
# SUM SP13-14 – FAIL: SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND)

Hi All,

When running SUM, we get the errors below.

ERROR 1 :  Specify Credential Phase

The following problem has occurred during step execution: com.sap.sdt.tools.sysinfo.InstanceDetectorException: The update tool was unable to connect to the SAPControl web service on any of the detected instance numbers. Check that the SAP Start Services are running for all instances in the cluster. See SAP Note 1401712 for further information.

The update tool is unable to detect the instances information for instance number: 0 on host: null via the SAPCONTROL web service API. Either the SAP Start Service associated with this instance is not running or a required functionality is not supported by the current version of the Kernel. See SAP Note 1401712 for further information.

Sapcontrol client could not perform action get instance properties on instance 0

Return code condition success evaluated to false for process sapcontrol for action get instance properties

ERROR 2 : Execution Phase

Could not start instance with number 5. Could not send the command to start the instance with number <> on host <hostname>. Detected the instance check started has an Gateway feature. It cannot be handled by SUM and will be ignored.  Return code condition success evaluated to false for process sapcontrol for action check started.

You need to open the corresponding INPUT_USER_PASSWORD_01.log and RESTART-SYSTEM-JAVAONLY_XX.LOG.

Jan 22, 2016 11:07:17 AM [Info  ]: Process ID 49, name sapcontrol has been started.

Jan 22, 2016 11:07:17 AM [Info  ]:   Command line: sapcontrol -nr 0 -host localhost -user <sid>adm <SecureField> -prot NI_HTTPS -function GetInstanceProperties

Jan 22, 2016 11:07:17 AM [Info  ]:   Standard out: F:\sum\SUM\sdt\tmp\SAPCONTROL_GETINSTANCEPROPERTIES_0_08.OUT

Jan 22, 2016 11:07:17 AM [Info  ]: Process ID 49 has been started.

Jan 22, 2016 11:07:17 AM [Info  ]: Waiting for process ID 49, name sapcontrol to finish.

Jan 22, 2016 11:07:17 AM [Info  ]: Process ID 49, name sapcontrol has been finished, exit code 1.

Since the exit code is 1, sapcontrol has ended in error. Copy the command from the corresponding log file and run it at the command prompt (or at OS level on Unix/Linux). When you run the command, you will get the error SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND):

sapcontrol -nr 0 -host localhost -user <sid>adm <SecureField> -prot NI_HTTPS -function GetInstanceProperties

sapparam: sapargv(argc, argv) has not been called!

sapparam(1c): No Profile used.

sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline

22.01.2016 11:45:16

GetInstanceProperties

FAIL: SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND: The specified class was not found.), SapSSLSessionStart failed in plugin_fopen()

Run the same command again with the additional argument -debug:

sapcontrol -nr 0 -host localhost -user <sid>adm <SecureField> -prot NI_HTTPS -function GetInstanceProperties -debug

You will get a trace of the problem with SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND)

Analyze the log. Copy the content from BEGIN CERTIFICATE to END CERTIFICATE into Notepad and save the file with the .cer extension.

Save the file with .cert extension.

Now add this certificate to your SAPSSLC.PSE file by running the command below.

sapgenpse maintain_pk -p SAPSSLC.PSE -a <Give the location of .cert file>

Once done, retry the step in SUM.

With Regards

Ashutosh Chaturvedi
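A certificate copied out of a debug trace becomes a trust anchor once it is in SAPSSLC.PSE, so it is worth confirming what it is before the `sapgenpse maintain_pk` step. The script below is an added example, not part of the original post: it extracts the single PEM block from a saved `-debug` trace and prints subject, issuer, expiry and SHA-256 fingerprint with `openssl` for comparison against the certificate held on the server side. The trace layout, file names and function names are assumptions, and the sample trace is constructed.

```shell
#!/usr/bin/env bash
# Added example: extract the peer certificate from a saved `sapcontrol ... -debug`
# trace and show its identity before it is added to SAPSSLC.PSE.

# Constructed sample trace (placeholder base64, not a real certificate).
sample_trace() {
cat <<'EOF'
->> SapSSLSessionStart(sssl_hdl=0x1)
  Peer certificate (constructed placeholder):
  -----BEGIN CERTIFICATE-----
  Q09OU1RSVUNURUQt
  UExBQ0VIT0xERVI=
  -----END CERTIFICATE-----
<<- ERROR: SapSSLSessionStart()==SSSLERR_PEER_CERT_UNTRUSTED
EOF
}

# Print every PEM certificate block in trace file $1, stripping indentation
# and Windows carriage returns so the result is a clean PEM file.
extract_pem() {
  awk '
    { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
    inside { print }
    /^-----END CERTIFICATE-----$/ { inside = 0 }
  ' "$1"
}

# Number of certificate blocks found in trace file $1.
count_certs() {
  extract_pem "$1" | awk '/^-----BEGIN CERTIFICATE-----$/ { n++ } END { print n + 0 }'
}

# Write the certificate to $2 only if the trace holds exactly one complete
# block; with zero or several, a person has to decide what to trust.
save_peer_cert() {
  [ "$(count_certs "$1")" -eq 1 ] || { echo "expected exactly one certificate in $1" >&2; return 1; }
  extract_pem "$1" > "$2"
  tail -n 1 "$2" | grep -q '^-----END CERTIFICATE-----$' || { echo "certificate block is truncated" >&2; rm -f "$2"; return 1; }
}

# Identity of the certificate, to compare with the server's own certificate.
show_identity() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Usage: script.sh <saved-trace> <output.cer>; import only after the values match:
#   sapgenpse maintain_pk -p SAPSSLC.PSE -a <output.cer>
if [ "$#" -eq 2 ]; then
  save_peer_cert "$1" "$2" && show_identity "$2"
fi
```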

• Nicely explained issues & their solution.

Regards,

Subhash

• Very Good.

• thanks Chaturvedi .

• Hi Ash,

I believe your suggestion will fix my issue, but I am stuck on the last part and have never run sapgenpse command before. I tried executing in the exe directory, here is my result.

$ sapgenpse maintain_pk -p SAPSSLC.PSE -a <file path>/new.cer

maintain_pk: Couldn’t open PSE “/usr/sap/<SID>/DVEBMGS00/sec/SAPSSLC.PSE” (Token application not existing)

Any thoughts?

Thanks, and good timing on the blog! I have been stuck on this for two days, SAP message is not helping.

• Former Member Post author

Dear Davis,

You need to have .pse file in your sec folder /usr/sap/<SID>/DVEBMGS00/sec

sapcontrol -nr 0 -host localhost -user <sid>adm <SecureField> -prot NI_HTTPS -function GetInstanceProperties -debug

SSL Client PSEs – System Security – SAP Library

Sorry for the late response!!!.

With Regards

Ashutosh Chaturvedi

• Hi Ash,

You’re correct, I resolved this by moving the file into /usr/sap/<SID>/DV*/sec and it worked, I am past my issue now. Thanks for the assistance on this.

Also, there is an unreleased note for these same instructions: 2177490. I was told it is unreleased because it is used as an emergency fix during upgrade.

Thanks,
Zach

• Former Member Post author

Hi Davis,

But I think SAP has not released any SAP Note for this issue as yet. There is only one SAP Note related to SSSLERR_PEER_CERT_UNTRUSTED, where they ask to update the SAP Cryptolib package.

But still happy that it has resolved your issue. I think SAP should give me a credit for this 😛 .

With Regards

Ashutosh Chaturvedi

• Really Very Helpful Info Ashutosh Sir. Keep it up.

• Hi Ashutosh!

Perfect and elegant solution that works!

Regards,

Artem

• Thx,

The problem exists in SP16 too.

BR

• and exists in SUM SP17 as well. Thanks Ashutosh for a simple yet elegant solution.

• It worked perfectly with SUM SP16 also.

Regards,

Rupesh

• Thank you.

Still works for the current SP 17 PL 10 , too.

• Thank you so much, Ashutosh, your solution worked for me in SUM 17 as well.

• Hi,
This worked for me as well. Thanks.

• Great! This works!! Thanks a lot

• Hi Ashutosh

I don’t have SAPSSLC.PSE in sec directory and am having the same issue, can you please help?

<<- ERROR: SapSSLSessionStart(sssl_hdl=110954690)==SSSLERR_PEER_CERT_UNTRUSTED
NiICloseHandle: shutdown and close hdl 1/sock 3
->> SapSSLSessionDone(&sssl_hdl=fffffffffff0978)
<<- SapSSLSessionDone()==SAP_O_K
in: sssl_hdl = 110954690
… ni_hdl = 1
->> SapSSLErrorName(rc=-102)
<<- SapSSLErrorName()==SSSLERR_PEER_CERT_UNTRUSTED
GetInstanceProperties
FAIL: SSSLERR_PEER_CERT_UNTRUSTED, SapSSLSessionStart failed in plugin_fopen()

• Hi Ashutosh,

Thank you very much for the solution.  I know the following may sound like I’m criticizing your solution.  Please let me assure you, I’m not.   It was EXTREMELY helpful.

I must admit, that even though the solution worked, I was a bit skeptical.   I wanted to understand why it worked.  Even more so, I wanted to understand what we did wrong in setting up our system, if this step was really required, and/or what SAP did that broke this and why there is no SAP note on this.   Admittedly, I still don’t understand this well, but I think I understand it better.

I believe the root cause of this issue is that in newer releases, the file SAPSSLC.pse is being generated, does not contain any credentials, and sapcontrol is using it.

I think the problem occurs because of 2 changes:

• The SAPSSLC.pse file was not created in the past  (Re: Note 2442966 – Do not generate SAPSSLC.pse and SAPSSLA.pse in ICM)  The note says it is only applicable to ABAP, but SAPSSLC.pse was automatically created on our Java only system and caused this issue.   The note says to delete the SAPSSLC.pse file.   Although I didn’t test this, I think it would work also (see my next point)
• sapcontrol did not use the file in the past (Re: 1642340 – sapcontrol SSL usage).   According to this note, sapcontrol will use SAPSSLC.pse if it exists, but if it doesn’t sapcontrol will use SAPSSLS.pse (which has valid entries)

Another thing I found is that if you use NWA instead of sapgenpse to do what you suggested, NWA will not allow it.  If you export only the Certificate from ICM_SSL_<instance_ID> , NWA will not allow you to “Export View to PSE” (update SAPSSLC.pse) after importing only the Certificate to CLIENT_ICM_SSL_<instance_ID>.   NWA requires you to have both a PRIVATE KEY and a CERTIFICATE entry in order to “Export View to PSE” (update SAPSSLC.pse).

I plan to open a message with SAP on this.  Hopefully they’ll put a note out on this and tell us what really needs to be done because a lot of people have been reporting this issue.

• Thank you very much, you saved my day.

• Thank you very much.. it helped us and saved a lot of time.