SSL certificates not visible while RFC destination creation

Former Member
0 Kudos

Hi all,

I am setting up an RFC destination to connect to an external server, which uses SSL certificates for its authorization.

So I have imported the client certificates into STRUST.

While setting up an RFC connection of type G, in the security tab, when we select the SSL security certificate radio button, will we be able to see the certificates (in the combo box) that we have imported in STRUST?

Currently, though I have imported the client certificates into STRUST, I am not able to see them in the SSL security certificates combo box.

Kindly help me out.

Cheers,

Siva Maranani.

Accepted Solutions (0)

Answers (1)

WolfgangJanzen
Product and Topic Expert
0 Kudos

Well, first of all we should avoid confusion by using the term "<i>ABAP destination</i>" rather than "<i>RFC destination</i>" (although ABAP transaction SM59 still has this old title).

When referring to an "ABAP destination of type G" we are talking of an outbound http connection to a non-ABAP server (e.g. an SAP J2EE server or any other http server).

I'm not sure whether you are aware that in this context "<i>SSL client certificate</i>" refers to the ABAP <u>system</u> (which is the SSL client in this scenario). This is different from scenarios where "X.509 client certificate" refers to a certificate which is assigned to an individual <u>user</u> (using a web browser). <b>In the given scenarios, where two systems are the communication peers, SSL cannot be used for user authentication.</b> That fact is often misunderstood.

By default you'll find 3 different SSL certificates (actually: PSEs) in an ABAP system (which can be used only after enabling SSL, of course - see note 510007 for instructions):

- SSL Server

- SSL Client (anonymous)

- SSL Client (Default)

Well, the "<i>SSL Client (anonymous)</i>" is actually not really a "client certificate" but is used for outgoing http requests where you do not intend to send your own SSL client certificate. Since you cannot use the server's SSL client certificates for user authentication, it might make sense to use "<i>SSL Client (anonymous)</i>" in most cases.

Please notice: you have to add the server's SSL certificate (respectively the root CA certificate and potentially intermediate CA certificates) to the certificate list of the "<i>SSL Client (anonymous)</i>" PSE (using STRUST). By default, that list is empty - consequently no SSL server certificate is trusted (in contrast to a web browser which is already shipped with a long list of "trusted CAs").

Only when the (remote) server demands SSL client certificates it might make sense to use either "<i>SSL Client (Default)</i>" or to define a new SSL client certificate (for the ABAP system that submits the https request).

Please notice:

SSL client certificates need to be issued by a Certification Authority (CA) in order to be accepted by the SSL server.

In addition to importing the SSL server's certificate to the certificate list of the SSL client PSE (see above: <i>anonymous SSL client</i>) you also need to export the root CA certificate (and potentially all intermediate CA certificates) of the SSL client certificate and import it to the (remote) SSL server's keystore (kindly refer to the manuals of that server for instructions).

Kind regards, Wolfgang

PS: I assume that you have imported some certificates to the certificate list of a SSL client PSE. In SM59 only those SSL client PSEs are listed: "<i>SSL Client (anonymous)</i>", "<i>SSL Client (Default)</i>" and all SSL client PSEs that you might have defined in addition (using transaction STRUST => <i>Environment</i> => <i>SSL Client Identities</i>).

Former Member
0 Kudos

Hi Wolfgang,

Thanks for your description. I have got a couple more queries.

In my current scenario, I am trying to connect to an external server, through an HTTPS call, which authenticates the sending system with the SSL certificate (this is a certificate issued by the external server, basically a Certification Authority, CA).

I am getting an <b>ICM_HTTP_SSL_ERROR</b> error when I do my "ABAP DESTINATION" test connection.

I will tell you what exactly I have done. Kindly let me know what I am missing or what else needs to be done.

1. Followed note 510007 to set up the cryptographic libraries and other profile params.

2. In STRUST, SSL Client identities, I have created an entry for the server I am going to interact with.

3. In STRUST, I have created a new entry and added the certificate that has been given to me by the CA authority.

4. In the RFC destination, I am now able to select the SSL certificate of the entry that I had made.

Now when i test the connection, the connection fails.

Kindly help me. As the deadline is fast approaching, it would be great if you could the reply to my . (siva_maranani@satyam.com as well. Kindly request your help in this regard.

Cheers,

Siva Maranani

WolfgangJanzen
Product and Topic Expert
0 Kudos

Hi Siva,

well, frankly speaking, it does not surprise me at all that you are facing that problem (ICM_HTTP_SSL_ERROR error).

As described in my previous posting, it is <u>essential</u> to establish a <b>mutual trust</b> and therefore enable both sides to validate the peer's certificate. In order to do so you have to <b>exchange the root CA certificates</b> (and potentially intermediate CA certificates) <b>mutually</b>.

You have described that you have added the SSL server's certificate to the certificate list of the SSL client PSE (you have created a new one, you could also have used the "<i>SSL Client (Default)</i>" PSE - the required configuration steps would be exactly the same). Well, that's only one part (the basic part, also required for "<i>SSL Client (anonymous)</i>" as explained in my previous posting).

In <u>addition</u> you have to export the root CA certificate (and potentially all intermediate CA certificates) of the SSL client certificate (that you have created in step 2) and import it to the (remote) SSL server's keystore (kindly refer to the manuals of that server for instructions).

I'm actually not sure whether you've managed to convert the <i>self-signed</i> SSL client certificate (created in step 2) into a certificate that has been issued by your CA (as intended in step 3). Please verify the success of that action using transaction STRUST (=> issuer should be your CA). (You have not described that you have created a "<i>Certificate Request</i>", sent it to your CA, had it processed there and applied the "<i>Certificate Response</i>" back in STRUST).

<b><u>Important:</u></b> whenever you have changed any SSL-related PSE in an ABAP system (using transaction STRUST) you have to restart the ICMan afterwards (since ICMan uses buffered PSE files and will not be notified by STRUST about the changes that took place). Use transaction SMICM to do so (once per application server).

The error ICM_HTTP_SSL_ERROR displayed in SM59 should be analysed in detail evaluating the <b>ICMan trace file</b> (<i>dev_icm</i>) using transaction SMICM (or ST11). Most likely you'll find something like "<i>the verification of the server's certificate chain failed</i>".

Cheers, Wolfgang
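
The mutual-trust requirement described in the two answers above, reproduced offline with `openssl` as an added example (not part of the original posts and not SAP tooling). The CA and host names are constructed, and a plain PEM file stands in for a PSE certificate list or the remote server's keystore:

```shell
#!/usr/bin/env bash
# Added example: constructed CAs and certificates, created in a temp dir.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT

# make_ca NAME: self-signed root certificate (issuer == subject)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}
# issue CA NAME: certificate request for NAME, answered by CA
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$W/$2.key" -out "$W/$2.csr" 2>/dev/null
  openssl x509 -req -in "$W/$2.csr" -CA "$W/$1.pem" -CAkey "$W/$1.key" \
    -CAcreateserial -days 2 -out "$W/$2.pem" 2>/dev/null
}
# trusts LIST CERT: would a peer whose trust list is LIST accept CERT?
trusts() {
  if openssl verify -CAfile "$W/$1" "$W/$2.pem" >/dev/null 2>&1
  then echo yes; else echo no; fi
}
# self_signed CERT: issuer equals subject, i.e. no CA response was applied
self_signed() {
  s=$(openssl x509 -in "$W/$1.pem" -noout -subject | sed 's/^subject=//')
  i=$(openssl x509 -in "$W/$1.pem" -noout -issuer  | sed 's/^issuer=//')
  if [ "$s" = "$i" ]; then echo yes; else echo no; fi
}

make_ca ServerRootCA;  issue ServerRootCA remote-server  # remote https server
make_ca ClientRootCA;  issue ClientRootCA abap-client    # CA-issued client cert
make_ca abap-selfsigned        # client cert before a certificate response
: > "$W/empty.list"            # certificate list as shipped: empty

echo "client, empty list, accepts server:      $(trusts empty.list remote-server)"
echo "client, server root added:               $(trusts ServerRootCA.pem remote-server)"
echo "server, own root only, accepts client:   $(trusts ServerRootCA.pem abap-client)"
echo "server, client root imported:            $(trusts ClientRootCA.pem abap-client)"
echo "server, client root, self-signed client: $(trusts ClientRootCA.pem abap-selfsigned)"
echo "abap-client still self-signed:           $(self_signed abap-client)"
echo "abap-selfsigned still self-signed:       $(self_signed abap-selfsigned)"
```

Each direction of the handshake is validated against its own trust list, so the handshake only succeeds once both "yes" rows hold.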

Former Member
0 Kudos

Wolfgang,

Thanks for your input. I am basically new to the SSL topic and I understood half of your description, but I would like to know more about non-ABAP connections.

Basically we are trying to connect to an XI server (i.e. non-ABAP), so I think we need to implement an ABAP destination of type G.

Can you please tell me, step by step, how to perform this task? We do not have SSL Client (anonymous).

Thanks in advance

Regards

Srinivas.

Former Member
0 Kudos

Hi,

We have installed XI (ABAP+JAVA) on SAP Web AS. We enabled SSL on the SAP J2EE engine. We generated the CSR request and sent it to the CA to be signed. After that, we imported the corresponding request to XI for the SAP J2EE engine.

Now we want to configure SAP Web AS for supporting SSL. Do I need another certificate signed by the CA?

The SAP J2EE engine is deployed on the same SAP Web AS where I'm trying to configure SSL now.

I checked the SAP help files. Configuring SSL on the J2EE Engine and configuring SSL on SAP Web AS have different steps.

Do I need another certificate signed by the CA? Or can I use the same certificate (that is used for the J2EE Engine) for SAP Web AS?

Thanks once again.

Regards

Amar

Former Member
0 Kudos

Did you manage to resolve this?