Solved: CL_HTTP_CLIENT download .zip file

juraj14 · ‎12-07-2021

Hi, i am trying to download a file via hyperlink which directly leads to dialog for download/open that file. File is .zip (zip contains xml file), file : link

I am trying to use CL_HTTP_CLIENT->create_by_destination (i set up RFC in SM59 type G, tested with no error )

host = https://report.financnasprava.sk
prefix = /ds_dphs.zip

But the response is definitely not the .zip file i am trying to download. Response:

<html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://www.https.com//report.financnasprava.sk:80/ds_dphs.zip?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTYzODg4OTU1NCwiaWF0IjoxNjM4ODgyMzU0LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIycXY3bGtiNHBjbDlpNHZjZXMwMHZxMGEiLCJuYmYiOjE2Mzg4ODIzNTQsInRzIjoxNjM4ODgyMzU0MTY3MTYyfQ.wXv9PCqZ32VVgCJByydnQXvES5KVDVQZNyKjKFazkYc&sid=68fc4e12-575e-11ec-9ab4-cfde9affef56');</script></body></html>

I am not sure where the problem might be but that "Loading.." in response is a bit confusing.

Here is the code i am using everything ends with sy-subrc = 0.

CALL METHOD cl_http_client=>create_by_destination
    EXPORTING
      destination              = 'DS_DPHS'
    IMPORTING
      client                   = l_client
    EXCEPTIONS
      argument_not_found       = 1
      destination_not_found    = 2
      destination_no_authority = 3
      plugin_not_active        = 4
      internal_error           = 5.

  CALL METHOD l_client->send
    EXPORTING
      timeout                    = 0
    EXCEPTIONS
      http_communication_failure = 1
      http_invalid_state         = 2
      http_processing_failed     = 3
      http_invalid_timeout       = 4.

 CALL METHOD l_client->receive
    EXCEPTIONS
      http_communication_failure = 1
      http_invalid_state         = 2
      http_processing_failed     = 3
      OTHERS                     = 4.
 
  l_content = l_client->response->get_data( ).
  s_content = l_client->response->get_cdata( ).

Sandra_Rossi · ‎12-20-2021

In your case, the error is due to the certificate subject CN=edane.financnasprava.sk but the accessed domain is report.financnasprava.sk. Consequently, there's a mismatch, which you can see in the SMICM trace (trace level 2 to see a little bit better).

I could make it work only after defining the below parameter, as explained in note 2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client

icm/HTTPS/client_sni_enabled = TRUE

Including Juraj conclusion: with older kernel (Kernel 721 / 722, with sufficient patch level, see note 2384290 - SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients), set this parameter:

ssl/client_sni_enabled = TRUE

Sandra_Rossi · ‎12-07-2021

The link goes to a redirection URL. You get the ZIP at the indicated redirection URL.

juraj14 · ‎12-07-2021

So this is the redirection URL right ?

http://www.https.com//report.financnasprava.sk:80/ds_dphs.zip?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ...

but i am not sure which part of it i should use or / and how should i edit the RFC. Can you please provide some more informations ? When i try that url in my browser (or part of it like http://www.https.com//report.financnasprava.sk:80/ds_dphs.zip ) i get redirected to some advertisment / eshops

Sandra_Rossi · ‎12-07-2021

oops

This URL is really surprising (in the wrong way). https://superuser.com/questions/888283/why-is-https-www-google-com-getting-redirected-to-http-www-ht....

Please check your SM59 destination twice, seems that you forgot to type the colon character (https//report.financnasprava.sk/ds_dphs.zip is wrong).

juraj14 · ‎12-08-2021

I checked destination, there is a colon after https

host = https://report.financnasprava.sk

Just for testing purpose I tried to change rfc destination to the following, with this settings i get proper response (html web site)

host = financnasprava.sk     or www.financnasprava.sk
prefix = 
 - Defaul client SSL

When i tried the following, i get ICM_HTTP_SSL_ERROR

host = https://report.financnasprava.sk  OR report.financnasprava.sk  
prefix =  /ds_dphs.zip 
 - Defaul client SSL

tiborolle · ‎12-17-2021

Hi Juraj, just add parameter through RZ10.

icm/HTTPS/client_sni_enabled = TRUE

and it will works.....

juraj14 · ‎12-17-2021

Hi Tibor, i tried it but it didnt work, still i get response:

<html><head><title>Loading...</title></head><body><...

Sandra_Rossi · ‎12-17-2021

Sorry, didn't see your last answer.

