on 06-11-2013 10:14 PM
Hi,
I have configured std ADS and it worked perfectly. Now configuring SSL for ADS interactive forms. ABAP only ECC and dual stack CRM. ECC is pointing to CRM for ADS. I have crptolib configured and the parameters are set both in ECC and CRM. Created server and client PSEs and exchanged between ECC and CRM using STRUST. I also defined the ICM parameters. Both systems have below parameters set. But I do not see HTTPS service in SMICM. It was working without HTTPS. Please help ASAP.
ssf/name SAPSECULIB
ssf/ssfapi_lib E:\usr\sap\XXX\SYS\exe\uc\NTAMD64\sapcrypto.dll
sec/libsapsecu E:\usr\sap\XXX\SYS\exe\uc\NTAMD64\sapcrypto.dll
snc/gssapi_lib E:\usr\sap\XXX\SYS\exe\uc\NTAMD64\sapcrypto.dll
ssl/ssl_lib E:\usr\sap\XXX\SYS\exe\uc\NTAMD64\sapcrypto.dll
icm/HTTPS/verify_client 1
icm/server_port_3 PROT=HTTPS,PORT=50001
icm/server_port_1 PROT=SMTP,PORT=0
icm/host_name_full xxxxxxxx.xxxxxxxxx.xxxxxxx.com
icm/HTTP/j2ee_0 PREFIX=/,HOST=localhost,CONN=0-500,PORT=5$$00
icm/server_port_0 PROT=HTTP,PORT=80$$,PROCTIMEOUT=-1
ms/server_port_0 PROT=HTTP,PORT=81$$
Thanks,
Kavitha.
Hi Kavitha,
Could you refer following SAP Note 838111 - How to configure SSL for Adobe Document Services
Hope this helps.
Regards,
Deepak Kori
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Deepak,
I checked this OSS Note earlier. Only difference is, it is mentioned to use Java cryptographic tool kit. It is not available at SMP. When I enquired SAP mentioned, it will be available in few days. I used crptolib only in ABAP ECC. Also in dual stack CRM. In ECC, I am using ADS from CRM. Worked perfectly without HTTPS. But now nothing works. https:/xxxxxxxx.xxxx.xxxxxxxxxx.com:50001 worked earlier with certificate error. But after I have done few more configurations from ADS document, it stopped working too. Now showing page cannot be displayed. Not sure where I have issue. Please help.
Thanks,
Kavitha.
When you are configuring your ABAP stack to talk to Adobe using SSL you only need the RFC connection to be setup to use SSL. For JAVA it's basically the same. You really don't need to have both the ABA and Java stacks running SSL services, just that you've configured ADS properly and that you have the proper certificates installed to both the ABAP and Java stack. Try the below directions on your ABAP and Java stacks respectively.
ABAP.
3.3.2.3 Setting Up the SSL Connection in an ABAP Environment
In an ABAP environment, set up the SSL connection between the ABAP connection and the
J2EE environment.
To set up the SSL connection in an ABAP environment:
1. Log on to your SAP system and go to transaction SM59.
2. In the RFC Destinations tree, select HTTP Connections to Ext. Server.
3. Select ADS, then choose Change.
4. On the Logon/Security tab, in the SSL area, select SSL Client Certificate.
5. Select the certificate.
6. Select Active.
7. On the Technical Settings tab, in the PathPrefix box, enter
/AdobeDocumentServicesSec/Config?style=rpc
8. Choose Save.
For the JAVA Stack.
JAVA
3.3.2.4 Setting Up the SSL Connection in a Java Environment
Set up the SSL connection to access the Java version of the PDF object.
To set up the SSL connection in a Java environment:
1. Log on to the Visual Administrator. (See How to Start the Visual Administrator on page
33.)
2. On the Cluster tab, choose Server <x> → Services → Web Services Security.
3. Choose Web Services Clients → sap.com > tc~wd~pdfobject →
com.sap.tc.webdynpro.adsproxy.AdsProxy*ConfigPort_Document.
4. Change the URL to
https://<Host>:<Port>/AdobeDocumentServicesSec/Config?style=docume
nt
5. From the Authentication drop-down list box, select X.509 Client Certificate.
6. In the Client Certification Authentication area, from the Keystore view list, select
ADSCerts.
