Initialization of SSL library failed — NO SSL available in SAP Web Dispatcher – Part 1
Issue: The Web Dispatcher is up and running, but the Web Dispatcher URL cannot be accessed.
As shown in the screenshot below, the Web Dispatcher instance was up and its status showed green (highlighted in red).
However, when the URL
“https://<hostname of webdispatcher>:443xx/sap/wdisp/admin/” (where xx is the instance number)
was entered in the browser, the page was not displayed, as shown below.
In the log file, located in /usr/sap/<SID>/W80/work,
the following error message appeared:
“error related to SSL.
*** ERROR => SapISSLAddCredential(): Error SSSLERR_SSLCTX_NEW trying to create SERVER Credential for “/usr/sap/<SID>/W80/sec/SAPSSLS.pse” [ssslxxi.c 3553]
[Thr 140353162630912] *** ERROR => Initialization of SSL library failed — NO SSL available”
The error message says that when the Web Dispatcher instance starts, the system tries to create the server
credential for SAPSSLS.pse based on the SSL-related kernel profile parameters.
However, it failed to create the server credential for SAPSSLS.pse.
As shown above, the SAPSSLS.pse file exists in the /usr/sap/<SID>/W80/sec folder.
Secondly, during startup of the instance (sapcontrol -nr 80 -function Start), the system tries to create the SAPSSLS.pse certificate file
and add the SSL credential, based on the SSL-related parameters in the kernel profile,
but it was unable to do so because an existing SAPSSLS.pse file was present in /usr/sap/<SID>/W80/.
When the command
“sapgenpse get_my_name -p /usr/sap/<SID>/W80/sec/SAPSSLS.pse” was executed, an error occurred, as shown in
the screenshot below.
Starting the Web Dispatcher instance failed to generate the certificate as well as the
server credentials automatically for the SAPSSLS.pse file.
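To see which PSE the startup failed on, the error lines quoted above can be parsed directly. The following is an added example, not part of the original article: it extracts the PSE path from the SapISSLAddCredential error and reports whether that file is missing, empty or present. The trace lines are constructed from the message quoted above, WD1 is a made-up SID, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find the PSE named in the SSL start-up error and report its state.

# Constructed sample trace lines, modelled on the error quoted in the article.
# WD1 is a made-up SID; "--" stands in for the dash shown in the article's quote.
sample_trace() {
cat <<'EOF'
*** ERROR => SapISSLAddCredential(): Error SSSLERR_SSLCTX_NEW trying to create SERVER Credential for "/usr/sap/WD1/W80/sec/SAPSSLS.pse" [ssslxxi.c 3553]
[Thr 140353162630912] *** ERROR => Initialization of SSL library failed -- NO SSL available
EOF
}

# Return 0 if the trace file reports that SSL initialisation failed.
ssl_init_failed() {
    grep -q 'Initialization of SSL library failed' "$@"
}

# Print each PSE path named in a SapISSLAddCredential error, de-duplicated.
failed_pse_paths() {
    sed -n 's/.*SapISSLAddCredential().*Credential for "\([^"]*\)".*/\1/p' "$@" | sort -u
}

# Classify a PSE file as: missing | empty | unreadable | present
pse_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    elif [ ! -r "$1" ]; then echo unreadable
    else echo present
    fi
}

# diagnose_trace <trace file>: one "path: state" line per failing PSE.
diagnose_trace() {
    ssl_init_failed "$1" || { echo "no SSL initialisation failure in $1"; return 0; }
    failed_pse_paths "$1" | while IFS= read -r pse; do
        echo "$pse: $(pse_state "$pse")"
    done
}
```

A result of "present" matches the situation in this article: the file is there but cannot be used, so the next check is sapgenpse get_my_name on that path.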
Solution:
There are two methods to generate the SAPSSLS.pse file.
First Method :
Generate the SAPSSLS.pse file automatically during a restart of the Web Dispatcher instance, which is described in this article.
Second Method :
Generate the SAPSSLS.pse file manually and then add the SSL credential to SAPSSLS.pse. The link to the procedure for generating the SAPSSLS.pse file manually and adding the SSL credential
is given below.
https://blogs.sap.com/2019/03/10/step-to-generate-sapssls.pse-certificate-file-and-add-credential-to-pse-file-for-web-dispatcher-part-2
Procedure : First Method
Delete or rename the existing SAPSSLS.pse file in /usr/sap/<SID>/W80/sec.
Example:
Switch to the <sid>adm Unix account
# su - <sid>adm
$ cd /usr/sap/<SID>/W80/sec
$ mv SAPSSLS.pse SAPSSLS.pse_old
(The folder should not contain a SAPSSLS.pse file.)
Set the environment variable SECUDIR for <sid>adm so that it points to the location where the SAPSSLS.pse file will be
created.
$ setenv SECUDIR /usr/sap/<SID>/W80/sec (if the <sid>adm shell is C shell; this is the path for the SAPSSLS.pse file)
Stop and start the Web Dispatcher instance in the same screen session in which the environment
variable was set.
Run the command
$ sapcontrol -nr 80 -function Stop
The status should show as “Gray Stopped”, as shown in the figure below.
Run the command
$ sapcontrol -nr 80 -function Start
The status should show as “GREEN, Running”, as shown in the figure below.
After starting the Web Dispatcher instance, check whether the SAPSSLS.pse file was generated automatically.
Go to the sec folder by typing the command
$ cd $SECUDIR (or: cd /usr/sap/<SID>/W80/sec)
$ pwd
The output of pwd should show the line
“/usr/sap/<SID>/W80/sec”
Run the command to display the list of files
$ ls -lrt
As shown in the figure below, the SAPSSLS.pse certificate file was generated automatically by restarting the
Web Dispatcher instance (make sure the environment variable SECUDIR was set to
“/usr/sap/<SID>/W80/sec”).
To verify whether the certificate was created and the SSL credential was added to the SAPSSLS.pse file correctly,
execute the command as shown in the figure below.
$ sapgenpse get_my_name -p /usr/sap/<SID>/W80/sec/SAPSSLS.pse
As shown above, the server credential file was added automatically.
That means the certificate file was successfully generated and the credential file was then added automatically after the instance was started.
CN=<virtual hostname or hostname>.<fqdn> was shown correctly.
Test whether the browser is able to display the Web Dispatcher admin page.
Paste the URL for the Web Dispatcher admin page into the browser:
https://<hostname>:44380/sap/wdisp/admin/public/default.html
where the port number is 443xx for HTTPS (xx is the instance number). You can use the HTTP port too.
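The First Method collected into one script, as an added example that is not part of the original article. It is written for sh/bash rather than the C shell used above; the function names, the backup naming and the timeouts are choices made here, and WaitforStopped/WaitforStarted are sapcontrol functions that the article itself does not use.

```shell
#!/bin/sh
# Added example: the article's First Method with guards around each step.

# Move the old PSE aside under a unique name, never overwriting an earlier backup.
# The PSE holds the server's private key, so the backup is kept owner-only.
set_aside_pse() {
    pse="$1/SAPSSLS.pse"
    [ -f "$pse" ] || { echo "no SAPSSLS.pse in $1" >&2; return 1; }
    backup="$pse.old.$(date +%Y%m%d%H%M%S)"
    [ ! -e "$backup" ] || { echo "$backup already exists" >&2; return 1; }
    mv "$pse" "$backup" && chmod 600 "$backup" && echo "$backup"
}

# regenerate_pse <instance number> <sec directory>
regenerate_pse() {
    nr=$1
    SECUDIR=$2; export SECUDIR      # sh/bash equivalent of the article's setenv
    if [ -e "$SECUDIR/SAPSSLS.pse" ]; then
        set_aside_pse "$SECUDIR" >/dev/null || return 1
    fi
    # Stop and Start return before the instance has changed state, so wait
    # for each transition (timeout 120 s, poll every 2 s; values chosen here).
    sapcontrol -nr "$nr" -function Stop || return 1
    sapcontrol -nr "$nr" -function WaitforStopped 120 2 || return 1
    sapcontrol -nr "$nr" -function Start || return 1
    sapcontrol -nr "$nr" -function WaitforStarted 120 2 || return 1
    # A green instance is not proof of working SSL (that was the original
    # symptom): confirm a new PSE exists and that sapgenpse can read its subject.
    [ -s "$SECUDIR/SAPSSLS.pse" ] || { echo "PSE was not regenerated" >&2; return 1; }
    sapgenpse get_my_name -p "$SECUDIR/SAPSSLS.pse"
}

# Usage, as <sid>adm:  regenerate_pse 80 /usr/sap/<SID>/W80/sec
```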
If the issue is not solved by the above procedure, you need to generate the SAPSSLS.pse certificate as well as the credential file manually in the Web Dispatcher, i.e. the Second Method.
This is done using the command
sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>
The link to the procedure for generating the SAPSSLS.pse certificate and adding the SSL credential to the SAPSSLS.pse file manually in the Web Dispatcher is
https://blogs.sap.com/2019/03/10/step-to-generate-sapssls.pse-certificate-file-and-add-credential-to-pse-file-for-web-dispatcher-part-2
PS: The above procedure was tested in the SAP kernel version 7.73.