Former Member

Need Help for SOAP sender with HTTPS protocol

Hi Team

We have a scenario where the sender is a 3P system and they will be sending the message using a web service. They will send the data using SSL (HTTPS) with certificates.

In the sender SOAP adapter, I have two options:

1. HTTPS with client Authorization

2. HTTPS without client Authorization

I think I need to use the first option. But I have doubts regarding certificates:

1. Who is going to provide the certificate? Is it the PI team or the third-party team?

2. Once we have the certificate, where do we need to store it in NWA? Is it in the TrustedCA keystore view or the service_ssl keystore view?


4 Answers

  • Best Answer
    Former Member
    Jul 01, 2014 at 01:32 PM

    Hi Indrajit,

    The third-party team has to provide their public-key certificate, which has to be maintained in <Client_ICM_SSL_InstanceID..>. If you have CA root and intermediate certificates, import them in TrustedCAs.

    Please check the link below:

    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60ff2883-70c5-2c10-f090-a744def2ba66?QuickLink=index&…

    Regards,

    Krupa


  • Jul 02, 2014 at 04:39 PM

    Hi Indrajit,

    Krupa already shared a valuable resource on how to set up on Double Stack PI, so I'll focus on what's left to deal with / open questions.

    Indrajit Sarkar wrote:

    In the sender SOAP adapter, I have two options:

    1. HTTPS with client Authorization

    2. HTTPS without client Authorization

    I think I need to use the first option. But I have doubts regarding certificates:

    1. HTTPS with client authorization means that the 3rd party would not give username / password to authenticate to your PI but present a certificate you are trusting. You can think of this as an admission ticket to communicate with your PI server.

    2. HTTPS without client authorization means they will authenticate with username and password.

    In both cases the caller (3rd party) would need to trust your PI server. Most commonly this trust is established by not trusting your PI server's explicit certificate but by trusting the CA that issued your PI server's certificate. This CA can very well be a company-internal CA. That way, if you happen to need to change the hostname of the server some time in the future, the trust situation is still valid.

    In case of 1. (HTTPS with client authorization) your PI server in turn would also need to trust the 3rd party caller. This is often done in such a way that the internal CA on your side issues a client certificate with the CN of the caller. The caller presents this certificate to your server upon making a call (see here for a picture: https://help.sap.com/saphelp_nw74/helpdata/en/43/dc1fa58048070ee10000000a422035/content.htm). You will also need to back up this process on your PI server by mapping the certificate to a specific user.

    --> Option 2 is the more polished one with ability to withdraw a certificate and the like. However it does result in some overhead setting it up so I personally would go with Option 1 if there's no business need / security policy enforcing so.

    HTH

    Cheers Jens
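
The CA-based client trust described in the answer above, as an added example that is not part of the original thread and not SAP tooling: an internal CA issues a client certificate carrying the caller's CN, and the receiving side accepts only certificates that chain to that CA before mapping the subject to a user. It uses the `openssl` CLI rather than the NWA keystore; the CA name, the CN `thirdparty-caller` and the user `PI_SVC_3P` are hypothetical.

```shell
#!/bin/sh
# Added example; CA name, caller CN and user name are hypothetical.
set -eu

# Build a throwaway PKI in directory $1.
make_pki() {
    d=$1
    # Internal CA (self-signed root): the only certificate the server must trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # Caller creates a key pair and a signing request carrying its CN.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=thirdparty-caller" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    # The CA issues the client certificate from that request.
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/client.crt" 2>/dev/null
    # Same CN, but self-signed: not issued by the trusted CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=thirdparty-caller" \
        -keyout "$d/rogue.key" -out "$d/rogue.crt" 2>/dev/null
}

# Print the user mapped to certificate $2 if it chains to CA $1; else fail.
map_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    subject=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')
    case $subject in
        CN=thirdparty-caller) echo "PI_SVC_3P" ;;  # certificate-to-user mapping
        *) return 1 ;;                              # trusted CA, unmapped subject
    esac
}

PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT
make_pki "$PKI_DIR"
echo "issued cert -> $(map_client_cert "$PKI_DIR/ca.crt" "$PKI_DIR/client.crt")"
map_client_cert "$PKI_DIR/ca.crt" "$PKI_DIR/rogue.crt" ||
    echo "self-signed cert with same CN -> rejected"
```

The second check shows why the CN alone is not the credential: the subject is only consulted after the chain to the trusted CA has verified.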


  • Jul 01, 2014 at 01:24 PM

    Hi Indrajit,

    1. Who is going to provide the certificate? Is it the PI team or the third-party team?

    --> Certificates need to be exchanged between both systems. PI provides the public key to the sender and the sender provides their public key to PI.

    2. Once we have the certificate, where do we need to store it in NWA? Is it in the TrustedCA keystore view or the service_ssl keystore view?

    Please check the blog below for certificate upload in NWA.

    Sender SOAP Adapter: HTTPS with Client Authentication

    Regards,

    Harish


  • Jul 01, 2014 at 04:44 PM

    Share your public key with your partner and ask them to use https in the end URL.

    Use the HTTP transport protocol.
