on 07-01-2014 1:53 PM
Hi Team
We have a scenario where the sender is a 3P system and they will be sending the message using a web service. They will send the data over SSL (HTTPS) using certificates.
In the sender SOAP adapter, I have two options
1. HTTPS with client Authorization
2. HTTPS without client Authorization
I think I need to use the first option. But I have a doubt regarding certificates
1. Who is going to provide the certificate? Is it the PI team or the third-party team?
2. Once we have the certificate, where do we need to store it in NWA? Is it in the TrustedCA keystore view or the service_ssl keystore view?
Hi Indrajit,
The third-party team has to provide their public-key certificate, which has to be maintained in <Client_ICM_SSL_InstanceID..>. If you have CA root and intermediate certificates, import them in TrustedCAs.
Please check below link:
Regards,
Krupa
Hi Indrajit,
Krupa already shared a valuable resource on how to set up on Double Stack PI, so I'll focus on what's left to deal with / open questions.
Indrajit Sarkar wrote:
In the sender SOAP adapter, I have two options
1. HTTPS with client Authorization
2. HTTPS without client Authorization
I think I need to use the first option. But I have a doubt regarding certificates
1. HTTPS with client authorization means that the 3rd party would not give username / password to authenticate to your PI but present a certificate you are trusting. You can think of this as an admission ticket to communicate with your PI server.
2. HTTPS without client authorization means they will authenticate with username and password.
In both cases the caller (3rd party) would need to trust your PI server. Most commonly this trust is established not by trusting your PI server's explicit certificate but by trusting the CA that issued your PI server's certificate. This CA can very well be a company-internal CA. That way, if you happen to need to change the hostname of the server some time in the future, the trust situation is still valid.
In case of 1. (HTTPS with client authorization) your PI server in turn would also need to trust the 3rd party caller. This is often done in such a way that the internal CA on your side issues a client certificate with the CN of the caller. The caller presents this certificate to your server upon making a call (see here for a picture https://help.sap.com/saphelp_nw74/helpdata/en/43/dc1fa58048070ee10000000a422035/content.htm). You will also need to back up this process on your PI server by mapping the certificate to a specific user.
--> Option 2 is the more polished one with ability to withdraw a certificate and the like. However, it does result in some overhead setting it up, so I personally would go with Option 1 if there's no business need / security policy enforcing so.
HTH
Cheers Jens
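The trust model described in the reply above (an internal CA issues a client certificate carrying the caller's CN, and the server maps that certificate to a user), as an added example that is not part of the original thread and is not SAP tooling. It assumes the `openssl` command-line tool is installed; the names `DemoInternalCA`, `partner-3p`, `unknown-caller` and `PI_PARTNER_USER` are constructed, and the `case` table stands in for the certificate-to-user mapping on the PI server.

```shell
#!/usr/bin/env bash
# Constructed demo: chain verification plus CN-to-user mapping for client
# certificate authentication. All names and files here are made up.
set -eu
WORK=$(mktemp -d)

# Internal CA: its certificate is what the server side would trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=DemoInternalCA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Client certificate for a caller, signed by the internal CA. $1 = caller CN.
issue_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.pem" 2>/dev/null
}

# Self-signed certificate with a chosen CN, NOT issued by the internal CA.
self_signed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.selfsigned.key" -out "$WORK/$1.selfsigned.pem" 2>/dev/null
}

# Server-side decision for a presented certificate ($1 = path):
# the chain must verify against the trusted CA first, and only then
# is the subject CN looked up in the user mapping.
map_cert_to_user() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1 || { echo "REJECT"; return 0; }
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
  case "$cn" in
    partner-3p) echo "PI_PARTNER_USER" ;;  # hypothetical mapped user
    *)          echo "REJECT" ;;           # trusted chain, but no mapping
  esac
}

make_ca
issue_client_cert partner-3p       # issued by the CA and mapped
issue_client_cert unknown-caller   # issued by the CA but not mapped
self_signed_cert partner-3p        # same CN, but not issued by the CA
for c in partner-3p unknown-caller partner-3p.selfsigned; do
  echo "$c -> $(map_cert_to_user "$WORK/$c.pem")"
done
```

The third case is the one to note: a certificate that merely carries the expected CN is rejected because its chain does not lead to the trusted CA.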
Share your public key with your partner and ask them to use HTTPS in the end URL.
Use the HTTP transport protocol.
Hi Indrajit,
1. Who is going to provide the certificate? Is it the PI team or the third-party team?
--> Certificates need to be exchanged between both systems. PI provides its public key to the sender and the sender provides their public key to PI.
2. Once we have the certificate, where do we need to store it in NWA? Is it in the TrustedCA keystore view or the service_ssl keystore view?
Please check the below blog for certificate upload in NWA.
regards,
Harish