cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ADS - SSL configuration ABAP

Go to solution
Former Member

on ‎06-11-2013 10:14 PM

0 Kudos

Hi,

I have configured std ADS and it worked perfectly. Now configuring SSL for ADS interactive forms. ABAP only ECC and dual stack CRM. ECC is pointing to CRM for ADS. I have crptolib configured and the parameters are set both in ECC and CRM. Created server and client PSEs and exchanged between ECC and CRM using STRUST. I also defined the ICM parameters. Both systems have below parameters set. But I do not see HTTPS service in SMICM.  It was working without HTTPS. Please help ASAP.

ssf/name                                    SAPSECULIB

ssf/ssfapi_lib                              E:\usr\sap\XXX\SYS\exe\uc\NTAMD64\sapcrypto.dll

sec/libsapsecu                              E:\usr\sap\XXX\SYS\exe\uc\NTAMD64\sapcrypto.dll

snc/gssapi_lib                              E:\usr\sap\XXX\SYS\exe\uc\NTAMD64\sapcrypto.dll

ssl/ssl_lib                                 E:\usr\sap\XXX\SYS\exe\uc\NTAMD64\sapcrypto.dll

icm/HTTPS/verify_client                     1

icm/server_port_3                           PROT=HTTPS,PORT=50001

icm/server_port_1                           PROT=SMTP,PORT=0

icm/host_name_full                         xxxxxxxx.xxxxxxxxx.xxxxxxx.com

icm/HTTP/j2ee_0                             PREFIX=/,HOST=localhost,CONN=0-500,PORT=5$$00

icm/server_port_0                           PROT=HTTP,PORT=80$$,PROCTIMEOUT=-1

ms/server_port_0                            PROT=HTTP,PORT=81$$

Thanks,

Kavitha.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member188883
Active Contributor
‎06-12-2013 12:00 PM
0 Kudos

Hi Kavitha,

Could you refer following SAP Note 838111 - How to configure SSL for Adobe Document Services

Hope this helps.

Regards,

Deepak Kori

Show replies
Show replies
former_member196664
Participant
‎06-12-2013 3:48 PM
0 Kudos

Hi Deepak,

I checked this OSS Note earlier. Only difference is, it is mentioned to use Java cryptographic tool kit. It is not available at SMP. When I enquired SAP mentioned, it will be available in few days. I used crptolib only in ABAP ECC. Also in dual stack CRM. In ECC, I am using ADS from CRM. Worked perfectly without HTTPS. But now nothing works. https:/xxxxxxxx.xxxx.xxxxxxxxxx.com:50001 worked earlier with certificate error. But after I have done few more configurations from ADS document, it stopped working too. Now showing page cannot be displayed. Not sure where I have issue. Please help.

Thanks,

Kavitha.

Former Member
‎06-12-2013 6:09 PM
0 Kudos

Hi Deepak,

I used this note only. But still not working. Don't know where is the issue. ADS is working without HTTPS. as soon as I changed to HTTPS, it is not working. Pls help.

Answers (2)

Answers (2)

Private_Member_12188
Active Participant
‎06-17-2013 12:45 PM
0 Kudos

When you are configuring your ABAP stack to talk to Adobe using SSL you only need the RFC connection to be setup to use SSL.  For JAVA it's basically the same.  You really don't need to have both the ABA and Java stacks running SSL services, just that you've configured ADS properly and that you have the proper certificates installed to both the ABAP and Java stack.  Try the below directions on your ABAP and Java stacks respectively.

ABAP.

3.3.2.3 Setting Up the SSL Connection in an ABAP Environment

In an ABAP environment, set up the SSL connection between the ABAP connection and the

J2EE environment.

To set up the SSL connection in an ABAP environment:

1. Log on to your SAP system and go to transaction SM59.

2. In the RFC Destinations tree, select HTTP Connections to Ext. Server.

3. Select ADS, then choose Change.

4. On the Logon/Security tab, in the SSL area, select SSL Client Certificate.

5. Select the certificate.

6. Select Active.

7. On the Technical Settings tab, in the PathPrefix box, enter

/AdobeDocumentServicesSec/Config?style=rpc

8. Choose Save.

For the JAVA Stack.

