Former Member

Calling webservice over SSL.

I would like to call a webservice on an external server using the HTTPS protocol.

When using SM59 to test the connection I get:

SAP Web Application Server Error

IcmConnInitClientSSL:

SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT

When I use Internet Explorer (from the app server) to test the webservice I get:

"Sorry, I don't speak via HTTP GET- you have to use HTTP POST to talk to me."

Which proves that I get through to the server, but I have to use POST instead of GET. So I would think that the certificate that I chose from within Internet Explorer is working OK.

Is this regarded as client-server architecture where my app server is the client and the server where the webservice is situated is the server? Or is it server to server communication?

I have found this posting here on SDN

"As described in my previous posting, it is essential to establish a mutual trust and therefore enable both sides to validate the peer's certificate. In order to do so you have to exchange the root CA certificates (and potentially intermediate CA certificates) mutually."

Does this mean that I have to exchange my CA signed root certificate of my app server with the CA signed root certificate of the server containing the webservice? Or can I get by with just importing the server that contains the webservice root certificate?

Finally when talking about J2EE integration I have found this posting:

"If your server has the hostname "server.company.com" then the SSL server certificate should be issued to the subject "CN=server.company.com, O=company, C=country" (relevant is the CN section: it needs to be identical with the hostname used in the https URL to address the SSL server)."

Does this mean that I would have to have a certificate on my app server where CN=xxx.yyy.no, since my webservice is located on the xxx.yyy.no server? Is this in addition to the server's root certificate?

Jon Erling


2 Answers

  • Best Answer
    Jan 22, 2008 at 09:39 AM

    > I would like to call a webservice on an external server using the HTTPS protocol.

    >

    > When using SM59 to test the connection I get:

    > SAP Web Application Server Error

    > IcmConnInitClientSSL:

    > SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT

    Well, it looks like SAP Note 1094342 (https://service.sap.com/sap/support/notes/1094342) could be helpful for you.

    Unlike a web browser, the NWAS ABAP has no "pre-installed trust"; the list of trusted root certificates is empty. That's why you experience this failure (when the NWAS ABAP acts as SSL client).

    The idea of using the browser for testing is not that bad. But you should not get confused by the problem reported by the browser:

    > When I use Internet Explorer (from the app server) to test the webservice I get:

    > "Sorry, I don't speak via HTTP GET- you have to use HTTP POST to talk to me."

    The important part is the fact that the browser was able to validate the server's SSL certificate. That fact can be used to export the required root certificate (present in the browser) and import it into the ABAP system (into the "certificate list" of the SSL PSE used - see SM59 settings).

    Regards, Wolfgang

    PS: the "anonymous" SSL PSE is the correct one - if you intend to establish only an https connection to a server without the intention to use X.509 client certificates (of the NWAS ABAP) for authentication (of a technical user - assigned to the NWAS ABAP's certificate).

    Edited by: Wolfgang Janzen on Jan 22, 2008 10:56 AM


    • > When I use Internet Explorer I get

      > "Sorry, I don't speak via HTTP GET- you have to use HTTP POST to talk to me."

      >

      > The owner of the Webservice confirms to me that the SSL handshake goes ok, but since I am only using a plain URL it is posted as GET and fails.

      As I've written previously: this "error" can be ignored.

      > Then when I click on the lock in the bottom right corner I get the certificate dialog box open. Choosing the "Certificate path" tab I see the following:

      >

      > <External CA certificate> (root certificate)

      > -


      > <External Client Certificate> (application certificate CN = path to application)

      That's the important part:

      you should "navigate" to the root certificate and export it.

      PS: the CN part of the SSL server certificate should be identical to the hostname used in the URL.

      > But in addition to those 2 certificates, when opening the webpage IE asks me for a certificate. The dialog box has the title "Choose a digital certificate".

      Well, that indicates that the SSL server is accepting X.509 client certificates from at least two CAs which have issued those X.509 client certificates which are present in the browser's certificate keystore.

      But that is not relevant in your case. You can kindly ignore it.
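
The two points made in the answer above (a client with an empty certificate list rejects the server, and the name in the server certificate must match the host name in the URL) can be reproduced offline. This is an added Go example, not part of the thread and not SAP code: Go's standard x509 verifier stands in for the SSL client, the root CA and server certificate are constructed throwaways, xxx.yyy.no is the placeholder host from the question, and other.yyy.no is a made-up name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed certificate for cn; parent == nil yields a self-signed root CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root CA: the certificate signs itself
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	} else { // server certificate: Go compares the host name with SAN DNS entries, so the CN is mirrored there
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verify judges the server certificate as a client would: the chain must end in certList and the name must match host.
func verify(server *x509.Certificate, certList *x509.CertPool, host string) error {
	_, err := server.Verify(x509.VerifyOptions{Roots: certList, DNSName: host})
	return err
}

func main() {
	root, rootKey := issue("Constructed Demo Root CA", nil, nil)
	server, _ := issue("xxx.yyy.no", root, rootKey)
	empty, imported := x509.NewCertPool(), x509.NewCertPool()
	imported.AddCert(root) // corresponds to exporting the root from the browser and importing it into the certificate list
	fmt.Println("empty certificate list:", verify(server, empty, "xxx.yyy.no"))
	fmt.Println("root imported:", verify(server, imported, "xxx.yyy.no"))
	fmt.Println("root imported, other host name in URL:", verify(server, imported, "other.yyy.no"))
}
```

Only the root CA certificate is added to the client's list; the server certificate itself is never imported.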

  • Former Member
    Jan 21, 2008 at 12:41 PM

    Hi Jon,

    You need to get some debug information.

    Launch transaction SMICM, increase the trace level, reset the trace file, then redo your test from SM59.

    Then look at the trace file.

    You should have very meaningful messages about what is wrong on your SSL connection.

    Regards,

    Olivier


    • Former Member

      Hi again,

      >Thr 10740 Started service 443 for protocol HTTPS on host "xxx"(on all adapters) (timeout=60)

      >Seems ok.

      It sure is ok.

      >HTTPS is marked as Active.

      OK, also.

      >HTTP proxy : myproxy.mydomain

      >Jon: Not using proxy, do I have to?

      No, if you don't need it. In my example, I'm calling a web service over the internet, so I have a proxy in the DMZ for secure internet access.

      >Logon procedure : Basic Authentication

      >Jon: I do not see this choice, does it have something to do with SAP version? I am running release 6.20.

      My example is from WAS 7.0. In 6.20 you only have the choice of user/pwd which is basic authentication. You just need it if your web service requires it.

      >Timeout : ICM default Timeout

      >HTTP Version : 1.1

      >Compression : inactive

      >Compression Response : No

      >Accept cookies : YES

      >Jon: Where do I find this? I am on SAP-Release 620.

      Not present in 6.20. Only in 7.0

      Your config seems OK. Your problem is weird.

      You could try to create a test "loop" HTTP destination which does an HTTPS connection to itself.

      I.e., the ICM is at the same time the client and the server. This eliminates the external factor.

      I use this path /sap/public/info. Of course you have to activate this service in SICF.

      **********************************************************************

      >PS....I am trying hard to reward points....but what do I click on after selecting "Helpful answer" in the left margin. I miss a "Submit" or "Update" button.

      Thanks, but don't bother : I don't care for points...

      Regards,

      Olivier