on 02-21-2014 10:24 PM
Dear Experts,
After reading many blogs on SCN and SAP help content, I still have a few doubts which I want to clarify with you guys.
Our Basis team has installed a brand new PI 7.4 (dual stack) server. We need to communicate with the bank using HTTPS (SSL); the bank has provided signed (VeriSign) test certificates (DigitalSignature.jks and SSL.jks) to install on our QA PI server. We need to use this certificate for transport level security as well as for message level security (for the digital signature from mapping). All our scenarios are Proxy to HTTP_AEE synchronous.
The bank has not asked us for any CSR generated from the QA PI server before sending this certificate to us; they said we can use this certificate for the DEV and QA environments. This project is a re-implementation project from SAP BC to SAP PI, so they also said we can use the same certificate (installed on BC prod) for the PI prod server.
Questions
I have gone through the below mentioned blogs and many more, so please just try to help me to get my answers.
Please help me as much as you can, as my Basis guy does not have any prior experience in installing certificates in PI. I have attached the certificates received from the bank.
Thanks,
Farhan
Hi Farhan,
I am no expert in Certs but have worked with a few and these are my findings.
Please see the answers below to your questions.
1. The answer is yes. We have done this. We integrated with a 3rd party system and they only had Development and Production systems. So for testing we implemented the same cert on our Dev and QA PI systems.
2. No, it is not. Not 100% sure why, but some 3rd parties give us a cert and if we install it the interface works fine without a CSR (I might be wrong).
3. We normally use an X.509 Certificate.
4. Will have to test it. But one should work.
5. NWA -> Certificates -> Key Storage -> TrustedCA
6. Only on Java because it is only the java stack making the connection. If you go through the ABAP stack you would have needed to load the cert in STRUST.
Hope this helps.
Regards,
Jannus Botha
Hi Jannus Botha,
Thanks a ton for answering my question. Highly appreciated my friend, I am sorry for being late here.
Could you please help me to install these certificates in the keystore. I have received two .jks files (DigitalSignature.jks and SSL.jks) from the bank, but I am not able to install them; whenever I try, it is not throwing any error, but it is not installing either. Below are the steps in the keystore I have tried.
NWA -> Certificates -> Key Storage -> TrustedCA->Import Entry->Entry Type->X.509 Certificate->select the .jks file->import
After that it is not throwing any error, but it is not installing either under "View Entries".
Could you please help me to install it. Do you think I need to convert it to some other format?
Please help me here guys, as my deadline is very close.
Hi Roberto Viana, I followed your blog to install .jks files but am still unable to achieve it, please help me.
Thanks,
Farhan
Hi Farhan,
Yes. No problem.
Ok, so there are no errors but it is not displaying the cert in the TrustedCA tab?
This could be because it is already installed. Can you please rename the file (cert) and import it again.
Can you please also confirm that the cert is 100% correct, that it has the entire certificate chain?
Try and send a message and see what error you get.
If the cert has not been installed it should give an error - ChainVerify etc.
Please check and let me know.
Regards,
Jannus Botha
Hello Jannus Botha,
Thanks again.
NWA -> Certificates -> Key Storage -> TrustedCA->Import Entry->Entry Type->X.509 Certificate->select the .jks file->import
Highly appreciated your help
Thanks,
Farhan
Hi Farhan,
Ok. There is always a possibility that the cert they provided is incorrect. But will confirm that now.
Try all these and let me know. Then we will take it from there.
Regards,
Jannus Botha
Hi Jannus Botha,
Thanks a lot for the nice description. In my case the certificate is encrypted and I am hardly able to read a few words and characters from them.
I tried to rename it with the ".cer" extension, but the content is still encrypted. I am attaching the screenshot from both the certificate files.
I believe I will have to decrypt it first to some readable format; only then can I verify whether this format is correct or not. Please suggest, if you feel there is any better option.
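A .jks file is a Java keystore container rather than a bare certificate, which is why renaming it to .cer leaves it unreadable. As an added example that is not from this thread or from SAP, the Python below walks a JKS without its password, lists each entry, and pulls out the certificates as plain DER (in a JKS only the private keys are encrypted); it also verifies the password-keyed integrity trailer the way keytool does. The sample keystore it builds is constructed here with stand-in blobs and a hypothetical password, not the bank's files.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED  # every JKS file starts with these four bytes

def _utf(buf, pos):  # Java string: 2-byte big-endian length + UTF-8 bytes
    n = struct.unpack(">H", buf[pos:pos + 2])[0]
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n
def _blob(buf, pos):  # byte array: 4-byte big-endian length + bytes
    n = struct.unpack(">I", buf[pos:pos + 4])[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def list_jks_entries(data):
    """Walk a version-2 JKS without its password -> [(alias, kind, [der_cert, ...])]."""
    magic, version, count = struct.unpack(">IIi", data[:12])
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version-2 JKS keystore")
    pos, entries = 12, []
    for _ in range(count):
        tag = struct.unpack(">i", data[pos:pos + 4])[0]
        alias, pos = _utf(data, pos + 4)
        pos += 8  # creation timestamp (ms since epoch), not needed here
        if tag == 1:  # PrivateKeyEntry: encrypted key blob, then its cert chain
            _encrypted_key, pos = _blob(data, pos)
            chain, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        elif tag == 2:  # trustedCertEntry: exactly one certificate
            chain = 1
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
        certs = []
        for _ in range(chain):
            _ctype, pos = _utf(data, pos)  # certificate type, normally "X.509"
            der, pos = _blob(data, pos)    # plain DER, importable once saved as .cer
            certs.append(der)
        entries.append((alias, "PrivateKeyEntry" if tag == 1 else "trustedCertEntry", certs))
    return entries

def jks_integrity_ok(data, password):  # password-keyed SHA-1 trailer keytool checks on open
    h = hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + data[:-20])
    return h.digest() == data[-20:]

def build_sample_jks(password="changeit"):
    # Constructed sample, not a real bank file: one trusted cert plus one private-key
    # entry with a two-cert chain; the "DER" blobs are stand-ins, not real certificates.
    utf = lambda s: struct.pack(">H", len(s)) + s.encode()
    blob = lambda b: struct.pack(">I", len(b)) + b
    cert = lambda n: utf("X.509") + blob(b"\x30\x03\x02\x01" + bytes([n]))
    body = struct.pack(">IIi", JKS_MAGIC, 2, 2)
    body += struct.pack(">i", 2) + utf("bank-ssl") + bytes(8) + cert(1)
    body += struct.pack(">i", 1) + utf("digsig") + bytes(8) + blob(bytes(16))
    body += struct.pack(">i", 2) + cert(2) + cert(3)
    return body + hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()
```

Run `list_jks_entries(open("SSL.jks", "rb").read())` on a real file to see the aliases and chain lengths; a wrong password only fails `jks_integrity_ok`, the certificates are still readable.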
Hi Farhan,
You are using an HTTP_AAE as your target communication channel, correct? Do you have the URL you are sending the messages to?
Can you please enter that URL in Internet Explorer and click on the broken certificate icon on the right of the URL. This will give you the cert that you can download and save in Internet Explorer. Once you save it in Internet Explorer you can export it as a cert and use it in PI.
If that fails, please ask the guys to send you a new certificate which is not encrypted.
Regards,
Jannus Botha
Dear Jannus Botha,
Sorry for being late here again. Yes, I am using HTTP_AAE as my target communication channel, and your approach worked for getting the certificate that way as well.
However, I communicated with the bank again to get the certificates in the form of ".crt" and they have given them now.
I have just one last question and I will close this thread, as you have answered almost all my questions.
The bank said, "both the files (DigitalSignature.crt and SSL.crt) are private keys, one is for SSL and one for digital signature. The public keys are kept on our (bank) side; the corresponding public key for SSL.crt is installed on our web server for SSL authentication and the corresponding public key for DigitalSignature.crt is kept on our app server for digital signature authentication."
Question
Thanks a ton for your all help my friend.
Regards,
Farhan
Hi Farhan,
That is excellent news. I would suggest that you load both certs into TrustedCAs and the key storage.
Not 100% sure how the bank configured the certs to respond, but loading both should do the trick.
Just a reminder to do a monthly check on when your certs expire in the production environment, so that if you need to renew your certs you are not too late.
It is no problem.
Good luck and let me know if you need any additional help.
Regards,
Jannus Botha
Hello Experts,
Any help pointers on the above questions please.
Thanks,
Farhan