JAVA

3.3.2.4 Setting Up the SSL Connection in a Java Environment

Set up the SSL connection to access the Java version of the PDF object.

To set up the SSL connection in a Java environment:

1. Log on to the Visual Administrator. (See How to Start the Visual Administrator on page

33.)

2. On the Cluster tab, choose Server <x> → Services → Web Services Security.

3. Choose Web Services Clients → sap.com > tc~wd~pdfobject →

com.sap.tc.webdynpro.adsproxy.AdsProxy*ConfigPort_Document.

4. Change the URL to

https://<Host>:<Port>/AdobeDocumentServicesSec/Config?style=docume

nt

5. From the Authentication drop-down list box, select X.509 Client Certificate.

6. In the Client Certification Authentication area, from the Keystore view list, select

ADSCerts.

7. From the Certificate list, select the certificate associated with the user that is assigned the

ADSCaller security role, which you created earlier.

8. Choose Save

Show replies
Show replies
Private_Member_12188
Active Participant
‎06-17-2013 12:48 PM
0 Kudos

Take a look at this guide, I know the version is not what you are running but the concept on how it works is the same.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/90/71d273fa724cc9bb644ab00405e6f8/frameset.htm

Former Member
‎06-17-2013 6:57 PM
0 Kudos

Tony,

In webservices security, under ADSCerts view, I did not find my certificate. Though it is physically there, it is not showing in VA webservices security. Not sure why. The only certificate showing is ssl-credentials java certificate. Pls help. All other configurations are exactly same. Even in SM59, SSL client certificates are not showing. I made in active and chose default ssl client certificates, but certificates are not showing up. Please help.

Thanks,

Kavitha.

Private_Member_12188
Active Participant
‎06-18-2013 12:47 PM
0 Kudos

Have you installed the Java cryptographic toolkit on your Java stack yet?  This is required in order to use SSL.

"Use

Per default, the SAP J2EE Engine is delivered with an export version of the security toolkit that only contains functions for digital signatures, but does not contain the encryption functions necessary for using SSL. Therefore, before you can use SSL on the SAP J2EE Engine you must replace this default library with the complete version of the SAP Java Cryptographic Toolkit.

You can skip this procedure if you installed the SAP Java Cryptographic Toolkit during the J2EE Engine installation."

You need to walk through the steps listed here.

Administration Manual -> Server Administration -> J2EE Engine Security -> Transport Layer Security on the SAP J2EE Engine -> Configuring the Use of SSL on the SAP J2EE Engine

(Direct Link)

http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm

Here is the main link to SAP NetWeaver 2004 Help

http://help.sap.com/saphelp_nw04/helpdata/en/49/e98876e9865b4e977b54fc090df4ed/frameset.htm

Once you have gone through getting SSL setup you should then be able to proceed with configuring SSL for ADS.

You really need to follow the help guide step by step.  Fully read each of the highlighted steps below before you start.  This will give you a better understanding of what you are trying to accomplish before you begin.

Former Member
‎06-18-2013 5:43 PM
0 Kudos

Tony,

Java cryptographic tool kit is not available in SMP.

https://websmp109.sap-ag.de/swdc-->

Installations and Upgrades-->Browse our download catalog-->SAP

Cryptographic Software-->SAP JAVA CRYPTO TOOLKIT

Nothing is available in above location. I asked SAP, they said it will be available in few days. I thought since it is dual stack, I can use Cryptolib for ABAP and activate SSL. Please advise.

Thanks,

Kavitha

Private_Member_12188
Active Participant
‎06-20-2013 4:28 PM
0 Kudos

As far as I know there is not a workaround for using SSL in a JAVA stack without the cryptographic toolkit installed.  SAP said it would be available in a few days, I would keep checking and if its not open an OSS message.

Former Member
‎06-20-2013 7:34 PM
0 Kudos

Tony,

For ABAP only ECC also, In SMICM, HTTPS is not active. I am using sapcryptolib for ABAP. Is it also because of Java cryptographic tool kit in CRM? Pls advise.

Thanks,

Kavitha

Private_Member_12188
Active Participant
‎06-21-2013 1:21 PM
0 Kudos

Can you post the current SMICM trace log?

