Help with X.509 certificate installation

0 Kudos

Hi all..

We had exported an X.509 certificate from an https site from one of our vendors...

then we imported this file using the keytool command as shown...

keytool -import -alias [AliasgoesHere] -file /tmp/[filename].cer -keystore ticketKeyStore -storepass [mypassword]

Then in the VA we uploaded it into the TrustedCAs.

However, when we run a webservice that shall use this certificate we are receiving the error... "unknown certificate"

Anyone know if we are missing any steps???

Accepted Solutions (1)


former_member185954
Active Contributor
0 Kudos

Hello,

Is your SAP System DUAL Stack ?

Regards,

Siddhesh

0 Kudos

Honestly I don't know.

How can I verify that, and how can that affect the webservice execution?

Thanks in advance.

> Hello,
>
> Is your SAP System DUAL Stack ?
>
> Regards,
> Siddhesh

former_member185954
Active Contributor
0 Kudos

Hello,

If your system is Dual stack, you may need to do some SSL configuration on the ABAP side too.

Regards,

Siddhesh

former_member698570
Active Participant
0 Kudos

Hi again,

who is the issuer of your certificate?

Double click on the certificate and check for the Issuer DN (I'm just curious)

If you are using commons http client it means that you are natively calling the webservice.

This means that your http client has to take care of the SSL Handshake.

Since the request is not initiated by the J2EE Engine, it doesn't work if you import the certificate into trusted certificates. You can do that, but if you do, you will have to use the SAP API to fetch the certificates from the Keystore and use those for your Handshake (like you are doing with your keystore file).

BUT again: This is only necessary if you use certificates that are not signed by trusted CAs.

If you need code assistance for commons http using SSL or fetching certificates from keystore let me know

Cheers

0 Kudos

> If you need code assistance for commons http using SSL or fetching certificates from keystore let me know
>
> Cheers

Indeed...

if you can provide me any advice on the coding, it would be highly appreciated

best regards.

former_member698570
Active Participant
0 Kudos

Hi,

which Code do you need? Commons HTTP Client or Keystore access in SAP J2EE?

Cheers

0 Kudos

Keystore Access...

former_member698570
Active Participant
0 Kudos

Hi Kerubon,

you will need the following JAR-Files to resolve the imports (only at development time):

- keystore_api.jar

- tc_sec_ssf.jar

For runtime you define the following sharing references if you do not want to deploy the jars with your application (SAPJ2EE::interface:keystore_api, SAPJ2EE::library:security.class)

Here's the code:

// Imports resolved by the two JARs listed above (keystore_api.jar, tc_sec_ssf.jar)
import javax.naming.InitialContext;
import java.security.KeyStore;
import com.sap.engine.interfaces.keystore.KeystoreManager;
import com.sap.security.api.ssf.SsfProfileKeyStore;

try {
  // get profile from keystore service of J2EE engine
  InitialContext ctx = new InitialContext();
  // the JNDI name "keystore" resolves to the engine's KeystoreManager
  KeystoreManager manager = (KeystoreManager) ctx.lookup("keystore");
  // open the keystore view named DEFAULT
  KeyStore ks = manager.getKeystore("DEFAULT");
  // alias of the PRIVATE KEY entry that also carries the certificate
  String alias = "TEST-cert";
  SsfProfileKeyStore profile = new SsfProfileKeyStore(ks, alias, null);
  // Here you can fetch the certificate from the profile or do stuff with your certificate
  String subjectDN = profile.getCertificate().getSubjectDN().getName();
} catch (Exception ex) {
  ex.printStackTrace();
}

Make sure you access the DEFAULT Keystore so you won't get into trouble with permissions (I suggest you store your certificates in DEFAULT)

Note that when creating a certificate you will mostly get 2 entries (PRIVATE KEY and certificate entry). Make sure that for alias you use the name of the PRIVATE KEY entry that also contains the certificate!

Hope this helps (Please reward points if helpful)

Cheers

Answers (3)


former_member698570
Active Participant
0 Kudos

Hey,

did you succeed or do you have further questions?

0 Kudos

Hi.

Sorry for the delayed answer.

In my scenario I'm running a webservice against an https site from this government site.

We could manage the situation by creating our own keystore file and hardcoding this file location in the java code.

former_member698570
Active Participant
0 Kudos

Hi again,

so you call the remote site using https, right, and the remote site is using a certificate that is not trusted by an official CA like Thawte or Verisign?

How do you invoke the WebService? Do you have a DUAL Stack?

Cheers

0 Kudos

Hmm, I'm consuming a regular CA certificate..

Basically we imported it to a custom keystore file using the keytool.

After that we set some system properties to use it in the java code (like the file path, password, etc.).

Now, in order to invoke the webservice we use the apis from the apache commons httpclient.

Thanks for your help.

> Hi again,
>
> so you call the remote site using https right and the remote site is using a certificate that
> is not trusted by an official CA like Thawte or Verisign?
>
> How do you invoke the WebService? Do you have a DUAL Stack?
>
> Cheers

0 Kudos

50/50

We are able to execute the program successfully.

but from time to time we are receiving an error like "unknown certificate".

We are still wondering why we have this bug.... basically it runs 2 times out of 4...

Not too good for my test.

> Hey,
>
> did you succeed or do you have further questions?

former_member698570
Active Participant
0 Kudos

Hi,

from your message I guess you have a vendor who is calling a WebService on your site and the communication is secured using SSL and/or client authentication using certificates?

Does your vendor use self-signed certificates or is it a trusted certificate signed by a trusted CA such as Verisign or Thawte?

In case it is self-signed you need to import the root certificate that has been used to sign the certificate your vendor is using into Trusted CAs. You can then accept certificates that have been signed by the CA that uses the imported root certificate!

When using client certificates for authentication do not forget to define the Trusted Certification Authorities for Client Authentication. You do this in Visual Admin > SSL Provider Service.

Choose Runtime TAB and at the bottom of the page you choose the Client Authentication TAB

In the list of Trusted Certification Authorities the previously imported root CA of your vendor has to appear!

Why did you import it into a JKS Keystore first??

You can directly import certificate into Keystore.

Hope this helps...

Cheers
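Two things in this thread are worth checking in code before touching Visual Admin: whether the keystore built with keytool (the ticketKeyStore the poster pointed the javax.net.ssl system properties at) actually contains the root CA the vendor's certificate chains to, and whether JSSE would accept the vendor's chain against that store, which is the check that fails with "unknown certificate". The class below is an added example and not code from any post in the thread or from SAP; the store path, password and the optional chain file are assumed to match the keytool command at the top of the thread and are passed as arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the thread): inspect a JKS truststore created with
 * "keytool -import" and validate a server certificate chain against it the same
 * way the TLS handshake does. A chain that does not end at a root present in the
 * store is rejected here, which is what the client reports as an unknown certificate.
 */
public class TrustStoreCheck {

    /** Loads a JKS keystore such as the ticketKeyStore from the keytool command. */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Describes every alias: entry type, subject, issuer and whether it is self-signed.
     * "keytool -import" of a .cer file yields a trusted cert entry; a key entry is a
     * private key plus its chain (the alias type the accepted answer warns about).
     * A non-self-signed entry only helps if its issuing CA's root is also in the store.
     */
    static List<String> describeEntries(KeyStore ks) throws Exception {
        List<String> lines = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                lines.add(alias + " [no X.509 certificate attached]");
                continue;
            }
            X509Certificate cert = (X509Certificate) c;
            String kind = ks.isKeyEntry(alias) ? "key entry" : "trusted cert entry";
            boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
            lines.add(alias + " [" + kind + "] subject=" + cert.getSubjectX500Principal()
                    + " issuer=" + cert.getIssuerX500Principal()
                    + (selfSigned ? " (self-signed root)" : " (issued by a CA whose root must also be trusted)"));
        }
        return lines;
    }

    /** Builds the X509TrustManager that JSSE derives from this truststore. */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Returns null when the chain is trusted, otherwise the validator's reason. */
    static String verifyServerChain(KeyStore ks, X509Certificate[] chain) throws Exception {
        try {
            trustManagerFor(ks).checkServerTrusted(chain, "RSA");
            return null;
        } catch (CertificateException ce) {
            return ce.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults, taken from the keytool command at the top of the thread.
        String storePath = args.length > 0 ? args[0] : "ticketKeyStore";
        char[] storePass = (args.length > 1 ? args[1] : "mypassword").toCharArray();

        KeyStore ks = loadKeyStore(storePath, storePass);
        for (String line : describeEntries(ks)) {
            System.out.println(line);
        }

        // Optional third argument: a PEM or DER file holding the server's chain (assumed input).
        if (args.length > 2) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            List<X509Certificate> chain = new ArrayList<>();
            try (InputStream in = new FileInputStream(args[2])) {
                for (Certificate c : cf.generateCertificates(in)) {
                    chain.add((X509Certificate) c);
                }
            }
            String problem = verifyServerChain(ks, chain.toArray(new X509Certificate[0]));
            System.out.println(problem == null ? "chain is trusted by " + storePath : "NOT trusted: " + problem);
        }

        // The same store as JVM-wide default, as the poster did via system properties.
        System.setProperty("javax.net.ssl.trustStore", storePath);
        System.setProperty("javax.net.ssl.trustStorePassword", new String(storePass));
    }
}
```

Run it with the store path, password and an exported copy of the vendor's chain. If describeEntries shows only the vendor's leaf certificate with an issuer that is not itself in the store, verifyServerChain will report the missing trust anchor; importing the issuing CA's root (or the whole intermediate chain) into the same store is the fix the later answers describe, and it is independent of what is loaded into the Visual Admin TrustedCAs, which Commons HttpClient does not consult.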

Former Member
0 Kudos

Hi

As per your message, you have configured the system for X.509 certificates. But I think you have to configure the receiving end also.

There are a few scenarios, depending on whether you are using ABAP or Java. But there are a few links you can use as reference:

http://help.sap.com/saphelp_nw04s/helpdata/en/b1/07dd3aeedb7445e10000000a114084/content.htm

/people/sap.user72/blog/2004/10/25/sap-logon-ticket-based-single-sign-on ( go for ABAP or Java)

Maybe this one helps.