sandraros / zcerti

Get HTTPS certificates from ICM trace and update in STRUST
MIT License

Certificate file content disappeared from the ICM trace in ABAP 7.58 #6

Open sandraros opened 5 months ago

sandraros commented 5 months ago

The tool doesn't work in ABAP 7.58.

I see different content in the ICM trace level 3 (transaction code SMICM) concerning the certificates:

No SAP note found.

No profile parameter found.

[EDIT] Question posted here: https://community.sap.com/t5/technology-q-a/certificate-file-content-disappeared-from-the-icm-trace-level-3-in-abap-7/qaq-p/13684323

ABAP 7.52:

[Thr 139675634906880] CCL[VERIFY]: Cli-00000011: Verification result of SSL server certificate (failed)
[Thr 139675634906880]  Verification result header:
[Thr 139675634906880]   Verification errors
[Thr 139675634906880]    The chain of certificates is incomplete or untrusted, missing certificate of
[Thr 139675634906880]     CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
[Thr 139675634906880]   Verified certificate:
[Thr 139675634906880]    Subject:                              CN=github.com, O="GitHub, Inc.", L=San Francisco, SP=California, C=US
[Thr 139675634906880]    Issuer:                               CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1, O=DigiCert Inc, C=US
[Thr 139675634906880]    Serial Number:                        0C:D0:A8:BE:C6:32:CF:E6:45:EC:A0:A9:B0:84:FB:1C
[Thr 139675634906880]    -----BEGIN CERTIFICATE-----
[Thr 139675634906880]    MIIFajCCBPGgAwIBAgIQDNCovsYyz+ZF7KCpsIT7HDAKBggqhkjOPQQDAzBWMQsw
...
[Thr 139675634906880]    3jSZCpwfqOHBdlxi9ASgKTU+wg0qw3FqtfQ31OwLYFdxh0MlNk/HwkjRSWgCMFbQ
[Thr 139675634906880]    vMkXEPvNvv4t30K6xtpG26qmZ+6OiISBIIXMljWnsiYR1gyZnTzIg3AQSw4Vmw==
[Thr 139675634906880]    -----END CERTIFICATE-----
[Thr 139675634906880]   Used signer certificate:
[Thr 139675634906880]    Subject:                              CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1, O=DigiCert Inc, C=US
[Thr 139675634906880]    Issuer:                               CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
[Thr 139675634906880]    Serial Number:                        07:F2:F3:5C:87:A8:77:AF:7A:EF:E9:47:99:35:25:BD
[Thr 139675634906880]    -----BEGIN CERTIFICATE-----
[Thr 139675634906880]    MIIEFzCCAv+gAwIBAgIQB/LzXIeod6967+lHmTUlvTANBgkqhkiG9w0BAQwFADBh
...
[Thr 139675634906880]    xRqhqjn1VtvChMQ1H3Dau0bwhr9kAMQ+959GG50jBbl9s08PqUU643QwmA==
[Thr 139675634906880]    -----END CERTIFICATE-----
[Thr 139675634906880]  Certificate verification result:
[Thr 139675634906880]   Certificate:
[Thr 139675634906880]    Subject:                              CN=github.com, O="GitHub, Inc.", L=San Francisco, SP=California, C=US
[Thr 139675634906880]   Verification result:
[Thr 139675634906880]    Status:                              Not successful
[Thr 139675634906880]    SignerStatus:                        Not successful

ABAP 7.58:

[Thr 139843524822784] CCL[VERIFY]: Certificate verification result (failed)
[Thr 139843524822784]    BEGIN VERIFICATION RESULT  
[Thr 139843524822784]  #     Messages   
[Thr 139843524822784]  INFO: Verification time - Tue Apr  2 12:53:02 2024
[Thr 139843524822784]  ERROR: The chain of certificates is incomplete or untrusted, missing certificate of [A6:CF:64:DB] CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=J
[Thr 139843524822784]  #     Summary    
[Thr 139843524822784]  #01 Certificate (End Entity): VALID
[Thr 139843524822784]   Subject:                      CN=github.com
[Thr 139843524822784]   Issuer:                       CN=Sectigo ECC Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, SP=Greater Manchester, C=GB
[Thr 139843524822784]   Fingerprint (SHA256):         FD:6E:9B:0E:F3:98:BC:D9:04:C3:B2:EC:16:7A:7B:0F:DA:72:01:C9:03:C5:3A:6A:6A:E5:D0:41:43:63:EF:65
[Thr 139843524822784]   Validity:                     Thu Mar  7 00:00:00 2024 / Fri Mar  7 23:59:59 2025
[Thr 139843524822784]   PKI validation:               FAILED: Validation of dependents - Issuer Certificate (Issuer - Only Invalid Certificates Found)
[Thr 139843524822784]  #02 Certificate (Issuer):     VALID
[Thr 139843524822784]   Subject:                      CN=Sectigo ECC Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, SP=Greater Manchester, C=GB
[Thr 139843524822784]   Issuer:                       CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, SP=New Jersey, C=US
[Thr 139843524822784]   Fingerprint (SHA256):         61:E9:73:75:E9:F6:DA:98:2F:F5:C1:9E:2F:94:E6:6C:4E:35:B6:83:7C:E3:B9:14:D2:24:5C:7F:5F:65:82:5F
[Thr 139843524822784]   Validity:                     Fri Nov  2 00:00:00 2018 / Tue Dec 31 23:59:59 2030
[Thr 139843524822784]   PKI validation:               FAILED: Validation of dependents - Issuer Certificate (Issuer - Only Invalid Certificates Found)
[Thr 139843524822784]  #03 Certificate (Issuer):     VALID
[Thr 139843524822784]   Subject:                      CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, SP=New Jersey, C=US
[Thr 139843524822784]   Issuer:                       CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, SP=Greater Manchester, C=GB
[Thr 139843524822784]   Fingerprint (SHA256):         A6:CF:64:DB:B4:C8:D5:FD:19:CE:48:89:60:68:DB:03:B5:33:A8:D1:33:6C:62:56:A8:7D:00:CB:B3:DE:F3:EA
[Thr 139843524822784]   Validity:                     Tue Mar 12 00:00:00 2019 / Sun Dec 31 23:59:59 2028
[Thr 139843524822784]   PKI validation:               FAILED: Validation of dependents - Issuer Certificate (ERROR: Issuer - No Certificates Found)
[Thr 139843524822784]  #     Results    
[Thr 139843524822784]  Certificate Result #01:       FAILED
[Thr 139843524822784]   Certificate (End Entity):     [FD:6E:9B:0E] CN=github.com
[Thr 139843524822784]   Trusted:                      -
[Thr 139843524822784]   Policy:                       -
[Thr 139843524822784]   Revocation:                   Untested
[Thr 139843524822784]   OCSP:                         Untested
[Thr 139843524822784]   Issuer:                       ERROR: Issuer - Only Invalid Certificates Found
[Thr 139843524822784]    Issuer Result:                FAILED
[Thr 139843524822784]     Signature:                    Succeeded
[Thr 139843524822784]     KeyUsage:                     Untested
[Thr 139843524822784]     BasicConstraints:             Untested
[Thr 139843524822784]     Validity:                     Untested
[Thr 139843524822784]     Certificate:                  ERROR: Issuer Certificate Failed
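
The ABAP 7.58 trace above no longer carries PEM blocks, but its Summary section still lists every chain entry with a SHA-256 fingerprint. The following Python parser for that layout is an added example, not part of zcerti or of the original post; the function names are hypothetical and the sample lines are abridged from the trace quoted above.

```python
import re

# Abridged from the ABAP 7.58 trace quoted above (entry #02 and most fields omitted).
TRACE = """\
[Thr 139843524822784]  #     Messages
[Thr 139843524822784]  ERROR: The chain of certificates is incomplete or untrusted, missing certificate of [A6:CF:64:DB] CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=J
[Thr 139843524822784]  #     Summary
[Thr 139843524822784]  #01 Certificate (End Entity): VALID
[Thr 139843524822784]   Subject:                      CN=github.com
[Thr 139843524822784]   Fingerprint (SHA256):         FD:6E:9B:0E:F3:98:BC:D9:04:C3:B2:EC:16:7A:7B:0F:DA:72:01:C9:03:C5:3A:6A:6A:E5:D0:41:43:63:EF:65
[Thr 139843524822784]  #03 Certificate (Issuer):     VALID
[Thr 139843524822784]   Subject:                      CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, SP=New Jersey, C=US
[Thr 139843524822784]   Fingerprint (SHA256):         A6:CF:64:DB:B4:C8:D5:FD:19:CE:48:89:60:68:DB:03:B5:33:A8:D1:33:6C:62:56:A8:7D:00:CB:B3:DE:F3:EA
[Thr 139843524822784]  #     Results
[Thr 139843524822784]   Issuer:                       ERROR: Issuer - Only Invalid Certificates Found
"""

PREFIX = re.compile(r"^\[Thr \d+\]\s*")
SECTION = re.compile(r"^#\s+(\w+)$")
ENTRY = re.compile(r"^#(\d+) Certificate \(([^)]+)\):\s*(\S+)$")
FIELD = re.compile(r"^(Subject|Issuer|Fingerprint \(SHA256\)):\s+(.+)$")
MISSING = re.compile(r"missing certificate of \[([0-9A-F:]+)\]")

def parse_trace(text):
    """Return (certs, missing_id) from a 7.58-style verification block (hypothetical helper)."""
    certs, missing_id, section = [], None, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := SECTION.match(line):
            section = m.group(1)          # Messages / Summary / Results
        elif m := MISSING.search(line):
            missing_id = m.group(1)       # short ID printed in brackets
        elif section == "Summary" and (m := ENTRY.match(line)):
            certs.append({"no": int(m.group(1)), "role": m.group(2), "status": m.group(3)})
        elif section == "Summary" and certs and (m := FIELD.match(line)):
            key = "sha256" if m.group(1).startswith("Fingerprint") else m.group(1).lower()
            certs[-1][key] = m.group(2)   # fields outside Summary are ignored
    return certs, missing_id

def cert_named_in_error(certs, missing_id):
    """Find the Summary entry whose fingerprint starts with the bracketed short ID."""
    return next((c for c in certs if c.get("sha256", "").startswith(missing_id or "?")), None)
```

In the quoted trace the bracketed ID `A6:CF:64:DB` is the first four bytes of entry #03's fingerprint, which is how the two parts of the output can be tied together.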

mbtools commented 5 months ago

Proof that SAP developers have way too much time "making traces of level 3 better for the customer". Why @SAP? 🤷

sandraros commented 1 month ago

A non-ABAP solution is to extract the certificates by running .\openssl.exe s_client -servername github.com -connect github.com:443 -showcerts > C:\temp\output_openssl_showcerts.txt via your laptop's Windows PowerShell console (NB: the OpenSSL Library can be installed on Windows by default via Git Bash https://git-scm.com/download/win, openssl.exe will be stored in the subfolder \usr\bin of your OpenSSL installation folder), or install OpenSSL on your SAP server, define the command via the transaction code sm69 and call it from your ABAP program (call to the function module SXPG_COMMAND_EXECUTE).

For information, output file of the command above: output_openssl_showcerts.txt
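
A laptop and the SAP server can be served different chains (for example behind a TLS-inspecting proxy), so it is worth comparing what OpenSSL returned with the fingerprints in the ICM trace before importing anything into STRUST. The following Python check is an added example, not part of zcerti or of the comment above; the function names are hypothetical and the sample input is constructed.

```python
import base64
import hashlib
import re

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def sha256_fingerprints(showcerts_text):
    """SHA-256 of each PEM block's DER bytes, formatted like the trace (AA:BB:...)."""
    result = []
    for body in PEM.findall(showcerts_text):
        der = base64.b64decode("".join(body.split()))
        digest = hashlib.sha256(der).hexdigest().upper()
        result.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return result

def not_in_trace(showcerts_text, trace_fingerprints):
    """Fingerprints OpenSSL returned that the server-side trace did not list."""
    wanted = {fp.strip().upper() for fp in trace_fingerprints}
    return [fp for fp in sha256_fingerprints(showcerts_text) if fp not in wanted]

def _pem(der):
    # Helper for the constructed sample only.
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample in the layout of `s_client -showcerts` output. The payloads
# are placeholder bytes, not real X.509 certificates; only the hashing is shown.
SAMPLE = ("Certificate chain\n 0 s:CN = example.invalid\n" + _pem(b"constructed-leaf")
          + " 1 s:CN = Constructed Intermediate\n" + _pem(b"constructed-intermediate"))
```

An empty result from `not_in_trace` means every certificate in the OpenSSL output has a fingerprint the server-side trace also reported.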

mbtools commented 1 month ago

That could work but sm69 is a big no-no for many.

I spent a little while and created a serverless function. You can get the certificates as JSON by calling https://tools.abappm.com/api/v1/certificates?domain=github.com 😄

Easy to test with https://tools.abappm.com

PS: Free until someone abuses it 🤷