Configuring PI SSL for communicating with third-party web services

Former Member
0 Kudos

Hi,

I'm trying to load a COMODO certificate into a J2EE environment running in NetWeaver 7 (no enhancement packs), in order to connect to an external web service using SSL.

I have been looking at this reference:

http://help.sap.com/saphelp_nw70/helpdata/en/a0/a5d13f83a14d21e10000000a1550b0/frameset.htm

and in this document (and many others I've read) it talks about requiring a server key pair to support SSL.

http://help.sap.com/saphelp_nw70/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm

My question is - is there a way to use the self-signed root CA certificates instead of having to generate CSRs and sign certs? I ask this because it seems completely impractical to have to generate key pairs for each SAP installation that is required to access a third-party web service.

Furthermore, the SSL connection may only be for the web service and I'd rather not have to ask that the entire J2EE server is switched to SSL in order to make this secure connection. I've recently discovered the AXIS framework for the SOAP adaptor; however, I'm not familiar with it and can't identify whether you could use this for the SSL handshake and avoid having to a) generate certificate key pairs and b) switch your J2EE server to SSL.

Does anyone have experience connecting to a third-party service using VeriSign, COMODO or Thawte certificates and can clear this up for me?

Regards,

John

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Did you resolve your issue?

I'm posting some comments that may help newer administrators facing similar doubts.

I'm using NW PI 7.1 EHP1 also, and some interfaces were developed to use an external site providing web services through an SSL (HTTPS) connection.

As in browser navigation, secure sites protected with SSL have a certificate issued by an international CA. We don't perceive the "handshake" in most cases because normally the web browser has a group of trusted CAs loaded in its certificate store.

With SAP PI and its WAS Java a similar procedure occurs, with a small difference. The WAS Java didn't have the trusted CAs loaded in the Key Storage. So, when the adapter tries to establish a connection with an HTTPS site (it is a background process), a "handshake" is required to accept the certificate, and it produces an error.

We complete the handshake by importing the entire certificate chain (you can upload the site's certificate to your browser and export it as a file) into the Keystore under the Trusted CAs view.

Hope this can help someone. It's an "easy" part of SSL communication.

Now I'm trying to configure the inverse: some third party consuming the PI web services using SSL. I have an additional component on inbound/incoming connections, which is the SAP Web Dispatcher.

Help.sap.com is the reference, but as always it's a little difficult to find the (sequential) path following the links (go ahead, go ahead, go ahead, go back, go back, go ahead)...

Regards,

Rodrigo Aoki
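
A standalone pre-check for the approach described in the answer above, added here as an example and not part of any post or of SAP's tooling: it builds a trust store from an exported chain file alone, with no key pair or CSR, and attempts the handshake against the endpoint. The class name and the two arguments (chain file, HTTPS URL) are assumptions; it runs on a workstation JVM (Java 7 or later) and does not touch the PI key storage.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

public class TrustChainCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: TrustChainCheck <chain.pem> <https-url>");
            System.exit(2);
        }
        // Trust store holding ONLY the exported CA certificates: no private key, no CSR.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                trust.setCertificateEntry("ca-" + i++, x);
                System.out.println("trusting: " + x.getSubjectX500Principal().getName()
                        + " (expires " + x.getNotAfter() + ")");
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        // First argument null = no KeyManager: the client presents no certificate of its own.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(10000);
        try {
            conn.connect();
            System.out.println("handshake OK, cipher suite: " + conn.getCipherSuite());
        } catch (SSLException e) {
            // Typical cause: a root or intermediate CA is missing from the chain file.
            System.out.println("handshake FAILED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

If the handshake fails with only part of the chain in the file and succeeds once the missing CA certificate is added, the same set of certificates is what belongs in the Trusted CAs view.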

0 Kudos

Hello!

Have you checked the XI Security Guide already? Go to: http://service.sap.com/securityguide

Also there's the parameter "com.sap.aii.connect.secure_connections" that you could check in order to grant access through secure connections.

Hope it helps!

Regards,

Caio Cagnani