Verification of own certificate failed (A2210210)
If you get the message that the verification of the own certificate failed, check whether the first certificate of Simplifier’s PSE Keystore has been correctly imported into the SNC SAPCryptolib Keystore of the desired SAP system.
In Simplifier, navigate to “Settings” -> “SAP Security” -> “PSE File” and download the first certificate in the list. Then import this certificate into the SNC SAPCryptolib Keystore of the desired SAP system.
In the end, the situation should look like the screenshots below. SAP’s own certificate (in the screenshot e.g. CN=ID4) should be a foreign certificate in Simplifier’s PSE File and, vice versa, Simplifier’s own certificate (here for example CN=SimplifierCn) should be a foreign certificate in SAP’s SNC SAPCryptolib Keystore.
Peer certificate verification failed (A2200210)
If you encounter the error “peer certificate validation failed”, check that you have imported the ‘own certificate’ of the partner SAP system (from its SNC SAPCryptolib Keystore) into the PSE Keystore of your Simplifier instance.
Log on to the SAP system and navigate to the transaction “STRUST”. On the left, the second entry from the top is usually the SNC SAPCryptolib Keystore. Select this keystore; the first certificate in the list should then match one of the foreign certificates that you can find in Simplifier when navigating to “Settings” -> “SAP Security” -> “PSE File”.
If it is missing there, download the first certificate from SAP (encoded as Base64) and add it to Simplifier’s PSE File using the “+” symbol on the top right.
In the end, the situation should look like in the screenshots above.
Actual server name differs (A2200202)
If you encounter the error “Actual server name differs”, check that the field ‘SNC Partner’ in the SAP System of the Login Method is correct.
If the Common Name of the first certificate in your SAP’s SNC SAPCryptolib Keystore is “SAP_PROD”, then the ‘SNC Partner’ should be filled with “CN=SAP_PROD”.
No External Authentication Data provided
Probably the Secret User attribute was not filled. Make sure that you have logged in with the same Authentication that is used in the Login Method of the connector and that the Authentication has a User Secret.
No suitable SAP user found
If you encounter the error that no suitable SAP user was found for external user identity, then no user could be mapped in SAP’s VUSREXTID table.
Make sure that the ExtID type is correct on both sides, on the Simplifier side (it is configured in the Login Method) and on the SAP side (e.g. in the screenshots it is “LD” for LDAP), and that the value of the ExtID in the User Secret of your Authentication is as expected and matches a left side value in VUSREXTID.
SNC name of the partner system not in ACL
The SNC connection could not be established. Make sure that you have an entry in SAP’s ACL for ‘p:CN=<CN_OF_CERT_OF_YOUR_SIMPLIFIER_INSTANCE>’ and that RFC, CPIC and ext. ID are activated in that entry.
See description of the SNC0 transaction in the documentation.
No credentials were supplied
If you encounter this message, the SNC connection could not be established. Please ensure that you have set the sap.cryptoLib.user and password in your settings (e.g. in include.conf). Simplifier ships with preconfigured values there, and in particular the user value (“root”) does not need to be changed.
The user must be the user that runs the Simplifier process.
If you change the sap.cryptoLib.password, you will need to recreate Simplifier’s PSE Keystore and repeat the procedure of making each side’s (SAP and Simplifier) certificates known to the other.
Please also ensure that the SECUDIR environment variable is set correctly; typically it is set to ‘/opt/simplifier/data/SapSecurity/SECUDIR’ when running Simplifier in a docker environment. If you run Simplifier as provided, no changes should be needed.
The environment variable SECUDIR is not set
The SNC connection could not be established because the environment variable SECUDIR is not set. Make sure that you are running Simplifier with the correct run.sh; the SECUDIR environment variable should then be set to ‘/opt/simplifier/data/SapSecurity/SECUDIR’. This is the place where a cred_v2 file is stored. This file is created during creation of the keystore, and it defines which process user can access Simplifier’s PSE Keystore.
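The SECUDIR checks from this section and the previous one can be run as a pre-flight shell function; this is an added example, not part of Simplifier or its run.sh. The function name, the return codes and the rule that cred_v2 should be private to the process user are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the SECUDIR setup described above.
# Run it as the user that runs the Simplifier process.
# Return codes (constructed for this example):
#   0 ok, 1 SECUDIR unset, 2 not a directory, 3 cred_v2 missing,
#   4 cred_v2 not readable by the current user,
#   5 cred_v2 accessible to group/others
check_secudir() {
    dir="${SECUDIR:-}"
    if [ -z "$dir" ]; then
        echo "SECUDIR is not set" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "SECUDIR does not point to a directory: $dir" >&2
        return 2
    fi
    cred="$dir/cred_v2"
    if [ ! -f "$cred" ]; then
        echo "no cred_v2 in $dir (was the keystore created?)" >&2
        return 3
    fi
    if [ ! -r "$cred" ]; then
        echo "cred_v2 is not readable by $(id -un)" >&2
        return 4
    fi
    # Assumption of this example: cred_v2 should be private to that user.
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld "$cred" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "cred_v2 is accessible to group/others ($perms)" >&2
        return 5
    fi
    return 0
}
```

Call `check_secudir` in the same environment that starts Simplifier (for example inside the container) and inspect its exit status.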