
NFE setup with PI 70 HTTPS configuration and SOAP adapter

Former Member
0 Kudos

Hi every one,

I am trying to configure the PI 7.0 with the HTTPS configuration. I went over the steps which are explained on help.sap.com regarding SSL, but I still have some confusion and need some clarification.

I am trying to configure a SOAP adapter with HTTPS in PI 7.0. This is what I have followed.

1. I tried installing the SAP JAVA cryptographic toolkit through SDM but I am getting the warning that I already have the newer version of that. I was able to check that from Visual Admin =>Dispatcher=> Libraries => Core_lib and looking under the window JARs Contained, I can see iaik_jce.jar is present.

Q. Do I still need to install SAP java cryptographic?

2. I have the .pfx certificate that I have uploaded in the Visual Admin key storage by creating a new view with the name NFE under VIEWS.

Q. Is it necessary to upload certificate under TrustedCAs or under new view NFE is ok?

3. As explained in the HTTP and SSL section of the SAP help library, I have defined the below parameter in the exchange profile

com.sap.aii.connect.secure_connections = messaging

Q. Are there any more parameters that need to be defined in any other places?

4. Does HTTPS have to be defined in any other place, like in RFC (between ERP and PI) or any of the scenarios in PI?

5. How can I get the .cer files of the certificate chain of the SEFAZ webserver so I can load them in the TrustedCAs view?

Any help will be appreciated

Thanks and regards

Basit Shaikh

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Thanks Henrique,

It may sound dumb but I am just stuck here. I really need some help.

You mentioned that I need to install the client certificate ( .pfx) that I got from Government in the NFE view. I already did that. Thanks

You also mentioned about the server (SEFAZ) root certificate (.cer) in the TrustedCAs view. Can you please kindly tell me with little procedure how can I get the server (SEFAZ) root certificate. I am just stuck here.

Thanks and regards

Basit Shaikh

Edited by: Shaikh Basit on Nov 28, 2009 1:25 AM

henrique_pinto
Active Contributor
0 Kudos

Notice this step may be unnecessary, depending on whether SEFAZ uses an actual valid certificate or not.

Anyway, in order to download the SEFAZ certs, you need to open the SEFAZ URL in your local browser.

Then, in the status bar of the browser, you'll see a little lock icon.

Double click the lock and you'll be able to see the server certificate and even save it locally (save as .cer).

Best,

Henrique.

henrique_pinto
Active Contributor
0 Kudos

Shaikh,

1. no, only for SAP XI 3.0 that it is just necessary to install SAP Java Cryptographic Toolkit separately.

SAP PI 7.0 already includes it.

2. you need to install your client certificate (.pfx) in the NFE view, and the server (SEFAZ) root certificate (.cer) in the TrustedCAs view. In the communication channel, you refer to your .pfx certificate in the NFE view;

3. these parameters are for XI working as server. For XI as a client (which is the case for NFExSEFAZ communications), it is not necessary.

4. It is just mandatory on the NFE x SEFAZ communication. All other communications are internal and should follow your company's policy.

5. You'll need to install the .pfx certificate locally on your machine for this.

Open the web service URL in your browser (e.g. Internet Explorer).

Click 2x on the little lock icon in the status bar, it will open the server certificate information.

If you click on View Certificate, it will show the certificate details. You can go to the mid tab and click on the "Export to File" or "Save to file" button (something like that).

Best,

Henrique.
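An added example, not part of the thread or written by either poster: a command-line alternative to the browser export described above. It assumes the output of `openssl s_client -showcerts` against the SEFAZ endpoint has been saved as text, splits that output into one DER-encoded .cer file per chain entry, and prints SHA-256 fingerprints to compare before anything is imported into TrustedCAs. The host name, subjects and certificate bytes below are constructed placeholders, and the function names are hypothetical.

```python
import base64, hashlib, os, re

# Constructed placeholder bytes standing in for DER certificates (not real certs).
FAKE_LEAF = b"constructed leaf certificate bytes (placeholder)"
FAKE_ROOT = b"constructed root CA certificate bytes (placeholder)"

def to_pem(der):
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample shaped like `openssl s_client -showcerts` output.
SAMPLE = ("CONNECTED(00000003)\n---\nCertificate chain\n"
          " 0 s:CN = sefaz.example.invalid\n   i:CN = Example Root CA\n" + to_pem(FAKE_LEAF) +
          " 1 s:CN = Example Root CA\n   i:CN = Example Root CA\n" + to_pem(FAKE_ROOT) +
          "---\nServer certificate\nsubject=CN = sefaz.example.invalid\n")

# One chain entry: "N s:<subject>", "i:<issuer>", optional a:/v: lines, then the PEM block.
ENTRY = re.compile(
    r"^[ \t]*(\d+) s:(?P<subject>[^\n]*)\n[ \t]*i:(?P<issuer>[^\n]*)\n"
    r"(?:[ \t]+[av]:[^\n]*\n)*"
    r"-----BEGIN CERTIFICATE-----\n(?P<b64>.*?)-----END CERTIFICATE-----",
    re.MULTILINE | re.DOTALL)

def split_chain(s_client_output):
    """Return one dict per certificate the server presented, in chain order."""
    chain = []
    for m in ENTRY.finditer(s_client_output):
        der = base64.b64decode("".join(m["b64"].split()), validate=True)
        chain.append({"index": int(m[1]), "subject": m["subject"].strip(),
                      "issuer": m["issuer"].strip(), "der": der})
    return chain

def fingerprint(der):
    """Colon-separated SHA-256 fingerprint, the form certificate viewers display."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def trust_anchor_candidates(chain):
    """Self-signed entries (subject == issuer): the root a trust store would hold."""
    return [c for c in chain if c["subject"] == c["issuer"]]

def write_cer_files(chain, directory):
    """Write each entry as DER-encoded chain_<index>.cer and return the paths."""
    paths = []
    for c in chain:
        path = os.path.join(directory, "chain_%d.cer" % c["index"])
        with open(path, "wb") as fh:
            fh.write(c["der"])
        paths.append(path)
    return paths

if __name__ == "__main__":
    for c in split_chain(SAMPLE):
        print(c["index"], c["subject"], fingerprint(c["der"]))
```

Servers often omit the root from the chain they send; when `trust_anchor_candidates` returns nothing, the root has to be obtained from the issuing CA itself.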

Former Member
0 Kudos

Hello Henrique,

Thanks for your reply.

This is what I have updated so far and I think I have progressed a little bit. But I am still getting some errors.

1. The certificate xyz.pfx that I received from Brazilian authority. I have uploaded that into Vis.Admi-> keystorage ->TrustedCAs.

I have also defined the key storage view TrustedCAs and keystorage element "xyz" into "NF-e CNPJ Settings" & as well as under Int. Dir -> comm.channel -> SRVSC_SOAP_RCV =>in Connection Parameters (keystore Entry and Keystore View)

2. Under Vis.Adm Keystorage view -> service_ssl : I have created a new entry abc.cert by creating with RSA algorithm......Then I generated the CSR request, which exported the file.csr. I copied the content of that file and pasted it into "http://service.sap.com/tcs" to get the test.crt, which I imported back into key storage view -> service_ssl.

When I try to manually put the URL into IE it works fine https://homologacao.............gov.br//nfestatusservico.asmx

The error I am getting is as follows with the log

2009-11-24 15:54:48 Success SOAP: Web Services Security applied.

2009-11-24 15:54:50 Error SOAP: call failed: java.io.IOException: invalid content type for SOAP: TEXT/HTML; HTTP 403 Forbidden

2009-11-24 15:54:50 Error SOAP: error occured: com.sap.aii.af.ra.ms.api.RecoverableException: invalid content type for SOAP: TEXT/HTML; HTTP 403 Forbidden: java.io.IOException: invalid content type for SOAP: TEXT/HTML; HTTP 403 Forbidden

Edited by: Shaikh Basit on Nov 24, 2009 4:17 PM

henrique_pinto
Active Contributor
0 Kudos

Step 2 is totally unnecessary.

Also, you should get the .cer from SEFAZ into TrustedCAs and the .pfx into your custom view (e.g. NFE).

Not that it won't work otherwise, but it would be more organized.

Regarding your error, it means the server is not accepting your certificate (which you don't get from the government, but from the CA). Try to import this certificate locally in your windows system and export it again, with the following options: export complete certificate chain, export the private key, do not use strong encryption.

Best,

Henrique.