Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Initialization of SSL library failed — NO SSL available in SAP Web Dispatcher - Part 1

former_member227281
Active Participant
‎03-10-2019 8:49 AM

Issue : Issue : Webdispatcher is up and running but unable to access webdispatcher URL.


As shown in the screenshot below, Webdispatcher instance was up and the status showed Green  as shown highlighted in red color.



However, when entering the url in the browser


"https://<hostname of webdispatcher:443xx/sap/wdisp/admin/"    (where xx is the instance number)


Browser page not displayed as shown below.



In the log file, located in /usr/sap/<SID>/W80/work,


the error message appeared as shown below


"error related to SSL. *** ERROR => SapISSLAddCredential(): Error SSSLERR_SSLCTX_NEW trying


to create SERVER Credential for "/usr/sap/<SID>/W80/sec/SAPSSLS.pse" [ssslxxi.c 3553] [Thr


140353162630912] *** ERROR => Initialization of SSL library failed -- NO SSL available   "


The error message says that starting webdispatcher instance, system tries to create  Server


credential for SAPSSLS.pse  based on the kernel profile parameters related to SSL.


However it failed to create Server credential for SAPSSLS.pse



 

As shown in the above, SAPSSLS.pse file exists in /usr/sap/<SID>/W80/sec folder.


Secondly , system tries to create SAPSSLS.PSE certificate  file and tries to add SSL credential during startup of instance


(sapcontrol -nr 80 -function Start) based  on SSL related parameters in the kernel profile



But unable to do so because existing SAPSSLS.PSE file was present  in  /usr/sap/<SID>/W80/.


When  executing the command ,


"sapgenpse get_my_name -p /usr/sap/<SID>/W80/sec/SAPSSLS.pse"  error occurred as shown in


the screenshot below.


Starting the web dispatcher instance  failed to generate certificate as well as


server credentials automatically for SAPSSLS.pse file.




Solution:


There are two methods to generate SAPSSLS.pse file .


First Method :


Generate  SAPSSLS.pse file automatically  during restart instance of web dispatcher  which is described here in this article.


Second Method :


Generate SAPSSLS.pse file manually and the add SSL credential to SAPSSLS.pse   . (Link for Procedure to generate SAPSSLS.pse file manually and add SSL credential


is given below .


https://blogs.sap.com/2019/03/10/step-to-generate-sapssls.pse-certificate-file-and-add-credential-to...

Procedure  : First  Method


Delete existing  or  rename  SAPSSLS.pse  file  in  /usr/sap/<SID>/W80/sec


example,


switch to <sid>adm  unix  account


# su - <sid>adm


$ cd /usr/sap/<SID>/W80/sec  (The folder should not contain file SAPSSLS.pse file)


$ mv SAPSSLS.pse  SAPSSLS.pse_old



Set environment variable  SECUDIR that points to  the location  where SAPSSLS.pse file  will be


created in <sid>adm


$ setenv SECUDIR  /usr/sap/<SID>/W80/sec   (if <sid>adm is CShell)   ( path  for SAPSSLS.pse file )



Stop and Start web dispatcher instance on the same screen session that  where environment


variable was set.


Run the command


$ sapcontrol -nr 80 -function Stop


The status should show as "Gray Stopped" as shown in the figure below.



Run the command


$ sapcontrol -nr 80 -function Start


The status should show as "GREEN, Running" as shown in the fig below



After starting the webdispatcher instance, check the file SAPSSLS.pse file  generated automatically  or not.


Go to sec folder by typing the command


$ cd $SECUDIR       or   cd /usr/sap/<SID>/W80/sec


$ pwd


the output  of pwd should show the line


"/usr/sap/<SID>/W80/sec


Run the command to display the list of files


$  ls -lrt


as shown in the figure below, SAPSSLS.pse certificate  file was generated automatically by restarting the


webdispatcher instance (make sure environment variable SECUDIR was set to


"/usr/sap/<SID>/W80/sec"



To verify whether certificate was created and added  SSL credential  to SAPSSLS.pse file correctly or not


Execute the command as shown in the fig below


$ sapgenpse  get_my_name  -p /usr/sap/<SID>/W80/sec/SAPSSLS.pse



As shown in the above, Server credential file was added automatically.


That means certificate file was successfully generated and then added credential file automatically after start instance .


CN= <virtual hostname or hostname.<fqdn> showed correctly.


Test whether the browser is able to display the web dispatcher admin page


Paste the url for  web dispatcher admin in the browser


https://<hostname>:44380/sap/wdisp/admin/public/default.html


where port number = 443xx  for https (xx is the instance number). You can use http port too.



In case if the issue  is not solved in the above procedure,  You need to generate SAPSSLS.pse  certificate as well as credential file manually  in web dispatcher  i.e. Second Method


This is done using command


sapgenpse  get_pse  <additional_options>  -p <PSE_Name>  -r  <cert_req_file_name>  -x <PIN>  <Distinguished_Name>


URL Link for the procedure to generate SAPSSLS.pse  certificate and add SSL credential to SAPSSLS.pse file manually  in web dispatcher  is


https://blogs.sap.com/2019/03/10/step-to-generate-sapssls.pse-certificate-file-and-add-credential-to...


PS: The above procedure was tested in the SAP kernel version  7.73.


 
Labels in this area
Popular Blog Posts