cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Why HTTP is redirected to HTTPS even if web service is without security?

isathore
Product and Topic Expert
Product and Topic Expert

on ‎01-18-2011 7:12 PM

0 Kudos

Dear experts,

I have generated a web service from SOAMANAGER, based on FM. The service is configured with the following:

- Security to none

- Transport protocol to HTTP

- No authentication method

- No ABAP service user/password

- Transport security to none

The WDSL is with HTTP but redirected to HTTPS and requires a certificate to be executed. I was expecting that there would be no redirection and that a certificate would not be requested.

Reading on ICM (Internet Communication Manager)[http://help.sap.com], ([http://help.sap.com/saphelp_nw04s/helpdata/en/00/040f3a39ce8704e10000000a114084/frameset.htm]), it seems that the HTTP redirection to HTTPS is configured in ICM.

My questions are:

- Is it normal that HTTP is redirected to HTTPS?

- Is ICM the reference and wins over the web service configuration in SOAMANAGER?

- How are ICM and SOAMANAGER related then?

- Why is a certificate required if the web service has not security set whatsoever?

Thanks a lot for any hints or links to documents that would help understand.

Best Regards

Isabelle

Edited by: Isabelle Thore on Jan 18, 2011 8:49 PM

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
‎01-19-2011 8:11 AM
0 Kudos

Hi Isabelle,

 
Is it normal that HTTP is redirected to HTTPS?

In my experience, it isn't normal but it happens if the ICM profile parameter 'icm/HTTP/redirect_0' is configured to specifically do that. 

Is ICM the reference and wins over the web service configuration in SOAMANAGER?

Just an educated guess here, the ICM configuration should take precedence over the SOAMANAGER configuration as the ICM config is applicable to the entire application server not just specific web services.

How are ICM and SOAMANAGER related then?

Following on from the comment above, to me it makes no sense to enable both http & http communication for the app server in the ICM & then have a redirect to https for http. This would then negate any http type config done in SOAMANAGER. If you don't want plain http communication then disable http in the ICM & only leave https enabled.

 Why is a certificate required if the web service has not security set whatsoever?

There is another ICM profile parameter that is relevant in this case because of the HTTPS redirect, it's called 'icm/HTTPS/verify_client'. Possible values are 0, 1 & 2 with different pre-requisites, read more about it here:

[http://help.sap.com/saphelp_nw04s/helpdata/en/0d/88153a1a5b4c2de10000000a114084/content.htm]

Regards, Trevor

Show replies
Show replies
Ask a Question