on 10-20-2014 2:23 PM
Hi,
I'm sure this is an easy question. I have had a search around and I can see lots of blogs/questions in and around this subject but I still feel I need to ask my own direct question...so apologies if this has all been dealt with before
The background is that I am successfully consuming a third party Web Service directly (i.e. not using PI) via soapUI. To get this to work I needed to install their certificate on my PC. If I go into into the 'Trusted Root Certification Authorities' tab within Internet Options/Content/Certificates on IE I can see the certificate.
Question is how do I get this certificate to be used by PI?
- Fairly sure I will need to export it to a .CER file. However which format? DER Encoded binary X.509 or Base-64 encoded X.509?
- Once I have the .CER file how do I get it installed? Is it something I can do myself or do I need to get the BASIS team involved?
- Once installed I take it I would need to enter appropriate values into Keystore Entry/Keystore View?
Cheers,
PaulC.
Hi Paul,
In 7.0 you should go to configTool. The option of NWA is for latest releases.
The path looks like: usr\sap\XID\DVEBMGS##\j2ee\admin
Execute go.bat ... Connect...
Go to Cluster > Services > Key Storage > Trusted CAs and import your base64 X509
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Xavier,
I exported the DER x.509 .CER file from IE. I then changed the .CER to a .CRT extension. When this was loaded into our Dev PI environment I was able to access the site using the installed certificate
Only thing I would add is, once the .crt file was installed I did not need to change the Soap Receiver adapter i.e. I didn't need to enter any 'Configure Certificate Authentication' parameters. My guess is the .crt existing within the dev environment was enough (for this type of certificate).
Cheers,
PaulC.
Hi Paul,
Useually PI supports both formats either .DER or Base-64, you can ask your webservice guys for the certificate (or) You can also export from your webservice URL.
Export steps from your webservice URL:
1) Copy the URL into Internet Explorer
2) after ' there you can see lock symbol' click the lock symbol
3) then click 'View Certificate' then go to 'Deails' tab
4)In the 'Details' tab , there is a option 'CopyTofile'
5) Click 'CopyToFile' and export the certficate to your desktop either one of above format(.DER or base-64)
6) After exported to your desktop , the file of extension should be '.cer'
Go to NWA of your PI sytem
1)NWA---> configuration---> Certificate and keys----> Trusted systems ---> TrustedCAs
2)Once you clicked the 'TrustedCAs' , then create tab to import certficate from your desktop.
3) Once you created the certificate and Save it.
Go to your SOAP communication channel
1) Under target URL parameter , please click the check box for 'Configure certificate Authentication'
2) two parameters displayed
Keystore Entry : TRUSTED\TrustedCAs\yourCertificateName
Keystore value : DEFAULT
And finally test your scenario. I hope you are expecting this configuration. Hope it helps
Thank you.
Sateesh
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Sateesh,
Our BASIS team have attempted to drill down to:
NWA---> Configuration---> Certificate and keys----> Trusted systems ---> TrustedCAs
However, they only seem to have access to:
NWA -> Configuration -> Trusted Systems.
We are using 7.02 SP 16
Seems previously they have imported certs using the Visual Admin - which is the one which doesn't accept .cer extensions (only *.cert, *.key, *.p8, *.p12, *.pfx, or *.crt.)
Cheers,
PaulC.
Hello Paul ,
Please select DER Encoded binary X.509 and then go to SAP PI NWA and import this is the trustedCA's.
You can use this in your receiver communication channel then.
Thanks
Gaurav
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Paul,
Please check blogs on PI SSL and Security. You need to import the External Server certificate into TrustedCA view present in the Keystore Service of NWA. Below links will help you in creating SSL scenario.
Reference:
http://scn.sap.com/thread/3387180
Regards,
Azhar
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
87 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.