When the ERP Agent for SAP initializes, it intermittently fails to connect to the Policy Server. The Policy Server reports the following errors:
[2757/140476646450944][Tue Oct 12 2021 09:39:48][CServer.cpp:2121][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3154
[2757/140476646450944][Tue Oct 12 2021 09:39:48][CServer.cpp:2132][ERROR][sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client
[2757/140476646450944][Tue Oct 12 2021 09:39:48][CServer.cpp:2293][ERROR][sm-Server-01070] Failed handshake with 10.0.0.1:26386
- ERP Agent 12.51 on SAP 7.50 on RedHat 7;
(ca-erp-webas-12.51-rhas30-x86-64.bin);
SAP and ERP Agent IP 10.0.0.1;
smwebas.home = /mysaphome/siteminder/webagent/sapwebas/conf/
- Policy Server 12.8SP4 on RedHat 7;
Policy Server on 10.0.0.2 on RedHat;
JDK jdk8u265-b01;
It appears that the SAP engine does not pick up the CAPKIHOME setting. Without it, the ERP Agent cannot locate the CAPKI libraries that handle encryption of its connection to the Policy Server, so it cannot connect.
The CAPKIHOME environment variable is still missing:
std_server0.out:
started at : Tue Oct 19 11:12:58 2021
680.636: [GC (Allocation Failure) 680.645: [ParNew: 1178767K->174720K(1223040K), 2.5298077 secs] 1466367K->545712K(4019584K), 2.5382294 secs]
[Times: user=1.36 sys=0.18 real=2.54 secs]
Please check atleast one of the following conditions are met.
*) Set CAPKIHOME environment variable.
*) Pass valid second parameter to etpki_lib_init function. Ex:
if the second parameter is /a/b/c/[lib]cryptocme2.[dll][so][sl],
it is assumed that /a/b/c has all the required CAPKI shared libraries
But the SAP server appears to ignore the configuration you provided. The startup log shows SECUDIR but not CAPKIHOME:
sapstart.log:
Starting at 2021/10/19 11:12:36
Startup Profile: "/{home_sap}/SERVER/SYS/profile/SAP_PROFILE"
Setup Environment Variables
---------------------------
(208126) SETENV DIR_LIBRARY=/{home_sap}/SERVER/J30/exe
(208126) SETENV LD_LIBRARY_PATH=/{home_sap}/SERVER/J30/exe:/{home_sap}/SERVER/J30/exe:/{home_sap}/SERVER/SYS/exe/run:/{home_sap}/SERVER/SYS/exe/uc/linuxx86_64
(208126) SETENV SHLIB_PATH=/{home_sap}/SERVER/J30/exe:
(208126) SETENV LIBPATH=/{home_sap}/SERVER/J30/exe:
(208126) SETENV PATH=/{home_sap}/SERVER/J30/exe:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/{home_sap}/SERVER/SYS/exe/uc/linuxx86_64:/{home_sap}/SERVER/SYS/exe/run
(208126) SETENV DB2_CLI_DRIVER_INSTALL_PATH=/{home_sap}/SERVER/J30/exe/db6_clidriver
(208126) SETENV SECUDIR=/{home_sap}/SERVER/J30/sec
SAP_PROFILE:
SETENV_00 = DIR_LIBRARY=$(DIR_LIBRARY)
SETENV_01 = LD_LIBRARY_PATH=$(DIR_LIBRARY):%(LD_LIBRARY_PATH)
SETENV_02 = SHLIB_PATH=$(DIR_LIBRARY):%(SHLIB_PATH)
SETENV_03 = LIBPATH=$(DIR_LIBRARY):%(LIBPATH)
SETENV_04 = PATH=$(DIR_EXECUTABLE):%(PATH)
SETENV_05 = DB2_CLI_DRIVER_INSTALL_PATH=$(DIR_EXECUTABLE)/db6_clidriver
SETENV_06 = CAPKIHOME=/{home_erp_agent}/sapwebas/CAPKI
So the ERP Agent reports it can't connect:
security_00.0.log:
#2.0#2021 10 19 11:25:23:958#+0200#Info#/System/Security#
##ca.com~SiteMinderLoginModule#C0000A0B4AAD002D0000000000032DBB#304935450000000004
#sap.com/irj#com.netegrity.siteminder.sap.webas.jaas.SiteMinderLoginModule#Guest#0
##CF3E107D30BC11EC9502506B8DF4C0A3#cf3e107d30bc11ec9502506b8df4c0a3##0
#Thread[HTTP Worker [@52971258],5,Dedicated_Application_Thread]#Plain##
Application Server:SiteMinder WebAS Agent
Product Version:12.51 ,
Product Label:211,
Product Update:0000 #
#2.0#2021 10 19 11:25:24:125#+0200#Fatal#/System/Security#
##ca.com~SiteMinderLoginModule#C0000A0B4AAD002D0000000100032DBB#304935450000000004
#sap.com/irj#com.netegrity.siteminder.sap.webas.jaas.AgentConnectionHandler.initialize()
#Guest#0##CF3E107D30BC11EC9502506B8DF4C0A3#cf3e107d30bc11ec9502506b8df4c0a3##0
#Thread[HTTP Worker [@52971258],5,Dedicated_Application_Thread]#Plain##
GetConfig method returned error. Check agentName & SmHost.conf file path is correct#
#2.0#2021 10 19 11:25:24:128#+0200#Info#/System/Security#
##ca.com~SiteMinderLoginModule#C0000A0B4AAD002D0000000300032DBB#304935450000000004
#sap.com/irj#com.netegrity.siteminder.sap.webas.jaas.AgentConnectionHandler.initialize()
#Guest#0##CF3E107D30BC11EC9502506B8DF4C0A3#cf3e107d30bc11ec9502506b8df4c0a3##0
#Thread[HTTP Worker [@52971258],5,Dedicated_Application_Thread]#Plain##
Return code from init(): -1#
#2.0#2021 10 19 11:25:24:128#+0200#Fatal#/System/Security#
##ca.com~SiteMinderLoginModule#C0000A0B4AAD002D0000000400032DBB#304935450000000004
#sap.com/irj#com.netegrity.siteminder.sap.webas.jaas.AgentConnectionHandler.initialize()
#Guest#0##CF3E107D30BC11EC9502506B8DF4C0A3#cf3e107d30bc11ec9502506b8df4c0a3##0
#Thread[HTTP Worker [@52971258],5,Dedicated_Application_Thread]#Plain##
Agent initialization failed#
The Policy Server receives the connection requests, but there's a problem with the shared secret, so the connection can't complete:
smps.log:
[2233/139891304294144][Tue Oct 19 2021 11:25:24][CServer.cpp:2121][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3154
[2233/139891304294144][Tue Oct 19 2021 11:25:24][CServer.cpp:2132][ERROR][sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client
[2233/139891304294144][Tue Oct 19 2021 11:25:24][CServer.cpp:2293][ERROR][sm-Server-01070] Failed handshake with 10.0.0.1:14330
smtracedefault.log:
[10/19/2021][11:25:24.124][11:25:24][][][CServer.cpp:1956][CAgentMessageHandler::HandleInput][][][][][][][][][][][][][][][10.0.0.1][14330][][][][][Enqueuing a High Priority Message, from IP 10.0.0.1 with Port No 14330. Current count is 1]
[10/19/2021][11:25:24.124][11:25:24][][][CServer.cpp:1514][ThreadPool::Run][][][][][][][][][][][][][][][10.0.0.1][14330][][][][][Dequeuing a High Priority message, from IP 10.0.0.1 with Port No 14330. Current count is 0]
[10/19/2021][11:25:24.124][11:25:24][][][CServer.cpp:2231][CAgentMessageHandler::DoWork][][][][][][][][][][][][][][][10.0.0.1][14330][][][][][New connection attempt from client host]
[10/19/2021][11:25:24.124][11:25:24][][][CServer.cpp:1997][GetSecretFunc][][][][][][][][][][][][][][][][][][][][][Getting current secret for the Agent <agent>]
[10/19/2021][11:25:24.124][11:25:24][][][CServer.cpp:2072][GetSecretFunc][][][][][][][][][][][][][][][][][][][][][Getting previous secret for the Agent <agent>]
[10/19/2021][11:25:24.124][11:25:24][][][CServer.cpp:2078][GetSecretFunc][][][][][][][][][][][][][][][][][][][][][Error while fetching previous secret for the Agent <agent>]
[10/19/2021][11:25:24.129][11:25:24][][][CServer.cpp:2121][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3154]
[10/19/2021][11:25:24.129][11:25:24][][][CServer.cpp:2132][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client]
[10/19/2021][11:25:24.129][11:25:24][][][CServer.cpp:2293][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Server-01070] Failed handshake with 10.0.0.1:14330]
[10/19/2021][11:25:24.129][11:25:24][][][CServer.cpp:2299][CAgentMessageHandler::DoWork][][][][][][][][][][][][][][][10.0.0.1][14330][][][][][Handshake error with trusted host <agent> with IP 10.0.0.1 on Port No 14330]
Contact SAP vendor support to determine why the SAP server does not apply the configured CAPKIHOME setting at startup.
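To confirm which profile entries were not applied before raising the case, the comparison made above between SAP_PROFILE and sapstart.log can be scripted. This is an added example, not part of the original article or of any vendor tooling; the function names are hypothetical and the sample input is constructed from the excerpts shown above.

```shell
#!/bin/sh
# Added example (not from the original article): report variables that a SAP
# profile defines through SETENV_nn but that sapstart.log never shows as set.
LC_ALL=C; export LC_ALL   # keep sort and comm ordering consistent

# Names from profile lines such as "SETENV_06 = CAPKIHOME=/path"
profile_vars() {
    sed -n 's/^[[:space:]]*SETENV_[0-9][0-9]*[[:space:]]*=[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort -u
}

# Names from log lines such as "(208126) SETENV SECUDIR=/path"
applied_vars() {
    sed -n 's/^([0-9][0-9]*)[[:space:]]*SETENV[[:space:]][[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort -u
}

# missing_vars PROFILE LOG: defined in the profile, absent from the log
missing_vars() {
    mv_dir=$(mktemp -d) || return 1
    profile_vars "$1" > "$mv_dir/profile"
    applied_vars "$2" > "$mv_dir/applied"
    comm -23 "$mv_dir/profile" "$mv_dir/applied"
    rm -rf "$mv_dir"
}

# proc_has_var PID NAME: true if the running process really has NAME set
# (Linux only; needs permission to read /proc/PID/environ)
proc_has_var() {
    tr '\0' '\n' < "/proc/$1/environ" | grep -q "^$2="
}

# Constructed sample input, shortened from the excerpts in the article
demo_missing() {
    d=$(mktemp -d) || return 1
    cat > "$d/SAP_PROFILE" <<'EOF'
SETENV_00 = DIR_LIBRARY=$(DIR_LIBRARY)
SETENV_01 = LD_LIBRARY_PATH=$(DIR_LIBRARY):%(LD_LIBRARY_PATH)
SETENV_06 = CAPKIHOME=/{home_erp_agent}/sapwebas/CAPKI
EOF
    cat > "$d/sapstart.log" <<'EOF'
(208126) SETENV DIR_LIBRARY=/{home_sap}/SERVER/J30/exe
(208126) SETENV LD_LIBRARY_PATH=/{home_sap}/SERVER/J30/exe
(208126) SETENV SECUDIR=/{home_sap}/SERVER/J30/sec
EOF
    missing_vars "$d/SAP_PROFILE" "$d/sapstart.log"
    rm -rf "$d"
}

demo_missing
```

On a live system, pass the real profile and sapstart.log paths to `missing_vars`, and use `proc_has_var` with the PID of the SAP Java server process to check whether CAPKIHOME reached the process that loads the agent.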