SAP Knowledge Base Article - Preview

3738105 - sapstartsrv continues using SystemPKI self-signed certificate on HTTPS port despite CA-signed SAPSSLS.pse configured in STRUST

Symptom

  • After configuring a CA-signed certificate in STRUST for an ASCS instance and restarting sapstartsrv, the service continues to present the self-signed SystemPKI certificate on the HTTPS port (e.g., 50314)
  • The sapstartsrv trace confirms: Webservice SSL thread using system PKI credential

               Webservice named pipe thread started, listening on port \\.\pipe\sapcontrol_03
               Webservice SSL thread started, listening on port 50314
               Webservice SSL thread using system PKI credential

To see more detail, raise the sapstartsrv trace to level 3 by following 2451419 - How to get level 3 trace of SAP Host Agent.

The following errors appear:

[Thr 9760] *** ERROR =>   secussl_Create_SSL_CTX():  PSE "<Server PSE file>": missing SSO credentials, PSE is protected with PIN/password! [ssslsecu.c   3922]
[Thr 9760] secussl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed  (1824/0x00000720)
[Thr 9760]    => "Wrong or missing PIN for PSE."
[Thr 9760] >> ===== SecuSSL ErrStack: =====
[Thr 9760] 0x00000720 | SAPCRYPTOLIB | SSL_CTX_set_default_pse_by_name
[Thr 9760] SAPCRYPTO API error
[Thr 9760] Wrong or missing PIN for PSE.
[Thr 9760] 0xa1d5012c | TOKEN_TOKPSE | SSL_CTX_set_default_pse_by_name
[Thr 9760] Wrong PIN
[Thr 9760] Cannot open PSE (PSE=<Server PSE file>, SECUDIR=<path>\sec, user=xxx)
[Thr 9760] 0xa1d5012c | TOKEN_TOKPSE | sec_SSL_CTX_set_asc
[Thr 9760] Wrong PIN
[Thr 9760] << =============================
[Thr 9760] SapISSLDeleteCTX(): deleting SSL_CTX (cred "<NULL>",refcount=0)
[Thr 9760] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_MISSING_PIN trying to create SERVER Credential
        for "<Server PSE file>" [ssslxxi.c    4781]
[Thr 9760] = SapISSLFlushClientCache(): Clearing out all SSL client cache sessions.
[Thr 9760] 
[Thr 9760] = SapISSLFlushClientCache(): 0 session(s) cleared from SSL client cache.
[Thr 9760] DlUnloadLib: successful FreeLibrary("<folder path>\exe\sapcrypto.dll") hdl 1
[Thr 9760] *** ERROR => Initialization of SSL library failed -- NO SSL available!
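
A triage helper for the trace lines shown above, added here as an example; it is not SAP's code or tooling. The function names and result keys are hypothetical, and the embedded sample is constructed from lines in this article with its placeholders left in place.

```python
import re

# Constructed sample: lines taken from the symptom trace above, keeping the
# article's placeholder <Server PSE file> instead of a real path.
SAMPLE_TRACE = '''\
Webservice SSL thread started, listening on port 50314
Webservice SSL thread using system PKI credential
[Thr 9760] *** ERROR =>   secussl_Create_SSL_CTX():  PSE "<Server PSE file>": missing SSO credentials, PSE is protected with PIN/password! [ssslsecu.c   3922]
[Thr 9760] secussl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed  (1824/0x00000720)
[Thr 9760] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_MISSING_PIN trying to create SERVER Credential
        for "<Server PSE file>" [ssslxxi.c    4781]
'''

PORT = re.compile(r"Webservice SSL thread started, listening on port (\d+)")
FALLBACK = "Webservice SSL thread using system PKI credential"
CRED_ERR = re.compile(r'SapISSLAddCredential\(\): Error (\w+) trying to create '
                      r'(\w+) Credential\s+for "([^"]*)"')
RC = re.compile(r"failed\s+\((\d+)/(0x[0-9a-fA-F]+)\)")

def join_continuations(text):
    """Fold indented continuation lines into the preceding [Thr ...] entry."""
    entries = []
    for line in text.splitlines():
        if line[:1].isspace() and entries and entries[-1].startswith("[Thr"):
            entries[-1] += " " + line.strip()
        elif line.strip():
            entries.append(line.strip())
    return entries

def triage(text):
    """Report whether sapstartsrv fell back to system PKI and the logged cause."""
    out = {"https_port": None, "system_pki_fallback": False,
           "error": None, "role": None, "pse": None, "rc": None}
    for entry in join_continuations(text):
        if m := PORT.search(entry):
            out["https_port"] = int(m.group(1))
        if FALLBACK in entry:
            out["system_pki_fallback"] = True
        if m := CRED_ERR.search(entry):
            out["error"], out["role"], out["pse"] = m.groups()
        if m := RC.search(entry):
            out["rc"] = int(m.group(1))
    # The symptom in this article is the combination of both findings.
    out["matches_symptom"] = (out["system_pki_fallback"]
                              and out["error"] == "SSSLERR_PSE_MISSING_PIN")
    return out
```

Run `triage()` over the level 3 trace after each sapstartsrv restart; `matches_symptom` stays true for as long as the server PSE cannot be opened and the HTTPS port is served with the system PKI credential.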



Environment

  • SAP NetWeaver AS ABAP 7.51 or higher
  • ASCS instance
  • CommonCryptoLib 8
  • Windows or Unix/Linux
  • Database independent

Product

ABAP platform all versions; SAP NetWeaver 7.5; SAP Web Application Server for SAP S/4HANA all versions

Keywords

Problems with use of system PKI, Wrong or missing PIN for PSE, SAPSSLS.pse, SystemPKI, KBA, BC-CST-STS, Startup Service, BC-CST, Client/Server Technology, How To
