Skip to Content
avatar image
Former Member

HTTPS With Client Authentication

Hi,

I've created a simple Web Service in PI 7.11 SP 4 when trying to connect to the Web Service from Soap UI I get the following error:

java.security.AccessControlException: client certificate required

In the the transaction scim the following can be seen:

[Thr 5061] <<- SapSSLSessionInit()==SAP_O_K

[Thr 5061] in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"

[Thr 5061] out: sssl_hdl = 1117534b0

[Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K

[Thr 5061] in: sssl_hdl = 1117534b0

[Thr 5061] in: cred_hdl = 116cfc110

[Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE

[Thr 5061] SSL NI-sock: local=XX.XX.XX.XX:50001 peer=XX.XX.XX.XX:2310

[Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K

[Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K

[Thr 5061] status = "resumed SSL session, NO client cert"

The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.

Sender Communication Channel,

Transport Protocol: HTTP,

Message Protocol: Soap 1.1,

Adapter Engine: Central Adepter Engine,

HTTPS with Client Authentication,

Keep Headers

Any ideas?

Kind regards,

John

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Mar 10, 2011 at 03:05 PM

    Questions: Do you have trusted root node certificate imported in netweaver PI keystore? Your PI server should have trusted root node certificate and similar trusted client certificate should come from external system or client (SOAP UI) which consume web service of PI server. If both happens then only we can able to communicate via HTTPS client authentication.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hi Baskar,

      Both the root CA and the clients certificate are installed in the trust store.

      The CA and the Client certs are just for test purposes and were created in house.

      John

  • avatar image
    Former Member
    Dec 24, 2012 at 10:12 AM

    Hi John,

    Have you managed to solve the problem? Our configuration is PI 7.31 Process Orchestration, but it looks as if we have the same problem.

    Could you please let me know if you have found the solution? Thanks.

    Ihar.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hi Peter,

      If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.

      It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.

      All the best,

      John