cancel
Showing results for 
Search instead for 
Did you mean: 

How to import *.pfx for 2 way SSL Web Service?

Former Member
0 Kudos

Hello,

We are trying to create web service consumer where 2 way SSL is needed.

We have exp_pfx_cert.pfx certificate. As far as we know there is need to convert it to PSE and then import in STRUST. Next steps like RFC, service consumer should be as usually.

PFX -> PSE

We tried to use sapgenpse but there was error like in attached image.

ROOT CA certificate is in another text file.

How to import this pfx + ROOT CA into SAP STRUST ?

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
0 Kudos

You can import the root certificate together with your certificate either with sapgenpse.exe or STRUST. With the former, use option -r. See the attached links for details. In case of STRUST simply load both certificates and add to certificate list, save. The same applies for chained certificates.

http://scn.sap.com/people/jens.gleichmann/blog/2008/10/31/calling-webservices-from-abap-via-httpsssl...

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/0d/9ce63bab134b39a52e340255d7650c/frameset.htm

Former Member
0 Kudos

How to import *.pfx to STRUST?

I can only add ROOT CA saved as *.cer

I also tried to add *.cer (With ROOT CA) and pem (converted from pfx) to existing SSL client PSE with no success.

Is it possible to create new SSL client PSE ( using the menu item "Environment ==> SSL Client Identities) having only this *.pem and *.cer so 2 way SSL works correct? Or we need to use sapgenpse passing *.cer (ROOT CA) and *.pfx to receive *.pse ?


Former Member
0 Kudos

I doubt your *.pfx contains also the root certificate so it contains your signed certificate and the private key. Convert your *.pfx to *.cer (DER) or *.crt (Base-64) and import into STRUST. Do the same for your *.cer (DER) root certificate.

PEM certificates can't be mixed with other certificates since the whole trust chain including the private key can be contained in a PEM certificate.

Former Member
0 Kudos

I have exported *.cer (DER) from IE and imported it with ROOT CA ( *.cer) into Default SSL Client folder in STRUST. Afters restart in smicm I have: ICM_HTTP_CONNECTION_FAILED during connection test.

Is it correct to create new folder in STRUST for this connection (using the menu item "Environment ==> SSL Client Identities)  next right click on new folder "Create" and leave default values?

Former Member
0 Kudos

If you need to specify a client identity other than the default ones (anonymous or the default SSL one) then yes you need to create a new client identity. See the developer trace dev_icm to figure out why you are getting the connection error, it doesn't seem related to SSL. Could be a network issue or you are using wrong hostname or port.

Former Member
0 Kudos

In smicm i have:

*** WARNING => Connection request from (30/4018/1) to host: xxx.xxx.xxx.xxx, service: 443 failed (NIECONN_REFUSED

RM-T30, U4018, 800 XXXXXXX, T61, 20:56:44, M1, W3, SM59, 2/2 {00010018} [icxxconn_mt.c 2222]

Maybe this is firewall issue...

We will use many certificates for one destination webserwice to log in so I think we will have to create the same amount of client identities and SM59 connections as certificates.

Do we have to create client identity in special way (like there: http://scn.sap.com/people/jens.gleichmann/blog/2008/10/31/calling-webservices-from-abap-via-httpsssl...  using PSE) or just "Create" and leave default values?

Former Member
0 Kudos

Yes, then you need several identities. Use the steps in the blog or application help in order to setup the client identities.

Former Member
0 Kudos

Hi Samuli,

Any ideas on this:

Thank you in advance!

Br,

Serhat