
How to enforce ANONYM SSL Keystore when consuming external Web Service

Former Member
0 Kudos

Dear all,

I have to consume an external Web Service with HTTPS and Basic Authentication from an ABAP program. Consumer Proxy and Logical Port are ready. Everything works fine - but every time I test or use the Consumer Proxy, a dialog for username and password pops up. When I enter the same access data there that is already saved in the Logical Port in SOAMANAGER, then the call is successful.

Consequently, background processing fails with "Authentication required".

I found out that the DFAULT Keystore is used in the calls. However, I need to use the ANONYM Keystore, as we do not use client certificates.

How can I configure usage of the ANONYM key store / client identity for this Consumer Proxy and Logical Port?

Thank you for every hint,

Ringo

Accepted Solutions (0)

Answers (2)

former_member185954
Active Contributor
0 Kudos

Hello Ringo,

Could you perhaps explain a bit diagrammatically what you are trying to do? Which component in your communication diagram is SAP and which one is non-SAP (assuming that one is not SAP)?

Regards,

Siddhesh

Former Member
0 Kudos

Hi Siddhesh,

Thanks for your query. That's what it looks like:

The webservice call always produces a popup for username and password, even though that data is already saved in the Logical Port, but somehow it is not used by the Webservice Runtime. That's why I cannot run the function module in background successfully, and that's a problem.

Best regards,

Ringo

former_member185954
Active Contributor
0 Kudos

Hello Ringo,

Start SOAMANAGER -> Application and Scenarios Communication -> Single Service Administration -> Consumer Proxies -> Select the relevant Consumer Proxy -> Click on Configuration -> Select the logical port and click Edit -> Security Tab -> Authentication -> Change the Client PSE from DFAULT to ANONYM

Hope that is what you are looking for.

Regards,

Siddhesh

Former Member
0 Kudos

Hello Siddhesh,

Thank you for the hint, it looks promising. However, the navigation structure in my SOAMANAGER is different, so that I can not follow your path. This is the main page:

When I choose "Web Service Configuration", then I get to this page:

From there, I can choose the "edit" action, which leads me to:

Here I have no chance to change the "PSE of Key". The tab "Transport Settings" looks like this:

So far I couldn't find the spot where I could see the Client PSE - do you have an idea?
I cannot rule out completely that my authorization is limited. As far as I know my user has the roles SAP_BC_WEBSERVICE_ADMIN_TEC as well as _BIZ.

Thank you and best regards,

Ringo

P.S.: Strangely enough, today I do not get the pop-up window anymore, and other users don't get it either - without having changed anything in the Web Service Configuration. That's in the testing system - but what will happen in production?

former_member185954
Active Contributor
0 Kudos

Understood. What version is your SAP system, SAP NetWeaver 7.40?

Typically in SAP:

Authentication Section covers - initial password check/logon mechanism etc.

Transport Security covers - encryption/transfer of data once successful logon is completed

Regards,

Siddhesh

Former Member
0 Kudos

Exactly, it is 7.40 SP 6.

The application help just says something like "make the desired settings" and does not go into details as far as I would need it.

I will be happy with further suggestions and I will keep on reading and trying.

Thank you and best regards,

Ringo

naveen_kumar82
Explorer
0 Kudos

Hi Ringo,

The following steps might help, please try this.

1. In the service definition, while creating the binding Provider Security->Transport Channel Authentication->Select X.509 SSL Client Certificate

2. I doubt it will allow you to change the existing Logical port to the Consumer proxy. But it allows you to create a new logical port. While creating the new Logical port in the Consumer Security tab, it will ask for SSL Client PSE of transaction STRUST, here you can select ANONYM.

Please let me know if it works.

Thanks

Naveen

former_member185954
Active Contributor
0 Kudos

Great, that should work, don't have 7.40 so can't check

Former Member
0 Kudos

Hi Naveen,

Thank you for your answer, it is a good hint. I do not use a Service Definition in SOAMANAGER so far. I created the Service Consumer in SE80 based on the WSDL file that I received from the Webservice Developers. For creating the Logical Port I used the same WSDL, this time with URL-based access.

The Authentication Method must be "HTTP Basic", so that I can enter username and password. Based on your hint I am going to try two things:

- Work with a Service Definition

- Alter the WSDL to reflect that HTTPS with server certificate is required.

I still appreciate hints whether I am on the right track or whether I got something wrong!

Thanks and regards,

Ringo

Former Member
0 Kudos

Ok, SAP Note 1720478 clearly states that it is not foreseen to manually change the PSE in SOAMANAGER. The correct PSE is derived based on the authentication method. If a WSDL-based configuration is used, the selected PSE will be influenced by WS-Policy settings for authentication settings, if such are contained in the WSDL file. The only known case where this is really required is for authentication with client certificates.

This means to me that a failed basic authentication can not be caused by configuring the wrong PSE. The mistake will rather be in username, password or in proxy settings.

former_member760
Explorer
0 Kudos

Correct note number is 1710478: http://service.sap.com/sap/support/notes/1710478

Former Member
0 Kudos

There must have been some issue with the logical port I created. After I recreated it I never had problems again in the Test System. By now the solution works in production without any authentication issues.

Former Member
0 Kudos

Let me put it in another way to hopefully make my question clearer:

When I create an RFC destination of Type G in SM59, then I can set the Certificate List used to check the external server's SSL certificate to ANONYM:

How can I achieve the same setting for a Logical Port in SOAMANAGER?

Thank you in advance,

Ringo