Verification of own certificate failed (A2210210)
In case you get the message, that the verification of own certificate failed, then you should check, whether the first certificate of Simplifiers PSE Keystore has been correctly imported into the SNC SAPCryptolib Keystore of the desired SAP system.
In Simplifier you could simply navigate to “Settings” -> “SAP Security” -> “PSE File” and download the first certificate in the list. Then proceed with importing this certificate into the SNC SAPCryptolib Keystore of the desired SAP system.
In the end, the situation should look like in the screenshots below. SAP’s own certificate (in the screenshot e.g. CN=ID4) should be a foreign certificate in Simplifiers PSE File and vice versa Simplifiers’s own certificate (here for example CN=SimplifierCn) should be a foreign certificate in SAP’s SNC SAPCryptolib Keystore.
Peer certificate verification failed (A2200210)
If you encounter the error “peer certificate validation failed”, then check, that you have imported the ‘own certificate’ of the partner SAP system (of the SNC SAPCryptolib Keystore) into the PSE Keystore of your Simplifier instance.
Logon to the SAP system and navigate to the transaction “STRUST”. On the left, the second entry from the top is usually the SNC SAPCryptolib Keystore. Select this keystore, then the first certificate in the list should match one of the foreign certificates, that you can find in Simplifier when navigating to “Settings” -> “SAP Security” -> “PSE File”.
If it is missing there, then dowlload the first certificate from SAP (encoded as Base64) and add it to Simplifiers PSE File using the “+” symbol on the top right.
In the end, the situation should look like in the screenshots above.
Actual server name differs (A2200202)
If you encounter the error “Actual server name differs”, then you should check, that the field ‘SNC Partner’ in the SAP System of the Login Method is correct.
In case the Common Name of the first certificate in your SAPs SNC SAPCryptolib Keystore is “SAP_PROD”, then the ‘SNC Partner’ should be filled with “CN=SAP_PROD”.
No suitable SAP user found
If you encounter the error that no suitable SAP user was found for external user identity, then no user could be mapped in SAP’s VUSREXTID table.
Make sure, that the ExtID type is correct on both, on Simplifier side (it is configured in the Login Method) and on SAP side (e.g. in the screenshots it is “LD” for LDAP) and that the value of the ExtID in the User Secret of your Authentication is as expected and matches a left side value in VUSREXTID.
SNC name of the partner system not in ACL
The SCN connection could not be established. Make sure, that you have an entry in SAP’s ACL for ‘p:CN=<CN_OF_CERT_OF_YOUR_SIMPLIFIER_INSTANCE>’ and that RFC, CPIC and ext. ID are activated in that entry.
See description of the SNC0 transaction in the documentation.
No credentials were supplied
If you encounter this message: The SCN connection could not be established. Please ensure, that you have set the sap.cryptoLib.user and password in your settings (e.g. in include.conf). Simplifier ships with preconfigured values there – and especially the user value (“root”) needs not to be changed.
The user must be the user, which runs the Simplifier process.
In case you change the sap.cryptoLib.password, you will need to recreate Simplifiers PSE Keystore and do the procedure of making each side’s (SAP and Simplifier) certificates known to each other again.
Please also ensure, that the SECUDIR environment variable is set correctly; typically it is set to ‘/opt/simplifier/data/SapSecurity/SECUDIR’ when running Simplifier in a docker environment. In case you run Simplifier as provided, there should be no changes needed.
Other possible problems
The following paragraphs will list possible problems and their solutions. One has to check manually (Access to the Host-System is REQUIRED)
Existence (OS/HOST SYSTEM)
- The cred_v2 file in the SECUDIR must exist on the OS.
- The PSE file for the provided OWN NAME must exist on the OS.
Access(JAVA/DOCKER)
- The SAP Cryptographic Library operates with ABSOLUTE file paths NOT RELATIVE file paths. Please make sure that the JAVA-Process can access the path provided in the cred_v2 file
Permissions (OS/DOCKER)
- The cred_v2 file in the SECUDIR directory requires READ-Permissions for the current running user.
- Every part of the path to the cred_v2 file also requires READ-Permissions for the current running user.
- The PSE file that is used for the provided OWN NAME requires READ-Permissions for the current running user.
Own Name (Provided Common Name of the PSE-File) (OS/SIMPLIFIER ADMIN UI)
The contents of the cred_v2 file can viewed in the SIMPLIFIER ADMIN UI in the PSE File subtab under the SAP Security tab with the button Show Credentials.
- The provided OWN NAME must have an entry in the credential file.
- Please look for typos, a space is a VALID character after the CN= part of the own name
- Please make sure that the correct cred_v2 file was used (correct value for the environment variable SECUDIR)
- The provided OWN NAME must be readable for the current running user
- The provided OWN NAME must not have more than one entry in the credential file (multiple different PSE-Files CAN be referenced in the cred_v2 file)
The environment variable SECUDIR is not set
The SCN connection could not be established because the environment variable SECUDIR is not set. Make sure, that you are running Simplifier with the correct run.sh, then the SECUDIR environment variable should be set to ‘/opt/simplifier/data/SapSecurity/SECUDIR’. This is the place, where a cred_v2 file is placed. This file is created during creation of the keystore and it defines, which process user can access Simplifier’s PSE Keystore.