cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Using Third Party Certificate In Receiver Adapter

Go to solution
Former Member

on ‎10-20-2014 2:23 PM

0 Kudos

Hi,

I'm sure this is an easy question. I have had a search around and I can see lots of blogs/questions in and around this subject but I still feel I need to ask my own direct question...so apologies if this has all been dealt with before

The background is that I am successfully consuming a third party Web Service directly (i.e. not using PI) via soapUI. To get this to work I needed to install their certificate on my PC. If I go into into the 'Trusted Root Certification Authorities' tab within Internet Options/Content/Certificates on IE I can see the certificate.

Question is how do I get this certificate to be used by PI?

- Fairly sure I will need to export it to a .CER file. However which format? DER Encoded binary X.509 or Base-64 encoded X.509?

- Once I have the .CER file how do I get it installed? Is it something I can do myself or do I need to get the BASIS team involved?

- Once installed I take it I would need to enter appropriate values into Keystore Entry/Keystore View?

Cheers,

PaulC.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

xavisanse
Active Participant
‎10-22-2014 3:31 PM
0 Kudos

Hi Paul,

In 7.0 you should go to configTool. The option of NWA is for latest releases.

The path looks like:  usr\sap\XID\DVEBMGS##\j2ee\admin

Execute go.bat ... Connect...

Go to Cluster > Services > Key Storage > Trusted CAs and import your base64 X509

Show replies
Show replies
Former Member
‎10-22-2014 3:43 PM
0 Kudos

Xavier,

BASIS say that when they do that the X509 format will insist on a .crt file. At the moment IE has given me a .cer file. Therefore we can't import it.

Cheers,

PaulC.

xavisanse
Active Participant
‎10-22-2014 3:53 PM
0 Kudos

Try it anyway...

I have the option of import not based 64. And from explorer, i can export as X509 b64

Change extension and try to import as .cert

Former Member
‎10-22-2014 4:02 PM
0 Kudos

Xavier,

We will try this tomorrow morning. I will report back.

Cheers,

PaulC.

Former Member
‎11-03-2014 11:34 AM
0 Kudos

Xavier,

I exported the DER x.509 .CER file from IE. I then changed the .CER to a .CRT extension. When this was loaded into our Dev PI environment I was able to access the site using the installed certificate

Only thing I would add is, once the .crt file was installed I did not need to change the Soap Receiver adapter i.e. I didn't need to enter any 'Configure Certificate Authentication' parameters. My guess is the .crt existing within the dev environment was enough (for this type of certificate).

Cheers,

PaulC.

xavisanse
Active Participant
‎11-03-2014 1:41 PM
0 Kudos

Are you using https?

Former Member
‎11-03-2014 1:52 PM
0 Kudos

Xavier,

Yes:

Does it surprise you that I managed to get this to work without entering values in 'Configure Certificate Authentication'?

Cheers,

PaulC.

xavisanse
Active Participant
‎11-04-2014 9:35 AM
0 Kudos

yes, a surprise ...

Answers (4)

Answers (4)

Former Member
‎10-22-2014 10:44 AM
0 Kudos

Hi Paul,

Useually PI supports both formats either .DER or Base-64, you can ask your webservice guys for  the certificate (or) You can also export from your webservice URL.

Export steps from your webservice URL:

1) Copy the URL into Internet Explorer

2) after ' there you can see lock symbol' click the lock symbol

3) then click 'View Certificate'  then go to 'Deails' tab

4)In the 'Details' tab , there is a option 'CopyTofile'

5) Click 'CopyToFile' and export the certficate to your desktop either one of above format(.DER or base-64)

6) After exported to your desktop , the file of extension should be '.cer'

Go to NWA of your PI sytem


1)NWA---> configuration---> Certificate and keys----> Trusted systems ---> TrustedCAs

2)Once you clicked the 'TrustedCAs' , then create tab to import certficate from your desktop.

3) Once you created the certificate and Save it.

Go to your SOAP communication channel

1) Under target URL parameter , please click the check box for 'Configure certificate Authentication'

2) two parameters displayed

         Keystore Entry :      TRUSTED\TrustedCAs\yourCertificateName

         Keystore value : DEFAULT

And finally test your scenario. I hope you are expecting this configuration. Hope it helps


Thank you.
Sateesh

Show replies
Show replies
Former Member
‎10-22-2014 10:48 AM
0 Kudos

Hi Paul,

I storngly agree PI accpets .cer formats.

