
Axis SOAP Adapter + Certificate

Former Member

Hi,

We developed an interface where the receiver adapter accesses a web service (https), which uses user and certificate authentication.

Firstly we configured the "Transport Protocol" as "HTTP", but we got the error "Peer certificate rejected by ChainVerifier". We know that this error means that this certificate is missing on the server.

However, if we test the same web service in SoapUI, we need just to configure the username and password and the request works fine.

As the Axis Adapter uses the same libraries as SoapUI, we configured and deployed the aii_af_axisprovider.sda with all jars required. If we access http://server:port/XIAxisAdapter/MessageServlet, we can see that the required components are deployed and just the optional components Apache Addressing and Apache Sandesha are missing.

We have followed the "SAP Note 1039369 FAQ XI Axis", but we haven't succeeded in finding a way to solve our issue.

Our question is: Can PI with HTTP (AXIS) work like SoapUI? We think that if SoapUI can request the web service successfully without the certificate, PI should have the same success. Is it possible?

Thanks in advance.

Regards,

Bruno

Accepted Solutions (1)

ravi_raman2
Active Contributor

Bruno,

Couple of steps to try with Axis adapter.

1) Create a separate Java key Store in XI.

2) Store Certificate chain in there.

3) Channel to use HTTPs.

Your SoapUI works because userid/password is ONLY Basic Authentication.

In order to do Basic auth with the Axis WebService you need to write a custom handler that does that.

Regards

Ravi Raman

Former Member

Hi Ravi,

Thanks for your prompt reply.

I've done it, but it doesn't appear in the Keystore Entry list. Do you know the reason?

Do you have some example to develop a custom handler?

Thanks.

Bruno

Former Member

Hi Bruno,

It is not clear to me what you want to do. If you are using the axis adapter, you don't need any custom handler to do a variety of authentication methods.

- http or https with basic authentication

- https with client certificate authentication

- http or https with ntlm authentication

- http or https with ws-security username token authentication

- ...

If you can call your web service using SoapUI with basic authentication, you can also call it over the Axis receiver channel using basic authentication. In this case, you simply need to set the user/password fields at the channel configuration.

If you want to call your web service with a client certificate, you need to load it into one of the keystore views. Once your certificate is stored, you can use it (i.e., set the view/alias fields) at the channel configuration.

Regards, Yza

Former Member

Hi yzanagi,

I imported the certificate as a trusted certificate on my server using the java class "InstallCert.java". Now, if I execute the WS from a Java class, using HTTPConnection and setting the authentication as Basic (username:password) it works fine.

So, I tried to call the web service via the SOAP Adapter with Transport Protocol "HTTP", passing the username and password. When I executed the interface, this error came up:

Message processing failed. Cause: com.sap.aii.af.ra.ms.api.RecoverableException: SOAP: response message contains an error XIAdapter/HTTP/ADAPTER.HTTP_EXCEPTION - HTTP 401 Obligatory proper basic authentication headers to access this resource!

I also configured the Transport Protocol as "HTTP (Axis)", but it can't find the certificate in my keystore and I get this error after executing the interface:

Message processing failed. Cause: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Do you have some idea what is missing here?

Thanks.

Bruno


Hi Bruno!

Basically, the main reasons why the error mentioned here occurs are the following:

1. The correct server certificate is not present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in these two urls:

Security Configuration at Message Level

http://help.sap.com/saphelp_nwpi711/helpdata/en/48/d1c7e690d75430e10000000a42189b/frameset.htm

2. The server certificate chain contains an expired certificate. Check for it (that was the cause for other customers as well) and, if it's the case, renew it or extend the validity.

3. Some other customers have reported a similar problem and mainly the problem was that the certificate chain was not in the correct order. Basically the server certificate chain should be in the order Own->Intermediate->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B, and then B's certificate is issued by C which is the root CA (having a self-signed certificate), then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again.

4. If the end point of the SOAP call (Server) is configured to accept a client certificate (mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within its validity period. (This certificate is the one which is sent to the Server for Client authentication.)

With regards,

Caio Cagnani
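Reasons 2 and 3 above (expired entry, chain not in Own->Intermediate->Root order) can be checked before importing anything into the TrustedCA view. The following is an added example, not code from the thread: it reads the server's chain from a PEM file (the file name server-chain.pem is an assumption) and reports every entry that is out of its validity period or not signed by the entry that follows it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class ChainCheck {

    // Returns one finding per problem; an empty list means the chain is ordered and valid.
    public static List<String> check(InputStream pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        for (Certificate c : cf.generateCertificates(pem)) {
            chain.add((X509Certificate) c);
        }
        List<String> findings = new ArrayList<String>();
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            String who = "entry " + i + " (" + cert.getSubjectX500Principal() + ")";
            try {
                cert.checkValidity(); // reason 2: expired or not yet valid
            } catch (Exception e) {
                findings.add(who + " is outside its validity period: " + e.getMessage());
            }
            if (i + 1 < chain.size()) {
                // reason 3: Own->Intermediate->Root means entry i must be signed by entry i+1
                X509Certificate issuer = chain.get(i + 1);
                try {
                    cert.verify(issuer.getPublicKey());
                } catch (Exception e) {
                    findings.add(who + " is not signed by entry " + (i + 1) + "; chain order is wrong");
                }
            } else if (!cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal())) {
                findings.add("last entry is not self-signed; the root CA is missing from the chain");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Assumed input: the PEM chain exported from the target service (file name is a placeholder)
        InputStream in = new FileInputStream(args.length > 0 ? args[0] : "server-chain.pem");
        List<String> findings = check(in);
        in.close();
        System.out.println(findings.isEmpty() ? "chain OK" : findings.toString());
    }
}
```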

Former Member

Hi Caio,

Thanks for your prompt reply.

I agree with you about importing the certificate, but I think it isn't the problem related to the message:

Message processing failed. Cause: com.sap.aii.af.ra.ms.api.RecoverableException: SOAP: response message contains an error XIAdapter/HTTP/ADAPTER.HTTP_EXCEPTION - HTTP 401 Obligatory proper basic authentication headers to access this resource!

I think some configuration is missing on the adapter. Before I trusted the certificate using the java class "InstallCert", when executing the CC I got the error related to the certificate ("Peer certificate rejected by ChainVerifier"). But now I'm getting the error 401, even passing the right user and password.

I have checked and I saw you are Brazilian. I'm trying to configure a call to the SPC WebService. Have you got it?

Thanks again.

Bruno


Oi Bruno!

That's ok. Since you have the certificates properly configured and there's this issue regarding HTTP 401, please kindly apply one of the following notes based on the version of your XI/PI system:

#999962 - PI 7.10: Change passwords of PI service users

#936093 - XI 7.0: Changing the passwords of XI service users

#721548 - XI 3.0: Changing the passwords of the XI service users

Also, to access the WebService application, you need to have the proper roles assigned. Try working with the Administrator role or the UME WSNavigator role.

With regards,

Caio Cagnani

Former Member

Hi Caio,

I will have a look at these SAP Notes and I will let you know about that.

Thanks.

Bruno

Former Member

Hi yzanagi and Caio,

I have a doubt. Is there a way to access a web service that requires a certificate without this certificate?

We have one web service which our customer had to buy his certificate on a CA. We configured this certificate on KeyStorage in Visual Administrator and the CC is working fine.

However, for this other certificate that I'm trying to access, our customer contracted the service and just a user and password were passed to them, as well as the endpoint to access it. As I said before, this WS uses SSL with client authentication and requires a certificate, but if I access the endpoint in Internet Explorer, the certificate appears and I can trust it.

The question is: Do we need to receive a certificate from the company's web service? If not, what do I have to do to make this scenario work?

Thanks.

Bruno

Former Member

Hi Bruno,

I am not sure if I understood your problem. So let me try to rephrase it differently.

You want to call some external web service that requires a client certificate based user authentication.

I suppose this service provides only an https based URL https://host:port/path, if this is the case.

In this case, it is strange that you can call this https URL without your client certificate, but simply using the basic authentication scheme (user/password).

If this is indeed the case, it means that the target web service can accept the basic authentication and you can definitely call this web service using the normal SOAP adapter or the Axis adapter. Simply configure the target https URL and use the basic authentication.

If I misinterpret your description and the target service only accepts the certificate based authentication, either you need to give your public certificate to the service provider or they give you a certificate pair or its private part. In either case, you need to ask the provider exactly how you can authenticate your call. Once you have the private certificate, you can use either a SOAP or Axis receiver channel and use the certificate based authentication and select this certificate for authentication.

You said that you could call the service URL using your browser by choosing one of your stored certificates, I don't know if you were talking about "accepting the server's certificate" or "choosing your client certificate for authentication". For the latter case, you can export this certificate to the pkcs format and import it into the engine's keystore so that you can use it at your channel.

In any case, I suggest you go through each step at a time. First, determine which authentication is required and which certificate you can use. If a client certificate is required, you can verify the certificate by importing it into your internet browser and opening the service provider URL. Once it works, you can configure a receiver channel using this certificate.

If you get some error, set the relevant components (refer to the FAQ notes of the adapter you are using) on DEBUG to find out which part of the processing is throwing the error. Instead of blindly guessing the problem like you do now, you have to determine which part of the processing is failing. The debug trace typically tells you enough information to determine the problem. Once the problem is determined, it should be easy to fix the configuration.

Regards, Yza

Former Member

Hi yzanagi,

That's really my problem. Thanks for your attention, I will activate the DEBUG mode.

I have accessed this WS from a Java code and it works fine. As I said, I imported the certificate into my truststore and from a Java code and Soapui it works.

But there is one thing that I haven't mentioned, which is that the certificate is expired. As it worked from Java code and SoapUI and I could import it into WebAS from Visual Admin, I thought that it should work in WebAS. This certificate is to be used with a non-productive environment.

Does SAP WebAS require a valid certificate in anyway?

Regards,

Bruno

Former Member

Hi Bruno,

I hope you take my advice seriously and take each step precisely. And if you ask questions, I ask you to describe them precisely. I still don't know what authentication the server requires and which certificate you are talking about.

In your original post, you mentioned that your server requires a client certificate.

We developed an interface where the receiver adapter access a web service (https), which uses user and certificate authentication.

This statement contradicts with another statement of yours saying this service can be called with a user/password credential.

if we test the same webservice on soapui, we need just to configure the username and password and the request works fine.

Now you are also saying that you stored this certificate in your truststore and your java program can call this service.

I have accessed this WS from a Java code and it works fine. As I said, I imported the certificate into my truststore and from a Java code and Soapui it works.

You don't put your client certificate in your truststore. Your client certificate must go into your keystore.

So I speculate either:

- you mistakenly put your client certificate in your truststore, or

- you are talking about the server certificate

In the former case, I suppose you provided a user/password credential to your java code. This will imply that the server is not requiring a client certificate (because it was not used, but it worked). It should even work if you remove your certificate from your truststore.

In the latter case, the server is also not requiring a client certificate. In this case, if your client did not complain about the expired entry, I suppose you are using a client socket factory that does not verify the server certificate. In this case, I suppose you could also remove your certificate, as it is probably not used.

If you want to use a certificate for some purpose (validating the server or authenticating yourself), it needs to be valid.

I hope you can resolve your issue by following each process step at a time.

Regards, Yza
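The truststore/keystore split described above, as an added example that is not Yza's or Bruno's code: the server's CA chain goes into a truststore that feeds the TrustManager (which rejects an expired chain, unlike a socket factory that skips verification), while the client's own certificate and private key go into a separate keystore that feeds the KeyManager. File names, passwords and the URL https://service.example/path are placeholders.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TwoStoreClient {

    // trustStorePath: JKS holding the server's CA chain (what goes into TrustedCAs).
    // keyStorePath: PKCS12 holding the client certificate and its private key.
    public static SSLContext buildContext(String trustStorePath, char[] trustPass,
                                          String keyStorePath, char[] keyPass) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        FileInputStream tin = new FileInputStream(trustStorePath);
        try { trust.load(tin, trustPass); } finally { tin.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust); // default validation: chain must link to a trusted CA and be within validity

        KeyStore identity = KeyStore.getInstance("PKCS12");
        FileInputStream kin = new FileInputStream(keyStorePath);
        try { identity.load(kin, keyPass); } finally { kin.close(); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass); // presents the client certificate only if the server asks for it

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names and passwords for this example
        SSLContext ctx = buildContext("server-trust.jks", "changeit".toCharArray(),
                                      "client-identity.p12", "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://service.example/path").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

If the server does not request a client certificate, the keystore half is simply never used, which is the test Yza proposes for finding out which authentication the service actually requires.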

Former Member

Hi Yza,

Your tips were really helpful. We made contact with the company responsible for the WS and they sent us a valid certificate signed by a CA.

We configured it in the WebAS KeyStorage (TrustCAs) and the interface worked perfectly.

In summary, we invoked the WS on 3 ways:

1 - SoapUI - it wasn't necessary to import the certificate. Probably at runtime it puts the certificate into its own truststore. After executing the WS we could see the certificate by accessing the option "SSL Info".

2 - Java Code - it worked only after I imported the certificate, even though it was an expired certificate. I imported it running:

keytool -import -v -trustcacerts -alias xxxx_alias -keystore D:\j2sdk1.4.2_11\jre\lib\security\cacerts.jks -storepass changeit -file xxxx.cer

And I coded this:


import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.Security;
import java.util.Properties;

public class SoapCaller {

	// "properties" holds the key "endpoint" (the WS URL);
	// "credential" is the Base64 encoding of "username:password"
	public static String call(Properties properties, String credential) {
		// Truststore into which the server certificate was imported with keytool
		System.setProperty("javax.net.ssl.trustStore", "D:\\j2sdk1.4.2_11\\jre\\lib\\security\\cacerts.jks");
		System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
		// JSSE provider shipped with JDK 1.4.2
		Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

		URL url = null;
		HttpURLConnection connection = null;
		StringBuffer response = new StringBuffer();

		try {
			//Create connection
			url = new URL(properties.getProperty("endpoint"));
			connection = (HttpURLConnection) url.openConnection();
			connection.setRequestMethod("POST");
			connection.setRequestProperty("Content-Type", "text/xml;charset=UTF-8");
			connection.setRequestProperty("Authorization", "Basic " + credential);
			connection.setUseCaches(false);
			connection.setDoInput(true);
			connection.setDoOutput(true);

			// SOAP envelope (abbreviated in the post)
			String urlParameters = "<soapenv:Envelope xmlns:soapenv=...";

			//Send request
			OutputStream wr = connection.getOutputStream();
			wr.write(urlParameters.getBytes("UTF-8"));
			wr.flush();
			wr.close();

			//Get Response (the error stream carries the body of an HTTP 4xx/5xx answer)
			InputStream is = null;
			try {
				is = connection.getInputStream();
			} catch (Exception e) {
				is = connection.getErrorStream();
			}

			BufferedReader rd = new BufferedReader(new InputStreamReader(is, "UTF-8"));
			String line;
			while ((line = rd.readLine()) != null) {
				response.append(line);
				response.append('\n');
			}
			rd.close();

		} catch (Exception e) {
			e.printStackTrace();
		} finally {
			if (connection != null) {
				connection.disconnect();
			}
		}
		return response.toString();
	}
}

3 - PI - it worked only after I imported a valid certificate.

Until we got the valid certificate, I installed an Apache Tomcat and the AXIS framework and published the above Java class on it, creating a WS. So we were invoking the target WS by calling this WS on Apache Tomcat to work around our issue until we had a valid certificate. So our interface was working like this:

ABAP Proxy -> WS on Apache Tomcat -> WS Target

Maybe I got lost in some words during the explanations. I hope now it is clearer for you.

Thank you very much for your attention.

Regards,

Bruno

Former Member

Hi Bruno,

good to hear that you solved the problem.

And it is also nice of you to give the details in your reply so that other people can benefit from your experience.

Regards, Yza.
