Solution Manager Configuration – SSL handshake failed

In this blog I describe the error message “SSL handshake failed – SSSLERR_SERVER_CERT_MISMATCH” (see Figure 1) and give step-by-step instructions how to fix it.

Where does this error message appear?
You will encounter this error message when you want to access another client/host from one client/host to transfer data. In my case I am connecting from a SolMan ABAP client to a SolMan Java client.

Why does this error message appear?
The SSSLERR_SERVER_CERT_MISMATCH error indicates that the server is using a certificate where the CN part does not match the host name of the URL server that the client is trying to access.
For a proper setup, the certificate CN and the host being accessed must match.

Figure 1: SSL handshake error message

In my case the CN part within the ssl certificate of the Java client points to localhost and not to the hostname of the URL server (see Figure 2). Therefore it is not possible to use this certificate to establish a connection between the ABAP client and the Java client.

Figure 2: Java Client – CN part points to localhost

In the following I will describe how to configure the certificate correctly and how to integrate it into the client you want to use to access the URL server.

The first step is to go to your SolMan JAVA client and create a new certificate:
https://[hostname]:50001/nwa

In my case I created the certificate under the name “ssl-credentials-hec” (see Figure 3). But this is only an example and you can name your certificate according to your project or system.

Go to:
Configuration → Certificates and Keys → search for ICM_SSL_xxxxxx_<PortNumber> mostly 50001 → Create

Figure 3: Java Client – Create a new Certificate

The certificate will now be automatically transferred to your SSL configuration for port:50001.

In the next step you have to delete the old certificate, restart the ICM and restart the browser. With this, the new certificate takes effect:

Go to:
Configuration → SSL → pick 50001 → delete “ssl-credentials-cert” → restart ICM
→ restart Browser

Now only the new certificate for port:50001 should be displayed in the SSL Configuration (see Figure 4).

Figure 4: Java Client – SSL Configuration

To integrate the new certificate into the client you want to use to access the URL server, the next step is to generate the new certificate from the current browser:

Go to:
Not secure (URL-Field) → Certificate → Details → Copy to File…

The Certificate Export Wizard will pop up. There you choose the format “Base-64 encoded X.509 (.CER)” (see Figure 5).

Figure 5: Java Client – Certificate Export Wizard

In the last step you have to import the certificate into your ABAP client:

In SolMan ABAP:
Transaction: STRUST → import Certificate to SSL client SSL Client (Anonymous) and SSL client SSL Client (Standard)

Figure 6: ABAP Client – TA STRUST

If you have successfully completed all of the above steps, your SSL handshake error message should no longer occur and you will be able to access the URL server.

Thank you for reading my blog post and also feel free to share feedback or thoughts in a comment.

Also check out the links below. There you will find interesting articles about Solution Manager and Application Lifecycle Management.

Application Lifecycle Management Topic Page
(https://community.sap.com/topics/application-lifecycle-management)
Ask questions about SAP Solution Manager and follow
(https://answers.sap.com/tags/01200615320800000636)
Read other SAP Solution Manager blog posts and follow
(https://blogs.sap.com/tags/01200615320800000636/)

Please follow my profile profile for future posts.