Hi All,
We are performing an upgrade of an NW 7.0 dual-stack system to NW 7.31 SP16 and are using SUM SP13 Patch5.
During the step "Specify User credentials", SUM gives an error that it is not able to fetch instance properties using HTTPS:
sapcontrol -nr 1 -host camgsdp1 -prot NI_HTTPS -function GetProcessList
sapparam: sapargv( argc, argv) has not been called.
sapparam(1c): No Profile used.
sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline
15.09.2015 15:39:29
GetProcessList
FAIL: SSSLERR_SSL_CONNECT, SapSSLSessionStart failed in plugin_fopen()
We also ran this command in debug mode, which also gives an error:
sapcontrol -debug -nr 1 -host camgsdp1 -prot NI_HTTPS -function GetProcessList
Tue Sep 15 14:39:03 2015
NiIInit: allocated nitab (2048 at 6000000000674150)
NiIHSBufInit: initialize hostname buffer (IPv4)
NiHLInit: alloc host buf (100 entries)
NiSrvLInit: alloc serv bufs (100 entries)
***LOG Q0I=> NiPGetServByName: 'sapctrls01' not found: getaddrinfo (9: Bad file number) [niuxi.c 1823]
NiSrvLGetServNo: service name 'sapctrls01' not found by operating system
<<- SapSSLSetTraceFile()==SAP_O_K
->> SapSSLInit(read_profile=0, &init_params=87ffffffffff1190, &return_reserved=0000000000000000)
=================================================
= SSL Initialization platform tag=(hpia64_11.23_64)
= (720_REL,Jul 5 2014,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
SapISSLComposeFilename(ssl_lib): using default "libsapcrypto.so"
DlLoadLib() success: dlopen("libsapcrypto.so"), hdl 0
DlLoadFunc (SSL_API_startup) from libsapcrypto.so
DlLoadFunc (SSL_API_cleanup) from libsapcrypto.so
DlLoadFunc (SSL_API_get_last_error) from libsapcrypto.so
DlLoadFunc (SSL_check_last_io) from libsapcrypto.so
DlLoadFunc (SSL_new) from libsapcrypto.so
DlLoadFunc (SSL_duplicate) from libsapcrypto.so
DlLoadFunc (SSL_set_session_by_ssl) from libsapcrypto.so
DlLoadFunc (SSL_clear) from libsapcrypto.so
DlLoadFunc (SSL_set_fd) from libsapcrypto.so
DlLoadFunc (SSL_accept) from libsapcrypto.so
DlLoadFunc (SSL_connect) from libsapcrypto.so
DlLoadFunc (SSL_set_verify_mode) from libsapcrypto.so
DlLoadFunc (SSL_set_options) from libsapcrypto.so
DlLoadFunc (SSL_get_state) from libsapcrypto.so
DlLoadFunc (SSL_read) from libsapcrypto.so
DlLoadFunc (SSL_write) from libsapcrypto.so
DlLoadFunc (SSL_peek) from libsapcrypto.so
DlLoadFunc (SSL_pending) from libsapcrypto.so
DlLoadFunc (SSL_set_shutdown_mode) from libsapcrypto.so
DlLoadFunc (SSL_shutdown) from libsapcrypto.so
DlLoadFunc (SSL_free) from libsapcrypto.so
DlLoadFunc (SSL_renegotiate) from libsapcrypto.so
DlLoadFunc (SSL_do_handshake) from libsapcrypto.so
DlLoadFunc (SSL_is_session_resumed) from libsapcrypto.so
DlLoadFunc (SSL_get_session) from libsapcrypto.so
DlLoadFunc (SSL_get_state_description_long) from libsapcrypto.so
DlLoadFunc (SSL_get_certificate_request_ca_dnames) from libsapcrypto.so
DlLoadFunc (SSL_CTX_new) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_default_pse_by_name) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_default_verify_mode) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_options) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_session_cache_mode) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_session_cache_max_items) from libsapcrypto.so
DlLoadFunc (SSL_CTX_get_session_cache_number) from libsapcrypto.so
DlLoadFunc (SSL_CTX_get_default_cipher_suites) from libsapcrypto.so
DlLoadFunc (SSL_CTX_set_default_cipher_suites) from libsapcrypto.so
DlLoadFunc (SSL_CTX_flush_session_cache) from libsapcrypto.so
DlLoadFunc (SSL_CTX_free) from libsapcrypto.so
DlLoadFunc: dlsym(SSL_CTX_set_protocol_version_flags)= dlsym: Unknown symbol SSL_CTX_set_protocol_version_flags -> DLENOACCESS
DlLoadFunc: dlsym(SSL_CTX_get_protocol_version_flags)= dlsym: Unknown symbol SSL_CTX_get_protocol_version_flags -> DLENOACCESS
DlLoadFunc: dlsym(SSL_get_protocol_version_numbers)= dlsym: Unknown symbol SSL_get_protocol_version_numbers -> DLENOACCESS
DlLoadFunc (SSL_get_peer_certificates) from libsapcrypto.so
DlLoadFunc (SSL_CIPHER_SUITE_get_name_info) from libsapcrypto.so
DlLoadFunc (SSL_CIPHER_SUITE_get_info) from libsapcrypto.so
DlLoadFunc (SSL_CIPHER_SUITE_get_sym_key_size) from libsapcrypto.so
DlLoadFunc (SSL_get_cipher_suite_used) from libsapcrypto.so
DlLoadFunc (SSL_get_cipher_suite_used_id) from libsapcrypto.so
DlLoadFunc (SSL_get_cipher_suites) from libsapcrypto.so
DlLoadFunc (SSL_get_cipher_suites_peer) from libsapcrypto.so
DlLoadFunc (SSL_SESSION_set_timeout) from libsapcrypto.so
DlLoadFunc (SSL_SESSION_get_session_id) from libsapcrypto.so
DlLoadFunc (aux_sprint_error) from libsapcrypto.so
DlLoadFunc (th_last_error) from libsapcrypto.so
DlLoadFunc (th_get_last_error_text) from libsapcrypto.so
DlLoadFunc (aux_free) from libsapcrypto.so
DlLoadFunc (aux_free_error) from libsapcrypto.so
DlLoadFunc (aux_get_Certificate_n_from_Certificates) from libsapcrypto.so
DlLoadFunc (aux_get_tbs_DERcode_of_Certificate) from libsapcrypto.so
DlLoadFunc (e_Certificate) from libsapcrypto.so
DlLoadFunc (aux_get_serialnumber_of_Certificate) from libsapcrypto.so
DlLoadFunc (aux_get_subject_of_Certificate) from libsapcrypto.so
DlLoadFunc (aux_get_issuer_of_Certificate) from libsapcrypto.so
DlLoadFunc (aux_cmp_DName) from libsapcrypto.so
DlLoadFunc (aux_sprint_DName) from libsapcrypto.so
DlLoadFunc (aux_free_String) from libsapcrypto.so
DlLoadFunc (aux_free_OctetString) from libsapcrypto.so
DlLoadFunc (aux_putenv) from libsapcrypto.so
DlLoadFunc (sapcr_init) from libsapcrypto.so
DlLoadFunc (sapcr_done) from libsapcrypto.so
DlLoadFunc (sapcr_get_version) from libsapcrypto.so
DlLoadFunc (sapcr_get_secudir) from libsapcrypto.so
DlLoadFunc (sapcr_set_secudir) from libsapcrypto.so
DlLoadFunc (sapcr_config) from libsapcrypto.so
DlLoadFunc: dlsym(sapsecu_create_CertEntryList)= dlsym: Unknown symbol sapsecu_create_CertEntryList -> DLENOACCESS
DlLoadFunc: dlsym(sapsecu_free_CertEntryList)= dlsym: Unknown symbol sapsecu_free_CertEntryList -> DLENOACCESS
DlLoadFunc: dlsym(sapsecu_sprint_CertEntryList)= dlsym: Unknown symbol sapsecu_sprint_CertEntryList -> DLENOACCESS
DlLoadFunc (sap_create_memory_PSE) from libsapcrypto.so
DlLoadFunc (sap_delete_memory_PSE) from libsapcrypto.so
DlLoadFunc (sap_load_memory_PSE) from libsapcrypto.so
= found SAPCRYPTOLIB 5.5.5C pl21 (May 7 2007) MT-safe
= current UserID: "ppxadm", env-var USER="ppxadm"
= found SECUDIR environment variable
= using SECUDIR=/usr/sap/PPX/DVEBMGS01/sec
sapparam: sapargv(argc, argv) has not been called!
sapparam(1c): No Profile used.
sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline
SapISSLComposeFilename(client_pse): using default "/usr/sap/PPX/DVEBMGS01/sec/SAPSSLC.pse"
= The Client SSL_CTX
= provides this ordered list of 7 ciphersuites:
= 1. SSL_RSA_WITH_RC4_128_SHA
= 2. SSL_RSA_WITH_RC4_128_MD5
= 3. SSL_RSA_WITH_3DES_EDE_CBC_SHA
= 4. SSL_RSA_WITH_DES_CBC_SHA
= 5. SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
= 6. SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
= 7. SSL_RSA_EXPORT_WITH_RC4_40_MD5
= Success -- SapCryptoLib SSL ready!
=================================================
<<- SapSSLInit(read_profile=0)==SAP_O_K
NiInit3: NI already initializes (init=1;cur=2048)
addrinfo of 'camgsdp1 ':
0: 10.199.128.8:0 'camgsdp1 .nike.com' RAW (0-2-3-0-16)
NiHLGetNodeAddr: got hostname 'camgsdp1 ' from operating system
NiIGetNodeAddr: hostname 'camgsdp1 ' = addr 10.199.128.8
NiIGetServNo: servicename '50114' = port 50114
NiICreateHandle: hdl 1 state NI_INITIAL_CON
NiIInitSocket: set default settings for new hdl 1/sock 4 (UD; ST)
NiIBlockMode: set blockmode for hdl 1 FALSE
NiITraceByteOrder: CPU byte order: big endian, network, high val..low val
NiIConnectSocket: hdl 1 is connecting to /tmp/.sapstream50114 (timeout=-1)
NiIConnectSocket: connection of hdl 1 established to /tmp/.sapstream50114
NiIConnect: state of hdl 1 NI_CONNECTED
NiIBlockMode: set blockmode for hdl 1 TRUE
->> SapSSLSessionInit(&sssl_hdl=87fffffffffed508, role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT))
<<- SapSSLSessionInit()==SAP_O_K
in: args = "role=1 (CLIENT), auth_type=3 (USE_CLIENT_CERT)"
out: sssl_hdl = 60000000007a5e70
->> SapSSLSetNiHdl(sssl_hdl=60000000007a5e70, ni_hdl=1)
NiIBlockMode: leave blockmode for hdl 1 TRUE
SSL NI-sock: unix domain socket="/tmp/.sapstream50114"
<<- SapSSLSetNiHdl(sssl_hdl=60000000007a5e70, ni_hdl=1)==SAP_O_K
->> SapSSLSetTargetHostname(sssl_hdl=60000000007a5e70, &hostname=87fffffffffed530)
<<- SapSSLSetTargetHostname(sssl_hdl=60000000007a5e70)==SAP_O_K
in: hostname = "camgsdp1 "
->> SapSSLSessionStart(sssl_hdl=60000000007a5e70)
SapISSLUseSessionCache(): Creating NEW session (0 cached)
Tue Sep 15 14:39:04 2015
*** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
session uses PSE file "/usr/sap/PPX/DVEBMGS01/sec/SAPSSLC.pse"
SecudeSSL_SessionStart: SSL_connect() failed --
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
>> ---------- Begin of Secude-SSL Errorstack ---------- >>
ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (101/0x0065) Certificate expired (notbefore=050829203734Z, notafter=060829203734Z, now=150915213904Z)
ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=050829203734Z, notafter=060829203734Z, now=150915213904Z)
<< ---------- End of Secude-SSL Errorstack ----------
SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
No certificate request received from Server
<<- ERROR: SapSSLSessionStart(sssl_hdl=60000000007a5e70)==SSSLERR_SSL_CONNECT
NiICloseHandle: shutdown and close hdl 1/sock 4
->> SapSSLSessionDone(&sssl_hdl=87fffffffffed508)
<<- SapSSLSessionDone()==SAP_O_K
in: sssl_hdl = 60000000007a5e70
... ni_hdl = 1
->> SapSSLErrorName(rc=-57)
<<- SapSSLErrorName()==SSSLERR_SSL_CONNECT
15.09.2015 14:39:04
GetProcessList
FAIL: SSSLERR_SSL_CONNECT (Bad file number), SapSSLSessionStart failed in plugin_fopen()
The debug output shows that some certificate has expired, but I checked at the ABAP level and the Java level and do not see any certificate that expired on 29 Aug 2006.
We have also recently refreshed this system.
SSL is not even configured in our system, and we are not sure why SUM is forcing the use of SSL.
SMICM also does not have any HTTPS port active.
Please suggest how we can solve this problem: which expired certificate is SUM checking, and is there a way to not use SSL during the SUM instance check?
Regards,
Shivam
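
An added example, not part of the original post: a Python sketch that pulls the expired certificate's validity window and the offered cipher suites out of a sapcontrol -debug trace like the one above. The function names and the list of weak-suite markers are this example's own assumptions; the trace lines are excerpted from the post.

```python
import re
from datetime import datetime

# Lines excerpted from the sapcontrol -debug trace quoted in the post.
TRACE = '''\
= 1. SSL_RSA_WITH_RC4_128_SHA
= 3. SSL_RSA_WITH_3DES_EDE_CBC_SHA
= 5. SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
ERROR in af_verify_Certificates: (101/0x0065) Certificate expired (notbefore=050829203734Z, notafter=060829203734Z, now=150915213904Z)
ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=050829203734Z, notafter=060829203734Z, now=150915213904Z)
'''

UTCTIME = "%y%m%d%H%M%SZ"  # timestamps are printed as YYMMDDHHMMSSZ
EXPIRED = re.compile(r"Certificate expired \(notbefore=(\d{12}Z), "
                     r"notafter=(\d{12}Z), now=(\d{12}Z)\)")
PEER = re.compile(r"verification of the (\w+)'s certificate chain failed")
SUITE = re.compile(r"^=\s*\d+\.\s+(SSL_\w+)", re.M)
# Substrings this example treats as weak; "DES" also matches 3DES and DES40.
WEAK = ("EXPORT", "RC4", "RC2", "DES", "MD5")


def expired_certs(trace):
    """One record per distinct expired validity window in the error stack."""
    peer = PEER.search(trace)
    seen, found = set(), []
    for window in EXPIRED.findall(trace):
        if window in seen:  # nested functions report the same certificate
            continue
        seen.add(window)
        nb, na, now = (datetime.strptime(t, UTCTIME) for t in window)
        found.append({"presented_by": peer.group(1) if peer else "unknown",
                      "not_before": nb, "not_after": na, "checked_at": now,
                      "days_expired": (now - na).days})
    return found


def weak_suites(trace):
    """Map each offered cipher suite to the weak markers found in its name."""
    hits = {}
    for name in SUITE.findall(trace):
        tokens = [w for w in WEAK if w in name]
        if tokens:
            hits[name] = tokens
    return hits


if __name__ == "__main__":
    for cert in expired_certs(TRACE):
        print(cert)
    print(weak_suites(TRACE))
```

Run against the full trace, the same functions report which side presented the expired certificate and how long ago it lapsed, which narrows where to look for it.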