
SOAMANAGER: RFC connection uses 'anonymous' PSE?

former_member188433
Participant
0 Kudos

Hi Everybody - We want to configure our ERP 6.04 system to consume an external web service. The web service will be accessed by an ABAP program (not by the end user). We want to use SSL and a service userid/password.

If the developer uses the supplied WSDL and tcodes SE80 and soamanager, the automatic configuration generates an RFC connection that does not contain userid and password and uses the SSL Client Standard PSE (SAPSSLC.pse). If the developer uses a manual configuration in soamanager in order to specify basic authentication in addition to SSL then the RFC connection will contain the userid/password, but it will also specify the 'anonymous' PSE (SAPSSLA.pse).

1. Does the above sound correct?

2. Are there any real issues with using the 'anonymous' PSE instead of the standard client PSE?

3. Will the 'anonymous' PSE present a problem when we go to QA and production (which will use CA signed certificates)?

4. Is there a way to specify SSL with userid/password and get the RFC connection to use the standard client PSE?

Thanks for your help - points awarded for helpful input.

Jeff

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi,

I recommend that the developer create the logical port using the WSDL (not manually); the WSDL will provide all necessary settings in SOAMANAGER.

You can import the client certificate in STRUSTSSO2 (Environment->SSL Client Identities) and then use the client certificate in the RFC destination. If the web service supports an anonymous client certificate, then it will work with the standard SSL client certificate.

Regards,

Gourav

former_member188433
Participant
0 Kudos

Hi Gourav - Thanks for your response. I agree, we would prefer to use the WSDL to generate the logical port. However, when we use this method we are not able to get both SSL and userid/password (as this is not in the WSDL).

Any idea what causes this process to choose the 'anonymous' PSE instead of the standard client PSE?

Best Regards - Jeff

Former Member
0 Kudos

Hi Jeff,

If the service is configured to use SSL, then you will get it automatically in the WSDL, which in turn is enabled in the LP. You can also change the transport protocol from "HTTP" to "HTTPS".

The anonymous PSE is the default behavior (as far as I know). You should import the client certificate if you want to use it and then change the RFC destination with the correct client certificate.

Again, I suggest using automatic configuration of the logical port, and if you want something changed, then my suggestion is to make sure the WSDL is configured that way by the service provider (SSL enabled, message-level security, etc.).

Regards,

Gourav

former_member188433
Participant
0 Kudos

Hi Gourav - Thanks for taking the time to discuss this with me.

As far as I can tell there is no way to change the generated RFC connection. This does not appear to be an authorization issue (I can change other RFC destinations and SU53 shows no missing authorizations). Are you able to change type 'G' RFCs that are generated from soamanager in your development system? We are on ERP 6.04 w/NW 7.01.

We imported the client certificate into the anonymous PSE and it works. I'm still confused on the following:

- why is the anonymous PSE selected by default

- what specifically can be changed in the WSDL to make SAP select the Client Standard PSE

- why I cannot change the generated RFC connection.

Best Regards - Jeff

Former Member
0 Kudos

Hi Jeff,

Yes, you are right: an automatically generated LP can't be changed via a change in the RFC destination, but a manual LP can be changed via the RFC destination.

See SAP help: http://help.sap.com/saphelp_nw70/helpdata/en/5b/2e423c0bcc4a7ee10000000a114084/content.htm and read points 3 and 4 carefully.

STANDARD = "Mutual Authentication"

Anonymous = "Only server Authentication"

Make sure you have configured/activated the correct security settings as per the following document:

Configure ABAP AS: http://help.sap.com/saphelp_nw70/helpdata/en/65/6a563cef658a06e10000000a11405a/content.htm

As a workaround, I suggest that you create another LP manually with the exact settings you can see in the automatically created LP and then change the generated RFC destination (you can change a manually generated LP's RFC destination).

To use standard client SSL you need to configure mutual trust between consumer and provider (I haven't configured it myself).

I'll investigate more and come back to you.

Regards,

Gourav

former_member188433
Participant
0 Kudos

Thanks Gourav -

The first link was especially helpful. So it seems in my case the anonymous PSE is the correct choice because we do not have mutual authentication in place (the server that supplies the web service does not have a certificate from us)? Is this something that SAP can detect when an automatic LP is generated?

Best Regards - Jeff

former_member188433
Participant
0 Kudos

Hi Gourav - One more thought:

Have you ever tried changing the Profile radio button on the proxy configuration in SE80? We think it may be possible to influence which PSE is selected based on this setting.

In SE80, open the proxy and select the Configuration tab for Security Profile > Authentication.

Regards - Jeff

Former Member
0 Kudos

Hi Jeff,

>Configuration tab for Security Profile > Authentication

This will affect LP configuration settings but I doubt it will enable selection of profile is SSL certificates (you can't change it BTW).

I think the Anonymous profile selection was correct, as you haven't established mutual trust between the systems. If you configure SSL properly on your ECC system, then the DEFAULT profile will be selected by default. You should follow one of the links I mentioned above for SSL configuration.

In our system, once we activated SSL, we can see the default profile in the RFC dest, instead of the Anon profile when SSL was not active on the ECC system.

Regards,

Gourav