Initialization of SSL library failed — NO SSL available in SAP Web Dispatcher – Part 1

Issue : Issue : Webdispatcher is up and running but unable to access webdispatcher URL.

As shown in the screenshot below, Webdispatcher instance was up and the status showed Green  as shown highlighted in red color.

However, when entering the url in the browser

“https://<hostname of webdispatcher:443xx/sap/wdisp/admin/” 　　　(where xx is the instance number)

Browser page not displayed as shown below.

In the log file, located in /usr/sap/<SID>/W80/work,

the error message appeared as shown below

“error related to SSL. *** ERROR => SapISSLAddCredential(): Error SSSLERR_SSLCTX_NEW trying

to create SERVER Credential for “/usr/sap/<SID>/W80/sec/SAPSSLS.pse” [ssslxxi.c 3553] [Thr

140353162630912] *** ERROR => Initialization of SSL library failed — NO SSL available   “

The error message says that starting webdispatcher instance, system tries to create  Server

credential for SAPSSLS.pse  based on the kernel profile parameters related to SSL.

However it failed to create Server credential for SAPSSLS.pse

 

As shown in the above, SAPSSLS.pse file exists in /usr/sap/<SID>/W80/sec folder.

Secondly , system tries to create SAPSSLS.PSE certificate  file and tries to add SSL credential during startup of instance

(sapcontrol -nr 80 -function Start) based  on SSL related parameters in the kernel profile

But unable to do so because existing SAPSSLS.PSE file was present  in  /usr/sap/<SID>/W80/.

When  executing the command ,

“sapgenpse get_my_name -p /usr/sap/<SID>/W80/sec/SAPSSLS.pse”  error occurred as shown in

the screenshot below.

Starting the web dispatcher instance  failed to generate certificate as well as

server credentials automatically for SAPSSLS.pse file.

Solution:

There are two methods to generate SAPSSLS.pse file .

First Method :

Generate  SAPSSLS.pse file automatically  during restart instance of web dispatcher  which is described here in this article.

Second Method :

Generate SAPSSLS.pse file manually and the add SSL credential to SAPSSLS.pse   . (Link for Procedure to generate SAPSSLS.pse file manually and add SSL credential

is given below .

https://blogs.sap.com/2019/03/10/step-to-generate-sapssls.pse-certificate-file-and-add-credential-to-pse-file-for-web-dispatcher-part-2

Procedure  : First  Method

Delete existing  or  rename  SAPSSLS.pse  file  in  /usr/sap/<SID>/W80/sec

example,

switch to <sid>adm  unix  account

# su – <sid>adm

$ cd /usr/sap/<SID>/W80/sec  (The folder should not contain file SAPSSLS.pse file)

$ mv SAPSSLS.pse　 SAPSSLS.pse_old

Set environment variable  SECUDIR that points to  the location  where SAPSSLS.pse file  will be

created in <sid>adm

$ setenv SECUDIR  /usr/sap/<SID>/W80/sec　　　(if <sid>adm is CShell) 　 ( path  for SAPSSLS.pse file )

Stop and Start web dispatcher instance on the same screen session that  where environment

variable was set.

Run the command

$ sapcontrol -nr 80 -function Stop

The status should show as “Gray Stopped” as shown in the figure below.

Run the command

$ sapcontrol -nr 80 -function Start

The status should show as “GREEN, Running” as shown in the fig below

After starting the webdispatcher instance, check the file SAPSSLS.pse file  generated automatically  or not.

Go to sec folder by typing the command

$ cd $SECUDIR       or   cd /usr/sap/<SID>/W80/sec

$ pwd

the output  of pwd should show the line

“/usr/sap/<SID>/W80/sec

Run the command to display the list of files

$  ls -lrt

as shown in the figure below, SAPSSLS.pse certificate  file was generated automatically by restarting the

webdispatcher instance (make sure environment variable SECUDIR was set to

“/usr/sap/<SID>/W80/sec”

To verify whether certificate was created and added  SSL credential  to SAPSSLS.pse file correctly or not

Execute the command as shown in the fig below

$ sapgenpse  get_my_name  -p /usr/sap/<SID>/W80/sec/SAPSSLS.pse

As shown in the above, Server credential file was added automatically.

That means certificate file was successfully generated and then added credential file automatically after start instance .

CN= <virtual hostname or hostname.<fqdn> showed correctly.

Test whether the browser is able to display the web dispatcher admin page

Paste the url for  web dispatcher admin in the browser

https://<hostname>:44380/sap/wdisp/admin/public/default.html

where port number = 443xx  for https (xx is the instance number). You can use http port too.

In case if the issue  is not solved in the above procedure, 　You need to generate SAPSSLS.pse  certificate as well as credential file manually  in web dispatcher  i.e. Second Method

This is done using command

sapgenpse  get_pse  <additional_options>  -p <PSE_Name>  -r  <cert_req_file_name>  -x <PIN>  <Distinguished_Name>

URL Link for the procedure to generate SAPSSLS.pse  certificate and add SSL credential to SAPSSLS.pse file manually  in web dispatcher  is

https://blogs.sap.com/2019/03/10/step-to-generate-sapssls.pse-certificate-file-and-add-credential-to-pse-file-for-web-dispatcher-part-2

PS: The above procedure was tested in the SAP kernel version  7.73.