09-04-2013 8:50 PM
Hello -
I am trying to connect to an external REST API from SAP over HTTPS. In SAP I have created a connection in SM59 with the host/prefix & port. The vendor has indicated that they do not issue out SSL certificates, and that we must use basic authentication (username/password) to authenticate.
In SM59 when I set SSL to inactive and test the connection, I get a 400 Bad Request - The plain HTTP request was sent to HTTPS port message. When I set to SSL active I get an ICM_HTTP_SSL_ERROR which I assume indicates that there is an issue with the SSL certificate, yet we do not need an SSL certificate to connect. Thus I am not sure what to do in order to make SAP connect?
Has anyone faced this issue that can offer any advice? Below is the error from the ICM monitor.
[Thr 16924] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 16924] session uses PSE file "K:\usr\sap\DEV\DVEBMGS00\sec\SAPSSLA.pse"
[Thr 16924] SecudeSSL_SessionStart: SSL_connect() failed
[Thr 16924] secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 16924] >> Begin of Secude-SSL Errorstack >>
[Thr 16924] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed #
[Thr 16924] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "EMAIL=info@valicert.com, CN=http://w
[Thr 16924] ERROR in get_path: (27/0x001b) Found root certificate of <EMAIL=info@valicert.com, CN=http://www.valicert.com/, OU=ValiC
[Thr 16924] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <EMAIL=info@valicert.com, CN=http://www.valicert.com/, O
[Thr 16924] << End of Secude-SSL Errorstack
[Thr 16924] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 16924] SSL NI-sock: local=10.10.7.78:62645 peer=131.103.27.179:443
[Thr 16924] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000000C170B10)==SSSLERR_SSL_CONNECT
[Thr 16924] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {005a66f8} [icxxconn.c 1957]
09-04-2013 9:09 PM
HTTPS (which is basically HTTP over SSL) requires a certificate, always. Your vendor might not issue client certificates but they have a server certificate. You have to import the complete server certificate including any intermediate certificates and root certificate, uless already known by AS ABAP, in STRUST.
09-04-2013 9:09 PM
HTTPS (which is basically HTTP over SSL) requires a certificate, always. Your vendor might not issue client certificates but they have a server certificate. You have to import the complete server certificate including any intermediate certificates and root certificate, uless already known by AS ABAP, in STRUST.
09-04-2013 9:21 PM
Thanks for the quick reply Samuli. But if they do not issue the certificate, then how do I obtain one? Would this be a self-signed certificate? If so how can I create one for STRUST? Apologies my knowledge in this area is not too great.
09-04-2013 9:30 PM
You get the server certificate by connecting to the provided URL with your favorite browser. You can then save a local copy of the certificate. It depends on your vendor what kind of certificate they are using. You need to import the certificate(s) in STRUST so that AS ABAP trusts the certificate chain when you connect to your vendor. Most browsers these days have many root and even some intermediate certificates as where the certificates known to AS ABAP are very limited. In STRUST you can import the certicate(s) in the SSL client PSE (anonymous or standard) which you can then use in SM59 to verify the connectivity.
09-04-2013 10:09 PM
09-28-2016 12:16 PM
Hi,
same with me,
downloading the certificate and implementing it in STRUST transaction permit to use it in SM59.
remains using it in ABAP with method cl_http_client=>create_by_destination which doesn't seem to work so far.