SAP Knowledge Base Article - Preview

2629916 - sapcontrol returns: Creating credential from instance PSE failed, Loading instance PSE failed or Peer not trusted


The SUM is failing reporting the following error:

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

[Error ]: The following problem has occurred during step execution: SUM has detected that the SystemPKI is supported by your system. To continue, you have to configure it as described in SAP Note 2200230.

Running the sapcontrol command triggered by SUM reports the following error:

sapcontrol -nr <NR> -host <host> -systempki /usr/sap/<SID>/SYS/profile/<profile> -function AccessCheck Stop

Creating credential from instance PSE failed
Loading instance PSE failed
Failed to verify peer certificate. Peer not trusted.

Using sapcontrol on debug mode something similar to following:

sapcontrol -nr <NR> -host <host> -systempki <profile path> -debug -function AccessCheck Stop

[Thr 139770004993824] *** ERROR => secussl_Create_SSL_CTX(): PSE "#_MemPSE_#498392645980839848367840": File not found! [ssslsecu.c 2413]
[Thr 139770004993824] secussl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed (4129/0x00001021)
[Thr 139770004993824] => "The PSE file does not exist."
[Thr 139770004993824] SapISSLDeleteCTX(): deleting SSL_CTX (cred "<NULL>",refcount=0)
[Thr 139770004993824] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create CLIENT Credential
for "#_MemPSE_#498392645980839848367840" [ssslxxi.c 3109]
[Thr 139770004993824] <<- ERROR: SapSSLCreateCredHdl()==SSSLERR_PSE_ERROR
Creating credential from instance PSE failed


[Thr 01] SSL_get_state()==0x2131 "TLS read server certificate B"
[Thr 01] *** ERROR during SecuSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 01] SecuSSL_SessionStart: SSL_connect() failed (536872221/0x2000051d)
[Thr 01] => "Failed to verify peer certificate. Peer not trusted."
[Thr 3608] *** ERROR => Exit ssfPkiCreateOnTheFlyInstancePSE: Could not get root PSE [ssfxxpki.c 1305]
[Thr 3608] *** ERROR => ssfPkiGetInstancePSE: Could not get instance PSE [ssfxxpki.c 591]
Loading instance PSE failed
ERROR => ssfAuxCreateMemoryPSE: Could not open instance PSE F:\usr\sap\<SID\<instance>\sec\sap_system_pki_instance.pse [ssfxxpki.c 478]
Loading instance PSE failed

After simply trying to enable systemPKI following SAP Note 2040644, when starting the system there are messages like below on dev_* files (which in this example, for the dev_ms, means that the Message Server was unable to start)

[Thr 139842120222528] ssfPkiInitSAPCryptolib: SsfSupInitEx("/usr/sap/<SID>/ASCS<nr>/exe/")==0 (SSF_SUP_OK)
 [Thr 139842120222528]     found CommonCryptoLib 8.5.47 (Oct  5 2022) [AES-NI,CLMUL,SSE3,SSSE3]
 [Thr 139842120222528] *** ERROR => ssfAuxCreateMemoryPSE: Could not reset PIN for container #_MemPSE_#520450990069357600000001 [ssfxxpki.c   533]
 [Thr 139842120222528] *** ERROR => CRYPTOLIB Last Error: 0 - <none> [ssfxxpki.c   169]
 [Thr 139842120222528] *** ERROR => CRYPTOLIB Error Stack: <empty> [ssfxxpki.c   171]
 [Thr 139842120222528] *** ERROR => MsSGetSystemPKIName: ssfPkiGetInstancePSE failed (SSSLERR_INTERNAL_BUG) [msxxserv.c   32309]
 [Thr 139842120222528] *** ERROR => MsSInit: MsSCreateCredHdl failed [msxxserv.c   2805]
 [Thr 139842120222528] *** ERROR => MsSInit failed, see dev_ms for details [msxxserv.c   8286]
 [Thr 139842120222528] Server state SHUTDOWN
 [Thr 139842120222528] ***LOG Q02=> MsSHalt, MSStop (Msg Server 3401) [msxxserv.c   8445]
 [Thr 139842120222528] Good Bye .....



  • SAP NetWeaver


SAP NetWeaver all versions


SystemPKI, 2200230, AccessCheck, Creating credential from instance PSE failed, Loading instance PSE failed, Failed to verify peer certificate, Peer not trusted, secussl_Create_SSL_CTX, SSL_CTX_set_default_pse_by_name, SapISSLAddCredential, SSSLERR_PSE_ERROR, SSSLERR_PSE_ERROR, ssfPkiCreateOnTheFlyInstancePSE, ssfPkiGetInstancePSE, ssfAuxCreateMemoryPSE, Could not open instance PSE, ssf/name, ssl/ssl_lib, ssf/ssfapi_lib, sec/libsapsecu, SECUDIR, UpdateSystemPKI, ssfPkiCreateRootPSE, RSecSSFsCreateDirectories, how-to, how to, system/secure_communication, Could not reset PIN for container , KBA , could not get pin from secstorefs , BC-CST-STS , Startup Service , BC-CST , Client/Server Technology , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.