HTTPS certificate errors

If the following errors occur it is in most cases because the certificates of the to-be-scanned satellite system are not trusted (not imported in transaction STRUST) in the system running Protect4S VM.



  • "ICF Error when creating object - Argument not found"

  • or other certificate related errors

To solve this please follow the below steps.

Get the certificate(s) from the Satellite system by downloading them for example from the browser

  1. Use your Internet browser to connect to the required satellite destination address 'https://...'

  2. As soon as the connection has been established, display the security details (usually, by double clicking the lock symbol)

  3. Display the certificate of the server

  4. Export the server certificate into a file (for example, in the format 'Base64')

  5. If necessary, open the certificate or the certificates of the certificate chain from the certificate hierarchy, and also export this certificate or these certificates

Import the certificates in STRUST

  1. In the Protect4S central system call transaction STRUST and double-click on SSL client (Standard) in the left tree view of PSEs (also called "SAPSSLC.pse")

  2. From Menu, choose Certificate->Import. In the File tab enter the filename of the downloaded cert into the field File path, or use the selection help at the end of that field for an Open File popup window of the OS

  3. When the proper certificate appears in the certificate details view in the lower right area of transaction STRUST, press the Add to Certificate List button on the bottom.

  4. Save the changes to the PSE with Save button

  5. Redo steps 1-4 for SSL client (Anonymous) PSE (also called "SAPSSLA.pse")

Newer Releases of SAP Netweaver (702 and 710+) will automatically reload the SSL PSE after saving the change. If the error PEER_CERT_UNTRUSTED persists, please try manually restarting the icman process. For old Netweaver Releases (6xx, 700 and 701) you will always have to manually restart the icman process for the PSE change to take effect. Use transaction SMICM and from Menu "Administration"->"ICM"->"Exit Soft"->"Global" to manually restart the icman process.

For specific "ICF Error when creating object - Argument not found":

Make sure the HTTPS service on the VM system is active in SMICM and that PSE keystore "SSL client SSL Client (Anonymous)" is activated in STRUST.

References with more information:

SAP Wiki: How to troubleshoot SSSLERR_PEER_CERT_UNTRUSTED SAP Note: 2461900 - SSSLERR_PEER_CERT_UNTRUSTED error in dev_icm trace SAP Note: 1094342 - ICM trace contains verification of the server's certificate SAP Note: 510007 - Setting up SSL on Web Application Server ABAP SAP Note: 2469949 - ICF Error when creating HTTP client object by Config for URL

Last updated