cancel
Showing results for 
Search instead for 
Did you mean: 

SSL: Client Certificate

Former Member
0 Kudos

hi,

am connecting to a HTTPS URL - receiver adapter.

So do i have to install the external company's certificate in XI Server?

thanks,

tirumal

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hi tirumal,

If you use XI as an https client, you have to TRUST your external partner server certificate that he will sent to you ( automatically during the SSL handshake procedure.

This means you have to add his CA ( certification authority ) hierarchy in the list of your Trusted CA's of the 'keystore' J2EE service ( via the Visual Administration Tool ) or on in the ABAP STRUST transaction depending from where you call the client ( Java or ABAP side )

Hope it helps

regards

Dirk

Former Member
0 Kudos

PS It could be that your external partner uses an public CA authority ( e.g. Verisign ) and then you can use e.g. the certificate you will find in your browser for Verisign to import in the keystore service.

Otherwise you indeed need to first ask him a server certificate and install in in the trusted CA's

rgds

Dirk

Former Member
0 Kudos

Hi Dirk -

thanks for the response.

Yes i will be using XI as https client.

Question based on your first response...

"depending from where you call the client ( Java or ABAP side )"...how would i know from where i am calling.

I will be calling the HTTPS from the Integration Directory using HTTP Adapter. So should be using ABAP.

Correct me.

Question based on your second response...

how can i know/determine whether the external partner uses public CA or not?

Thanks,

Tirumal

Former Member
0 Kudos

Hi Tirumal,

No all XI adapters ( also HTTP -- except IDOC I believe -- ) run on the J2EE framework and you have to use the J2EE keystore to manage certificates that you use in the adapters.

IF you can https the external URL in your browser you will normally see the SSL secured icon in the browser status bar ( and your browser might request you to trust the server depending upon your security settings and the server certifiacte ) : if you double click this icon ( in IE ) you see the server certificate with all the details you need and you can export it to file ( also the CA hierarchy certificates ) and import them XI as needed

rgds

Dirk

Former Member
0 Kudos

Hello Dirk -

I have exported the certificate as you suggested and imported it using STRUST. Now i am getting the ICM_HTTP_SSL_ERROR.

I will award you points for your answers. If you have answers to the above do let me know.

Thanks,

Tirumal

Former Member
0 Kudos

Hi Tirumal,

How did you trigger the ssl client ?

What is the scenario that you are trying ? Since you are getting an ICM error, it sounds like you are on the ABAP stack ?

Is the SAP CryptoLib for use on ABAP/JAVA installed ?

rgds

Dirk

Former Member
0 Kudos

Hi Dirk -

Scenario is IDOC -> XI -> HTTP Adapter as Receiver with HTTPS as url.

Yes i am on the ABAP Stack.

SAP Cryptolib is intalled on the ABAP.

Thanks,

Tirumal

Former Member
0 Kudos

Dirk -

After importing the certificate forgot to restart the ICM->exit soft option.

I executed this option and finally i am able to get the response for the SM59 "Test connection" which is status code of 200.

I will need to test this option with real xml payload.

You have really helped me solve the issue.

Thanks,

Tirumal

Former Member
0 Kudos

Hi Tirumal,

Could you please explain how to restart the ICM->exit soft option? and how to import the certificate in STRUST?

Thanks!

Regards,

Hui

Former Member

Hi Hui,

you should use transaction SMICM, and there - Administration, ICMAN, Exit Soft,

regards

Anna

Answers (0)