SNC Configuration on SAPRequest and SAPInput nodes
skydoor
Posted: Tue Nov 22, 2011 3:51 am    Post subject: SNC Configuration on SAPRequest and SAPInput nodes

Apprentice

Joined: 24 Jul 2007
Posts: 43
Location: Cape Town

Hi,

My environment.

dspmqver

Name: WebSphere MQ
Version: 7.0.1.3
CMVC level: p701-103-100813
BuildType: IKAP - (Production)

. ./mqsiprofile

MQSI 7.0.0.1
/integration/mqsi/7.0

OS information:

Linux [our machine name] 2.6.32.46-0.3-default #1 SMP 2011-09-29 17:49:31 +0200 x86_64 x86_64 GNU/Linux

I am having a problem configuring SNC for the SAPRequest and SAPInput nodes connecting to RFCs on a SAP gateway. If I connect without SNC, it connects properly. If I select SNC on, it fails.

I have configured the following on the SAP Outbound Resource Adapter

Under Additional connection info
Partner character set: UTF-8
Gateway host: [our gateway host]
Gateway service: sapgw01

Ticked the "Enable the adapter to start an ABAP debug session on SAP GUI"

Under Secure Connection (SNC) Configuration
Secure Network Connection (SNC) name: p:[details as per our certificate] for example p:CN=bla, OU=bla, O=bla, C=ZA
Secure Network Connection (SNC) partner: p:[as per sap certificate] for example p:CN = bla, OU = bla, O = bla, C=ZA
Secure Network connection (SNC) security level: 3
Secure Network connection library path: path to libsapcrypto.so (64bit)
X509 Certificate: [left empty for now]

I get the following error.

Error: >Tue Nov 22 12:17:18,600< RfcException: [null]
message: Connect to SAP gateway failed
Connection parameters: TYPE=A DEST=100[USERNAME].999696 ASHOST=[Our gateway host] SYSNR=01 GWHOST=[our gateway host] GWSERV=sapgw01 SNC_MODE=1 SNC_QOP=3 SNC_MYNAME="p:CN=bla, OU=bla, O=bla, C=ZA" SNC_PARTNERNAME="p:CN=bla, OU=bla, O=bla, C=ZA" PCS=1 COMM_CP=1100

LOCATION CPIC (TCP/IP) on local host with Unicode
ERROR GSS-API(maj): No credentials were supplied
GSS-API(min): File is not existing
name="p:CN=bla, OU=bla, O=bla, C=ZA"
TIME Tue Nov 22 12:17:18 2011
RELEASE 720
COMPONENT SNC (Secure Network Communication)
VERSION 5
RC -4
MODULE sncxxall_mt.c
LINE 1439
DETAIL SncPAcquireCred
SYSTEM CALL gss_acquire_cred
COUNTER 12

Return code: RFC_FAILURE(1)
error group: 102
key: RFC_ERROR_COMMUNICATION

I reasoned that the flow required a keystore/truststore to get the credentials to send to the SAP system. I therefore configured the following.

Our Linux administrator imported the certificate supplied by SAP.

keytool -importkeystore -srckeystore /usr/lib64/jvm/jre/lib/security/ourcerts
./mqsichangeproperties OURBROKER -o BrokerRegistry -n brokerKeystoreFile -v /var/mqm/.ourkeystore
./mqsichangeproperties OURBROKER -o BrokerRegistry -n brokerTruststoreFile -v /var/mqm/.ourkeystore

I also gave the flows access to the keystore

mqsichangeproperties OURBROKER -e SAP -o ComIbmJVMManager -n brokerKeystoreFile -v /var/mqm/.ourkeystore

And yet, I am still experiencing the problem

LOCATION CPIC (TCP/IP) on local host with Unicode
ERROR GSS-API(maj): No credentials were supplied
GSS-API(min): File is not existing
name="p:CN=bla, OU=bla, O=bla, C=ZA"

I have had a look on the SAP Gateway for errors and all it reports is the following.

044: Error in the SNC layer (Secure Network Communication)

Please let me know if you can help.
_________________
The answer to the question is 42
mqjeff
Posted: Tue Nov 22, 2011 4:34 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Mods, please move this to the broker forum, as it is really a broker question.

Skydoor - you are probably reasonably correct that you need to provide a keystore. You appear to have maybe supplied the one that is in use by the Broker's queue manager, and that doesn't seem like the right one.

You probably need to open a PMR to find out how to properly configure this - it might be as simple as merely configuring the keystore at the EG level rather than the broker level...

You should also apply FixPack 3 so you're at 7.0.0.3 rather than 7.0.0.1. You're much more likely to have success.
exerk
Posted: Tue Nov 22, 2011 4:50 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

mqjeff wrote:
Mods, please move this to the broker forum, as it is really a broker question.

Done as requested...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
skydoor
Posted: Tue Nov 22, 2011 5:00 am    Post subject: SNC Failure on SAPRequest and SAPInput

Apprentice

Joined: 24 Jul 2007
Posts: 43
Location: Cape Town

Hi mqjeff,

I have configured both the broker and the EG. Are you saying that there might be a conflict between the reference to the keystore of the broker and the reference to the keystore of the EG?
_________________
The answer to the question is 42
mqjeff
Posted: Tue Nov 22, 2011 6:10 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

All that I am saying is that if you configured it at the broker level, and it wasn't found, then you might need to configure it at the EG level.

Since I hadn't noticed that you mentioned that you had already configured it at the EG level.

Again, I think you need to open a PMR. You also might discuss with your SAP team exactly what information they would provide, including information about keystores and what keys are in them, etc., for a standalone Java application that wanted to connect to SAP using SNC.

That is, you might have to configure a keystore such that the libsapcrypto can find it, regardless of whether or not libsapcrypto is being invoked from Broker.
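Added example, not part of the thread and not IBM or SAP tooling: a preflight check, run as the broker's OS user, for the situation described in the post above, where libsapcrypto has to find its own keystore before gss_acquire_cred can succeed. It assumes the usual SAP Cryptographic Library layout (a PSE file plus a cred_v2 credential file in the directory named by SECUDIR); snc_preflight and broker.pse are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: libsapcrypto reads a
# PSE file and a cred_v2 credential file from the directory named by SECUDIR.

# snc_preflight LIBPATH SECUDIR [PSE_FILE]
# Prints one finding per line; returns the number of FAIL findings.
snc_preflight() {
    lib=$1; secudir=$2; pse=${3:-broker.pse}   # broker.pse is a placeholder
    fails=0

    # The library path entered on the adapter must be readable by this user.
    if [ -r "$lib" ]; then echo "OK   library: $lib"
    else echo "FAIL library not readable: $lib"; fails=$((fails + 1)); fi

    # Without a usable SECUDIR nothing below can succeed, so stop early.
    if [ ! -d "$secudir" ] || [ ! -x "$secudir" ]; then
        echo "FAIL SECUDIR not a searchable directory: ${secudir:-<unset>}"
        return $((fails + 1))
    fi
    echo "OK   SECUDIR: $secudir"

    # The PSE holds the key pair for SNC_MYNAME; cred_v2 lets the process
    # open it without a PIN prompt. Both must be readable by the OS user
    # the execution group runs as.
    for f in "$secudir/$pse" "$secudir/cred_v2"; do
        if [ ! -r "$f" ]; then
            echo "FAIL not readable: $f"; fails=$((fails + 1))
        elif [ -n "$(find "$f" -prune -perm -0004)" ]; then
            # Readable by everyone: SNC works, but key material is exposed.
            echo "WARN world-readable: $f"
        else
            echo "OK   $f"
        fi
    done
    return "$fails"
}

# Run as the broker's service user, for example:
#   snc_preflight /path/to/libsapcrypto.so "$SECUDIR" broker.pse
```

A FAIL on the PSE or cred_v2 line corresponds to the "No credentials were supplied / File is not existing" pair in the trace, which is raised locally before any SNC handshake with the gateway.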
skydoor
Posted: Tue Nov 22, 2011 6:23 am    Post subject: SAP SNC problem

Apprentice

Joined: 24 Jul 2007
Posts: 43
Location: Cape Town

@mqjeff: I see what you mean with the keystore specific to SAP. There is only one teeny tiny problem... The SAP BASIS guys on our side are [rant removed, feeling better now...]

I will raise a PMR with IBM.

Thanks jeff.
_________________
The answer to the question is 42