on 02-27-2015 5:25 PM
Dear all,
I have to consume an external Web Service with HTTPS and Basic Authentication from an ABAP program. Consumer Proxy and Logical Port are ready. Everything works fine - but every time when testing or using the Consumer Proxy, a dialog for username and password pops up. When I enter the same access data there that is already saved in the Logical Port in SOAMANAGER, then the call is successful.
Consequently, background processing fails with "Authentication required".
I found out that the DFAULT Keystore is used in the calls. However, I need to use the ANONYM Keystore, as we do not use client certificates.
How can I configure usage of the ANONYM key store / client identity for this Consumer Proxy and Logical Port?
Thank you for every hint,
Ringo
Hello Ringo,
Could you perhaps explain a bit diagrammatically what you are trying to do? Which component in your communication diagram is SAP and which one is non-SAP (assuming that one is not SAP)?
Regards,
Siddhesh
Hi Siddhesh,
thanks for your query. That's what it looks like:
The webservice call always produces a popup for username and password, even though that data is already saved in the Logical Port, but somehow it is not used by the Webservice Runtime. That's why I cannot run the function module in background successfully, and that's a problem.
Best regards,
Ringo
Hello Ringo,
Start SOAMANAGER -> Application and Scenarios Communication -> Single Service Administration -> Consumer Proxies -> select the relevant Consumer Proxy -> click on Configuration -> select the logical port and click Edit -> Security tab -> Authentication -> change the Client PSE from DFAULT to ANONYM.
Hope that is what you are looking for.
Regards,
Siddhesh
Hello Siddhesh,
Thank you for the hint, it looks promising. However, the navigation structure in my SOAMANAGER is different, so that I cannot follow your path. This is the main page:
When I choose "Web Service Configuration", then I get to this page:
From there, I can choose the "edit" action, which leads me to:
Here I have no chance to change the "PSE of Key". The tab "Transport Settings" looks like this:
So far I couldn't find the spot where I could see the Client PSE - do you have an idea?
I cannot rule out completely that my authorization is limited. As far as I know my user has the roles SAP_BC_WEBSERVICE_ADMIN_TEC as well as _BIZ.
Thank you and best regards,
Ringo
P.S.: Strangely enough, today I do not get the pop-up window anymore, and other users don't get it as well - without having changed anything in the Web Service Configuration. That's in the testing system - but what will happen in production?
Hi Ringo,
The following steps might help, please try this.
1. In the service definition, while creating the binding: Provider Security -> Transport Channel Authentication -> select X.509 SSL Client Certificate.
2. I doubt it will allow you to change the existing Logical port to the Consumer proxy. But it allows you to create a new logical port. While creating the new Logical port in the Consumer Security tab, it will ask for SSL Client PSE of transaction STRUST, here you can select ANONYM.
Please let me know if it works.
Thanks
Naveen
Hi Naveen,
Thank you for your answer, it is a good hint. I do not use a Service Definition in SOAMANAGER so far. I created the Service Consumer in SE80 based on the WSDL file that I received from the Webservice Developers. For creating the Logical Port I used the same WSDL, this time with URL-based access.
The Authentication Method must be "HTTP Basic", so that I can enter username and password. Based on your hint I am going to try two things:
- Work with a Service Definition
- Alter the WSDL to reflect that HTTPS with server certificate is required.
I still appreciate hints whether I am on the right track or whether I got something wrong!
Thanks and regards,
Ringo
Ok, SAP Note 1720478 clearly states that it is not foreseen to manually change the PSE in SOAMANAGER. The correct PSE is derived based on the authentication method. If a WSDL-based configuration is used, the selected PSE will be influenced by WS-Policy settings for authentication settings, if such are contained in the WSDL file. The only known case where this is really required is for authentication with client certificates.
This means to me that a failed basic authentication can not be caused by configuring the wrong PSE. The mistake will rather be in username, password or in proxy settings.
Correct note number is 1710478: http://service.sap.com/sap/support/notes/1710478
Let me put it in another way to hopefully make my question clearer:
When I create an RFC destination of Type G in SM59, then I can set the Certificate List used to check the external server's SSL certificate to ANONYM:
How can I achieve the same setting for a Logical Port in SOAMANAGER?
Thank you in advance,
Ringo
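
A way to separate the two suspects discussed in this thread (the PSE used for the TLS handshake versus the Basic Authentication credentials) is to repeat the call outside the Consumer Proxy with the plain ABAP HTTP client. This is an added example, not code from any poster or from SAP; the report name, URL, user and password are placeholders, and the program assumes the endpoint answers a simple GET.

```abap
REPORT z_ws_basic_auth_check.
" Added example: report name, URL and credentials below are placeholders.
CONSTANTS gc_url TYPE string VALUE 'https://ws.example.invalid/service'.

DATA: lo_client TYPE REF TO if_http_client,
      lv_code   TYPE i,
      lv_reason TYPE string,
      lv_msg    TYPE string.

" ssl_id names the STRUST PSE used for the handshake:
" 'ANONYM' = SSL client (Anonymous), 'DFAULT' = SSL client (Standard).
cl_http_client=>create_by_url(
  EXPORTING
    url    = gc_url
    ssl_id = 'ANONYM'
  IMPORTING
    client = lo_client
  EXCEPTIONS
    OTHERS = 1 ).
IF sy-subrc <> 0.
  WRITE / 'Could not create HTTP client'.
  RETURN.
ENDIF.

" Do not open a logon dialog on HTTP 401; report the status instead,
" so dialog and background runs behave the same way.
lo_client->propertytype_logon_popup = if_http_client=>co_disabled.
" Placeholder credentials; use the values stored in the Logical Port.
lo_client->authenticate( username = 'WS_USER' password = 'placeholder' ).
lo_client->request->set_method( if_http_request=>co_request_method_get ).

lo_client->send( EXCEPTIONS OTHERS = 1 ).
IF sy-subrc = 0.
  lo_client->receive( EXCEPTIONS OTHERS = 1 ).
ENDIF.

IF sy-subrc <> 0.
  " Failure before any HTTP status: connection, proxy or TLS trust problem.
  lo_client->get_last_error( IMPORTING message = lv_msg ).
  WRITE: / 'Transport/TLS error:', lv_msg.
ELSE.
  " 401 here means the server rejected the credentials, not the PSE.
  lo_client->response->get_status( IMPORTING code = lv_code reason = lv_reason ).
  WRITE: / 'HTTP status:', lv_code, lv_reason.
ENDIF.
lo_client->close( ).
```

A transport or TLS error points at the certificate list in the chosen PSE or at proxy settings; an HTTP 401 with a completed handshake points at the username or password.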