SAP Knowledge Base Article - Preview

2629916 - sapcontrol returns: Creating credential from instance PSE failed, Loading instance PSE failed or Peer not trusted

Symptom

The SUM is failing reporting the following error:

[Error ]: The following problem has occurred during step execution: com.sap.sdt.util.diag.DiagException: SUM has detected that the SystemPKI is supported by your system. To continue, you have to configure it as described in SAP Note 2200230.

Running the sapcontrol command triggered by SUM reports the following error:

sapcontrol -nr <NR> -host <host> -systempki /usr/sap/<SID>/SYS/profile/<profile> -function AccessCheck Stop

Creating credential from instance PSE failed
or
Loading instance PSE failed
or
Failed to verify peer certificate. Peer not trusted.

Using sapcontrol on debug mode something similar to following:

sapcontrol -nr <NR> -host <host> -systempki <profile path> -debug -function AccessCheck Stop

1)

[Thr 139770004993824] *** ERROR => secussl_Create_SSL_CTX(): PSE "#_MemPSE_#498392645980839848367840": File not found! [ssslsecu.c 2413]
[Thr 139770004993824] secussl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed (4129/0x00001021)
[Thr 139770004993824] => "The PSE file does not exist."
[...]
[Thr 139770004993824] SapISSLDeleteCTX(): deleting SSL_CTX (cred "<NULL>",refcount=0)
[Thr 139770004993824] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create CLIENT Credential
for "#_MemPSE_#498392645980839848367840" [ssslxxi.c 3109]
[Thr 139770004993824] <<- ERROR: SapSSLCreateCredHdl()==SSSLERR_PSE_ERROR
[...]
Creating credential from instance PSE failed

2)

[Thr 01] SSL_get_state()==0x2131 "TLS read server certificate B"
[Thr 01] *** ERROR during SecuSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[...]
[Thr 01] SecuSSL_SessionStart: SSL_connect() failed (536872221/0x2000051d)
[Thr 01] => "Failed to verify peer certificate. Peer not trusted."

3)

[Thr 3608] *** ERROR => Exit ssfPkiCreateOnTheFlyInstancePSE: Could not get root PSE [ssfxxpki.c 1305]
[...]
[Thr 3608] *** ERROR => ssfPkiGetInstancePSE: Could not get instance PSE [ssfxxpki.c 591]
[...]
Loading instance PSE failed

4)

ERROR => ssfAuxCreateMemoryPSE: Could not open instance PSE F:\usr\sap\<SID\<instance>\sec\sap_system_pki_instance.pse [ssfxxpki.c 478]
[...]
Loading instance PSE failed

Read more...

Environment

Sapstartsrv with systemPKI support

Keywords

DETECT  input_credentials  input-credentials-dialog  check-sapcontrol-connection-for-ci  com.sap.sdt.j2ee.services.servicesimpl.CheckSapControlService  class com.sap.sdt.util.diag.DiagException UpdateInstancePSE UpdateSystemPKI , KBA , BC-CST-STS , Startup Service , BC-CST , Client/Server Technology , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.