7. From the Certificate list, select the certificate associated with the user that is assigned the
ADSCaller security role, which you created earlier.
8. Choose Save
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Take a look at this guide, I know the version is not what you are running but the concept on how it works is the same.
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/90/71d273fa724cc9bb644ab00405e6f8/frameset.htm
Tony,
In webservices security, under ADSCerts view, I did not find my certificate. Though it is physically there, it is not showing in VA webservices security. Not sure why. The only certificate showing is ssl-credentials java certificate. Pls help. All other configurations are exactly same. Even in SM59, SSL client certificates are not showing. I made in active and chose default ssl client certificates, but certificates are not showing up. Please help.
Thanks,
Kavitha.
Have you installed the Java cryptographic toolkit on your Java stack yet? This is required in order to use SSL.
"Use
Per default, the SAP J2EE Engine is delivered with an export version of the security toolkit that only contains functions for digital signatures, but does not contain the encryption functions necessary for using SSL. Therefore, before you can use SSL on the SAP J2EE Engine you must replace this default library with the complete version of the SAP Java Cryptographic Toolkit.
You can skip this procedure if you installed the SAP Java Cryptographic Toolkit during the J2EE Engine installation."
You need to walk through the steps listed here.
Administration Manual -> Server Administration -> J2EE Engine Security -> Transport Layer Security on the SAP J2EE Engine -> Configuring the Use of SSL on the SAP J2EE Engine
(Direct Link)
http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm
Here is the main link to SAP NetWeaver 2004 Help
http://help.sap.com/saphelp_nw04/helpdata/en/49/e98876e9865b4e977b54fc090df4ed/frameset.htm
Once you have gone through getting SSL setup you should then be able to proceed with configuring SSL for ADS.
You really need to follow the help guide step by step. Fully read each of the highlighted steps below before you start. This will give you a better understanding of what you are trying to accomplish before you begin.
Tony,
Java cryptographic tool kit is not available in SMP.
https://websmp109.sap-ag.de/swdc-->
Installations and Upgrades-->Browse our download catalog-->SAP
Cryptographic Software-->SAP JAVA CRYPTO TOOLKIT
Nothing is available in above location. I asked SAP, they said it will be available in few days. I thought since it is dual stack, I can use Cryptolib for ABAP and activate SSL. Please advise.
Thanks,
Kavitha
Tony,
My port issue is resolved. I am only getting certificate error now while accessing HTTPS. Please let me know what could be the issue. I have created client standard PSE certificates and assigned the ads users. I have created java certificate and used in webservices security in visual admin. Not sure where the issue is. Pls help.
Thanks,
Kavitha.
This is kind of a cliché question, but have you restarted ICM since making those parameter changes?
As a test you can create a temporary service inside of SMICM.
Once in SMICM go to the services (Goto menu -> services or shift + F1). Then select the Service Menu -> Create.
You can then test out new service configurations without having to restart. These are only temporary and will not persist past a restart. This can help you determine if your issue is with your parameters as well as whether your SSL ADS connection is functioning.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Tony,
I am able to create in ABAP only ECC. When I restarted it is gone. Why can't I see in SMICM, please let me know.
I am not able to start in dual stack CRM, looks like it is already running? I am not able to see? Pls help. Below is SMICM-->goto-->trace file-->display all.
