Skip to Content

ABAP SE37 Web Service and x.509 certificate

ECC 7.01 EPH 1

I have created a Web Service from an ABAP function module. I then created a service using SOAMANAGER and have configued it and tested it using Web Navigator. This WS uses no auththentication or username/password. It also works being consumed from a non-SAP server/application

I want to have another non-SAP server and application use this WS. Currently the non-SAP can consume it passing the user/password.

I now want to have the WS consumed using x.509 certs.

I have tried multiple methods with no success.

On the server I have imported using STRUSTS

Maintain the serveru2019s SSL server PSE.

Use the trust manager (transaction STRUST) and import the issuing CAu2019s root certificate into this PSEu2019s certificate list.

Created Web Service communication user, technical type with security roles --> zwebserviceuser

Cretaed entries in table USREXTID using transaction SM30, view VUSREXTID

external type = DN

imported non-SAP server cert into external id

user = zwebserviceuser


Tthe ICM to request a client X.509 certificate. (check icm/HTTPS/verify_client profile parameter) was alreday configued

I choose tha appropriate security profile for your ABAP web service --> security HIGH

I choose in SOAMANAGER http authentication and x.509 certificate

The NON-SAP Server/application is calling the SAP WEBservice and sends the "certificate"

The RunTime error is

The request failed with HTTP status 401: Unauthorized.

Any Help would be appreciated

thank you,


Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Oct 26, 2009 at 11:56 PM


    I don't know if you have already tried this but there are different trace levels in ICM. You can set it up in SMICM -> Goto -> Trace Level. So try again but with the highest trace level. With high trace level you will get detailed info about connection. I used it to debug different problem but it helped a lot.


    Add comment
    10|10000 characters needed characters exceeded

  • Oct 29, 2009 at 03:39 PM

    Take a kind look on SAP note 495911 to analyse ABAP logon errors.

    Most likely you have forgotten to add the root certificate of the CA which has issued the SSL client certificate (of the WS consumer) to the certificate list of the SSL server PSE (of the NWAS ABAP, acting as WS provider). In that case the SSL handshake will be incomplete: the SSL client certificate will not be requested by NWAS ABAP and thus no SSL client certificate will be send by the WS consumer. That's why no credentials are there resulting in the 401 error.

    Add comment
    10|10000 characters needed characters exceeded