SSL configuration and auth on Dual Stack version of PI 7.0

Former Member
0 Kudos

Dear ALL Experts:

I have a few queries, as below, on network and transport layer security on the PI 7.0 dual stack.

1> Do we need to configure SSL on both stacks?

2> For the SSL handshake, does the client require the server's trusted public CA certificate?

3> Will the security be in place if the Web service security component of the integration server is not green (while transporting the messages using the SOAP adapter)?

4> Is it mandatory to generate the server's key pair as below to use for SSL in the dual stack installation?

"In a dual-stack system both the ABAP server and the J2EE Engine reside on the same host and therefore use the same fully-qualified host name for access. In this case, create the key pair on the ABAP server, export it, and then upload it on the J2EE Engine."

What is the impact if we generate the server's private key using the Key Store view of Java in the dual stack installation?

As per observation in the current testing, the message is transported successfully on the HTTPS URL even when the server's certificates are removed from the Key Store.

Clarifications on the above listed points will help to close the same.

Thanks in advance for your guidance.

Regards

Machindra Patade

1 ACCEPTED SOLUTION

martin_voros
Active Contributor
0 Kudos

Hi,

1) It depends on what services you want to use. As far as I remember, the HTTP adapter is part of the ABAP stack (this is not true anymore for newer releases), hence HTTPS works without proper keys in the Key Store.

2) The client just needs to trust that certificate. It does not have to be a certificate from a public CA. How to establish that trust is a different thing.

3) I am not sure about the question.

4) That should be OK. It's just a certificate.

Cheers

8 REPLIES

0 Kudos

Dear Martin,

Thanks for your given info.

Not clear on one point.

1> If the server does not have a certificate installed on the J2EE stack and the client's HTTPS request is being sent to the J2EE port (50001) with the HTTPS URL, should that connection be established?

As per observation: 1> SSL configuration is performed on the J2EE stack of the server. 2> Certificates which are bound to the HTTPS port are removed from the "SSL Provider" (Dispatcher) of the server. 3> The HTTPS URL shared by the server is not working in the client's browser.

But once the client sends the request (data) to the server's HTTPS port 50001 (URL) using PI to PI, it is processed successfully. (We are using the user name and password to connect.)

In this scenario,

1> Is the SSL handshake working/performed on the transport level?

2> How is the client able to authenticate the server? (Only through user name and password?)

Are we missing any configuration steps on SSL? Where can we check the correct logs of the entire end-to-end request processing?

Thanks and regards

Machindra Patade

0 Kudos

Hi,

I am not sure if I understand your case. But you are right, port 50001 is for the Java stack. Have you tried to connect to that port using a browser to see what SSL certificate you use? Or using a tool such as Wireshark to see if the traffic is encrypted?

Authentication using certificates is a different thing.

Cheers

0 Kudos

Dear Martin,

Thanks for your response.

Yes, auth using certificates is a different thing, but please find the doubts below (I will try to explain).

1> As per my understanding, in the dual stack installation we need to have at least one stack active/configured for SSL to have HTTPS communication. (Please correct me if wrong.)

To explain in detail, please find the practical scenario below.

At Client end -

ID part. Receiver

1> Adapter Type - SOAP - Receiver

2> Transport Protocol - HTTP.

3> Message Protocol - SOAP 1.1

4> Adapter Eng. -- Integration Server.

5> Target URL -- HTTPs URL

6> Configure Use AUTH is on. ( Checked )

7> Select Security Profile ON ( Checked ) - Web Services Security.

in the J2ee Admin

Key Store

1) Trusted CA - Private Certificate and Public Certificate of its own.

2) Service_SSL - Private Certificate and Public Certificate of its own.

At Server end -

ID part.

1> Adapter Type - SOAP - Sender

2> Transport Protocol - HTTP.

3> Message Protocol - SOAP 1.1

4> Adapter Eng. -- Integration Server.

5> HTTP Security Level - HTTPs without Client Authentication

6> Select Security Profile ON ( Checked ) - Web Services Security.

in the J2ee Admin

Key Store

1) Trusted CA - Private Certificate and Public Certificate of its own.

2) Service_SSL - Private Certificate and Public Certificate of its own.

Now in the above scenario,

What I observed is that even if I remove the certificates from the server's key store, the request is processed successfully.

Request your views on the HTTPS communication using the SOAP adapter to achieve transport and message level security.

We need to follow the SAP standards on transport and message level security.

Thanks again for your given time.

Regards

Machindra Patade

0 Kudos

Dear Martin

Answer for your query "Have you tried to connect to that port using browser to see what SSL certificate do you use. "

When I removed the certificate from the server's "SSL Provider" (on port 50001, where the certificates are bound) and tested the server's URL in the client's browser, I got a "page cannot be displayed" error, whereas when I initiated the test message from the RWB it got processed to the server.

Don't know how it worked. Pls highlight on the same.

Thanks

Machindra Patade

0 Kudos

Hi,

I would try to listen on the network and see if the request from the client is encrypted after removing the keys from the key store. It's possible that you don't force SSL and then it falls back to plain HTTP. But that's just my guess.

Cheers
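
The check suggested above (listen on the network and see whether the client's request is encrypted) comes down to looking at the first client-to-server bytes of the TCP stream: a TLS record header versus a readable HTTP request line. The following is an added example, not part of the thread; the sample payloads, host name, path and credentials are constructed.

```python
import base64
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")

# Constructed sample payloads (not captured from a real system).
SAMPLE_TLS = bytes.fromhex("160301002f0100002b0303") + bytes(41)
SAMPLE_HTTP = (b"POST /example/path HTTP/1.1\r\nHost: server.example:50001\r\n"
               b"Authorization: Basic " + base64.b64encode(b"demo_user:demo_pass")
               + b"\r\n\r\n<soap/>")


def classify_first_bytes(payload: bytes) -> dict:
    """Classify the first client-to-server bytes of a TCP stream."""
    # TLS record header: content type (1 byte), version (2), length (2).
    # Content type 0x16 is "handshake"; handshake type 0x01 is ClientHello.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03:
        (record_len,) = struct.unpack("!H", payload[3:5])
        kind = "tls-client-hello" if payload[5] == 0x01 else "tls-handshake"
        return {"kind": kind, "tls": True,
                "record_version": f"3.{payload[2]}", "record_length": record_len}
    # A readable request line means the client fell back to plain HTTP.
    if payload.startswith(HTTP_METHODS):
        return {"kind": "cleartext-http", "tls": False,
                "basic_auth_user": _basic_auth_user(payload)}
    return {"kind": "unknown", "tls": False}


def _basic_auth_user(payload: bytes):
    """Return the user name from a cleartext Basic Authorization header, if any."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"authorization":
            scheme, _, token = value.strip().partition(b" ")
            if scheme.lower() == b"basic":
                try:
                    decoded = base64.b64decode(token.strip(), validate=True)
                except ValueError:  # malformed base64
                    return None
                return decoded.split(b":", 1)[0].decode("latin-1")
    return None
```

A `cleartext-http` result with a `basic_auth_user` value means the user name and password used for the PI-to-PI connection are readable on the wire; a `tls-client-hello` result only shows that the client attempted TLS, so the server's reply still has to be checked for the certificate it presents.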

0 Kudos

Dear Martin,

Thanks for your reply. Will take your advice to look at the network level and will update on the final outcome/observations on the subject issue.

Your views really helped us to debug the issues. Thanks again for your given time.

Regards

Machindra patade

0 Kudos

Hi,

I don't understand your problems.

A PI system is a mandatory dual stack system (ABAP and Java).

The HTTP server of the ABAP stack is the ICM.

The ICM is able to direct HTTP(S) requests to the disp+work processes for ABAP URLs and to the Java dispatcher for Java URLs.

The default rule is that all URLs beginning with /sap are for the ABAP stack and all others for the Java stack.

So the easiest way is to configure only HTTPS on the ABAP stack (signed certificate) and to send all requests (whether ABAP or Java) to the ICM port. It works perfectly.

On my production PI system, I have a SAP Web Dispatcher which ends the SSL connection (it has the signed certificate) and sends all requests with HTTP to the ICM, which sends the Java URLs to the Java stack.

Regards,

Olivier