Enable communication HTTPS in SOAP Receiver Adapter

Former Member
0 Kudos

Hi gurus,

I have configured the soap receiver adapter with the URL:

"https://www.xxxx.com/yyyyyyyyyy.asmx" without the user authentication.

I have executed the web service from SOAP-UI and it works well. But if I run the web service from SAP XI, it does not work. Transaction SXMB_MONI shows the following error:

<SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
<SAP:Category>XIAdapterFramework</SAP:Category>
<SAP:Code area="MESSAGE">GENERAL</SAP:Code>
<SAP:P1 />
<SAP:P2 />
<SAP:P3 />
<SAP:P4 />
<SAP:AdditionalText>com.sap.aii.af.ra.ms.api.DeliveryException: Connection closed by remote host.</SAP:AdditionalText>
<SAP:ApplicationFaultMessage namespace="" />
<SAP:Stack />
<SAP:Retry>M</SAP:Retry>
</SAP:Error>

What is happening?

Thanks,

Jose.

Accepted Solutions (0)

Answers (7)

Former Member
0 Kudos

Thanks Christophe,

The solution was to install the Java Cryptographic Toolkit and the CA root certs in the TrustedCAs key storage.

Greetings.

Former Member
0 Kudos

Christophe,

For a client-server connection over HTTPS (in our case in the SOAP Adapter), is certificate authentication by both client and server always necessary?

Thanks,

Jose.

Former Member
0 Kudos

Jose,

Client certificate is the "top" authentication mechanism during the SSL handshake, like this:

- XI authenticates the SSL certificate (server) issued by the target server against a (trusted) list of known certification authorities, then the target will ask XI to present its own certificate (client) and it will make sure this client certificate can be trusted (verifying it has been certified by a known authority). Handshake is "done".

But you can also have:

- "anonymous" mode (XI will make sure the SSL cert provided by the target has been issued, and so can be trusted, by a (well-)known certification authority), that's it. The target does not expect any other security feature.

- user/pwd over an SSL connection (like above, but you'll also have to provide a user and pwd for authentication at target level)

Hope this helps

Chris

Former Member
0 Kudos

Christophe,

SOAP-UI is a standard tool used to test requests to web services. In other words, you can execute web service operations.

Does a certificate known by the server mean that XI must have a client certificate for its communication? Why is there no need for this on other platforms?

Thanks,

Jose.

Former Member
0 Kudos

Jose,

XI comes only with a limited number of known root CAs (like SAPTrust, some VeriSign's) but you'll have to extend this list by importing unknown certificates into XI's corresponding key store.

From a user perspective, you almost never do this in your browser because it comes with a preloaded list or uses OS certificate storage (mainly in Windows).

Rgds

Chris

Former Member
0 Kudos

Hi Christophe,

We have installed a CA in TrustedCAs in the XI J2EE engine. We downloaded this CA with the browser when we accessed the WSDL definition of the web service.

But that does not work. Do you know of any tutorial explaining how to do it step by step?

Why is it not necessary to use an authentication certificate from SOAP-UI?

Thanks,

Jose.

Former Member
0 Kudos

Jose,

If I remember right, you may need to restart the J2EE engine in order for the SSL service to take the new CAs into account (if it is a core service, a full restart is needed).

What do you call "SOAP-UI"? If this is something reached using your own browser through SSL, the target URL may already be "certified" by a well-known CA root preloaded in browsers (like IE or FF). You can check HTTPS details (cert chain) using the suitable option in the browser (like double-clicking on the "lock" at the bottom left of the FF window).

Chris

Former Member
0 Kudos

Hi Henrique,

We are on version SAP XI 3.0 SP20. This link describes deploying the SAP Java Cryptographic Toolkit, something we have already done.

Should we do something more to enable SSL communication in the SOAP Adapter?

Thanks,

Jose.

Former Member
0 Kudos

In order to have SSL enabled for a receiver channel, you need to make sure the target server's CA root chain has been loaded into the KeyStorage TrustedCAs store. I.e., if the receiver's CA is VeriSign Class 3 CA, you need to import this certificate into the XI "TrustedCAs" KeyStore.

If the target server is requesting your own client certificate, you will have to provide your own CA root chain for it to authenticate yours.

Hope this helps

Chris
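
The trust-store point made in this thread (XI ships with a limited root list, so the receiver call fails until the target's root CA is imported into TrustedCAs), reproduced offline with openssl as an added example that is not part of the original posts or of SAP's tooling. A PEM file stands in for the TrustedCAs view, and every certificate, key and name is constructed.

```shell
#!/bin/sh
# Added demo. Every certificate, key and name here is constructed.
# trusted.pem stands in for XI's TrustedCAs view, preloaded.pem for a root
# the product ships with, target.pem for the root behind the endpoint.
demo_dir=$(mktemp -d)

make_root() {  # $1 = file prefix, $2 = subject CN of a self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$demo_dir/min.cnf" \
    -subj "/CN=$2" -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.pem" 2>/dev/null
}

setup_demo() {
  cat > "$demo_dir/min.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  make_root preloaded "Constructed Preloaded Root" || return 1
  make_root target "Constructed Target Root" || return 1
  # Server certificate for the endpoint, signed by the target root only.
  openssl req -new -newkey rsa:2048 -nodes -config "$demo_dir/min.cnf" \
    -subj "/CN=www.example.test" -keyout "$demo_dir/server.key" \
    -out "$demo_dir/server.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$demo_dir/server.csr" -CA "$demo_dir/target.pem" \
    -CAkey "$demo_dir/target.key" -CAcreateserial -days 2 \
    -out "$demo_dir/server.pem" 2>/dev/null || return 1
  cp "$demo_dir/preloaded.pem" "$demo_dir/trusted.pem"  # store as shipped
}

check_chain() {  # prints whether server.pem chains to a root in trusted.pem
  if openssl verify -CAfile "$demo_dir/trusted.pem" "$demo_dir/server.pem" \
      2>/dev/null | grep -q ': OK'; then echo trusted; else echo untrusted; fi
}

import_target_root() { cat "$demo_dir/target.pem" >> "$demo_dir/trusted.pem"; }

run_demo() {
  setup_demo || return 1
  before=$(check_chain); import_target_root; after=$(check_chain)
  echo "before_import=$before after_import=$after"
}

run_demo
```

The server certificate never changes between the two checks; only the verifier's list of trusted roots does, which is why the same endpoint can work from one client and fail from another.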

Former Member
0 Kudos

Thanks Christophe,

How is SSL enabled at the J2EE Engine level?

But the web service test tool, SOAP-UI, operated without CAs or certificates.

Regards,

Jose.

henrique_pinto
Active Contributor
0 Kudos

Which version of XI do you have?

If it's PI 7.0, it's already enabled.

If it's XI 3.0, follow this: http://help.sap.com/saphelp_nw04/helpdata/en/8d/cb71b8046e6e469bf3dd283104e65b/frameset.htm

Other than that, it should go just like Christophe said.

Regards,

Henrique.

Former Member
0 Kudos

Jose,

Is everything set up at the J2EE level to enable SSL? You must then add the target's CA root certs in the TrustedCAs key storage in order to allow the target's cert chain certification ...

If the target expects client authentication, you must also send your public client cert (and its root CA chain) for them to recognize your server and allow the SSL handshake to take place successfully.

Chris