Ashutosh Chaturvedi

SUM SP13-14 – FAIL: SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND)

Hi All,

When running SUM, we get the errors below.

ERROR 1 :  Specify Credential Phase

The following problem has occurred during step execution: com.sap.sdt.tools.sysinfo.InstanceDetectorException: The update tool was unable to connect to the SAPControl web service on any of the detected instance numbers. Check that the SAP Start Services are running for all instances in the cluster. See SAP Note 1401712 for further information.

The update tool is unable to detect the instances information for instance number: 0 on host: null via the SAPCONTROL web service API. Either the SAP Start Service associated with this instance is not running or a required functionality is not supported by the current version of the Kernel. See SAP Note 1401712 for further information.

Sapcontrol client could not perform action get instance properties on instance 0

Return code condition success evaluated to false for process sapcontrol for action get instance properties

ERROR 2 : Execution Phase

Could not start instance with number 5. Could not send the command to start the instance with number <$$> on host <hostname>. Detected the instance check started has an Gateway feature. It cannot be handled by SUM and will be ignored.  Return code condition success evaluated to false for process sapcontrol for action check started.

You need to open the corresponding INPUT_USER_PASSWORD_01.log and RESTART-SYSTEM-JAVAONLY_XX.LOG.

Jan 22, 2016 11:07:17 AM [Info  ]: Process ID 49, name sapcontrol has been started.

Jan 22, 2016 11:07:17 AM [Info  ]:   Command line: sapcontrol -nr 0 -host localhost -user <sid>adm <SecureField> -prot NI_HTTPS -function GetInstanceProperties

Jan 22, 2016 11:07:17 AM [Info  ]:   Standard out: F:\sum\SUM\sdt\tmp\SAPCONTROL_GETINSTANCEPROPERTIES_0_08.OUT

Jan 22, 2016 11:07:17 AM [Info  ]: Process ID 49 has been started.

Jan 22, 2016 11:07:17 AM [Info  ]: Waiting for process ID 49, name sapcontrol to finish.

Jan 22, 2016 11:07:17 AM [Info  ]: Process ID 49, name sapcontrol has been finished, exit code 1.

Since the exit code is 1, sapcontrol has ended with an error. Copy the command from the corresponding log file and run it at the command prompt (or at OS level on Unix/Linux). When you run the command, you will get the error SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND):

sapcontrol -nr 0 -host localhost -user <sid>adm <SecureField> -prot NI_HTTPS -function GetInstanceProperties

sapparam: sapargv(argc, argv) has not been called!

sapparam(1c): No Profile used.

sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline

22.01.2016 11:45:16

GetInstanceProperties

FAIL: SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND: The specified class was not found.), SapSSLSessionStart failed in plugin_fopen()

Run the same command again with the additional argument -debug:

sapcontrol -nr 0 -host localhost -user <sid>adm <SecureField> -prot NI_HTTPS -function GetInstanceProperties -debug

You will get a trace of the problem with SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND)


Analyze the log. Now copy the content from BEGIN CERTIFICATE to END CERTIFICATE into Notepad and save the file with a .cer extension.

Save the file with .cert extension.

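Now add this certificate to your SAPSSLC.PSE file with the command below. The command adds the certificate to the trusted certificates of that PSE, so confirm that it is the certificate of your own instance before importing it.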

sapgenpse maintain_pk -p SAPSSLC.PSE -a <Give the location of .cert file>

Once done, retry the step in SUM.

With Regards

Ashutosh Chaturvedi
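
The certificate copied from the -debug trace becomes trusted by sapcontrol once it is added to SAPSSLC.PSE, so it is worth fingerprinting before the import. The shell functions below are an added example, not part of the original post: they extract the first certificate block from a saved trace and compare its SHA-256 fingerprint with one obtained from a source you trust. Assumptions: GNU base64 and sha256sum are available, the trace was saved to a text file with the PEM lines unprefixed, and all function names and the sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumes GNU coreutils (base64, sha256sum) and a trace saved to a text file.

# Print the first PEM certificate block found in trace file $1 (CR stripped).
pem_from_trace() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        sed '/-----END CERTIFICATE-----/q' | tr -d '\r'
}

# Print the SHA-256 of the decoded (DER) certificate bytes as lowercase hex.
# Fails when the trace holds no certificate, instead of hashing empty input.
der_sha256() {
    body=$(pem_from_trace "$1" | grep -v -- '-----' | tr -d ' \t\n')
    [ -n "$body" ] || return 1
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Compare the trace certificate with an expected fingerprint ($2, any case,
# colons allowed). Returns 0 on match, 1 on mismatch, 2 if no certificate.
verify_trace_cert() {
    actual=$(der_sha256 "$1") || { echo "no certificate in $1" >&2; return 2; }
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "match: $actual"
    else
        echo "MISMATCH: trace=$actual expected=$expected" >&2
        return 1
    fi
}

# Constructed sample: not real sapcontrol output, not a valid X.509 certificate.
write_sample_trace() {
    printf '%s\r\n' '->> constructed trace line' \
        '-----BEGIN CERTIFICATE-----' '  Q09OU1RSVUNU' '  RUQtU0FNUExF' \
        '-----END CERTIFICATE-----' '<<- constructed trace line' > "$1"
}

tmp=$(mktemp) && write_sample_trace "$tmp"
echo "fingerprint of certificate in trace: $(der_sha256 "$tmp")"
rm -f "$tmp"
```

For a real certificate, the value printed by der_sha256 is the same digest that `openssl x509 -noout -fingerprint -sha256 -in <file>` reports in uppercase with colons, which verify_trace_cert accepts as the expected value.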


      24 Comments
      Subhash Chandra

      Nicely explained issues & their solution.

      Regards,

      Subhash

      Ashutosh Chaturvedi
      Blog Post Author

      Thank you Subhash sir!!!

      SK. Nurujjaman

      Very Good.

      Former Member

      Thanks, Chaturvedi.

      Former Member

      Hi Ash,

      I believe your suggestion will fix my issue, but I am stuck on the last part and have never run sapgenpse command before. I tried executing in the exe directory, here is my result.

      $ sapgenpse maintain_pk -p SAPSSLC.PSE -a <file path>/new.cer

      maintain_pk: Couldn't open PSE "/usr/sap/<SID>/DVEBMGS00/sec/SAPSSLC.PSE" (Token application not existing)

      Any thoughts?

      Thanks, and good timing on the blog! I have been stuck on this for two days, SAP message is not helping.

      Ashutosh Chaturvedi
      Blog Post Author

      Dear Davis,

      You need to have .pse file in your sec folder /usr/sap/<SID>/DVEBMGS00/sec

      Just follow the steps and if possible please attach the trace


      sapcontrol -nr 0 -host localhost -user <sid>adm <SecureField> -prot NI_HTTPS -function GetInstanceProperties -debug



      SSL Client PSEs - System Security - SAP Library


      Sorry for the late response!!!


      With Regards

      Ashutosh Chaturvedi

      Former Member

      Hi Ash,

      You're correct, I resolved this by moving the file into /usr/sap/<SID>/DV*/sec and it worked, I am past my issue now. Thanks for the assistance on this.

      Also, there is an unreleased note for these same instructions: 2177490. I was told it is unreleased because it is used as an emergency fix during upgrade.

      Thanks,
      Zach

      Ashutosh Chaturvedi
      Blog Post Author

      Hi Davis,

      But I think SAP has not released any SAP Note for this issue as yet. There is only one SAP Note which is related to SSSLERR_PEER_CERT_UNTRUSTED, where they are asking to update the SAP cryptolib package.


      But still happy that it has resolved your issue. I think SAP should give me a credit for this 😛 .

      With Regards

      Ashutosh Chaturvedi

      Anurag Das

      Really Very Helpful Info Ashutosh Sir. Keep it up.

      Artem Ivashkin

      Hi Ashutosh!

      Perfect and elegant solution that works!

      Regards,

      Artem

      REMY DETREZ

      Thx,

      The problem exists in SP16 too.

      BR

      Former Member

      and exists in SUM SP17 as well. Thanks Ashutosh for a simple yet elegant solution.

      Rupesh Shivathare

      Hi Ashutosh,

      It worked perfectly with SUM SP16 also.

      Thanks for your helpful blog.

      Regards,

      Rupesh

      Ashutosh Chaturvedi
      Blog Post Author

      Thank you Rupesh Shivathare, Manohar Vinapamula, REMY DETREZ and Artem Ivashkin for your valuable comments.

      I will update the name of the blog.

      With Regards

      Ashutosh Chaturvedi

      Andreas Klenk

      Thank you.

      Still works for the current SP 17 PL 10 , too.

      Former Member

      Thank you so much, Ashutosh, your solution worked for me in SUM 17 as well.

      Kevin Vira

      Hi,
      This worked for me as well. Thanks.

      Former Member

      Great! This works!! Thanks a lot

      Former Member

      Hi Ashutosh

      I don't have SAPSSLC.PSE in the sec directory and am having the same issue, can you please help?

      <<- ERROR: SapSSLSessionStart(sssl_hdl=110954690)==SSSLERR_PEER_CERT_UNTRUSTED
      NiICloseHandle: shutdown and close hdl 1/sock 3
      ->> SapSSLSessionDone(&sssl_hdl=fffffffffff0978)
      <<- SapSSLSessionDone()==SAP_O_K
      in: sssl_hdl = 110954690
      ... ni_hdl = 1
      ->> SapSSLErrorName(rc=-102)
      <<- SapSSLErrorName()==SSSLERR_PEER_CERT_UNTRUSTEDGetInstanceProperties
      FAIL: SSSLERR_PEER_CERT_UNTRUSTED, SapSSLSessionStart failed in plugin_fopen()

      Former Member

      Hi Ashutosh,

      Thank you very much for the solution.  I know the following may sound like I'm criticizing your solution.  Please let me assure you, I'm not.   It was EXTREMELY helpful.

      I must admit, that even though the solution worked, I was a bit skeptical.   I wanted to understand why it worked.  Even more so, I wanted to understand what we did wrong in setting up our system, if this step was really required, and/or what SAP did that broke this and why there is no SAP note on this.   Admittedly, I still don't understand this well, but I think I understand it better.

      I believe the root cause of this issue is that in newer releases, the file SAPSSLC.pse is being generated, does not contain any credentials, and sapcontrol is using it.

      I think problem occurs because of 2 changes:

      • The SAPSSLC.pse file was not created in the past  (Re: Note 2442966 - Do not generate SAPSSLC.pse and SAPSSLA.pse in ICM)  The note says it is only applicable to ABAP, but SAPSSLC.pse was automatically created on our Java only system and caused this issue.   The note says to delete the SAPSSLC.pse file.   Although I didn't test this, I think it would work also (see my next point)
      • sapcontrol did not use the file in the past (Re: 1642340 - sapcontrol SSL usage).   According to this note, sapcontrol will use SAPSSLC.pse if it exists, but if it doesn't sapcontrol will use SAPSSLS.pse (which has valid entries)

       

      Another thing I found is that if you use NWA instead of sapgenpse to do what you suggested, NWA will not allow it.  If you export only the Certificate from ICM_SSL_<instance_ID> , NWA will not allow you to "Export View to PSE" (update SAPSSLC.pse) after importing only the Certificate to CLIENT_ICM_SSL_<instance_ID>.   NWA requires you to have both a PRIVATE KEY and a CERTIFICATE entry in order to "Export View to PSE" (update SAPSSLC.pse).

      I plan to open a message with SAP on this.  Hopefully they'll put a note out on this and tell us what really needs to be done because a lot of people have been reporting this issue.

      Former Member

      Thank you very much, you saved my day.

      Former Member

      Thank you very much.. it helped us and saved a lot of time.

      Vijish An

      Works for SP24 as well, thanks a lot. This blog was a saviour.

      Sindri Onundarsson

      Saved my production upgrade, did not get this error on either sandbox or development. Many thanks!