Former Member
‎06-21-2013 6:05 PM
0 Kudos

Tony,

Please find the attached SMICM log from ECC.

Thanks,
kavitha

SMICM.TXT.zip
Private_Member_12188
Active Participant
‎06-21-2013 6:13 PM
0 Kudos

What is the port for HTTPs in SMICM on your ABAP stack?  Is it the same one that's specified in the Java stack?  If so can you make them different and try restarting again?

Former Member
‎06-21-2013 6:34 PM
0 Kudos

Java port is 50000

icm/server_port_3                           PROT=HTTPS,PORT=8001

icm/server_port_0                           PROT=HTTP,PORT=80$$

Thanks,

Kavitha

Former Member
‎06-26-2013 2:38 PM
0 Kudos

Tony,

My port issue is resolved. I am only getting certificate error now while accessing HTTPS. Please let me know what could be the issue. I have created client standard PSE certificates and assigned the ads users. I have created java certificate and used in webservices security in visual admin. Not sure where the issue is. Pls help.

Thanks,

Kavitha.

Private_Member_12188
Active Participant
‎06-12-2013 2:15 PM
0 Kudos

This is kind of a cliché question, but have you restarted ICM since making those parameter changes?

As a test you can create a temporary service inside of SMICM.

Once in SMICM go to the services (Goto menu -> services or shift + F1).  Then select the Service Menu -> Create.

You can then test out new service configurations without having to restart.  These are only temporary and will not persist past a restart.  This can help you determine if your issue is with your parameters as well as whether your SSL ADS connection is functioning.

Show replies
Show replies
former_member196664
Participant
‎06-12-2013 3:15 PM
0 Kudos

Hi Tony,

I am able to create in ABAP only ECC. When I restarted it is gone. Why can't I see in SMICM, please let me know.

I am not able to start in dual stack CRM, looks like it is already running? I am not able to see? Pls help. Below is SMICM-->goto-->trace file-->display all.

[Thr 5068] Wed Jun 12 10:04:37 2013

[Thr 5068] IcmHandleMonServMsg: Start service 50001 for protocol 2 (timeout=15, proc_timeout: 15, ext_bind: 1)

[Thr 5068] *** INFO => the EXTBIND attribute in parameter icm/server_port_<xx> for service 50001 is not necessary on Windows - i

[Thr 5068] *** ERROR => NiIBindSocket: SiBind failed for hdl 24 / sock 8592

    (SI_EPORT_INUSE/10013; I4; ST; 0.0.0.0:50001) [nixxi.cpp    3237]

[Thr 5068] *** ERROR => IcmBindService: NiBuf2Listen failed for host sapcrmsbx.crestron.crestron.com:50001 (rc=-4): NIESERV_USED

[Thr 5068] *** ERROR => IcmHandleMonServMsg: IcmAddService failed (rc=-1) [icxxmsg.c    1814]

[Thr 4664] Wed Jun 12 10:04:51 2013

[Thr 4664] IcmHandleMonServMsg: Start service 50001 for protocol 2 (timeout=15, proc_timeout: 15, ext_bind: 1)

[Thr 4664] *** ERROR => IcmAddService: service 50001 already exists [icxxserv.c   300]

[Thr 4664] *** ERROR => IcmHandleMonServMsg: IcmAddService failed (rc=-23) [icxxmsg.c    1814]

[Thr 6804] Wed Jun 12 10:05:05 2013

[Thr 6804] IcmHandleMonServMsg: Start service 50001 for protocol 2 (timeout=15, proc_timeout: 15, ext_bind: 1)

[Thr 6804] *** ERROR => IcmAddService: service 50001 already exists [icxxserv.c   300]

[Thr 6804] *** ERROR => IcmHandleMonServMsg: IcmAddService failed (rc=-23) [icxxmsg.c    1814]

[Thr 5996] Wed Jun 12 10:11:10 2013

[Thr 5996] IcmHandleMonServMsg: Start service 50001 for protocol 2 (timeout=15, proc_timeout: 15, ext_bind: 1)

