SUM SP13-14 – FAIL: SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND)
Hi All,
When running SUM, we get the errors below:
ERROR 1 : Specify Credential Phase
The following problem has occurred during step execution: com.sap.sdt.tools.sysinfo.InstanceDetectorException: The update tool was unable to connect to the SAPControl web service on any of the detected instance numbers. Check that the SAP Start Services are running for all instances in the cluster. See SAP Note 1401712 for further information.
The update tool is unable to detect the instances information for instance number: 0 on host: null via the SAPCONTROL web service API. Either the SAP Start Service associated with this instance is not running or a required functionality is not supported by the current version of the Kernel. See SAP Note 1401712 for further information.
Sapcontrol client could not perform action get instance properties on instance 0
Return code condition success evaluated to false for process sapcontrol for action get instance properties
ERROR 2 : Execution Phase
Could not start instance with number 5. Could not send the command to start the instance with number <$$> on host <hostname>. Detected the instance check started has an Gateway feature. It cannot be handled by SUM and will be ignored. Return code condition success evaluated to false for process sapcontrol for action check started.
You need to open the corresponding INPUT_USER_PASSWORD_01.log and RESTART-SYSTEM-JAVAONLY_XX.LOG.
Jan 22, 2016 11:07:17 AM [Info ]: Process ID 49, name sapcontrol has been started.
Jan 22, 2016 11:07:17 AM [Info ]: Command line: sapcontrol -nr 0 -host localhost -user <sid>adm <SecureField> -prot NI_HTTPS -function GetInstanceProperties
Jan 22, 2016 11:07:17 AM [Info ]: Standard out: F:\sum\SUM\sdt\tmp\SAPCONTROL_GETINSTANCEPROPERTIES_0_08.OUT
Jan 22, 2016 11:07:17 AM [Info ]: Process ID 49 has been started.
Jan 22, 2016 11:07:17 AM [Info ]: Waiting for process ID 49, name sapcontrol to finish.
Jan 22, 2016 11:07:17 AM [Info ]: Process ID 49, name sapcontrol has been finished, exit code 1.
An exit code of 1 means sapcontrol failed. Copy the command from the corresponding log file and run it at the command prompt (or at OS level on Unix/Linux). When you run the command, you will get the error SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND):
sapcontrol -nr 0 -host localhost -user <sid>adm <SecureField> -prot NI_HTTPS -function GetInstanceProperties
sapparam: sapargv(argc, argv) has not been called!
sapparam(1c): No Profile used.
sapparam: SAPSYSTEMNAME neither in Profile nor in Commandline
22.01.2016 11:45:16
GetInstanceProperties
FAIL: SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND: The specified class was not found.), SapSSLSessionStart failed in plugin_fopen()
Run the same command again with the -debug argument:
sapcontrol -nr 0 -host localhost -user <sid>adm <SecureField> -prot NI_HTTPS -function GetInstanceProperties -debug
You will get a trace of the problem with SSSLERR_PEER_CERT_UNTRUSTED (WSATYPE_NOT_FOUND)
Analyze the log. Copy the content from BEGIN CERTIFICATE to END CERTIFICATE into Notepad and save it with a .cer extension.
Save the file with .cert extension.
Now add this certificate to your SAPSSLC.PSE file by running the command below:
sapgenpse maintain_pk -p SAPSSLC.PSE -a <Give the location of .cert file>
Once done, retry the step in SUM.
With Regards
Ashutosh Chaturvedi
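The steps above add whatever certificate the debug trace shows to the client PSE as a trusted entry. As an added example (not part of the original post), the script below extracts that certificate from a saved trace and only prints the sapgenpse command if its SHA-256 fingerprint matches a value obtained out of band; the script name, candidate.cer, the sample trace, and the assumption that the trace prints the PEM lines on their own lines are assumptions.

```shell
#!/usr/bin/env bash
# Added example: vet the certificate from a saved `sapcontrol ... -debug`
# trace before it becomes a trust anchor in SAPSSLC.PSE.

# Print the first PEM block in TRACE, stripping indentation and CRs.
# Assumes the trace prints the PEM lines on their own lines. Exit 1 if incomplete.
extract_pem() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1 }
        inside { gsub(/\r/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print }
        /-----END CERTIFICATE-----/ && inside { done = 1; exit }
        END { exit (done ? 0 : 1) }
    ' "$1"
}

# Canonical fingerprint form: no colons or whitespace, upper case.
normalise_fp() { printf '%s' "$1" | tr -d ': \r\n' | tr '[:lower:]' '[:upper:]'; }

# Subject, issuer, validity and SHA-256 fingerprint for human review.
review_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# True only if PEM_FILE's SHA-256 fingerprint equals EXPECTED, a value
# obtained out of band from whoever administers the server certificate.
fingerprint_matches() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    [ "$(normalise_fp "${actual#*=}")" = "$(normalise_fp "$2")" ]
}

# Constructed sample trace (placeholder body, not a real certificate).
constructed_trace() {
    printf '%s\r\n' 'trace line before (constructed)' \
        '   -----BEGIN CERTIFICATE-----' '   Q09OU1RSVUNURUQ=' \
        '   -----END CERTIFICATE-----' 'trace line after (constructed)'
}

# Usage: vet_cert.sh TRACE_FILE EXPECTED_SHA256   (script name is hypothetical)
if [ "$#" -eq 2 ]; then
    extract_pem "$1" > candidate.cer || { echo "no complete certificate in $1" >&2; exit 1; }
    review_cert candidate.cer
    if fingerprint_matches candidate.cer "$2"; then
        echo "match; import with: sapgenpse maintain_pk -p SAPSSLC.PSE -a candidate.cer"
    else
        echo "fingerprint differs from expected value; do not import" >&2; exit 1
    fi
fi
```

A mismatch means the endpoint answering on the HTTPS port is not presenting the certificate the administrator expects, which should be investigated before anything is added to the PSE.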
Nicely explained issues & their solution.
Regards,
Subhash
Thank you Subhash sir!!!
Very Good.
thanks Chaturvedi .
Hi Ash,
I believe your suggestion will fix my issue, but I am stuck on the last part and have never run sapgenpse command before. I tried executing in the exe directory, here is my result.
$ sapgenpse maintain_pk -p SAPSSLC.PSE -a <file path>/new.cer
maintain_pk: Couldn't open PSE "/usr/sap/<SID>/DVEBMGS00/sec/SAPSSLC.PSE" (Token application not existing)
Any thoughts?
Thanks, and good timing on the blog! I have been stuck on this for two days, SAP message is not helping.
Dear Davis,
You need to have .pse file in your sec folder /usr/sap/<SID>/DVEBMGS00/sec
Just follow the steps and if possible please attach the trace
sapcontrol -nr 0 -host localhost -user <sid>adm <SecureField> -prot NI_HTTPS -function GetInstanceProperties -debug
SSL Client PSEs - System Security - SAP Library
Sorry for the late response!!!.
With Regards
Ashutosh Chaturvedi
Hi Ash,
You're correct, I resolved this by moving the file into /usr/sap/<SID>/DV*/sec and it worked, I am past my issue now. Thanks for the assistance on this.
Also, there is an unreleased note for these same instructions: 2177490. I was told it is unreleased because it is used as an emergency fix during upgrade.
Thanks,
Zach
Hi Davis,
But I think SAP has not released any SAP Note for this issue as yet. There is only one SAP Note related to SSSLERR_PEER_CERT_UNTRUSTED, where they ask to update the SAP cryptolib package.
But still happy that it has resolved your issue. I think SAP should give me credit for this 😛.
With Regards
Ashutosh Chaturvedi
Really Very Helpful Info Ashutosh Sir. Keep it up.
Hi Ashutosh!
Perfect and elegant solution that works!
Regards,
Artem
Thx,
The problem exists in SP16 too.
BR
and exists in SUM SP17 as well. Thanks Ashutosh for a simple yet elegant solution.
Hi Ashutosh,
It worked perfectly with SUM SP16 also.
Thanks for your helpful blog.
Regards,
Rupesh
Thank you rupesh shivathare , Manohar Vinapamula , REMY DETREZ and Artem Ivashkin for your valuable comments.
I will update the name of the blog
With Regards
Ashutosh Chaturvedi
Thank you.
Still works for the current SP 17 PL 10 , too.
Thank you so much, Ashutosh, your solution worked for me in SUM 17 as well.
Hi,
This worked for me as well. Thanks.
Great! This works!! Thanks a lot
Hi Ashutosh
I don't have SAPSSLC.PSE in the sec directory and am having the same issue, can you please help?
<<- ERROR: SapSSLSessionStart(sssl_hdl=110954690)==SSSLERR_PEER_CERT_UNTRUSTED
NiICloseHandle: shutdown and close hdl 1/sock 3
->> SapSSLSessionDone(&sssl_hdl=fffffffffff0978)
<<- SapSSLSessionDone()==SAP_O_K
in: sssl_hdl = 110954690
... ni_hdl = 1
->> SapSSLErrorName(rc=-102)
<<- SapSSLErrorName()==SSSLERR_PEER_CERT_UNTRUSTEDGetInstanceProperties
FAIL: SSSLERR_PEER_CERT_UNTRUSTED, SapSSLSessionStart failed in plugin_fopen()
Hi Ashutosh,
Thank you very much for the solution. I know the following may sound like I'm criticizing your solution. Please let me assure you, I'm not. It was EXTREMELY helpful.
I must admit, that even though the solution worked, I was a bit skeptical. I wanted to understand why it worked. Even more so, I wanted to understand what we did wrong in setting up our system, if this step was really required, and/or what SAP did that broke this and why there is no SAP note on this. Admittedly, I still don't understand this well, but I think I understand it better.
I believe the root cause of this issue is that in newer releases, the file SAPSSLC.pse is being generated, does not contain any credentials, and sapcontrol is using it.
I think the problem occurs because of 2 changes:
Another thing I found is that if you use NWA instead of sapgenpse to do what you suggested, NWA will not allow it. If you export only the Certificate from ICM_SSL_<instance_ID> , NWA will not allow you to "Export View to PSE" (update SAPSSLC.pse) after importing only the Certificate to CLIENT_ICM_SSL_<instance_ID>. NWA requires you to have both a PRIVATE KEY and a CERTIFICATE entry in order to "Export View to PSE" (update SAPSSLC.pse).
I plan to open a message with SAP on this. Hopefully they'll put a note out on this and tell us what really needs to be done because a lot of people have been reporting this issue.
Thank you very much, you saved my day.
Thank you very much.. it helped us and saved a lot of time.
Works for SP24 as well, thanks a lot. This blog was a saviour.
Saved my production upgrade, did not get this error on either sandbox or development. Many thanks!