cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Importing SSL Certificate into STRUST

Former Member

on ‎02-20-2008 2:52 PM

0 Kudos

I have SAP configured to allow outbound HTTPS calls to FEDEX and UPS. To do this I had to import FEDEX and UPS's SSL certificate into transaction STRUST. I'm not sure why I needed to do that for an outbound call. Everythings works fine until one of those certificates expire or FEDEX or UPS update their certificate. Is there any way to allow SAP to send outbound HTTPS requests without importing the certificate of FEDEX and UPS.

NOTE: The SAP server is an ERP 4.7(6.20) box.

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
‎02-20-2008 4:42 PM
0 Kudos

Hi,

In fact, you don't need to import the FEDEX or UPS certificate in STRUST but you do need to import the certification authorities certificates of FEDEX or UPS in STRUST.

There is no other way because it would not be secure. You would not be sure to actually connect to FEDEX or UPS.

With SAP abap as a http client you cannot get the equivalent of Internet explorer warning that the web site is insecure but that you can confirm and connect to the site.

Regards,

Olivier

Show replies
Show replies
Former Member
‎03-15-2008 10:29 PM
0 Kudos

Well, my only other alternative is to have SAP call a web service on the local LAN (.NET on IIS) that I can control and then have the .NET web service call out to FedEx and UPS. I'm not sure if that is the best way to do it performance wise but it will get me around the certificate problem. Does anyone have any suggestions?

Thank you

Former Member
‎03-17-2008 10:19 AM
0 Kudos

Hi,

The problem will be exactly the same from .NET IIS.

The problem is http authentication over the internet : changing the client technology will not change the request...

Regards,

Olivier

Former Member
‎03-17-2008 2:36 PM
0 Kudos

I was able to make the call from .NET with no problem. I didn't have to do anything with the SSL certificate. I'd rather have this logic in SAP but I guess .NET is the way to go.

Former Member
‎12-16-2008 7:24 AM
0 Kudos

Does anyone have anymore information on this issue? In .NET I don't have to do anything with the SSL certificates. I just make the call to the web service and it works fine. In SAP, I have to import the SSL Cert into STRUST and then bounce the system. The problem is that I don't know when the SSL certs are going to expire and if they do expire the application breaks. On top of that, the system will need to be bounced to fix the problem. Anyone have an alternative solution?

achim_hauck2
Active Contributor
‎12-16-2008 8:11 AM
0 Kudos

Tony,

there's no other solution (because it's not secure!). You can see when the certificates expire whet you install them/look at them in STRUST, so you can re-install new ones (but this has to be done once per year maximum). and ok, the restart of the system is not so nice, but I guess you have to do it several times in a year so can can plan installing new certificates.

if the .NET solution doesn't check the certificates but just accepts the https-connection, the communication partner could be anyone but the desired FEDEX or UPS (not probably, but theoretically) - it's not secure.

kr, achim

Former Member
‎12-16-2008 12:07 PM
0 Kudos

Hi,

When installing a certificate in STRUST, it is not necessary to restart the whole system.

Restarting the ICM is enough and takes much less time.

Regards,

Olivier

Ask a Question