Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

Calling webservice over SSL.

Former Member

I would like to call a webservice on an external server using the HTTPS protocol.

When using SM59 to test the connection I get:

SAP Web Application Server Error

IcmConnInitClientSSL:

SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT

When I use Internet Explorer (from the app server) to test the webservice I get:

"Sorry, I don't speak via HTTP GET- you have to use HTTP POST to talk to me."

Which proves that I get through to the server, but I have to use POST instead of GET. So I would think that the certificate that I choose from within Internet Explorer is working ok.

Is this regarded as client-server architecture where my app server is the client and the server where the webservice is situated is the server? Or is it server to server communication?

I have found this posting here on SDN

"

As described in my previous posting, it is essential to establish a mutual trust and therefore enable both sides to validate the peer's certificate. In order to do so you have to exchange the root CA certificates (and potentially intermediate CA certificates) mutually.

"

Does this mean that I have to exchange my CA signed root certificate of my app server with the CA signed root certificate of the server containing the webservice? Or can I get by with just importing the server that contains the webservice root certificate?

Finally when talking about J2EE integration I have found this posting:

"

If your server has the hostname "server.company.com" then the SSL server certificate should be issued to the subject "CN=server.company.com, O=company, C=country" (relevant is the CN section: it needs to be identical with the hostname used in the https URL to address the SSL server).

"

Does this mean that I would have to have a certificate on my app server where CN=xxx.yyy.no since my webservice is located on the xxx.yyy.no server. Is this in addition to the servers root certificate?

Jon Erling

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert

> I would like to call a webservice on an external server using the HTTPS protocol.

>

> When using SM59 to test the connetion I get:

> SAP Web Application Server Error

> IcmConnInitClientSSL:

> SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT

Well, it looks like that [SAP Note 1094342|https://service.sap.com/sap/support/notes/1094342] could be helpful for you.

Unlike a web browser, the NWAS ABAP has no "pre-installed trust"; the list of trusted root certificates is empty. That's why you experience this failure (when the NWAS ABAP acts as SSL client).

The idea to use the browser for testing is not that bad. But you should not get confused by the problem reported by the browser:

> When I use Internet Explorer (from the app server) to test the webservice I get:

> "Sorry, I don't speak via HTTP GET- you have to use HTTP POST to talk to me."

The important part is the fact that the browser was able to validate the server's SSL certificate. That fact can be used to export the required root certificate (present at the browser) and import it to the ABAP system (into the "certificate list" of the SSL PSE used - see SM59 settings).

Regards, Wolfgang

PS: the "anonymous" SSL PSE is the correct one - if you intend to establish only a https connection to a server without the intention to use X.509 client certificates (of the NWAS ABAP) for authentication (of a technical user - assigned to the NWAS ABAP's certificate).

Edited by: Wolfgang Janzen on Jan 22, 2008 10:56 AM

10 REPLIES

Former Member

Hi Jon,

You need to get some debug information.

Launch transaction SMICM, increase the trace level, reset the trace file, then redo your test from SM59.

Then look at the trace file.

You should have very meaningful messages about what is wrong on your SSL connection.

Regards,

Olivier


Thank you.

I am increasing the trace depth to 3.

I have also found 2 certificates on the external server (one root) and one where CN = site where webservice sits.

So in STRUST I tried to import both these certificates under SSL Client (Anonymous) and SSL Client (Default) with a rather weird result.

Using SM59 to test my connection it is using Port 80 (for HTTP) instead of Port 443 which I would have expected (for HTTPS).

So that means the trace information is somewhat useless.

In STRUST the owner certificate is mine from the app server and the certificate list contains the two certificates from the server that has the webservice. 1 - Root certificate and 1 - CN = xx.yy.zzz (URL to server)

In SM59 I have target host = xx.yy.zzz, Service no = 443 (which I would expect to be the port) and

path prefix = path on the server to the webservice.

When I click "test connection". This is the reply:

"

Forbidden

You don't have permission to access "path on the server to the webservice" on this server.

IBM_HTTP_Server Server at xx.yy.zzz Port 80

"

Why is it using Port 80 when I specify Service no = 443. I have tried both SSL client Anonymous and SSL client Default.


Jon,

You have something obviously wrong which makes you try to establish an SSL connection on port 80 instead of 443.

Double check your HTTP destination in SM59.

I have an example working OK :

Type : G

Target Host : www.mysite.mydomain Service N° : 443

Path prefix : /mywebservice/URL

HTTP proxy : myproxy.mydomain

Proxy service : 443

Logon procedure : Basic Authentication

SSL : Active

SSL Client Certificate : ANONYM SSL Client

Logon : myuser

password : mypassword

Timeout : ICM default Timeout

HTTP Version : 1.1

Compression : inactive

Compression Response : No

Accept cookies : YES

Check also SMICM --> Goto --> Services

HTTPS needs to be active, even if you only use the client part.

It means also, that you need at least 2 entries in STRUST

one for SSL server

and one for SSL client (either anonymous or standard)

In the SMICM trace file do you get similar lines like :

[Thr 6268] = using SECUDIR=I:\usr\sap\DXI\DVEBMGS68\sec

[Thr 6268] = Success SapCryptoLib SSL ready!

[Thr 6268] =================================================

[Thr 6268] Started service 1468 for protocol HTTPS on host "myhost.mydomain"(on all adapters)

Regards,

Olivier


Just did a soft restart of ICM.

From Tracefile:

[Thr 10740] Started service 80 for protocol HTTP on host "xxx"(on all adapters) (timeout=60)

[Thr 10740] Started service 25 for protocol SMTP on host "xxx"(on all adapters) (timeout=60)

[Thr 10740] =================================================

[Thr 10740] = SSL Initialization on PC with Windows NT

[Thr 10740] = (620,Jan 4 2005,mt,ascii,SAP_UC/size_t/void* = 8/32/32)

[Thr 10740] SapISSLComposeFilename(): profile param "ssl/ssl_lib" = "D:\usr\sap\DEV\sys\exe\run\sapcrypto.dll"

resulting Filename = "D:\usr\sap\DEV\sys\exe\run\sapcrypto.dll"

[Thr 10740] = found SAPCRYPTOLIB 5.5.5C pl21 (May 7 2007) MT-safe

[Thr 10740] = current UserID: LNDEV01\SAPServiceDEV

[Thr 10740] = found SECUDIR environment variable

[Thr 10740] = using SECUDIR=D:\usr\sap\DEV\DVEBMGS00\sec

[Thr 10740] = Success SapCryptoLib SSL ready!

[Thr 10740] =================================================

[Thr 10740] Started service 443 for protocol HTTPS on host "xxx"(on all adapters) (timeout=60)

Seems ok.

"Check also SMICM --> Goto --> Services"

HTTPS is marked as Active.

Double check your HTTP destination in SM59.

I have an example working OK :

Type : G

Jon: OK

Target Host : www.mysite.mydomain Service N° : 443

Jon: OK

Path prefix : /mywebservice/URL

Jon: OK

HTTP proxy : myproxy.mydomain

Jon: Not using proxy, do I have to?

Proxy service : 443

Jon: Not using proxy, do I have to?

Logon procedure : Basic Authentication

Jon: I do not see this choice, does it have something to do with SAP version? I am running release 6.20.

SSL : Active

Jon: OK

SSL Client Certificate : ANONYM SSL Client

Jon: OK (Tried Anonym and Default)

Logon . myuser

Jon: Blank on my system

password : mypassword

Jon: Blank on my system

The webservice is not password protected.

Timeout : ICM default Timeout

HTTP Version : 1.1

Compression : inactive

Compression Response : No

Accept cookies : YES

Jon: Where do I find this? I am on SAP-Release 620.

It means also, that you need at least 2 entries in STRUST

one for SSL server

and one for SSL client (either anonymous or standard)

Jon: In STRUST I have three entries over two different variations depending on if I am using Anonymous or Default.

1) Anonymous:

Own Certificate

CN=anonymous

Cert list:

CN=site, OU=x, OU=y, OU=zz, O=yy, C=NO (site certificate - customer cert 1)

CN=xx, O=BBS, C=NO (root certificate to the organization who owns the webservice - customer cert 2)

2) Default

Own Certificate

<My own root certificate>

Cert list:

CN=site, OU=x, OU=y, OU=zz, O=yy, C=NO (site certificate - - customer cert 1)

CN=xx, O=yy, C=NO (root certificate to the organization who owns the webservice - - customer cert 2)

**********************************************************************

PS....I am trying hard to reward points....but what do I click on after selecting "Helpful answer" in the left margin. I miss a "Submit" or "Update" button.
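As an added example (this is editorial code, not something posted by Olivier, Jon or Wolfgang), here is a small Python parser for the dev_icm trace lines that Olivier asks about and that Jon pasted above. It extracts the started services, the SECUDIR, whether SapCryptoLib reported "SSL ready", and any SapSSLSessionStart failures, then turns them into the checklist a practitioner wants before looking anywhere else: HTTPS listener active, SSL initialised, and no client handshake errors. The two sample traces are constructed from the lines in this thread; the layout of the failure line in a real trace may differ, and the wording of the findings is my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample, modelled on the dev_icm lines quoted in this thread
# (successful SSL initialisation followed by the HTTPS service start).
SAMPLE_TRACE_OK = r"""
[Thr 10740] Started service 80 for protocol HTTP on host "xxx"(on all adapters) (timeout=60)
[Thr 10740] Started service 25 for protocol SMTP on host "xxx"(on all adapters) (timeout=60)
[Thr 10740] = SSL Initialization on PC with Windows NT
[Thr 10740] = found SAPCRYPTOLIB 5.5.5C pl21 (May 7 2007) MT-safe
[Thr 10740] = found SECUDIR environment variable
[Thr 10740] = using SECUDIR=D:\usr\sap\DEV\DVEBMGS00\sec
[Thr 10740] = Success SapCryptoLib SSL ready!
[Thr 10740] Started service 443 for protocol HTTPS on host "xxx"(on all adapters) (timeout=60)
"""

# Constructed failure sample: HTTPS never started and a client-side handshake
# failed with the error code from the original question. The exact layout of
# the failure line in a real trace is an assumption.
SAMPLE_TRACE_FAIL = r"""
[Thr 10740] Started service 80 for protocol HTTP on host "xxx"(on all adapters) (timeout=60)
[Thr 10740] = using SECUDIR=D:\usr\sap\DEV\DVEBMGS00\sec
[Thr 10740] = Success SapCryptoLib SSL ready!
[Thr 10740] IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT
"""

SERVICE_RE = re.compile(r'Started service (\d+) for protocol (\w+) on host "([^"]*)"')
SECUDIR_RE = re.compile(r"using SECUDIR=(\S+)")
SSL_ERROR_RE = re.compile(r"SapSSLSessionStart failed \((-?\d+)\): (\w+)")


@dataclass
class IcmTraceSummary:
    services: Dict[int, str] = field(default_factory=dict)          # port -> protocol
    secudir: Optional[str] = None                                     # PSE directory the ICM uses
    ssl_ready: bool = False                                           # SapCryptoLib initialised
    ssl_errors: List[Tuple[int, str]] = field(default_factory=list)   # (code, name) per failure


def parse_icm_trace(lines: Iterable[str]) -> IcmTraceSummary:
    """Collect the facts relevant to an outbound HTTPS call from dev_icm lines."""
    s = IcmTraceSummary()
    for line in lines:
        m = SERVICE_RE.search(line)
        if m:
            s.services[int(m.group(1))] = m.group(2).upper()
            continue
        m = SECUDIR_RE.search(line)
        if m:
            s.secudir = m.group(1)
            continue
        if "Success SapCryptoLib SSL ready!" in line:
            s.ssl_ready = True
            continue
        m = SSL_ERROR_RE.search(line)
        if m:
            s.ssl_errors.append((int(m.group(1)), m.group(2)))
    return s


def https_client_findings(s: IcmTraceSummary, port: int = 443) -> List[str]:
    """Empty list = the ICM looks ready to act as an SSL client; otherwise what to fix first."""
    findings = []
    if not s.ssl_ready:
        findings.append("SapCryptoLib did not report 'SSL ready' (check ssl/ssl_lib and SECUDIR)")
    if s.services.get(port) != "HTTPS":
        findings.append(f"no HTTPS service on port {port} (SMICM -> Goto -> Services: HTTPS must be active)")
    for code, name in s.ssl_errors:
        findings.append(f"client handshake failed ({code}) {name}: peer root CA probably missing from the "
                        "SSL client PSE certificate list; restart the ICM after importing it")
    return findings


if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_TRACE_OK), ("fail", SAMPLE_TRACE_FAIL)):
        summary = parse_icm_trace(text.splitlines())
        print(label, summary.services, https_client_findings(summary) or "ready")
```

Run it against a real dev_icm file with `parse_icm_trace(open(path))`; a missing port 443 entry is the first thing to rule out, since without an active HTTPS service the ICM does not initialise SSL for the client side either.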


Hi again,

>Thr 10740 Started service 443 for protocol HTTPS on host "xxx"(on all adapters) (timeout=60)

>Seems ok.

It sure is ok.

>HTTPS is marked as Active.

OK, also.

>HTTP proxy : myproxy.mydomain

>Jon: Not using proxy, do I have to?

No, If you don't need it. For my example, I'm calling a web service over the internet. I have so a proxy in the DMZ for secure internet access.

>Logon procedure : Basic Authentication

>Jon: I do not see this choice, does it have something to do with SAP version? I am running >release 6.20.

My example is from WAS 7.0. In 6.20 you only have the choice of user/pwd which is basic authentication. You just need it if your web service requires it.

>Timeout : ICM default Timeout

>HTTP Version : 1.1

>Compression : inactive

>Compression Response : No

>Accept cookies : YES

>Jon: Where do I find this? I am on SAP-Release 620.

Not present in 6.20. Only in 7.0

Your config seems OK. Your problem is weird.

You could try to create a test "loop" HTTP destination which does an HTTPS connection to itself.

e.g. the ICM is altogether the client and the server. This eliminates the external factor.

I use this path /sap/public/info. Of course you have to activate this service in SICF.

**********************************************************************

>PS....I am trying hard to reward points....but what do I click on after selecting "Helpful answer" in >the left margin. I miss a "Submit" or "Update" button.

Thanks, but don't bother : I don't care for points...

Regards,

Olivier



Thank you Wolfgang.

>

> Well, it looks like that [SAP Note 1094342|https://service.sap.com/sap/support/notes/1094342] could be helpful for you.

> Unlike webbrowser, the NWAS ABAP has no "pre-installed trust"; the list of trusted root certificates is empty. That's why you experience this failure (when the NWAS ABAP acts as SSL client).

I have seen this link before and did what it said (double-click on the key symbol - viewed the certificates - downloaded them as Base64 (plain text) - installed them in STRUST transaction) and still no success. It was 2 certificates: 1 root certificate and 1 certificate with CN = URL to host. Using SM59 to test the connection it seems to try to connect on port 80 and not port 443 as I have told it to. So this fails of course. Weird.

I have shown this problem to a more experienced colleague and he wrote an ABAP program to test the STRUST connection (instead of SM59). I am sorry that I can not post the latest error message that this program gives us (he is a bit busy now), but our best try now is to upgrade from 6.20 to 6.40.

Will post the result of the upgrade - and the errormessage if the upgrade still does not fix the problem.


Hmm - maybe you fell into a common pitfall:

you have to restart ICMan after any change to the SSL PSEs (because ICMan is caching the PSE files).

Only as of NW 7.1 this is no longer required (because STRUST notifies ICMan which then simply flushes the cache).

Other commonly made mistake:

importing the certificates to the wrong PSE ...

Cheers, Wolfgang


When I use Internet Explorer I get

"Sorry, I don't speak via HTTP GET- you have to use HTTP POST to talk to me."

The owner of the Webservice confirms to me that the SSL handshake goes ok, but since I am only using a plain URL it is posted as GET and fails.

Then when I click on the lock in the bottom right corner I get the certificate dialog box open. Choosing the "Certificate path" tab I see the following:

<External CA certificate> (root certificate)

-> <External Client Certificate> (application certificate CN = path to application)

But in addition to those 2 certificates when opening the webpage IE asks me for a certificate. The dialogbox has the title "Choose a digital certificate".

I give in <Own company certificate>

So I have:

<Own company certificate> signed by "TEST ZebSign Enterprise ID CA 1"

- So it is signed externally

The Certification path for this certificate is:

TEST ZebSign Enterprise ID CA 1

-> <Own company certificate>

So it seems to me that I have 4 certificates that come into play when getting the webpage up and (almost) running. (just need to use POST not GET)

1) <external CA> (root)

2) <external client certificate>

3) <own company CA> (my root) - signed by "TEST ZebSign Enterprise ID CA 1" and finally

4) <TEST ZebSign Enterprise ID CA 1> root certificate of signer of my root certificate

****************************

To transfer these into the magic world of SAP and STRUST is another ballgame.

The external client will not import my company's root certificate to his keystore, saying there is no need to do so.

To transfer the certificates to SAP I click "View Certificate", then on the "Details" tab I click "Copy to file". Specify "Do not export private key" (no choice there) and "Base 64" and a filename. Then I have a file that I can import to the STRUST section in SAP.

So do I use the SSL Client Anonymous PSE?

Do I import all those 4 certificates to the certificate list of the "Cert list" section?

Thank you so much for all help so far. Much appreciated.

Jon


> When I use Internet Explorer I get

> "Sorry, I don't speak via HTTP GET- you have to use HTTP POST to talk to me."

>

> The owner of the Webservice confirms to me that the SSL handshake goes ok, but since I am only using a plain URL it is posted as GET and fails.

As I've written previously: this "error" can be ignored.

> Then when I click on the lock in the bottom right corner I get the certificate dialog box open. Choosing the "Certificate path" tab I see the following:

>

> <External CA certificate> (root certificate)

> -> <External Client Certificate> (application certificate CN = path to application)

That's the important part:

you should "navigate" to the root certificate and export it.

PS: the CN part of the SSL server certificate should be identical to the hostname used in the URL.

> But in addition to those 2 certificates when opening the webpage IE asks me for a certificate. The dialogbox has the title "Choose a digital certificate".

Well, that indicates that the SSL server is accepting X.509 client certificates from at least two CAs which have issued those X.509 client certificates which are present in the browser's certificate keystore.

But that is not relevant in your case. You can kindly ignore it.
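Wolfgang's PS (the CN of the SSL server certificate must equal the hostname in the URL) and Jon's port 80 / port 443 confusion both come down to checks an SSL client performs before trusting a peer. As an added example, and not code from anyone in this thread, here is a Python implementation of those checks over the certificate dictionary shape that Python's `ssl.getpeercert()` returns: the port the client must open for a given URL, and an RFC 6125 style name comparison that prefers subjectAltName dNSName entries and only falls back to the subject CN when the certificate carries none (the generalisation modern validators apply, which goes beyond the plain CN rule stated above). The certificate dictionaries and URLs in the test are constructed; `check_destination` and the finding texts are my own.

```python
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def destination_port(url: str) -> int:
    """Port the SSL client must open for this URL: explicit port, else 443 for https, 80 for http."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    if parts.scheme == "https":
        return 443
    if parts.scheme == "http":
        return 80
    raise ValueError(f"unsupported scheme {parts.scheme!r}")


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, '*' only as the entire left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # wildcard must be the whole first label, "*.tld" is refused, and it matches exactly one label
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: Dict) -> Tuple[List[str], List[str]]:
    """(dns_names, ip_addresses) a certificate is valid for, from an ssl.getpeercert()-shaped dict.

    The subject CN is consulted only when no dNSName SAN entries exist."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """True if the host used in the URL is covered by the server certificate."""
    dns, ips = certificate_names(cert)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        return any(_dns_name_matches(p, hostname) for p in dns)
    # IP literals in the URL are only matched against iPAddress SANs, never against CN
    return any(ipaddress.ip_address(v) == ip for v in ips)


def check_destination(url: str, peer_cert: Dict) -> List[str]:
    """Findings for an outbound destination; an empty list means URL and certificate agree."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}: no TLS handshake on port {destination_port(url)}")
    host = parts.hostname or ""
    if not hostname_matches(peer_cert, host):
        names = ", ".join(sum(certificate_names(peer_cert), []))
        findings.append(f"certificate names [{names}] do not cover host {host!r}")
    return findings


if __name__ == "__main__":
    # constructed certificate, shaped like the CN-only server certificate described in the thread
    site_cert = {"subject": ((("countryName", "NO"),), (("commonName", "xx.yy.zzz"),))}
    print(destination_port("https://xx.yy.zzz/path"), check_destination("https://xx.yy.zzz/path", site_cert))
```

On a live connection, `ssl.SSLSocket.getpeercert()` only returns the populated dictionary once the chain validated against the loaded CA list, which is the same ordering the ICM applies: trust first (root CA in the PSE certificate list), name check second.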