NW7.11 dual-stack PI system and SSL-HTTPs Java Stack

Former Member
0 Kudos

Experts,

I have a NW PI 7.11 sp6 system with kernel 118 on AIX6.1 64-bit Unicode system. I want to enable HTTPs/SSL in the JAVA stack and then use the WSnavigator to connect to a webservice listening on the HTTPs port 443. I have done the following:

Installed SAPCRYPTOlib for my OS version, placing the ticket, sapgenpse, and libsapcrypto.o in the correct locations.

Setup profile params in the instance profile:

ssl/pse_provider = JAVA

ssf/name = SAPSECULIB

icm/HTTPS/verify_client = 0

login/create_sso2_ticket = 2

login/accept_sso2_ticket = 1

ssl/ssl_lib = /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o

sec/libsapsecu = /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o

ssf/ssfapi_lib = /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o

icm/server_port_5 = PROT=HTTPS,PORT=50001,TIMEOUT=-1,PROCTIMEOUT=-1,VCLIENT=0

icm/host_name_full = <hostname>.<mycompany>.com

icm/keep_alive_timeout = 90

Setup the env variable for <sid>adm to set the SECUDIR:

SECUDIR=/usr/sap/<SID>/DVEBMGS00/sec

Setup keystore views, I created new keys, signed keys with our CA and included the cert(s) of the box where the webservice resides:

ICM_SSL_<j2eeinstanceID>

CLIENT_ICM_SSL_<j2eeinstanceID>

I also made sure to "export view to PSE" on any changes I made. I did check and it does update correctly the ./../../../sec/SAPSSLS.pse and ./../../../sec/SAPSSLC.pse

I have restarted the instance, also the ssl_provider service, and restarted ICM from the ABAP stack.

Now I am listening on port 50001 with a signed cert. Good so far, right?

Now, I go to https://<hostname>.<mycompany>.com:50001/wsnavigator

I plug in the WSDL of the service I want to connect to:

https://<hostname>.<company>.com/CgiSspWebSite/InboundJobService.asmx?WSDL

I get error "Connection Error". If I look in the log viewer I see these errors:

1.

An error occurred while loading WSDL: https://<hostname>.<company>.com/CgiSspWebSite/InboundJobService.asmx?WSDL

[EXCEPTION]

com.sap.engine.services.webservices.jaxrpc.exceptions.WebserviceClientException: GenericServiceFactory initialization problem. [Proxy Generator Error. Problem with WSDL file parsing. See nested message.]

[see details]

<plenty of stuff in between, but this is the top/bottom>

Caused by: java.net.SocketException: Connection reset

at java.net.SocketInputStream.read(SocketInputStream.java:168)

at iaik.security.ssl.Utils.a(Unknown Source)

at iaik.security.ssl.o.b(Unknown Source)

at iaik.security.ssl.o.c(Unknown Source)

at iaik.security.ssl.r.f(Unknown Source)

at iaik.security.ssl.x.b(Unknown Source)

at iaik.security.ssl.x.a(Unknown Source)

at iaik.security.ssl.r.d(Unknown Source)

at iaik.security.ssl.x.a(Unknown Source)

at iaik.security.ssl.r.b(Unknown Source)

at iaik.security.ssl.SSLTransport.a(Unknown Source)

at iaik.security.ssl.k.b(Unknown Source)

at iaik.security.ssl.k.a(Unknown Source)

at iaik.security.ssl.k.read(Unknown Source)

at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)

at java.io.BufferedInputStream.read(BufferedInputStream.java:235)

at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.readLine(HTTPSocket.java:945)

at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.getInputStream(HTTPSocket.java:413)

at com.sap.engine.services.webservices.tools.WSDLDownloadResolver.resolveEntity(WSDLDownloadResolver.java:219)

at com.sap.engine.services.webservices.tools.WSDLDownloadResolver.resolveEntity(WSDLDownloadResolver.java:152)

at com.sap.engine.services.webservices.espbase.wsdl.WSDLLoader.loadDOMDocument(WSDLLoader.java:136)

2.

Attempting to create outgoing ssl connection without trusted certificates

<just a "warning", not much else in the log>

3.

Client certificate error.IP address

<just a "warning", not much else in the log>

If I switch to the "http" URL for the webservice I want to hit, it works every time:

http://<hostname>.<company>.com/CgiSspWebSite/InboundJobService.asmx?WSDL

I have a feeling something is wrong with the client PSE, but I'm not sure what my next step ought to be.

I went to a DIFFERENT PI system I just built (same versions of NW/OS, etc), and instead of JAVA, I did everything using STRUSTSSO2. I then created an HTTP RFC in SM59. I connected to the 443 port of the WSDL and I used the SSL Client (standard). When I test that way, I do get the web service to return everything I would expect out of the WSnavigator in JAVA stack.

This further leads me to believe I have missed something when setting up SSL in JAVA stack. Help? Thoughts?

Much thanks for reading this,

NICK

1 REPLY 1

Former Member
0 Kudos

Hey all,

SAP helped me to resolve this. They pointed me to note 1551481. In there it describes a situation where SAP is talking on SSL versions v3.0 / 3.1 and 3.2. But if your partner isn't talking 3.2, you could get the error we got.

So I took the JAR files mentioned in the note from a NW7.0sp19 instance I had and replaced my 7.11 jars with the old jars which talk only 3.0/3.1.

Real fix is getting your partner system to accept 3.2....

Hope this helps someone out there.

NICK
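
The version mismatch described in the reply above can be checked from a packet capture by reading the version bytes of the first handshake records on each side. The sketch below is an added example, not part of the original thread or of SAP's code; it assumes the reply's 3.0/3.1/3.2 are the TLS wire versions (SSL 3.0, TLS 1.0, TLS 1.1), and the byte strings at the end are constructed samples, not captured traffic.

```python
import struct

# Wire versions as (major, minor); the thread's "3.0 / 3.1 / 3.2" are assumed to be these.
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}


def parse_record(data: bytes) -> dict:
    """Decode the first TLS record in `data` far enough to read its versions."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated record body")
    info = {"record_version": (major, minor)}
    if ctype == 22 and len(body) >= 6 and body[0] in (1, 2):
        # Handshake: type(1) + length(3), then the 2-byte hello version.
        info["kind"] = "ClientHello" if body[0] == 1 else "ServerHello"
        info["hello_version"] = (body[4], body[5])
    elif ctype == 21 and len(body) == 2:
        info["kind"] = "Alert"
        info["alert"] = ALERTS.get(body[1], f"alert_{body[1]}")
    else:
        info["kind"] = f"content_type_{ctype}"
    return info


def diagnose(client_bytes: bytes, server_bytes: bytes) -> str:
    """Compare what the client offered with how the peer answered."""
    offered = parse_record(client_bytes)["hello_version"]
    name = VERSION_NAMES.get(offered, str(offered))
    if not server_bytes:
        return f"client offered {name}; peer sent nothing before reset (possible version intolerance)"
    reply = parse_record(server_bytes)
    if reply["kind"] == "Alert":
        return f"client offered {name}; peer refused with alert {reply['alert']}"
    if reply["kind"] != "ServerHello":
        return f"client offered {name}; unexpected reply {reply['kind']}"
    chosen = VERSION_NAMES.get(reply["hello_version"], str(reply["hello_version"]))
    return f"client offered {name}; peer selected {chosen}"


# Constructed samples (not captured traffic): hellos cut off after the version field.
HELLO_32 = bytes([22, 3, 1, 0, 6, 1, 0, 0, 2, 3, 2])
SERVER_31 = bytes([22, 3, 1, 0, 6, 2, 0, 0, 2, 3, 1])
ALERT_PV = bytes([21, 3, 1, 0, 2, 2, 70])
```

An empty server side paired with a 3.2 offer matches the "Connection reset" seen in the log viewer; a peer that tolerates the offer answers with a ServerHello carrying the lower version it selected.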