Symptom
The SUM is failing reporting the following error:
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
[Error ]: The following problem has occurred during step execution: com.sap.sdt.util.diag.DiagException: SUM has detected that the SystemPKI is supported by your system. To continue, you have to configure it as described in SAP Note 2200230. |
Running the sapcontrol command triggered by SUM reports the following error:
sapcontrol -nr <NR> -host <host> -systempki /usr/sap/<SID>/SYS/profile/<profile> -function AccessCheck Stop Creating credential from instance PSE failed |
Using sapcontrol on debug mode something similar to following:
sapcontrol -nr <NR> -host <host> -systempki <profile path> -debug -function AccessCheck Stop
[Thr 139770004993824] *** ERROR => secussl_Create_SSL_CTX(): PSE "#_MemPSE_#498392645980839848367840": File not found! [ssslsecu.c 2413] |
[Thr 01] SSL_get_state()==0x2131 "TLS read server certificate B" |
[Thr 3608] *** ERROR => Exit ssfPkiCreateOnTheFlyInstancePSE: Could not get root PSE [ssfxxpki.c 1305] |
ERROR => ssfAuxCreateMemoryPSE: Could not open instance PSE F:\usr\sap\<SID\<instance>\sec\sap_system_pki_instance.pse [ssfxxpki.c 478] |
After simply trying to enable systemPKI following SAP Note 2040644, when starting the system there are messages like below on dev_* files (which in this example, for the dev_ms, means that the Message Server was unable to start)
[Thr 139842120222528] ssfPkiInitSAPCryptolib: SsfSupInitEx("/usr/sap/<SID>/ASCS<nr>/exe/libsapcrypto.so")==0 (SSF_SUP_OK) [Thr 139842120222528] found CommonCryptoLib 8.5.47 (Oct 5 2022) [AES-NI,CLMUL,SSE3,SSSE3] [Thr 139842120222528] *** ERROR => ssfAuxCreateMemoryPSE: Could not reset PIN for container #_MemPSE_#520450990069357600000001 [ssfxxpki.c 533] [Thr 139842120222528] *** ERROR => CRYPTOLIB Last Error: 0 - <none> [ssfxxpki.c 169] [Thr 139842120222528] *** ERROR => CRYPTOLIB Error Stack: <empty> [ssfxxpki.c 171] [Thr 139842120222528] *** ERROR => MsSGetSystemPKIName: ssfPkiGetInstancePSE failed (SSSLERR_INTERNAL_BUG) [msxxserv.c 32309] [Thr 139842120222528] *** ERROR => MsSInit: MsSCreateCredHdl failed [msxxserv.c 2805] [Thr 139842120222528] *** ERROR => MsSInit failed, see dev_ms for details [msxxserv.c 8286] [Thr 139842120222528] Server state SHUTDOWN [Thr 139842120222528] ***LOG Q02=> MsSHalt, MSStop (Msg Server 3401) [msxxserv.c 8445] [Thr 139842120222528] Good Bye ..... |
Read more...
Environment
- SAP NetWeaver
Product
Keywords
SystemPKI, 2200230, AccessCheck, Creating credential from instance PSE failed, Loading instance PSE failed, Failed to verify peer certificate, Peer not trusted, secussl_Create_SSL_CTX, SSL_CTX_set_default_pse_by_name, SapISSLAddCredential, SSSLERR_PSE_ERROR, SSSLERR_PSE_ERROR, ssfPkiCreateOnTheFlyInstancePSE, ssfPkiGetInstancePSE, ssfAuxCreateMemoryPSE, Could not open instance PSE, ssf/name, ssl/ssl_lib, ssf/ssfapi_lib, sec/libsapsecu, SECUDIR, UpdateSystemPKI, ssfPkiCreateRootPSE, RSecSSFsCreateDirectories, how-to, how to, system/secure_communication, Could not reset PIN for container , KBA , could not get pin from secstorefs , BC-CST-STS , Startup Service , BC-CST , Client/Server Technology , Problem
About this page
This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).Search for additional results
Visit SAP Support Portal's SAP Notes and KBA Search.