Skip to Content
author's profile photo Former Member
Former Member

ABAP HTTP(S) Client: HTTPS with server containing self-signed certificate

Hi experts,

I want to communicate using CL_HTTP_CLIENT (ABAP Stack in WebAS) over HTTPS with a server containing <u>self-signed</u> certificate. (In some more details, I wanna go through form-based authentication in this way)

What I already have done is

1. Client Identity (MAIL) in STRUST with the certificate of the target server

2. the small demo instantiating HTTP client in this way

cl_http_client=>create_by_url( exporting url = lf_url ssl_id = 'MAIL'

importing client = http_client ).

Unfortunately, the request doesn't leave the server and in ICM trace I can see that the reason is that the target certificate is not verified:

[Thr 3476] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed #

ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=ISVPMAIL"#

ERROR in get_path: (27/0x001b) Found root certificate of <CN=ISVPMAIL> which does not fit the given PKRoot #

ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=ISVPMAIL> which does not fit the given PKRoot #

Can I anyhow specify in STRUST that the certificate is self-signed, or is it possible to add this certificate to the list of root certificates on WebAS?

Thanks

Andrey

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

2 Answers

  • Best Answer
    Posted on Nov 29, 2007 at 01:44 PM

    Hi Andrey,

    do you know SAP" target="_blank">https://service.sap.com/sap/support/notes/1094342">SAP Note 1094342, already?

    Advice: ensure that you are using the "SSL client certificate 'ANONYM" (not "DFAULT") since you only intend to use SSL for encrypted data transmission (but not for SSO based on client certificates).

    Cheers, Wolfgang

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Dec 03, 2007 at 01:09 PM

    Hi Andrey,

    To be able to connect with HTTPS, the abap stack needs to know the certiifcation authority of the certificate of the SSL server.

    By definition for a self-signed certificate the authority is the SSL server certificate it self.

    It means that you need to import the self-signed SSL server certificate in the SSL client ( Anonymous or Standard depending whch one you're using) Certificate List of transaction STRUST.

    I hope I have been clear enough because its'much easier to do than to explain !

    Hope this helps,

    Olivier

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.