SAP HANA Cloud Connector - no connection due to SSL issue

Hi @all,

I have a strange issue after initially setting up a Cloud Connector when trying to initially establish the connection to the HCP account.

The CC is installed on a SLES 11. As it is a Sandbox environment with an SAP Java system on it, the JAVA_HOME path points to the SAP JVM delivered with this system.

After I started the CC daemon (with root user), the CC runs and I can connect to the admin UI. After entering the data to my account at hanatrial.ondemand.com and my logon data, the CC tries to connect - and fails.

The Connector State shows that the required URLs can be reached from the SLES host.

The logs show an issue with the SSL communication between the CC and the HANA-Trial instance.

The log shows that the CC is not able to connect to HCP with issues verifying the SSL connection:

2014-10-13 17:02:01,698#ERROR#com.sap.scc.rt#http-bio-8443-exec-8#          #Tunnel Connect Failed

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)

    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:485)

    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:753)

    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:721)

    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)

    at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1282)

    at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:917)

    at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)

    at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:310)

    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)

    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)

    at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)

    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)

    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:318)

    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)

    at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)

    at org.jboss.netty.handler.execution.MemoryAwareThreadPoolExecutor$MemoryAwareRunnable.run(MemoryAwareThreadPoolExecutor.java:622)

    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)

    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)

    at java.lang.Thread.run(Thread.java:722)

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)

    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1528)

    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:243)

    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)

    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)

    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)

    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)

    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)

    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:533)

    at java.security.AccessController.doPrivileged(Native Method)

    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:952)

    at org.jboss.netty.handler.ssl.ImmediateExecutor.execute(ImmediateExecutor.java:31)

    at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1450)

    at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1323)

    ... 14 more

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)

    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)

    at sun.security.validator.Validator.validate(Validator.java:218)

    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)

    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)

    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)

    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)

    ... 22 more

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)

    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)

    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)

    ... 28 more|

The certificate of hanatrial.ondemand.com was imported into the (initially) not existing keystore of both user "root" and "sccadmin"; OS permissions on the files should also not be an issue.

Any idea what I should look for to further analyze and solve the issue?

Thnx and best regards,

Timo