
How to Enable SSL certificate at the receiver SOAP Adapter

former_member6134
Participant
0 Kudos

Hello Experts,

We have a synchronous scenario between SAP R/3 and an external web server. Now the external web server is configured for SSL and has a self-signed certificate for SSL. The administrator for the web server has given us the SSL certificate, i.e. server.crt. How do I import it, and what steps do I follow to enable this secured HTTP link starting with https? Without enabling this in PI, when we fired the scenario we got the following error:

com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.EOFException: Connection closed by remote host

Can somebody guide us on how to implement this SSL certificate in the PI server so that data can be sent to the web server from SAP R/3?

Thanking You

Regards

shekar

Accepted Solutions (1)

Former Member
0 Kudos

Hi Shekar,

Please see the blogs below on PI SSL and security. You need to import the external server certificate into the TrustedCA view present in the Keystore Service of NWA. The links below will help you in creating the SSL scenario. Let me know if you need any help:

http://scn.sap.com/people/rajendra.badi/blog/2011/08/24/configuring-wsse-digital-signing-and-encrypt...

http://scn.sap.com/people/rajendra.badi/blog/2011/11/23/pi-711-transport-level-secuirty-communicatin...

Thanks,

Rajendra

former_member6134
Participant
0 Kudos

Hi Rajendra,

Thanks for your reply. I have imported the certificate given by the web server administrator into the Trusted CA view in NWA -> Certificate and Key -> Key Storage. I can see the certificate in the Key Storage View Details as follows:

CERTIFICATE entry:
Creation date : Mon Jul 08 08:27:30 GMT 2013 (8 Jul 2013 08:27:30 GMT)
Version : ver.1 X.509
Algorithm : RSA
Key Size : 1024 bits
Subject name : CN=oneviewstg.timesjobs.com,OU=IT,O=TBSL lTd.,L=Newbury,ST=Berkshire,C=IN
Issuer name : CN=oneviewstg.timesjobs.com,OU=IT,O=TBSL lTd.,L=Newbury,ST=Berkshire,C=IN
Serial number : 16158301347897795999
Signature Algorithm : sha1WithRSAEncryption (1.2.840.113549.1.1.5)
Validity:
not before : Thu Jul 04 14:05:45 GMT 2013 (4 Jul 2013 14:05:45 GMT)
not after : Fri Jul 04 14:05:45 GMT 2014 (4 Jul 2014 14:05:45 GMT)
Public key fingerprint : BD:42:02:E2:5B:3F:D4:08:1D:9E:66:26:A1:07:D8:61
Certificate fingerprint(MD5): 2F:87:AF:D2:F3:3B:54:CE:57:0E:32:F8:FA:6A:0A:F0
Certificate extensions :
NONE.

But when I am trying to configure this imported certificate in the SOAP receiver channel -> Configure Certificate Authentication -> KeyStore entry and Key store view, I am not able to see the imported certificate in the value list selection. How do I configure it in the communication channel?

2) I have checked that the https port is not shown on my server. Do I have to configure the https port in this scenario when I am trying to connect to an outside web server?

Please guide me on this.

Thanking You

With Best Regards

Shekar

Former Member
0 Kudos

Hi Shekar,

For your question 1:

But when I am trying to configure this imported certificate in the SOAP receiver channel -> Configure Certificate Authentication -> KeyStore entry and Key store view, I am not able to see the imported certificate in the value list selection. How do I configure it in the communication channel?

--> You do not make any configuration in the SOAP receiver channel unless it is two-way SSL authentication, i.e. the external server explicitly asks for the client's (in our case PI's) certificate. So in one-way authentication, the server certificate or trusted CA certificates are imported into NWA --> Certificates and Keys --> KeyStore --> TrustedCA view. This is enough; there is no need to modify anything in the channel.

2) I have checked that the https port is not shown on my server. Do I have to configure the https port in this scenario when I am trying to connect to an outside web server?

Ans: Yes, you have to enable the SSL (HTTPS) port in the PI server. Please contact your Basis team to configure it, and cross-check by opening https://<pihost>:<port>/dir/. If this URL works, then https is enabled in PI and it is ready to execute an https (SSL) scenario. Let me know if you need any help.

Thanks,

Rajendra

former_member6134
Participant
0 Kudos

Hi Rajendra,

Thanks for your reply, time and effort. I have done exactly as suggested by you, i.e.

1) The certificate given for the external web server, i.e. server.crt, is imported in NWA -> Configuration Management -> Certificate & Keys -> TrustedCAs -> server.

2) The https port is configured and the link is checked on the PI server. But while testing the https URL of the PI server we are getting a certificate error. The following is the error we are getting in the browser:

There is a problem with this website's security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

We recommend that you close this webpage and do not continue to this website.

When we click on continue to this website, we get the page displayed with a certificate error in the browser.

3) Also I have fired the scenario and tested it. We are still getting the same error as earlier, i.e. as follows:

com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.EOFException: Connection closed by remote host.

It is something that we need to enable the https on the network layer and the proxy, as the traffic in our landscape goes to the outside web server through the proxy dedicated to connecting to servers outside our landscape.

Kindly guide me on this.

Thanking You

With Best Regards

Shekar

former_member6134
Participant
0 Kudos

Hi Rajendra,

Thanks for all the effort you have taken to help me, and thanks to everybody for contributing all the other possibilities. The problem has been solved. The certificate has been installed and there was a slight problem in the URL for the web server.

Thanks

Regards

Shekar

Former Member
0 Kudos

Hi Shekar,

It's good that you have enabled the https port and imported the web server cert into Trusted CA. The error you were getting while opening the https link of PI is because the PI server certificate is not signed by any other TrustedCA. Once you import the PI server certificate in the "Web Browser e.g. IE", this error won't be seen. This error is not related to your interface error; you can leave this error for the time being.

For the interface error, try to check:

1. Whether you are able to open the external server link from your system (network). If you are not able to access it, then ask your network team to open the ports to send/receive the data.

2. Make sure you have given the FQDN (host name) in the SOAP receiver channel, or if you are giving an IP then you should set up DNS in the /etc/hosts file.

3. If this didn't solve it, then try to increase the debug level for the SOAP and security packages in the Log Configurator of NWA and check the trace, or you can paste it in the blog and we will check it.

Hope these points will help you in trouble-shooting.

Thanks,
Rajendra

Answers (3)

naveen_chichili
Active Contributor
0 Kudos
Former Member
0 Kudos

Hi Shekar,

I advise against using a self-signed certificate in a production scenario. At the very least, ask the external server administrator to create a signing authority certificate using OpenSSL (there are plenty of examples on the web) with a long expiry (say 10 years). They can then use this certificate to sign the server certificate and give it a typical expiry which is 1-2 years. Therefore you only need to import the certificate of the signing authority into your TrustedCAs keystore view and will not have to perform this action every time the external server certificate expires.

The next question is which provider you are using on the PI system. If you are using the ABAP provider then you should load the certificate into transaction STRUST. If you're using Java, load the certificate into the TrustedCAs view of the Java keystore accessible via NWA.

I hope this helps.

Regards,

Nick
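
The approach described in the answer above, as an added example that is not part of the original thread: a long-lived signing authority issues the short-lived server certificate, so only `ca.crt` has to be placed in the TrustedCAs view and a renewed server certificate is trusted without a new import. The subject names, file names and key sizes are constructed for illustration; OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added example. "Example Signing CA" and server.example.test are constructed names.
set -eu

make_ca() {            # $1 = working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Signing CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Signing authority: long expiry (10 years), explicitly marked as a CA.
    openssl req -x509 -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_server() {       # $1 = working directory, $2 = output basename
    # Fresh server key and CSR, then a 1-year certificate signed by the CA.
    openssl req -new -config "$1/ca.cnf" -subj "/CN=server.example.test" \
        -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$1/$2.crt" 2>/dev/null
}

trusted_by_ca() {      # $1 = working directory, $2 = certificate basename
    # The decision a trust store holding only ca.crt makes about the certificate.
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

work=$(mktemp -d)
make_ca "$work"
issue_server "$work" server_current     # certificate in use today
issue_server "$work" server_renewed     # replacement issued at expiry
for c in server_current server_renewed; do
    trusted_by_ca "$work" "$c" && echo "$c: trusted via ca.crt"
done
```

The import of `ca.crt` itself is still done in NWA (or STRUST for the ABAP provider) as the thread describes; the script only produces the files and checks the chain.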

Former Member
0 Kudos

Load it in the default folder in the keystore in the NWA.