SAP Knowledge Base Article - Preview

2359837 - Troubleshooting for "Support Hub Connectivity" in Solution Manager 7.2 up to SP04

Symptom

This KBA is valid for Solution Manager 7.2 SP03 and SP04.  For SP05 or higher, please refer to the KBA 2454045

Several problems and errors in SAP Solution Manager Configuration in Scenario System Preparation > Step 3.2 Support Hub Connectivity

This is an overview to understand several issues for the connectivity between the SAP Solution Manager and the SAP Support Portal

Functioning data communication between the SAP Solution Manager and the SAP Support Portal is the foundation of almost all SAP Solution Manager Services and applications. The SAP Solution Manager platform, architecture and
infrastructure is one of the core crucial components of the entire SAP support organization. The ability to connect remotely and exchange data worldwide between SAP Solution Manager and the SAP support backend environment
at any time in a secure, reliable and controlled way is one of the key differentiators of SAP to its competitors.

1.png

The new communication channels and its underlying infrastructure will be delivered with SAP Solution Manager Release 7.2. These new channels, indicated in the picture above, addresses architecture issues customers and SAP have been
facing in the past such as, but not limited to, the architecture of the proprietary RFC protocol and backend stability problems.

The new channels support:

-          asynchronous and synchronous processes to optimize local and remote resource consumption

-          the entire communication is based on the standard https protocol

-          use state-of-the-art end-to-end encryption methods

-          full support of Webproxy or SAPRouter connections when necessary

SAP will continue to develop and/or migrate new existing applications over to the new solution. Future SAP Solution Manager Support Packages will include incremental built-in functionalities based on the above. Functions will be migrated
to the new SAP Support Communication Channels, which will completely replace the current SAP OSS RFC communication model.

The new communication channels for asynchronous and synchronous processes will be created and configured during the SAP Solution Manager Setup

Prerequisites:

1.)    A clear understanding how the SAP Solution Manager application server can reach a server located outside the internal network – this information can be obtained from your Network Administrator. There are 3 options to choose from:

a.)    The SAP Solution Manager application server has direct access to the internet via https

b.)    The SAP Solution Manager application server has indirect access to the internet via https using a webproxy. In this case, your network administrator will provide you the hostname and port of the dedicated webproxy. If necessary
        the external URL’s apps.support.sap.com and servicepoint.sap.com must be added to the proxy whitelist to make sure the access is granted and won’t get blocked by your webproxy.

c.)    The SAP Solution Manager application server has indirect access to external networks via https and the SAP proprietary proxy called SAPRouter. In this case your network administrator will provide you the appropriate SAPRouter-String
        to access  apps.support.sap.com and servicepoint.sap.com

Example: /H/<saprouter@customer>/S/3299/H/<saprouter@sap>/S/3299/H/apps.support.sap.com or  /H/<saprouter@customer>/S/3299/H/<saprouter@sap>/S/3299/H/servicepoint.sap.com

Possible SAP Route entries for <saprouter@sap>
sapserv1 (194.117.106.129) Internet VPN connection
sapserv2 (194.39.131.34) Internet SNC connection
sapserv3 (147.204.2.5) for customers connected to Germany
sapserv4 (204.79.199.2) for customers in the United States
sapserv5 (194.39.138.2) for customers connected to Japan
sapserv7 (194.39.134.35) for customers in Asia Pacific Japan (APJ) including New Zealand and Australia
sapserv9 (169.145.197.110) for customers in APJ including New Zealand and Australia
sapserv10 (203.13.159.37) for customers in China

d.)    Access to  apps.service.sap.com requires the use of TLS protocol version TLSv1.1 and TLSv1.2, which is not enabled by default for outgoing SSL/TLS-protected communication from SAP Netweaver.
        Please see section 7 of SAP Note 510007 for the currently recommended value for profile parameter ssl/client_ciphersuites to enable TLSv1.1 and TLSv1.2 for outgoing SSL/TLS-protected communication.

e.)    Install the newest version of the CommonCryptoLib – for further information please see SAP note 2390726.

2.)    HTTPS/SSL has been configured and activated properly on SAP Solution Manager. This means that SAP Solution Manager Configuration in Scenario "System Preparation" > Step 2 Check Prerequisites > Manual Activities “Check Secure Web Browser Comm. (HTTPS)”  and Automatic Activities “Check ABAP System Profile Parameters” has been successfully performed

3.)  The necessary certificates to establish the trust with the SAP backend server have been installed and activated during the SAP Solution Manager in transaction solman_setup (SAP Solution Manager Configuration > Scenario "System
      Preparation" > Step 3.2 Support Hub Connectivity > Automatic Activities “Setup Configure SSL Store”)

NOTE: Only one option can be chosen.  An attempt to combine option B and option C, for example, will lead to error messages and the connection will fail.

In order to test either connection please do the following:

1. Go to transaction SM59
2. Press Create
3. Enter an RFC destination name: TEST_SAP_SUPPORT_HUB_ASYNC, and Connection Type: “H” a description TEST_SAP_SUPPORT_HUB_ASYNC
4. In tab “Technical Settings”:
    a. Target Name: This is the host you want to connect to - enter value “apps.support.sap.com” or “servicepoint.sap.com”
       Please note:
       In case your network administrator provided you a SAPRouter-String to be used to connect to those external servers please enter it here:
       Example:
       synchronous:  /H/<saprouter@customer>/S/3299/H/<saprouter@sap>/S/3299/H/apps.support.sap.com or
       asynchronous: /H/<saprouter@customer>/S/3299/H/<saprouter@sap>/S/3299/H/servicepoint.sap.com
    b. Service No.: Here you specify the port - enter value “443”
    c. Path Prefix: is only for test scenario
       synchronous:   /sap/bc/bsp/svt/sapping
       asynchronous: /sap/bc/bsp/svx/check_user
5. HTTP Proxy Options: Here you can configure a webproxy if your network setup requires a webproxy to be used for outgoing connections. Here you can specify the hostname and port as well as proxy user and proxy password to be used,
    if nececessary. 
6. In tab “Logon & Security”:
    a. In frame “Logon with User”
        synchronous: Select radio button “Do Not Use a User”
        asynchronous: Select radio button "Basic Authentication" and enter the technical user and password
    b. In frame “Security Options”
        i. In field “SSL” select radio button “Active”
        ii. In field “SSL Certificate” select the value “ANONYM SSL Client (Anonymous)

