SAP Knowledge Base Article - Preview

3634264 - Import of ASCS Profile in transaction RZ10 does not work

Symptom

  • ASCS profile could not be read. The import is therefore not possible. Despite the steps in the KBA 3195404 have been successfully followed.
  • The dev_icm file is updated by the program SAPLSPFL at the same time stamp the import of profile occurred.

Upon reviewing the dev_icm trace, it is clear that the ICM is attempting to access the HTTPS port 5<system_number>14. This occurs because the latest SAP Kernel releases use this port for secure authentication.

Additionally, the sapstartsrv.log trace reveals that the parameters ssl/ssl_lib and ssf/ssfapi_lib have been set with custom values, disrupting secure internal server communication.

dev_icm:
[Thr 139715531957952] *** ERROR => IcmConnInitClientSSL: SapSSLCreateCredHdl failed for cred sap_system_pki_instance.pse: SSSLERR_PSE_NOT_EXISTING(-83) \{00516194\} {root-id=005056BEC5A11FE098E25CDF24B62D70} [icxxconn.c 2269]
[Thr 139715531957952]              GUI T277_U31051_M0, 000, <Username>, <Machine>, time=13:46:16, W73, program=SAPLSPFL, high priority, memory=0, tasks=1, appl info=, tcode=RZ10
[Thr 139715531957952]              role: Client, protocol: HTTPS, local: IP_ADDREESS:PORT, peer: IP_ADDREESS:5<system_number>14
[Thr 139715530901184] *** ERROR =>   secussl_Create_SSL_CTX():  PSE "#_MemPSE_#030300760985106700000001": PSE does not exist or File not found! [ssslsecu.c   3483]
[Thr 139715530901184] secussl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed  (4129/0x00001021)
[Thr 139715530901184]    => "The PSE file does not exist."
[Thr 139715530901184] >> ===== SecuSSL ErrStack: =====
[Thr 139715530901184] The PSE file does not exist.
[Thr 139715530901184] 0xa1d50108     TOKEN_TOKPSE     SSL_CTX_set_default_pse_by_name
[Thr 139715530901184] Token application not existing
[Thr 139715530901184] Cannot open PSE (PSE=#_MemPSE_#030300760985106700000001, SECUDIR=/usr/sap/<SID>/D10/sec, user=c1padm c1padm c1padm)
[Thr 139715530901184] 0xa1d50108     TOKEN_TOKPSE     sec_SSL_CTX_set_asc
[Thr 139715530901184] Token application not existing
[Thr 139715530901184] << =============================
[Thr 139715530901184] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_NOT_EXISTING trying to create CLIENT Credential
        for "#_MemPSE_#030300760985106700000001" [ssslxxi.c    3829]
[Thr 139715530901184] <<- ERROR: SapSSLCreateCredHdl()==SSSLERR_PSE_NOT_EXISTING
[Thr 139715530901184]      in: cred_name      = "#_MemPSE_#030300760985106700000001"
[Thr 139715530901184]      in: cache_size     = -1
[Thr 139715530901184]      in: cache_lifetime = -1
[Thr 139715530901184] *** ERROR => IcmConnInitClientSSL: SapSSLCreateCredHdl failed for cred sap_system_pki_instance.pse: SSSLERR_PSE_NOT_EXISTING(-83) \{00516195\} {root-id=005056BEC5A11FE098E25CDF24B62D70} [icxxconn.c 2269]
[Thr 139715530901184]              GUI T277_U31051_M0, 000, <Username>, <Machine>, time=13:46:16, W73, program=SAPLSPFL, high priority, memory=0, tasks=1, appl info=, tcode=RZ10
[Thr 139715530901184]              role: Client, protocol: HTTPS, local: IP_ADDREESS:PORT, peer: IP_ADDREESS:5<system_number>14

The sapstartsrv.log contains the following error messages:
trc file: "sapstartsrv.log", trc level: 0, release: "<kernel release>"
[Thr 139791476885440] Sun Jul 13 06:54:54 2025
[Thr 139791476885440] ***************************************************************************************
[Thr 139791476885440] **            SAPCRYPTOLIB=/usr/sap/<SID>/D10/exe/libsapcrypto.so
[Thr 139791476885440] ** WARNING:    ssl/ssl_lib=/usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
[Thr 139791476885440] ** WARNING:  custom value ssl/ssl_lib != $(SAPCRYPTOLIB) *breaks* "Secure Internal Server Communication"!
[Thr 139791476885440] **
[Thr 139791476885440] ** ADMIN TASK:  *REMOVE* below custom value for ssl/ssl_lib    *OR* use ssl/ssl_lib=$(SAPCRYPTOLIB)
[Thr 139791476885440] **     ssl/ssl_lib=/usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
[Thr 139791476885440] ** ADMIN TASK:  *REMOVE* below custom value for ssf/ssfapi_lib *OR* use ssf/ssfapi_lib=$(SAPCRYPTOLIB)
[Thr 139791476885440] **     ssf/ssfapi_lib=/usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
[Thr 139791476885440] ***************************************************************************************
(...)
Webservice SSL thread started, listening on port 51014
Webservice SSL thread using default SAP SSL credential
Trusted https connect via Unix domain socket '/tmp/.sapstream51014' enabled.
Webservice thread started, listening on port 51013
Trusted http connect via Unix domain socket '/tmp/.sapstream51013' enabled.


Read more...

Environment

SAP NetWeaver
SAP NetWeaver Application Server for ABAP

Product

ABAP platform 1809 ; ABAP platform 1909 ; ABAP platform 2020 ; ABAP platform 2021 ; ABAP platform 2022 ; ABAP platform 2023 ; SAP NetWeaver 7.4 ; SAP NetWeaver 7.5 ; SAP NetWeaver Application Server for ABAP all versions

Keywords

MOD_SELROADMAP, BEGIN, SAP upgrade, NIECONN_REFUSED, plugin_fopen, ASCS profile, RZ10, system secure communication, DEFAULT.PFL, import profile, SSSLERR_PSE_NOT_EXISTING, ssf/ssfapi_lib, ssl/ssl_lib, FT_DLL_PREFIX, sap_system_pki_instance, sapstream51014, sapstream51013, SAPCRYPTOLIB , KBA , BC-CCM-CNF-PFL , Profile Maintenance , BC-CST-STS , Startup Service , BC-SEC-SSL , Secure Sockets Layer Protocol , Known Error

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.