on 02-11-2008 4:38 PM
Hello together,
I need to configure an HTTPS Sender Connection with client and server authentication. I have already checked the documentation; however, I am still not sure about the particular steps. My questions are as follows:
- Do I configure the HTTPS connection on the ABAP or JAVA stack?
- Is it necessary to set up an HTTP sender communication channel?
- What does the URL look like (compared to an HTTP connection)?
I have provided XI certificates to the client and the client has provided the certificates to me already. So I guess I have to import them somehow on XI.
Any help is appreciated!
Thank you very much.
Hello,
the import of certificates is described here (3.d.):
http://help.sap.com/saphelp_nw04/helpdata/en/65/6a563cef658a06e10000000a11405a/content.htm
Regards
Patrick
Hi
Please follow the steps below for HTTPS configuration as sender.
You need to use either SOAP adapter or XI Adapter for HTTPS connectivity.
Here configure the Security Check for Inbound Messages.
Refer to the links below:
http://help.sap.com/saphelp_nw04/helpdata/en/fc/5ad93f130f9215e10000000a155106/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/4f/0a1640a991c742e10000000a1550b0/frameset.htm
SAP Security Guide XI, HTTP and SSL
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/97/818a4286031253e10000000a155106/frameset.htm
No configuration is required in the adapter-specific sender channel configuration (inbound) of the Integration Directory.
The authentication/authorization is performed by the J2EE Engine and therefore needs to be configured with the Visual Administrator. This configuration is described in the J2EE Engine Administration Manual and is outlined in the following section.
When a message is to be sent to the Adapter Engine (and ultimately to the Integration Server), the J2EE Engine serves as the SSL Server and presents its server certificate to the client as part of the SSL handshake procedure.
Client-Side Configuration (Required)
The public certificate of the trusted authority (CA) that signed the public certificate of the SSL server needs to be imported to the list of trusted certificates of the SSL client. This allows the SSL client to accept the certificate of the server in the SSL handshake.
Server-Side Configuration (Optional)
If basic authentication is used, no additional configuration is required on server side.
If client certificate authentication is requested or required by selection of the corresponding option in the SSL service and configuration of the ClientCertLoginModule in the SecurityProvider service (using the J2EE Administration Tool), additional configuration steps are required.
If the server certificate check on the client side is successful, the client sends its public certificate to the server as part of the SSL handshake (when requested). The server needs to map the certificate to a user for authentication and will then check the authorization based on the security roles of the user.
Perform the following steps to allow the J2EE engine to map the client certificate to a user:
1. Import the CA cert of the client certificate to the list of trusted certificates (TrustedCAs keystore view in the keystore service) and import the client cert to an arbitrary keystore view.
2. Map the client certificate to an existing user with role SAP_XI_APPL_SERV_USER by using the Visual Administrator, SecurityProvider service, UserManagement tab page.
Refer to the links below.
Here you go:
http://help.sap.com/saphelp_nw04/helpdata/en/65/6a563cef658a06e10000000a11405a/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm
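The server-side check described in the answer above (request or require a client certificate, then map it to a user and check that user's role), sketched with Python's `ssl` module as an added example; it is not SAP code and not part of the original post. The user name, the certificate data and keying the mapping on issuer DN plus serial number are assumptions made for illustration.

```python
import ssl

REQUIRED_ROLE = "SAP_XI_APPL_SERV_USER"  # role named in the answer above

# Constructed sample data: (issuer DN, serial) of a client cert -> user, user -> roles.
CERT_TO_USER = {("CN=Partner CA,O=Example Partner,C=DE", "0A1B2C"): "XI_PARTNER_USER"}
USER_ROLES = {"XI_PARTNER_USER": {"SAP_XI_APPL_SERV_USER"}}

def server_context(mode, cert=None, key=None, trusted_cas=None):
    """TLS server context with client certificates off, requested or required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = {"none": ssl.CERT_NONE,
                       "request": ssl.CERT_OPTIONAL,
                       "require": ssl.CERT_REQUIRED}[mode]
    if cert:
        ctx.load_cert_chain(cert, key)          # server certificate shown to the client
    if trusted_cas:
        ctx.load_verify_locations(trusted_cas)  # CAs allowed to sign client certificates
    return ctx

def dn(name):
    """Flatten the nested tuples from SSLSocket.getpeercert() into 'CN=..,O=..,C=..'."""
    short = {"commonName": "CN", "organizationName": "O", "countryName": "C"}
    pairs = [(short.get(k, k), v) for rdn in name for k, v in rdn]
    return ",".join(f"{k}={v}" for k, v in reversed(pairs))

def authenticate(peer_cert, cert_to_user=CERT_TO_USER, user_roles=USER_ROLES):
    """Return the mapped user, or None if no certificate was sent (the caller
    then falls back to basic authentication). Raises PermissionError otherwise."""
    if not peer_cert:
        return None
    key = (dn(peer_cert["issuer"]), peer_cert["serialNumber"].upper())
    user = cert_to_user.get(key)
    if user is None:
        raise PermissionError("certificate is trusted but not mapped to a user")
    if REQUIRED_ROLE not in user_roles.get(user, set()):
        raise PermissionError(f"user {user} lacks role {REQUIRED_ROLE}")
    return user

# Constructed example of what getpeercert() returns after a successful handshake.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "DE"),), (("organizationName", "Example Partner"),),
                (("commonName", "partner-client"),)),
    "issuer": ((("countryName", "DE"),), (("organizationName", "Example Partner"),),
               (("commonName", "Partner CA"),)),
    "serialNumber": "0A1B2C",
}
```

With `"request"` a client that sends no certificate still completes the handshake and `authenticate` returns `None`; with `"require"` the handshake itself fails before any mapping is attempted.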
Hi,
thank you very much for this helpful answer!
Just two more questions:
1. You say that SOAP or XI Adapter are possible for HTTPS requests. Is it really the XI Adapter and NOT the HTTP Adapter? In the HTTP Adapter you can also configure security.
2. What should the URL look like if the HTTP Sender Communication Channel is configured for Security Level "HTTPS with client authentication"? The same URL string as used for an HTTP connection, only with a different port?
Thank you very much for your additional explanation!
Hello,
you can use the HTTP Adapter!
You choose 'Sender' and 'HTTP Security Level' -> HTTPS with Client Authentication.
Your URL is just the address of your adapter (it's the same as without SSL); you don't even need a special port in this case. Something like '/sap/xi/adapter_plain...'.
Regards
Patrick
Hello,
in my opinion you send to your HTTP adapter, not even with https.
But you can test it with the code here:
Regards
Patrick
I think you definitely need to send it via the URL "https ......"; otherwise I get the error message "https required" if the communication is set to "HTTPS".
We tested it with the testing tool you sent me the link to. However, if we use https nothing happens and there is no message in the monitoring. I do not know why...
Hello,
I still think you have to use http, but I am sure that you have to use the http port.
Your address has to look something like this:
http://<hostname>:8024/sap/xi/adapter_plain?namespace=.
And you need all parameters like described here:
http://help.sap.com/saphelp_nw04/helpdata/en/43/64db4daf9f30b4e10000000a11466f/frameset.htm
Another possibility to test your connection is to use an RFC destination (type G).
Regards
Patrick