cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SOAP with Client Authentication

itabhishek9
Participant

on ‎10-04-2016 11:42 AM

0 Kudos

Hi SDNites,

I am trying to implement SOAP sender communication channel with Client authentication. Can you please help me with below queries from certificates perspective,

1. Have generated a certificate and installed in NWA and have kept the private key in a specific folder. Is that correct?

2. Do we need to share any public key with 3rd party.

3. Do we need to get any public key from 3rd party and install it in PI NWA.

4. Can we test this connectivity via SOAP UI. I tried to simulate the same but not sure which key I need to update in SOAP UI while sending request from SOAP UI to SAP PI and it should be in which format.

Regards,

Abhi

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Harish
Active Contributor
‎10-05-2016 12:27 AM
0 Kudos

Hi Abhishek,

Please follow the steps given in the below blog

1. Have generated a certificate and installed in NWA and have kept the private key in a specific folder. Is that correct?

-->> Logon/authentication certificate needs to be associate with a user id in identity management. refer the step 1 of  blog.

2. Do we need to share any public key with 3rd party.

-->> HTTPS certificate is req from caller/sender.

3. Do we need to get any public key from 3rd party and install it in PI NWA.

-->> HTTPS certificate needs to install/upload in NWA.

4. Can we test this connectivity via SOAP UI. I tried to simulate the same but not sure which key I need to update in SOAP UI while sending request from SOAP UI to SAP PI and it should be in which format.

-->> Yes you can test the connectivity with SOAPUI. please follow the below blog

more reference -

regards,

Harish

Show replies
Show replies
itabhishek9
Participant
‎10-05-2016 12:49 AM
0 Kudos

Thanks Harish for your inputs. From the above if you can please add few more words to the detail, it will be of great help.

1. Do we need to share the public key with 3rd party - We have a certificate signed by CA and a private key. Should we share the certificate with 3rd party. Please confirm.

Also we have uploaded the same certificate in NWA. Please confirm if that is correct.

I have followed step 1 as you have mentioned. Do I need to link the same certificate with the user id. Please confirm.

Is this user id in some way being used by 3rd party?

2. Do we need to get a public key from 3rd party - Should we ask our partner to provide us public key and then we upload the same in NWA in addition to the certificate which we have already uploaded which was generated by us.

3. When testing via SOAP UI, which certificate / key to be uploaded in key store - Generated by us or generated by 3rd party.

Regards,

Abhi

Harish
Active Contributor
‎10-05-2016 1:14 AM
0 Kudos

Hi Abhi,

1. Do we need to share the public key with 3rd party - We have a certificate signed by CA and a private key. Should we share the certificate with 3rd party. Please confirm.

-->> you need to share the authentication certificate (public key) which is associated with user id and HTTPS certificate with 3rd party.

Also we have uploaded the same certificate in NWA. Please confirm if that is correct.

-->> you need to associate the certificate with user id.

I have followed step 1 as you have mentioned. Do I need to link the same certificate with the user id. Please confirm.

-->> Yes you need to.

Is this user id in some way being used by 3rd party?

-->> No this user is not used by 3rd party but system authenticate the certificate associated with user.

2. Do we need to get a public key from 3rd party - Should we ask our partner to provide us public key and then we upload the same in NWA in addition to the certificate which we have already uploaded which was generated by us.

-->> You need to ask for HTTPS key and upload the same in NWA Trusted CA.

3. When testing via SOAP UI, which certificate / key to be uploaded in key store - Generated by us or generated by 3rd party.

-->> you can use public key generated and associated to user for authentication and for HTTPS you need to generate a key pair (because 3rd party will not provide there private key).

regards,

Harish

itabhishek9
Participant
‎10-05-2016 1:30 AM
0 Kudos

Thanks Harish for detailed response.

Few queries from above response.

1. -->> No this user is not used by 3rd party but system authenticate the certificate associated with user. - While generating the certificate, is there any user that we have to use and the same user has to be used in identity management? Also When call is made to SAP PI via SOAP UI, I have to provide user name and password. Is this the user name the same as identity management.

2. You need to ask for HTTPS key and upload the same in NWA Trusted CA. - This will be only required when we wanted to authenticate that the request is coming from a valid client. If we do not want to do this, it becomes optional?

3. In SOAP UI - The certificate which we have generated has to be uploaded in SAOP UI in .pfx format (We need to convert the certificate in this format). Please confirm. Also if we wanted to authenticate client the we need to upload private key of 3rd party (In this case we will generate a new dummy one for testing - What format should it be) in SOAP UI. Please confirm.

Regards,

Abhishek

Harish
Active Contributor
‎10-05-2016 3:25 AM
0 Kudos

Hi Abhi,

1. -->> No this user is not used by 3rd party but system authenticate the certificate associated with user. - While generating the certificate, is there any user that we have to use and the same user has to be used in identity management? Also When call is made to SAP PI via SOAP UI, I have to provide user name and password. Is this the user name the same as identity management.

-->> AFAIK - you can generate the certificate and associate with the user later via identity management. while calling from SOAP UI, no need to enter the user name and password, you only need to associate the certificate which is linked to one user id.

2. You need to ask for HTTPS key and upload the same in NWA Trusted CA. - This will be only required when we wanted to authenticate that the request is coming from a valid client. If we do not want to do this, it becomes optional?

-->> SAP PI/PO soap adapter only provide HTTPS with client authentication, there is no option with HTTP.

3. In SOAP UI - The certificate which we have generated has to be uploaded in SAOP UI in .pfx format (We need to convert the certificate in this format). Please confirm. Also if we wanted to authenticate client the we need to upload private key of 3rd party (In this case we will generate a new dummy one for testing - What format should it be) in SOAP UI. Please confirm.

-->> Please refer the blog for SOAPUI configuration. if third party provides a key pair then you need to use the private key in SOAPUI for HTTPS.

regards,

Harish

itabhishek9
Participant
‎10-05-2016 3:09 PM
0 Kudos

Thanks for all the helpful responses.

I am getting below error when trying to test via SOAP UI,

Couldn't retrieve inbound binding for the given P/S/A values : FP='TP=;FS=null;TS=;AN=null;ANS=null;

Regards,

Abhi

iaki_vila
Active Contributor
‎10-05-2016 3:19 PM
0 Kudos

Hi Abhishek,

That error is typical when the party (optional) or sender business component or sender namespace or sender interface don't fit with you ICO or sender agreement configuration.

Regards.

itabhishek9
Participant
‎10-05-2016 3:31 PM
0 Kudos

Hi Inaki,

What I have done in URL which has resolved the issue,

1. Removed all the & with &

2. Removed %3F with /

3.Removed %3A with :

Note : I have changed the url manually to https and port to the one applicable for https.

Now I am getting the error as "Client certificate required". Please let me know your thoughts on how to eliminate this error

Note : I have uploaded a certificate signed by CA in NWA and the same certificate is converted to .PFX format and updated in keystore of SOAP UI.

Regards,

Abhishek

iaki_vila
Active Contributor
‎10-05-2016 3:38 PM
0 Kudos

Hi Abhishek,

What is your PI version?, i remember that in lower versions it was necessary to restart the java instance.

Regards.

itabhishek9
Participant
‎10-05-2016 3:47 PM
0 Kudos

Hi Inaki,

I am working on PI 7.31 EHP 9.

Regards,

Abhi

Ask a Question