So host this way is fine (financnasprava.sk or www.financnasprava.sk)

Your SSL error is simply due that you didn't upload the Web site certificates to STRUST in the Default client SSL (go to the Web site with your Web browser, click on the "https lock", you should find 3 (usually) certificates that you need to download and upload in STRUST; usually it takes 5 minutes if you're authorized to manage STRUST).

tiborolle · ‎12-17-2021

Hi Juraj,

in SM59 we haven´t certificate unless you have to use their API. Simple file download works pretty without CA. SM59 -> Type is G. In technical settings try target host: report.financnasprava.sk; Server No.: 443; path prefix: /ds_dphs.zip. Tab Logon security: Security Options: SSL Active and select DFAULT SSL Client (Standard). Special Options TAB Status of HTTP Version select HTTP 1.1.

In tr. RZ10 add these 3 or 4 parameters if need:

icm/HTTPS/client_sni_enabled = TRUE

ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH

wdisp/ssl_ignore_host_mismatch = TRUE (not sure it must have)

and at last mandatory RESTART SAP App SERVER to force ICM changes

after this finally click Connection Test on SM59 - and see in header content type is zip file

juraj14 · ‎12-20-2021

Hi Tibor, i exactly followed your guide but when I test RFC i am getting ICM_HTTP_SSL_ERROR. The only thing that is different from you (probably) is that i am using proxy host and service in sm59. And u said that u didnt install any certificate in STRUST so am not sure where the problem might be.

Sandra_Rossi · ‎12-20-2021

juraj14

HTTPS without uploading the certificates in STRUST? I didn't know that it could work...

And what if you upload the certificates in STRUST?

juraj14 · ‎12-20-2021

Hi Sandra, i went to report.financnasprava.sk and download certificate to my PC, then upload it to STRUST under client SSL standard but still have ICM_HTTP_SSL_ERROR

Sandra_Rossi · ‎12-20-2021

Proceed with all the certificateS of the certification chain.

juraj14 · ‎12-20-2021

I downloaded OpenSSL to download cert chain, it was 3 certificates, i uploaded them into STRUST under client SSL standard (actually i uploaded only 2 of them, 1 already existed), still same error.

juraj14 · ‎12-20-2021

I have checked the ICM trace and there is error. It is wierd because i implemented wdisp/ssl_ignore_host_mismatch = TRUE as Tibor suggested.

so i went to edane.financnasprava.sk and again downloaded cert chain, but error is still there

based on below, i still should see the error message but communication should continue, but in my case, communication is stopped. (there is not other error message after this one)

NOTE: The wdisp/ssl_ignore_host_mismatch = 1 will ignore the mismatch error, but it will not solve it. Therefore, the error message will still be visible in the traces, but the system will not stop the communication because of the error.

Sandra_Rossi · ‎12-20-2021

You don't need OpenSSL, you can download each certificate directly from your Web browser and install in STRUST in 10 clicks.

I tried on my system. I could make it work only after defining the below parameter, as explained in note 2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client

icm/HTTPS/client_sni_enabled = TRUE

EDIT: forgot to say that the error is due to the certificate subject CN=edane.financnasprava.sk but the accessed domain is report.financnasprava.sk. Consequently, there's a mismatch, which you can see in the SMICM trace (trace level 2 to see a little bit better).

Sandra_Rossi · ‎12-20-2021

In your case, the error is due to the certificate subject CN=edane.financnasprava.sk but the accessed domain is report.financnasprava.sk. Consequently, there's a mismatch, which you can see in the SMICM trace (trace level 2 to see a little bit better).

I could make it work only after defining the below parameter, as explained in note 2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client

icm/HTTPS/client_sni_enabled = TRUE

Including Juraj conclusion: with older kernel (Kernel 721 / 722, with sufficient patch level, see note 2384290 - SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients), set this parameter:

ssl/client_sni_enabled = TRUE

juraj14 · ‎12-22-2021

Thank you and Tibor for help, i finally make it work. I read your suggested note and found out, i need to implement the note 2384290 (because we are on 722 kernel version), so the parameter i was missing in RZ11

ssl/client_sni_enabled = TRUE

former_member687386 · ‎01-31-2022

Thanks sandra.rossi

juraj14 · ‎12-22-2021

I imported the cert chain for both domains edane.financnasprava.sk and report.financnasprava.sk . So i am not sure why the system is trying to compare CN=edane.financnasprava.sk to CN=report.financnasprava.sk and not CN=edane.financnasprava.sk