on 06-28-2008 9:07 PM
Hi all..
We had exported an X.509 certificate from an https site from one of our vendors...
then we imported this file using the keytool command as shown...
keytool -import -alias [AliasgoesHere] -file /tmp/[filename].cer -keystore ticketKeyStore -storepass [mypassword]
Then in the VA we uploaded it into the TrustedCAs.
However, when we run a webservice that shall use this certificate we are receiving the error... "unknown certificate"
Anyone know if we are missing any steps???
Hello,
Is your SAP system dual stack?
Regards,
Siddhesh
Hi again,
who is the issuer of your certificate?
Double click on the certificate and check for the Issuer DN (I'm just curious)
If you are using commons http client it means that you are natively calling the webservice.
This means that your http client has to take care of the SSL handshake.
Since the request is not initiated by the J2EE Engine, it doesn't work if you import the certificate into trusted certificates. You can do that, but if you do, you will have to use the SAP API to fetch the certificates from the Keystore and use those for your handshake (like you are doing with your keystore file).
BUT again: This is only necessary if you use certificates that are not signed by trusted CAs.
If you need code assistance for commons http using SSL or fetching certificates from keystore let me know
Cheers
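One way to check, outside the J2EE engine, whether the keystore file built with keytool actually trusts the vendor's exported certificate, which is the decision a natively run HTTP client makes during the handshake. This is an added example, not code from the thread; the class name TrustStoreCheck, the argument order and the use of Java 7+ syntax are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Usage (assumed): java TrustStoreCheck <keystore.jks> <storepass> <exported.cer>
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Load the JKS file that "keytool -import" wrote.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // Only trustedCertEntry aliases act as trust anchors.
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + " trustedCertEntry=" + ks.isCertificateEntry(alias));
        }
        // Trust managers backed by this keystore only, not the JRE default store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        // Parse the exported server certificate (or chain, leaf first).
        Collection<? extends Certificate> certs;
        try (FileInputStream in = new FileInputStream(args[2])) {
            certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
        X509Certificate[] chain = certs.toArray(new X509Certificate[0]);
        if (chain.length == 0) throw new IllegalArgumentException("no certificate in " + args[2]);
        // authType drives the key-usage check; chosen here from the leaf's key type (assumption).
        String authType = "EC".equals(chain[0].getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "ECDHE_RSA";
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                ((X509TrustManager) tm).checkServerTrusted(chain, authType);
                System.out.println("chain is trusted by this keystore");
            } catch (CertificateException e) {
                System.out.println("NOT trusted: " + e.getMessage());
            }
        }
        // The HTTPS client must take its socket factory from a context built this way.
        SSLContext sslCtx = SSLContext.getInstance("TLS");
        sslCtx.init(null, tmf.getTrustManagers(), null);
    }
}
```

If the check fails for a certificate exported from the vendor's site, the keystore is missing the issuing CA (or the certificate itself) as a trustedCertEntry, or the client is not loading this keystore at all.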
Hi Kerubon,
you will need the following JAR-Files to resolve the imports (only at development time):
- keystore_api.jar
- tc_sec_ssf.jar
For runtime you define the following sharing references if you do not want to deploy the jars with your application (SAPJ2EE::interface:keystore_api, SAPJ2EE::library:security.class)
Here's the code:
// JDK imports; KeystoreManager and SsfProfileKeyStore come from the SAP JARs listed above
import java.security.KeyStore;
import javax.naming.InitialContext;

try {
    // get the keystore manager from the keystore service of the J2EE engine
    InitialContext ctx = new InitialContext();
    Object o = ctx.lookup("keystore");
    KeystoreManager manager = (KeystoreManager) o;
    // open the DEFAULT keystore view and build a profile for the given alias
    KeyStore ks = manager.getKeystore("DEFAULT");
    String alias = "TEST-cert";
    SsfProfileKeyStore profile = new SsfProfileKeyStore(ks, alias, null);
    // Here you can fetch the certificate from the profile or do stuff with your certificate
    String subjectDN = profile.getCertificate().getSubjectDN().getName();
} catch (Exception ex) {
    ex.printStackTrace();
}
Make sure you access the DEFAULT Keystore so you won't get into trouble with permissions (I suggest you store your certificates in DEFAULT)
Note that when creating a certificate you will mostly get 2 entries (PRIVATE KEY and certificate entry). Make sure that for alias you use the name of the PRIVATE KEY entry that also contains the certificate!
Hope this helps (Please reward points if helpful)
Cheers
Hey,
did you succeed or do you have further questions?
Hmm, I'm consuming a regular CA certificate..
Basically we imported it to a custom keystore file using the keytool.
After that we set some system properties to use it in the Java code (like the file path, password etc).
Now, in order to invoke the webservice we use the APIs from the Apache Commons HttpClient.
Thanks for your help.
>
> Hi again,
>
> so you call the remote site using https right and the remote site is using a certificate that
> is not trusted by an official CA like Thawte or Verisign?
>
> How do you invoke the WebService? Do you have a DUAL Stack?
>
> Cheers
Hi,
as of your message I guess you have a vendor who is calling a WebService on your site and the communication is secured using SSL and/or client authentication using certificates?
Does your vendor use self-signed certificates or is it a trusted certificate signed by any trusted CA such as Verisign or Thawte?
In case it is self-signed you need to import the root certificate that has been used to sign the certificate your vendor is using into Trusted CAs. You can then accept certificates that have been signed by the CA that uses the imported root certificate!
When using client certificates for authentication do not forget to define the Trusted Certification Authorities for Client Authentication. You do this in Visual Admin > SSL Provider Service.
Choose Runtime TAB and at the bottom of the page you choose the Client Authentication TAB
In the list of Trusted Certification Authorities the previously imported root CA of your vendor has to appear!
Why did you import it into a JKS Keystore first??
You can directly import certificate into Keystore.
Hope this helps...
Cheers
Hi
As per your message, you have configured the system for X.509 certificates. But I think you have to configure the receiving end also.
There are a few scenarios, whether you are using ABAP or Java. But there are a few links you can use as reference:
http://help.sap.com/saphelp_nw04s/helpdata/en/b1/07dd3aeedb7445e10000000a114084/content.htm
/people/sap.user72/blog/2004/10/25/sap-logon-ticket-based-single-sign-on ( go for ABAP or Java)
Maybe this one helps.