[Thr 5068] Wed Jun 12 10:04:37 2013
[Thr 5068] IcmHandleMonServMsg: Start service 50001 for protocol 2 (timeout=15, proc_timeout: 15, ext_bind: 1)
[Thr 5068] *** INFO => the EXTBIND attribute in parameter icm/server_port_<xx> for service 50001 is not necessary on Windows - i
[Thr 5068] *** ERROR => NiIBindSocket: SiBind failed for hdl 24 / sock 8592
(SI_EPORT_INUSE/10013; I4; ST; 0.0.0.0:50001) [nixxi.cpp 3237]
[Thr 5068] *** ERROR => IcmBindService: NiBuf2Listen failed for host sapcrmsbx.crestron.crestron.com:50001 (rc=-4): NIESERV_USED
[Thr 5068] *** ERROR => IcmHandleMonServMsg: IcmAddService failed (rc=-1) [icxxmsg.c 1814]
[Thr 4664] Wed Jun 12 10:04:51 2013
[Thr 4664] IcmHandleMonServMsg: Start service 50001 for protocol 2 (timeout=15, proc_timeout: 15, ext_bind: 1)
[Thr 4664] *** ERROR => IcmAddService: service 50001 already exists [icxxserv.c 300]
[Thr 4664] *** ERROR => IcmHandleMonServMsg: IcmAddService failed (rc=-23) [icxxmsg.c 1814]
[Thr 6804] Wed Jun 12 10:05:05 2013
[Thr 6804] IcmHandleMonServMsg: Start service 50001 for protocol 2 (timeout=15, proc_timeout: 15, ext_bind: 1)
[Thr 6804] *** ERROR => IcmAddService: service 50001 already exists [icxxserv.c 300]
[Thr 6804] *** ERROR => IcmHandleMonServMsg: IcmAddService failed (rc=-23) [icxxmsg.c 1814]
[Thr 5996] Wed Jun 12 10:11:10 2013
[Thr 5996] IcmHandleMonServMsg: Start service 50001 for protocol 2 (timeout=15, proc_timeout: 15, ext_bind: 1)
[Thr 5996] *** ERROR => IcmAddService: service 50001 already exists [icxxserv.c 300]
[Thr 5996] *** ERROR => IcmHandleMonServMsg: IcmAddService failed (rc=-23) [icxxmsg.c 1814]
[Thr 5052] Wed Jun 12 10:11:21 2013
[Thr 5052] *** ERROR => NiIBindSocket: SiBind failed for hdl 24 / sock 8592
(SI_EPORT_INUSE/10013; I4; ST; 0.0.0.0:50001) [nixxi.cpp 3237]
[Thr 5052] *** ERROR => IcmBindService: NiBuf2Listen failed for host sapcrmsbx.crestron.crestron.com:50001 (rc=-4): NIESERV_USED
[Thr 5052] *** ERROR => IcmHandleMonServMsg: IcmActivateService failed for 50001, 2(rc=-1) [icxxmsg.c 1861]
Thanks,
Kavitha
Hi Tony,
Above command returns nothing. In ECC SMICM --> active services
Active Services
No. Protocol Service Name/Port Host Name Keep Alive Proc.Timeo Actv External Bind
1 HTTP 8000 SAPECCSBX.CRESTRON.C 30 60
2 SMTP 0 SAPECCSBX.CRESTRON.C 30 60
In CRM:
Active Services
No. Protocol Service Name/Port Host Name Keep Alive Proc.Timeo Actv External Bind
1 HTTP 8000 sapcrmsbx.crestron.c 9,999,999 1-
2 SMTP 0 sapcrmsbx.crestron.c 30 9,999,999
Thanks,
kavitha
Tony,
First I tried 8001 only, later changed to 50001 as I saw in Visual Admin Server)-->services-->SSL provider-->Active sockets 50001, 50003 and 50006. Once I changed to 50001, https:/crmsbx.xxx.xx.com:50001 worked with certificate error. Then I proceeded with further ADS config in VA, then I checked that https:/crmsbx.xxx.xx.com:50001 stopped working. Please advise.
Thanks,
kavitha
It seems like you are trying to setup SSL on the same port for both the Java and ABAP stacks. When setting up SSL in a dual stack environment there are a couple of things that need to be done differently than in a single stack environment (e.g. your ECC system being ABAP only).
What version of CRM are you running?
I was not able to find something specifically for CRM 6.0, but the below guide should be able to get you going. Start on section 5.4.5 for the SSL ABAP to ADS config, then on 5.4.7 for the Java.
Tony,
I changed to 8001 in ICM Https port in ECC and CRM. I can start the https service manually and the HTTPS url works. Once restarted the service disappeared, the url did not work. Now the problem is I don't see the service active in SMICM automatically in both ECC and CRM. It works when created manually. Please help and let me know what is missing.
Thanks,
kavitha Rajan.
User | Count |
---|---|
85 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.