Thanks
Sateesh

Former Member
‎10-22-2014 10:58 AM
0 Kudos

Sateesh,

Thanks for that. I have passed this info the the BASIS team. Hopefully they can now import the .cer file. If not I may be back!

Cheers,

PaulC.

Former Member
‎10-22-2014 11:29 AM
0 Kudos

Sateesh,

Our BASIS team have attempted to drill down to:

NWA---> Configuration---> Certificate and keys----> Trusted systems ---> TrustedCAs


However, they only seem to have access to:


NWA -> Configuration -> Trusted Systems.

We are using 7.02 SP 16

Seems previously they have imported certs using the Visual Admin - which is the one which doesn't accept .cer extensions (only *.cert, *.key, *.p8, *.p12, *.pfx, or *.crt.)

Cheers,

PaulC.

Former Member
‎10-22-2014 11:36 AM
0 Kudos

Sorry, my mistake.

Right one Please go NWA---> Configuration---> Certificate and Keys --->TrustedCAs( 'TrustedCAs' under Key Storage Tab, they are lot please filer to find easily)


For 7.0 it is possible

Former Member
‎10-22-2014 11:46 AM
0 Kudos

Sateesh,

BASIS do not see 'Certificate and Keys'

...only

NWA -> Configuration -> Trusted Systems


Cheers,

PaulC.

Former Member
‎10-22-2014 11:50 AM
0 Kudos

Former Member
‎10-22-2014 11:53 AM
0 Kudos

Hi Paul,

I am in 7.31 version. if  you are using NWA PI 7.0 not sure where it is.

Thanks

Sateesh


Former Member
‎10-22-2014 12:03 PM
0 Kudos

Sateesh,

Seems this is a version issue:

Looks like 7.0 doesn't have the Certs/Keys options on NWA i.e. we have to use Visual Admin. However, that puts us back where we started in that it doesn't like .cer files

Cheers,

PaulC.

Former Member
‎10-20-2014 2:34 PM
0 Kudos

Hello Paul ,

Please select DER Encoded binary X.509 and then go to SAP PI NWA and import this is the trustedCA's.

You can use this in your receiver communication channel then.

Thanks

Gaurav

Show replies
Show replies
Former Member
‎10-21-2014 4:07 PM
0 Kudos

Hi,

I went into IE, exported the relevant cert to a .CER file which I passed to BASIS. However, BASIS came back to me and said that:

PI will not accept a .cer file, it can only accept *.cert, *.key, *.p8, *.p12, *.pfx, or *.crt.

How do I export from IE into one of these formats?

Cheers,

PaulC.

Harish
Active Contributor
‎10-21-2014 4:15 PM
0 Kudos

Hi,

The blog has the steps to export certificate as .pfx from IE.

regards,

Harish

Former Member
‎10-21-2014 4:23 PM
0 Kudos

Hello Paul ,

PI NWA provides the option to import .cer. See the screenshot below:

Thanks

Former Member
‎10-22-2014 9:57 AM
0 Kudos

Harish,

When attempting to export from Trusted Root Certification Authorities tab within IE , you don't get the pfx option in your blog - only .CER or .P7B.



Cheers,


PaulC.

Former Member
‎10-22-2014 9:58 AM
0 Kudos

Gaurav,

Can you please provide details on how you get to the above screenshot?

I will need to get our BASIS team to do this so I'll need to tell them exactly how to achieve this.

Cheers,

PaulC.

azharshaikh
Active Contributor
‎10-20-2014 2:33 PM
0 Kudos

Hi Paul,

Please check blogs on PI SSL and Security. You need to import the External Server certificate into TrustedCA view present in the Keystore Service of NWA. Below links will help you in creating SSL scenario.

http://scn.sap.com/people/rajendra.badi/blog/2011/08/24/configuring-wsse-digital-signing-and-encrypt...

http://scn.sap.com/people/rajendra.badi/blog/2011/11/23/pi-711-transport-level-secuirty-communicatin...

Reference:

http://scn.sap.com/thread/3387180

Regards,

Azhar

Show replies
Show replies
Harish
Active Contributor
‎10-20-2014 2:30 PM
0 Kudos

Hi Paul,

Refer the below blog (it has all the steps which you required).

regards,

Harish

Show replies
Show replies
Ask a Question