[Thr 5996] *** ERROR => IcmAddService: service 50001 already exists [icxxserv.c   300]

[Thr 5996] *** ERROR => IcmHandleMonServMsg: IcmAddService failed (rc=-23) [icxxmsg.c    1814]

[Thr 5052] Wed Jun 12 10:11:21 2013

[Thr 5052] *** ERROR => NiIBindSocket: SiBind failed for hdl 24 / sock 8592

    (SI_EPORT_INUSE/10013; I4; ST; 0.0.0.0:50001) [nixxi.cpp    3237]

[Thr 5052] *** ERROR => IcmBindService: NiBuf2Listen failed for host sapcrmsbx.crestron.crestron.com:50001 (rc=-4): NIESERV_USED

[Thr 5052] *** ERROR => IcmHandleMonServMsg: IcmActivateService failed for 50001, 2(rc=-1) [icxxmsg.c    1861]

Thanks,

Kavitha

Private_Member_12188
Active Participant
‎06-12-2013 3:54 PM
0 Kudos

In SMICM can you send me a screenshot of what your active services currently looks like?

Similar to this one.

Private_Member_12188
Active Participant
‎06-12-2013 4:08 PM
0 Kudos

Can you check to see if that port is already in use on that server?

Run from a command prompt :

netstat -an | find "50001"

Former Member
‎06-12-2013 4:16 PM
0 Kudos

Hi Tony,

Above command returns nothing. In ECC SMICM --> active services

  Active Services

      No. Protocol           Service Name/Port    Host Name            Keep Alive Proc.Timeo Actv External Bind

       1  HTTP               8000                 SAPECCSBX.CRESTRON.C        30         60
       2  SMTP               0                    SAPECCSBX.CRESTRON.C        30         60

In CRM:

  Active Services

      No. Protocol           Service Name/Port    Host Name            Keep Alive Proc.Timeo Actv External Bind

       1  HTTP               8000                 sapcrmsbx.crestron.c 9,999,999          1-
       2  SMTP               0                    sapcrmsbx.crestron.c        30  9,999,999

Thanks,
kavitha

Private_Member_12188
Active Participant
‎06-12-2013 7:49 PM
0 Kudos

Can you try to change the port number from 50001 to something else?  Try 8001, restart and see if the HTTPS services shows up.  The error log is saying that for some reason that port is in use.

Former Member
‎06-12-2013 7:57 PM
0 Kudos

Tony,

First I tried 8001 only, later changed to 50001 as I saw in Visual Admin Server)-->services-->SSL provider-->Active sockets 50001, 50003 and 50006. Once I changed to 50001, https:/crmsbx.xxx.xx.com:50001 worked with certificate error. Then I proceeded with further ADS config in VA, then I checked that https:/crmsbx.xxx.xx.com:50001 stopped working. Please advise.

Thanks,
kavitha

Private_Member_12188
Active Participant
‎06-13-2013 2:05 PM
0 Kudos

It seems like you are trying to setup SSL on the same port for both the Java and ABAP stacks. When setting up SSL in a dual stack environment there are a couple of things that need to be done differently than in a single stack environment (e.g. your ECC system being ABAP only).

What version of CRM are you running?

former_member196664
Participant
‎06-13-2013 2:46 PM
0 Kudos

Tony,

It is CRM 6.0. Please explain how to set up. Do you mean I should not use the ones that I see in active sockets in VA?

Thanks,

Kavitha.

Private_Member_12188
Active Participant
‎06-13-2013 4:03 PM
0 Kudos

I was not able to find something specifically for CRM 6.0, but the below guide should be able to get you going.  Start on section 5.4.5 for the SSL ABAP to ADS config, then on 5.4.7 for the Java.

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/30a9630b-4f89-2a10-6fab-e311b3ffd...

Former Member
‎06-14-2013 4:45 PM
0 Kudos

Tony,

I changed to 8001 in ICM Https port in ECC and CRM. I can start the https service manually and the HTTPS url works. Once restarted the service disappeared, the url did not work. Now the problem is I don't see the service active in SMICM automatically in both ECC and CRM. It works when created manually. Please help and let me know what is missing.

Thanks,
kavitha Rajan.

Ask a Question