK, all missing documents were created

400 (bad request)

Unknown function or unknown parameter

info, get, docGet, create, update, append , delete, mCreate, search, attrSearch

Document or component already exists

Document, component, or content repository not found

info, get, docGet, update, append, delete, search, attrSearch

406 (not acceptable)

Certificate not recognized

Document, component, or administration data inaccessible

info, get, docGet, append, update, delete, search, attrSearch

500 (Internal Server Error)

Internal error on Content Server

If an error occurs, the content server must deliver an ASCII string describing the error. The error must be entered in the header field X-ErrorDescription .

Source

ICM_HTTP_SSL_ERROR for plain HTTPS with RFC Destination type G

I try to set up a connection with an external partner using plain http and an RFC destination of type G.

Unfortunately I receive an ICM_HTTP_SSL_ERROR

Concerning the ICF log i get the following error:

[Thr 7] Tue May 30 16:39:17 2006

[Thr 7] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 7] session uses PSE file «/usr/sap/XIE/DVEBMGS17/sec/SAPSSLA.pse»

[Thr 7] SecudeSSL_SessionStart: SSL_connect() failed —

secude_error 9 (0x00000009) = «the verification of the server’s certificate chain failed»

Begin of Secude-SSL Errorstack —

[Thr 7] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server’s certificate chain failed

ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : «CN=HeslogRootCA, DC=heslog, DC=lan»

ERROR in get_path: (24/0x0018) Can’t get path because the chain of certificates is incomplete

End of Secude-SSL Errorstack —

[Thr 7] SSL_get_state() returned 0x00002131 «SSLv3 read server certificate B»

[Thr 7] SSL socket: local=10.5.41.120:58771 peer=10.4.21.180:8080

[Thr 7] IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 1822]

I searched the forum here and I discovered that I need to announce the certificate of the server. I did it using strust.

I guess I am right in the ABAP stack since I use an RFC Destination. (Of course I also tried to do it with Visual Admin and this did not work either.)

Is it correct to upload the certificate from the server at the ssl-server node in strust?

Source

ICM_HTTP_SSL_ERROR

When I check the RFC DUECLNT800-HTTP connection from backend system called IDE in tcode sm59 to the SCL, I get the ICM_HTTP_SSL_ERROR.

The RFC is created by the Wizard. Here are info from the RFC:

RFC Destination: DUECLNT800-HTTP

Connect Type: G — HTTP Connection to External Serv

Description: HTTP Destination to SCL Server.

TAB: Technical Settings:

Target System Settings:

Target Host: NNNNNNNNNNNN.XXXXX.COM — Service No. 8011 => HTTP Port

Path Prefix: /sap/bc/srt/pm/iwcnt/actionitemvi_document/800/duet_enterprise_assertion/1/binding_t_http_a_http__-iwcnt_-actionitemvi_document_duet_enterprise_assertion

TAB: Logo & Security:

Logon Procedure: Basic Authentication (Yes) — Send SAP Logon Ticket (YES)

Status of Secure Protocol:

SSL Client Certificate: ANNONYM SSL CLIENT (ANONYMOUS)

Further analyses of the SMICM Log:

[Thr 5008] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 5008] session uses PSE file «E:\usr\sap\IDE\DVEBMGS01\sec\SAPSSLA.pse»

[Thr 5008] SecudeSSL_SessionStart: SSL_connect() failed

secude_error 536871970 (0x20000422) = «SSL record with the wrong SSLPlaintext.version received»

[Thr 5008] >> Begin of Secude-SSL Errorstack >>

[Thr 5008] ERROR in ssl3_get_record: (536871970/0x20000422) SSL record with the wrong SSLPlaintext.version received #

[Thr 5008] IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn.c 2031]

Source

ICM_HTTP_SSL_ERROR

Hi experts..
I am getting the error ICM_HTTP_SSL_ERROR in sxmb_moni while executing the proxy to file scenario and the trace says «no interface found».
I came to know from our forum that this error will come if sm59 connections are not properly in place. Is this also applicable for my scenario?
Please help me out with a solution.
thanx in advance.

Hi
make SSL inactive in sm59. It should work.
regards
krishna

Similar Messages

Hi all,
we have configured an SM59 RFC destination of G type which pings to the external third party server. Before testing we have uploaded the external server certificate in PI system. it was working fine with * HTTP 200 OK* message. since 2 days we are facing the ICM_HTTP_SSL_ERROR while testing the connection. when we telnet from PI to the external system using the port no.443, its getting connected.
so any idea why it started giving the error.
We have check out this forums but of no help.
ICM_HTTP_SSL_ERROR
The trace file dev_icm says
[Thr 52] Thu Jan 20 14:34:00 2011
[Thr 52] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST
[Thr 52] session uses PSE file «/usr/sap/XD1/DVEBMGS00/sec/SAPSSLDRV.pse»
[Thr 52] No Secude Error present in trace stack!
[Thr 52] SSL_get_state() returned 0x00002141 «SSLv3 read server key exchange B»
[Thr 52] SSL NI-sock: local=192.168.127.70:65243 peer=80.78.2.187:443
[Thr 52] IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT <00370a03>[icxxconn_mt.c 1957]
[Thr 81] Thu Jan 20 14:34:15 2011
[Thr 81] IcmWorkerThread: end worker thread 53
[Thr 80] Thu Jan 20 14:44:45 2011
[Thr 80] IcmWorkerThread: end worker thread 52
Thanks,
Asem

Hareen,
We checked the the note 1318906 and followed the steps but error persists.
Could you please advice more on this.
Rahul,
The note you mentioned is for different error «ICM_HTTP_INTERNAL_ERROR».
Br
Asem

Hi,
We are trying to send data via HTTPS with the HTTP adapter. Therefore we created an RFC destination with SM59. For HTTP it works fine but after changing to HTTPS we receive an ICM_HTTP_SSL_ERROR.
The server on the other side expects authentication via User/Pwd on port. Also we added an entry in STRUST for CN=anonymous in STRUST.
Any idea what's wrong?

Hi Sammer,
— authentication is username/pwd.
— SSL is active because of https
— Service is set to the https-port of the server.
I receive the following error in the log.
[Thr 10] >> ———- Begin of Secude-SSL Errorstack ———- >>
[Thr 10] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server’s certificate chain failed
ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : «OU=Class 3 Public Primary Certification Auth
ERROR in get_path: (24/0x0018) Can’t get path because the chain of certificates is incomplete
[Thr 10] IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT <00021653>[icxxconn_mt.c 1813]
When I delete in STRUST all the certificates under Client_certificate (standard/anonymous) I receive the same error msg. It is also the same error when I am trying to connect to another server with https.
regards bernd

Hello experts,
I’m getting error while trying to replicate Business Partner from CRM to Cloud for Customer.
In SRTUTIL tcode i’m getting error message ICM_HTTP_SSL_ERROR for the outbound Idoc.
I have found description of the error — it means that SSL client certificate is not valid.
Can you please confirm, if all the certificates I have imported is ok?
I have created an SSL environment in order to import SSL certificates and use it for RFC logon setup.
2 Certificates, taken from HCI (root and intermediate) were imported to this SSL Environment.
In the other side, I have imported certificate imported from
2 certificates imported to the STRUST SSL Environment:
— Cybertrust Sure Server Standard Validation CA
— GTE Cyber Trust Global Root
In the other side, I have imported client’s certificate, taken from SAP CRM system.
Can you please provide your feedback if something else should be added. Thank you!

Hello,
it could be a problem with the client certificate on CRM side. Could you please provide more details about this client certificate. Especially I would need the information from which CA it was signed. Only if the signing CA is trusted on HCI Loadbalancer, then it will work.
Best regards,
Berthold

Hello all,
can you pls suggest me smth for this:
I am running solman_setup and at phase 5.1 (Configure Web dispatcher) and I have errors:
SOAP:1.023 SRT: Processing error in Internet Communication Framework: («ICF Error when receiving the response: ICM_HTTP_SSL_ERROR»)
L3 — Failed to reach test WS through System Settings (ICM/HTTPURLLOC)
L2 — Failed to reach test WS through ICM
I chose: No SAP Web Dispatcher used
What I did:
1. re-created users SM_EXTERN_WS and SM_INTERN_WS
2. added table HTTPURLLOC with the full hostname and the port
3. created SSL server standard certificate in STRUST and it's green
4. instance profile>>add login/accept_sso2_ticket=1 and login/create_sso2_ticket=2
Thx for any suggestion
Chris

Hello,
I read note 1094342 — ICM trace contains verification of the server’s certificate
and I installed in the IE browser the PSE saved from /strust
Thx for any idea
[Thr 140736729089792] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 140736729089792] session uses PSE file «/usr/sap/SID/DVEBMGS00/sec/SAPSSLA.pse»
[Thr 140736729089792] SecudeSSL_SessionStart: SSL_connect() failed
[Thr 140736729089792] secude_error 536872221 (0x2000051d) = «SSLAPI error»
[Thr 140736731203328] NiIBlockMode: set blockmode for hdl 92 FALSE
[Thr 140736729089792] >> Begin of Secude-SSL Errorstack >>
[Thr 140736729089792] 0x2000051dSAPCRYPTOLIB SSL_connect
[Thr 140736729089792] SSL API error
[Thr 140736729089792] Failed to verify peer certificate. Peer not trusted.
[Thr 140736729089792] > Begin of Secude-SSL Errorstack >>
[Thr 140736731203328] 0x20001046SAPCRYPTOLIB SSL_accept
[Thr 140736731203328] SSL API error
[Thr 140736731203328] received a fatal SSLv3 certificate unknown alert message from the peer
[Thr 140736731203328] 0xa0600263 SSL ssl23_accept
[Thr 140736731203328] received a fatal SSLv3 certificate unknown alert message from the peer
[Thr 140736731203328] 0xa0600263 SSL ssl3_read_bytes
[Thr 140736731203328] received a fatal SSLv3 certificate unknown alert message from the peer
[Thr 140736731203328] IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn_mt. 1713]
[Thr 140736729089792] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED <000f3a6b>[icxxconn_mt.c 1989]
[Thr 140736731203328] 85#7 GetInbuf -1 21d220 1757 (1) -> MPI_EOS: End Of Stream

Dear Sayid,
The document which you had mentioned here is really helpful.
I am working on Digital Signature for Form16 in SAP. I got stuck with the same issue.
I went through the document of
Enabling SSL and Client Certificates on the SAP J2EE Engine by Angel Dichev
in that document i went through one note
Note: Per default, the SAP J2EE Engine uses the “ssl-credentials” entry for SSL, which contains a
public-key certificate that has been signed by a test CA. Although this certificate can be used for
testing purposes, a certificate that has been signed by a well-known, productive CA should be used
when in production mode.
Right now I am doing it for testing purposes. The above note mentions that we can use the default credentials, but when I see the expiry date of these default credentials in my server, 1) SSL-Credentials 2) SSL-Credentials-cert, it is given that these certificates are Valid Not After 2005 year.
So i got confused now whether to use the default credentials or not.
Please guide me with a solution.
With Regards,
Pradeep.B

Hi,
We have recently moved from XI 3.0 to PI 7.1. We have built an IDoc to file scenario that is resulting in error with information as below:
XIServer
CLIENT_RECEIVE_FAILED
407
ICM_HTTP_SSL_ERROR
(See attachment HTMLError for details)

Error while receiving by HTTP (error code: 407 , error text: ICM_HTTP_SSL_ERROR) (See attachment HTMLError for details)
HTML error is attached to Payload in the message with error information as below:
500 Native SSL error
Error: -14
Version: 7011
Component: ICM
Date/Time: Fri Aug 13 14:33:05 2010
Module: icxxconn_mt.c
Line: 1911
Server: v005_PIS_00
Error Tag:
Detail: IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH
Observations:
Idoc submitted by SAP system is well received by PI system, Mapping is successfully executed to produce the target message. Message has stopped in Inbound Queue with info «XI Error CLIENT_RECEIVE_FAILED.INTERNAL: Queue stopped».
Inference:
Now it should be the turn for Integration engine to submit the message to adapter engine, but I suspect internal communication between these two components have failed.
I think a parameter change should solve this problem. May be it is parameter in rz10 or exchange profile?
Please provide your inputs to resolve the issue.
Thanks,
Suraj

Thanks for the replies.
In the preliminary analysis, it is found that Integration Engine and Adapter Engine connectivity is not maintained correctly.
Instead of https:// :/sap/xi/engine?type=entry, it should be maintained as http:// :/sap/xi/engine?type=entry
We need to find the place where this setting can be done and hence restore the connection.
Inference is made based on SLDCHECK that shows the url as ‘http:// :/sap/xi/engine?type=entry’ and in the audit log of the monitoring it shows as https:// :/sap/xi/engine?type=entry
Best Regards,
Suraj

Error in Proxy
SSL_ERROR_CONNECTION_LOST
Performing the connection test by clicking the «Test Connection» in transaction SM59, I am getting ICM_HTTP_SSL_ERROR.

Hi,
Check the following threads:
ICM_HTTP_SSL_ERROR for plain HTTPS with RFC Destination type G
ICM_HTTP_SSL_ERROR
SSL_ERROR_CONNECTION_LOST
Error ‘Create failed : Argument not found’ in SM59
Thnx
Chirag

I am trying to send a XML message (an Invoice) from XI to an external Customer via HTTP Adapter.
The site I am posting the message to is SSL.
I have installed the Customer’s Certificate via STRUST under SSL Client (Standard) and can see it in the
certificate list.
Within the Communication Channel for HTTP Adapter I have tried Addressing Type of URL
and also with a HTTP (SM59) destination. Both do not work.
The setting used for both are
host : workflw.externalcustomer.xxx.com Service: 443
Path : /SubmitInvoiceUAT/SubmitInvoice.asmx/SubmitCXML
HTTP Proxy : internetproxy.mycompany.com
Proxy Service : 80
SSL Active : SSL Client Certificate ANONYM SSL Client(Anonymous). As no client cert is used for logon
I have attempted a connection test within SM59 for the HTTP Destination and I receive the error
ICM_HTTP_SSL_ERROR.
1) If the SSL Client Certificate is ONLY for logon then how does XI know what cert to encrypt with?
2) Should Verisign/Thawte etc CA certs be also installed in STRUST ?
Does that «public» key for encryption need to be placed anywhere (eg STRUST) or will XI just do
3) this when it does the handshake with the external HTTPS site it is posting to ?
4) Also the transaction STRUST may (or may not depending on how the documentation is interpreted) need the installation of some certs into its PSE (Personal Security Environment). But exactly what they mean is a mystery. I have created what I thought was the servers cert but cannot see to create a dev.connector.boc.com named certificate. Perhaps that is not needed.
Here is the help SAPHelp on PI HTTPS Config
5) Also OSS note 510007 it advises to check a number of settings. I have had a look at what I can ..namely via transaction RZ10 and I can see one parameter and should that be changed to include a HTTPS ? .i,e currently it is set to icm/server_port_0 PROT=HTTP,PORT=80$$,PROCTIMEOUT=3600

Hello
As a process you have done well. I suspect the problem could be with «SSL Client Certificate». Check whether the SSL Client Certificate is a valid version.
Best practice.
Always when we are communicating with HTTP outbound, it is better to have a STANDALONE FTP location for both SENDER and RECEIVE XML data transfer files.
I hope I answered your question. It was nice answering your question. Feel free to reach SDN if you have any questions.
Regards

I am trying to send data from an SAP system to a non-SAP system using the HTTP adapter. The url is using port 9082 and am using a certificate for authentication. I have opened a hole in our firewall for the transmission.
I set up SM59 with the url/port/path, and specified the certificate installed in STRUST.
When I run a test, I get the following error in XI.



XIAdapter
ATTRIBUTE_CLIENT
407
ICM_HTTP_SSL_ERROR

HTTP client. Code 407 reason ICM_HTTP_SSL_ERROR
A

I’m not real sure what this means and can’t find anything in the forums about this. Can anyone offer any assistance?

Larry,
OK, so you're using the HTTPS adapter; have you uploaded the certificate to the keystore in Visual Administrator?
Which version of XI/PI are you using? You may need to run the SSO2 Wizard (if PI/SP14 or above), otherwise the keystore in VA should give you the necessary setup.
Make sure you set up HTTP and SSL correctly. Here is the link for the setup in NW04:
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
Check the «Technically Enabling SSL» section; it describes the steps needed to run strust and the J2EE Visual Administrator (utilizing the keystore). Here is a little snippet from the web page:
● Use the J2EE Visual Administrator to set up an SAP Web AS J2EE engine as HTTPS server. If not already done, you have to import a certificate generated by a CA identifying the SAP Web AS into the keystore named service_ssl in the Keystore service. In addition, you have to assign this certificate in the SSL Provider service.
● Use the J2EE Visual Administrator to set up an SAP Web AS J2EE engine as HTTPS client. If not already done, you have to import the certificate of the CA of the HTTPS server’s certificate into the J2EE engine’s keystore view named TrustedCAs.
Good luck this should help you even a little.
Rocco

Hi guys,
I try to set up transport security for my ABAP web service. The service should be called via a ABAP Proxy.
These are my steps to create the ABAP web service:
1. Create function module (se80)
2. Create web service (web service definition) (service wizard)
2.1 Authentication = STRONG
2.2 Transport Guarantee = BOTH
3. Activate service (wsconfig)
4. Control service (wsadmin)
Afterwards I tried to create the proxy but when I add the WSDL URI I always get an
HTTP error (return code 407, message «ICM_HTTP_SSL_ERROR»)
I tried to find a «How to» but I was not successful. Also the saphelp http://help.sap.com/saphelp_nw04/helpdata/en/65/6a563cef658a06e10000000a11405a/frameset.htm was not helpful for me.
Hopefully you can help me! Every comment is appreciated!
Regards

I advise to have a look into the ICM trace file (dev_icm) — either by using ABAP transaction ST11 or SMICM.
There you should find error details. Most likely it’s about the «chain verifier» complaining that he’s unable to verify the certificate of the communication peer.
In that case SAP Note 1094342 (https://service.sap.com/sap/support/notes/1094342) might be helpful.
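
The triage this answer describes (open dev_icm and see what the SSL layer complained about) can be scripted. The following is an added example, not code from the thread or from SAP: the sample trace is constructed from lines quoted on this page (thread number 12 is made up), and the category names and hint texts are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: trace lines quoted on this page, merged into one file.
# Thread number 12 on the last line is made up for the example.
SAMPLE_TRACE = r'''
[Thr 7] Tue May 30 16:39:17 2006
[Thr 7] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 7] session uses PSE file "/usr/sap/XIE/DVEBMGS17/sec/SAPSSLA.pse"
[Thr 7] SecudeSSL_SessionStart: SSL_connect() failed
  secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
  ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "CN=HeslogRootCA, DC=heslog, DC=lan"
[Thr 7] SSL socket: local=10.5.41.120:58771 peer=10.4.21.180:8080
[Thr 7] IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 1822]
[Thr 5008] session uses PSE file "E:\usr\sap\IDE\DVEBMGS01\sec\SAPSSLA.pse"
  secude_error 536871970 (0x20000422) = "SSL record with the wrong SSLPlaintext.version received"
[Thr 5008] IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn.c 2031]
[Thr 12] IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH
'''

THREAD = re.compile(r"^\s*\[?Thr\s+(\d+)\]?\s*(.*)$")
QUOTED = r'["«]([^"»]*)["»]'  # real traces use "..."; copies on this page show «...»
PSE = re.compile(r"session uses PSE file\s+" + QUOTED)
SECUDE = re.compile(r"secude_error\s+\d+\s+\(0x[0-9a-fA-F]+\)\s*=\s*" + QUOTED)
CHAIN = re.compile(r"Chain of certificates is incomplete\s*:\s*(.+)$")
PEER = re.compile(r"\bpeer=(\S+)")
FAILED = re.compile(r"SapSSLSessionStart (?:failed|returned) \((-?\d+)\): (SSSLERR_\w+)")

# PSE file name -> STRUST node that holds its certificate list.
STRUST_NODE = {
    "SAPSSLA.pse": "SSL client (Anonymous)",
    "SAPSSLC.pse": "SSL client (Standard)",
    "SAPSSLS.pse": "SSL server Standard",
}

# Hint texts are this example's wording, not SAP documentation.
HINTS = {
    "untrusted-chain": "Import the CA certificate(s) named as missing into the "
                       "certificate list of the PSE the session uses, then restart ICM.",
    "not-tls-on-port": "The peer's answer was not the expected SSL record; check that "
                       "the destination's service number is the HTTPS port.",
    "hostname-mismatch": "The host name used in the destination does not match the "
                         "server certificate; compare short name and fully qualified name.",
    "unclassified": "Not recognised by this script; read the full error stack in dev_icm.",
}

@dataclass
class Failure:
    thread: str
    pse: str = ""
    secude_error: str = ""
    missing_issuer: str = ""
    peer: str = ""
    code: int = 0
    name: str = ""

    def strust_node(self):
        base = re.split(r"[\\/]", self.pse)[-1]  # works for Windows and Unix paths
        return STRUST_NODE.get(base, f"other PSE: {base}" if base else "unknown")

    def category(self):
        err = self.secude_error.lower()
        if self.name == "SSSLERR_SERVER_CERT_MISMATCH":
            return "hostname-mismatch"
        if "sslplaintext.version" in err:
            return "not-tls-on-port"
        if (self.missing_issuer or "certificate chain failed" in err
                or self.name == "SSSLERR_PEER_CERT_UNTRUSTED"):
            return "untrusted-chain"
        return "unclassified"

def parse_trace(text):
    """Collect one Failure per 'SapSSLSessionStart failed' line, grouped by thread."""
    pending, failures, thread = {}, [], None
    for raw in text.splitlines():
        m = THREAD.match(raw)
        if m:
            thread, body = m.group(1), m.group(2)
        else:
            body = raw.strip()  # continuation line: same thread as the line before
        if thread is None or not body:
            continue
        f = pending.setdefault(thread, Failure(thread))
        if (hit := PSE.search(body)):
            f.pse = hit.group(1)
        if (hit := SECUDE.search(body)):
            f.secude_error = hit.group(1)
        if (hit := CHAIN.search(body)):
            f.missing_issuer = hit.group(1).strip(' "«»')  # DN may be cut off in the trace
        if (hit := PEER.search(body)):
            f.peer = hit.group(1)
        if (hit := FAILED.search(body)):
            f.code, f.name = int(hit.group(1)), hit.group(2)
            failures.append(pending.pop(thread))
    return failures

def report(text):
    lines = []
    for f in parse_trace(text):
        cat = f.category()
        issuer = f"; missing issuer: {f.missing_issuer}" if f.missing_issuer else ""
        lines.append(f"Thr {f.thread}: {f.name} ({f.code}) -> {cat}; "
                     f"STRUST node: {f.strust_node()}{issuer}")
        lines.append("  " + HINTS[cat])
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TRACE)))
```

The PSE file named in the trace is the detail to read first: a session that uses SAPSSLA.pse only consults the certificate list of the anonymous SSL client node, so certificates imported under another node do not affect it.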

We are getting the following error in the SXMB_MONI Trace on any message using a receiver adapter residing on the adapter engine. They all previously worked. The error occurs on the Call Adapter step. In the URL below, the is NOT fully qualified, and I know this is the problem, but where is this defined? We are on PI 7.1. This same URL, without the fully qualified host, also shows on SXI_CACHE Goto->Adapter Engine Cache (Adapter Engine URL). Where is the URL defined or at least the host in the URL?

Channel for adapter engine: SFTP

return fresh values from cache
Get logon data for adapter engine (SAI_AE_DETAILS_GET):
URL = https:// :

/MessagingSystem/receive/AFW/XI
User = PIxxxISU
Cached = X
Creating HTTP-client
HTTP-client: creation finished
Security: Basic authentication
Serializing message object.
HTTP-client: sending http-request.
HTTP-client: request sent
HTTP-client: Receiving http-response.
HTTP-Client: exception during receive: HTTP_COMMUNICATION_FAILURE

Additional errors in the Trace:
IcmConnInitClientSSL: SapSSLSessionStart failed (-30): SSSLERR_SERVER_CERT_MISMATCH
Error while receiving by HTTP (error code: 407, error text: ICM_HTTP_SSL_ERROR)

Hi Susan,
Please check the links with the same issue:
Adapter URL — hostname vs FQDN
Error using HTTPS
Internal Server Error in PI 7.1
Regards,
Naveen

Hi,
I had some problem with my RFC connection on SM59.
I get this error ICM_HTTP_SSL_ERROR.
I get this error from the dev_icm file
= Success — SapCryptoLib SSL ready!
Thr 3964
Thr 3964 Started service 443 for protocol HTTPS on host «sapehd1.ssi.ad»(on all adapters) (processing timeout=60, keep_alive_timeout=30)
Thr 3964 Started service 25025 for protocol SMTP on host «sapehd1.ssi.ad»(on all adapters) (processing timeout=60, keep_alive_timeout=30)
Thr 3964 Tue Jun 15 00:00:02 2010
Thr 3964 *** WARNING => IcmNetCheck: NiHostToAddr(www.doesnotexist.qqq.nxst) took 5 seconds [icxxman.c 4586]
Thr 3964 Tue Jun 15 00:00:07 2010
Thr 3964 *** WARNING => IcmNetCheck: NiAddrToHost(10.0.0.1) took 5 seconds [icxxman.c 4606]
Thr 3964 *** WARNING => IcmNetCheck: 2 possible network problems detected — please check the network/DNS settings [icxxman.c 4662]
Thr 5520 Tue Jun 15 00:01:07 2010
Thr 5520 *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
Thr 5520 session uses PSE file «D:\usr\sap\EHD\DVEBMGS00\sec\SAPSSLDIBS.pse»
Thr 5520 SecudeSSL_SessionStart: SSL_connect() failed —
secude_error 9 (0x00000009) = «the verification of the server’s certificate chain failed»
Thr 5520
Begin of Secude-SSL Errorstack
Thr 5520 ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server’s certificate chain failed
ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : «OU=VeriSign Trust Network, OU=»(c) 1998 VeriSign, Inc. — For authorized use only», OU=Class 3 Public Primary Certification Authority — G2, O=»VeriSign, Inc.», C=US»
ERROR in get_path: (24/0x0018) Can’t get path because the chain of certificates is incomplete
Thr 5520 IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn.c 2012]
Any help
Thanks

Hi,
I´m using an instance of the class CL_HTTP_CLIENT to make an HTTP request to a https server. as long as it requires an SSL authentication, it returns an ICM_HTTP_SSL_ERROR error message.
How do I tell my program to ask for user´s certificate, and use it in the http request?
I´m supossed to have hundreds of users online running this application (it´s over SRM 5.0). How can I reach this?
Thanks you very much.
Federico.

Hello Frederico,
>1. By creating a new client, you mean go to «Environment->SSL Client Identitites» in STRUST, right? >Can I use a previously existing one?
I meant to create a new client SSL PSE. By default in a new Netweaver abap system, you have 3 of them : ANONYM, DFAULT and WSSE.
If you need more of them, you can create them with the menu «Go to—>Environment->SSL Client Identitites».
>2. I need this PSE client to have several ‘identitites’, I mean, to include several certificates from all my >users. Is it possible? If it´s not; how should I do so?
It seems that you want a different certificate per user. These client certificates in STRUST are designed to identify a SAP abap system, not human users. If you have 1000 users, you will not create 1000 certificates in STRUST !
Usually, you use only 2 entries here, one for anonymous HTTPS access and one authenticated HTTPS access. It is unusual to have several different identities for the same abap server. But it might be possible : for example, one identity on the intranet and an other one on the Internet.
>3. When I had my new PSE client, and my HTTP RFC destination of type ‘G’ configured to use that >PSE client, and when in abap I instantiate my http client (using CREATE_BY_DESTINATION method, >from CL_HTTP_CLIENT class): How does SAP knows which certificate to use? Because there will be >several users (hundreds) running this code to retrieve their specific data from a third party server.
>How does SAP knows whom certificate must use?
The certificate used will be the one defined in the HTTP destination.
You still seem to make the confusion between server client certificates and users client certificates.
a users client certificate is stored in the user’s PC (or smartcard) and is used for HTTPS connections from the user’s browser to the SSL server, not for an HTTPS connection from the ABAP server to another server.
Regards,
Olivier

Hi experts,
we are encountering a problem with our PI. Until last week our whole system worked fine. Now we are getting an ICM_HTTP_SSL_ERROR when we upload a file to a PI directory.
There is a process implemented that makes an RFC call from PI to ERP. It seems we can't receive the result from the RFC call.
It seems like the Adapter Engine is not available.
Can anyone help pls?
Thx in advance for all answers.

Hello Shabarish,
that seems to be the problem.
Thx for your fast answer.


NW 7.31 SP12
AIX

ST-PI 2008_1_710 SP24
ST-A/PI 01U_731 SP1

SAP Note 510007 has been applied

Result: SSF_API_OK
Информация по версии: 136
SSFLIB Version 1.850.40 ; CommonCryptoLib (SAPCRYPTOLIB)
Version 8.5.22 (+MT) #Copyright (c) SAP, 2011-2018#compiled for aix-6.1-ppc-64#
which is higher than the required 8.4.48

Added to the instance profile:

ssf/name = SAPSECULIB
ssf/ssfapi_lib =$(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
sec/libsapsecu =$(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
ssl/ssl_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
sec/rsakeylengthdefault = 2048
icm/HTTPS/verify_client = 1
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
icm/server_port_2 = PROT=HTTPS,PORT=8001,SSLCONFIG=ssl_config_2,VCLIENT=1,ACLFILE=/sapmnt/SID/profile/ACL/ms_http.acl
icm/ssl_config_2 = CRED=SAPSSLC.pse,VCLIENT=1,CIPHERS=150:PFS:HIGH::EC_P256:EC_HIGH

In DEFAULT.PFL:

SETENV_28 = SAPSSL_CLIENT_SNI_ENABLED=TRUE
SETENV_27 = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_26 = SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
ssl/client_sni_enabled = TRUE
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

----------------------------------------

Here is a link to screenshots of the connection settings in SM59:

https://www.mediafire.com/folder/bx6y636dc6rrz/Photos

----------------------------------------
I tried:
created a new environment entry, an SSL client identity
SAPSUP: SAP Passport for Technical User
algorithm SHA-256, key length 2048
the certificate was requested for this S-user
SSL client for SAP Passport for Technical User

In the instance profile I changed the setting to:

icm/ssl_config_2 = CRED=SAPSSLSAPSUP.pse,VCLIENT=1,CIPHERS=150:PFS:HIGH::EC_P256:EC_HIGH

i.e. it works with neither
the Standard Default Client SSL client
nor
the SSL client for SAP Passport for Technical User
----------------------------------------

The errors are HTTP 403, 404, or ICM_HTTP_SSL_ERROR

Can anyone help?
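The leading numbers in the cipher-suite strings posted above (150 and 135) are bit masks. The following Python is an added example, not part of the original post: it decodes those masks and lists which specs in a profile still admit legacy protocol versions. The flag meanings are an assumption taken from SAP Note 510007, and the function names are hypothetical.

```python
import re

# Bit meanings of the leading number in ssl/ciphersuites and
# ssl/client_ciphersuites, per SAP Note 510007 (assumption: verify against
# the note revision that matches your CommonCryptoLib).
FLAGS = {
    1: "BC (accept SSLv2-format ClientHello)",
    2: "BEST (enable highest supported TLS version)",
    4: "NO_GAP (no gaps between protocol versions)",
    16: "blind sending of client certificate",
    32: "strict protocol version configuration",
    64: "SSLv3",
    128: "TLSv1.0",
    256: "TLSv1.1",
    512: "TLSv1.2",
}
LEGACY = 1 | 64 | 128  # bits that admit SSLv2 hello, SSLv3 or TLSv1.0
SPEC = re.compile(r"=\s*(\d+):([A-Za-z0-9_:]+)")

def decode(spec):
    """Split '150:PFS:HIGH::EC_P256:EC_HIGH' into flag names and tokens."""
    number, _, rest = spec.partition(":")
    value = int(number)
    return {"flags": [n for b, n in FLAGS.items() if value & b],
            "unknown_bits": value & ~sum(FLAGS),
            "tokens": [t for t in rest.split(":") if t]}

def audit(profile_text):
    """Return (parameter, spec, legacy flags) per cipher spec, incl. nested CIPHERS=."""
    findings = []
    for line in profile_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or line.lstrip().startswith("#"):
            continue
        for num, rest in SPEC.findall("=" + value):
            legacy = [n for b, n in FLAGS.items() if b & LEGACY & int(num)]
            findings.append((key.strip(), f"{num}:{rest}", legacy))
    return findings

# Constructed sample: parameter lines copied from the post above.
SAMPLE = """\
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
icm/ssl_config_2 = CRED=SAPSSLC.pse,VCLIENT=1,CIPHERS=150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_27 = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A non-zero `unknown_bits` value points to a mistyped mask rather than a documented option.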

SAP ABAP Message Class SCLNT_HTTP (Messages for HTTP Client for Respective Error Code)

Basic Data

Hierarchy
SAP_BASIS (Software Component) SAP Basis Component
  BC-MID-ICF (Application Component) Internet Communication Framework
    SHTTP (Package) Development Class for HTTP Communication

Attributes
Message class: SCLNT_HTTP
Short Description: Messages for HTTP Client for Respective Error Code
Changed On: 20140121
Last Changed At: 103753

Messages

| # | Message | Message Short Text | Documentation status | Authorization check |
|---|---------|--------------------|----------------------|---------------------|
| 1 | 400 | Connection to server failed (ICM_HTTP_CONNECTION_FAILED) | Space: object requires documentation | |
| 2 | 401 | Connection to server broken (ICM_HTTP_CONNECTION_BROKEN) | Space: object requires documentation | |
| 3 | 402 | Timeout error (ICM_HTTP_TIMEOUT) | Space: object requires documentation | |
| 4 | 403 | Service not available (ICM_HTTP_SERVICE_UNAVAILABLE) | Space: object requires documentation | |
| 5 | 404 | ICM memory request failed (ICM_HTTP_NO_MORE_MEMORY) | Space: object requires documentation | |
| 6 | 405 | Internal ICM error (ICM_HTTP_INTERNAL_ERROR) | Space: object requires documentation | |
| 7 | 406 | ICM authorization error (ICM_HTTP_NO_PERMISSION) | Space: object requires documentation | |
| 8 | 407 | SSL error (ICM_HTTP_SSL_ERROR) | Space: object requires documentation | |
| 9 | 408 | SSL proxy error (ICM_HTTP_SSL_PROXY_ERROR) | Space: object requires documentation | |
| 10 | 409 | ICM_HTTP_NOT_FOUND | The short text describes the object sufficiently | |
| 11 | 410 | Logon failed (ICM_HTTP_UNAUTHORIZED) | Space: object requires documentation | |
| 12 | 411 | Connection refused by server (ICM_HTTP_CONNECTION_REFUSED) | Space: object requires documentation | |
| 13 | 412 | Connection refused by proxy server (ICM_HTTP_PROXY_CONN_REFUSED) | Space: object requires documentation | |
| 14 | 413 | Unknown proxy host name (ICM_HTTP_PROXY_HOST_UNKNOWN) | Space: object requires documentation | |
| 15 | 414 | SSL PSE file not found (ICM_HTTP_SSL_CRED_NOT_FOUND) | Space: object requires documentation | |
| 16 | 415 | Invalid host name in SSL server certificate (ICM_HTTP_SSL_CERT_MISMATCH) | Space: object requires documentation | |
| 17 | 416 | Logon at proxy failed (ICM_HTTP_PROXY_UNAUTHORIZED) | Space: object requires documentation | |
| 18 | 417 | Unknown host name (ICM_HTTP_HOST_UNKNOWN) | Space: object requires documentation | |
| 19 | 418 | No suitable ICM service active (ICM_HTTP_NO_ICM_SERVICE) | Space: object requires documentation | |
| 20 | 419 | SSL is not initialized (ICM_HTTP_SSL_NOT_INITIALIZED) | Space: object requires documentation | |
| 21 | 420 | SSL Server Certificate has expired (ICM_HTTP_SSL_PEER_CERT_EXPIRED) | Space: object requires documentation | |
| 22 | 421 | SSL certificate not trusted (ICM_HTTP_SSL_PEER_CERT_UNTRUSTED) | Space: object requires documentation | |

History
Last changed on/by: 20140121 SAP
SAP Release Created in: 740