NOTE: During the Solution Manager setup (Activity: Configure SSL Store), the necessary certificates to establish the trust between your SAP Solution Manager and the target SAP server will be performed. This activity imports the certificates
into the Client SSL (anonymous) PSE store and activates them on the SAP Solution Manager application servers. If this mandatory step was not performed successfully before the connection check is executed, an SSL handshake error will
occur and the corresponding connection will fail.

Example:

KBA_TEST_01.png

KBA_TEST_002.png

After all necessary data has been populated correctly please click on the button “Connection Test” to perform a connectivity check for the outgoing connection:
If you receive the following result for both URL’s apps.support.sap.com and servicepoint.sap.com, the new SAP Solution Manager Communication channels are working correctly.

KBA_TEST_003.png

In the following sections (the SAP Solution Manager 7.2 configuration in transaction Solman_Setup > System Preparation > Step 3. “Set Up Connections to SAP”) you will find the most common error messages
that may occur if you have connectivity problems along with an explanation and its solution.

If you are unable to find a resolution for your problem or if you have a connectivity related question regarding these new communication channels please feel free to open an incident under component XX-SER-NET-HTL:

Error #1: RFC Destination to SAP Support Portal (SAPOSS) has the status "red"

  5.png

Error #2: SSL handshake failed with apps.support.sap.com:443 failed: SSSLERR_SSL_READ

a)  "received a fatal TLS handshake failure alert message from the peer"

 6.png

b) "Internal error"

21.png

Relevant for server / scenario:
apps.support.sap.com – synchronous scenario only

Error in ICM Trace File (in transaction SMICM > Goto > Trace File > Display All):

a)  "received a fatal TLS handshake failure alert message from the peer"

 7.png

b) "Internal error"

22.png

Error #3: SSL handshake failed with servicepoint.sap.com:443 failed: SSSLERR_PEER_CERT_UNTRUSTED

8.png

Relevant for server / scenario:
servicepoint.sap.com    – asynchronous scenario
apps.support.sap.com – synchronous scenario

Error in ICM Trace File (in transaction SMICM > Goto > Trace File > Display All):

 9.png

Error #4: IcmConnInitClientSSL: Proxy connection failed (Proxy returned 400 Bad Request)

 10.png

Relevant for server / scenario:
servicepoint.sap.com    – asynchronous scenario
apps.support.sap.com – synchronous scenario

Error #5: Connection to the webproxy server running on IP address 10.10.10.10 port 8080 failed:

 11.png

Relevant for server / scenario:
servicepoint.sap.com    – asynchronous scenario
apps.support.sap.com – synchronous scenario

Error #6: IcmConnInitClientSSL: Proxy connection failed (proxy returned 403 Forbidden)

 12.png

Relevant for server / scenario:
servicepoint.sap.com    – asynchronous scenario
apps.support.sap.com – synchronous scenario

Error #7: During the execution of automatic activity “Check Asynchronous Channel” in SAP Solution Manager Configuration, the following error messages appear:
                Name: "Errors occurred while checking"
                Value: Error while testing call to:[MI_O_S_SHB_REMOVE]
                SOAP:1007 SRT: Unsupported xstream found: ("HTTP Code 401 : Unauthorized")

20.png

Relevant for server / scenario:
servicepoint.sap.com    – asynchronous scenario
apps.support.sap.com – synchronous scenario

Error #8: IcmConnInitClientSSL: Proxy connection failed (proxy returned 404 Not Found)

23.jpg

Relevant for server / scenario:
servicepoint.sap.com    – asynchronous scenario
apps.support.sap.com – synchronous scenario

Error #9: During the execution of automatic activity "Configure Asynchronous Channel" in step 3.2 Support Hub Connectivity, the following error message appear:
                Web service ping failed for logical port LP_SISE_SUPPORTHUB, proxy ...
                In SOAMANAGER, 'Ping web service' failed with error below:
                SRT Framework exception: Service Ping ERROR: Error when calling SOAP Runtime functions: 
                SRT: Processing error in Internet Communication Framework: ("Connect to servicepoint.sap.com:443 failed: NIECONN_REFUSED(-10)")


Read more...

Environment

  • SAP Solution Manager 7.2 SP03 and SP04

Product

SAP Solution Manager 7.2

Keywords

System Preparation, Step 3. Set Up Connections to SAP, Step 3.1 RFC Connectivity, Step 3.2 Support Hub Connectivity, Configure SOAP Runtime, Create User for Support Hub Communication, Specify Configuration Parameters, Specify Configuration Parameters, Configure Synchronous Communication Channel, Configure SSL Store, Configure Asynchronous Channel, SAP-SUPPORT_PORTAL, IcmConnInitClientSSL, ssl/client_ciphersuites, LP_SISE_SUPPORTHUB, SSL handshake failed with apps.support.sap.com, Tech-User, Technical user, apps.service.sap.com, servicepoint.sap.com , KBA , servicepoint.sap.com , apps.support.sap.com , SV-SMG-INS-CFG-SYP , System Preparation , SV-SMG-SVC , Administration of Service Connections with Solution Manager , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.