Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Problem creating SM59 connection to HTTPS

Former Member
0 Kudos

Hello -

I am trying to connect to an external REST API from SAP over HTTPS. In SAP I have created a connection in SM59 with the host/prefix & port. The vendor has indicated that they do not issue out SSL certificates, and that we must use basic authentication (username/password) to authenticate.

In SM59 when I set SSL to inactive and test the connection, I get a 400 Bad Request - The plain HTTP request was sent to HTTPS port message. When I set to SSL active I get an ICM_HTTP_SSL_ERROR which I assume indicates that there is an issue with the SSL certificate, yet we do not need an SSL certificate to connect. Thus I am not sure what to do in order to make SAP connect?

Has anyone faced this issue that can offer any advice? Below is the error from the ICM monitor.

[Thr 16924] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 16924] session uses PSE file "K:\usr\sap\DEV\DVEBMGS00\sec\SAPSSLA.pse"

[Thr 16924] SecudeSSL_SessionStart: SSL_connect() failed

[Thr 16924]   secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 16924] >> Begin of Secude-SSL Errorstack >>

[Thr 16924] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed #

[Thr 16924] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "EMAIL=info@valicert.com, CN=http://w

[Thr 16924] ERROR in get_path: (27/0x001b) Found root certificate of <EMAIL=info@valicert.com, CN=http://www.valicert.com/, OU=ValiC

[Thr 16924] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <EMAIL=info@valicert.com, CN=http://www.valicert.com/, O

[Thr 16924] << End of Secude-SSL Errorstack

[Thr 16924] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 16924]   SSL NI-sock: local=10.10.7.78:62645  peer=131.103.27.179:443

[Thr 16924] <<- ERROR: SapSSLSessionStart(sssl_hdl=000000000C170B10)==SSSLERR_SSL_CONNECT

[Thr 16924] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {005a66f8} [icxxconn.c 1957]

1 ACCEPTED SOLUTION

Former Member
0 Kudos

HTTPS (which is basically HTTP over SSL) requires a certificate, always. Your vendor might not issue client certificates but they have a server certificate. You have to import the complete server certificate including any intermediate certificates and root certificate, uless already known by AS ABAP, in STRUST.

5 REPLIES 5

Former Member
0 Kudos

HTTPS (which is basically HTTP over SSL) requires a certificate, always. Your vendor might not issue client certificates but they have a server certificate. You have to import the complete server certificate including any intermediate certificates and root certificate, uless already known by AS ABAP, in STRUST.

0 Kudos

Thanks for the quick reply Samuli. But if they do not issue the certificate, then how do I obtain one? Would this be a self-signed certificate? If so how can I create one for STRUST?  Apologies my knowledge in this area is not too great.

0 Kudos

You get the server certificate by connecting to the provided URL with your favorite browser. You can then save a local copy of the certificate. It depends on your vendor what kind of certificate they are using. You need to import the certificate(s) in STRUST so that AS ABAP trusts the certificate chain when you connect to your vendor. Most browsers these days have many root and even some intermediate certificates as where the certificates known to AS ABAP are very limited. In STRUST you can import the certicate(s) in the SSL client PSE (anonymous or standard) which you can then use in SM59 to verify the connectivity.

0 Kudos

This worked! Thanks for the help!!!

0 Kudos

Hi,

same with me,

downloading the certificate and implementing it in STRUST transaction permit to use it in SM59.

remains using it in ABAP with method cl_http_client=>create_by_destination which doesn't seem to work so far.