Gregor Wolf

Authenticate from PHP to a Web Service using X.509 Certificates

It’s always a bad idea to save a username and password in PHP scripts. Sometimes it is required, e.g. for the logon data to a SAP Web AS when using a Web Service. But there is an alternative: authentication with X.509 certificates.


Create and Test Function Module

Let’s just create an RFC-enabled Function Module called ZTEST which will be made available as a Web Service.

Here is the Source:

FUNCTION z_hello.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(NAME) TYPE  NAME_FIRST OPTIONAL
*"  EXPORTING
*"     VALUE(GREETING) TYPE  BU_TITLE_LET
*"----------------------------------------------------------------------

  CONCATENATE 'Hello' name ', you are logged in as ' sy-uname
    INTO greeting SEPARATED BY space.

ENDFUNCTION.

When you test the Module the Result should be:

Create Web Service from RFC enabled Function Module

Thomas Jung described the creation of Web Services with Web AS 6.40 in detail in “Develop a Web Service that sends an Email – in ABAP, Netweaver 04S” and “Develop a Web Service that sends an Email – in ABAP”. But there are some differences you should take care of. First, start in SE80 by creating the Web Service:

I named my Virtual Interface like the Function Module “Z_HELLO”. Please note that I’ve checked “Name Mapping”.

Choose the Function Module:

To use X.509 Authentication we have to use the “Secure SOAP Profile”:

Prepare Private Key and Certificate

From the PSE I created in the blog “Setup data encryption between RFC Client and Web AS ABAP with SNC” I now create a p12 file which contains the private key and certificate in binary form. You have to provide an encryption password.

# /usr/sap/IDS/SYS/exe/run/sapgenpse export_p12 -p RFC.pse RFC.p12
Please enter PKCS#12 encryption password: ******
For verification, please reenter password: ******

With openssl the p12 file can be converted into a Base64-encoded (PEM) file containing the private key and certificate. This format can be used by curl. You have to provide the password set before (the import password) and also a new password (the PEM pass phrase) that protects the private key in the new file:

$ openssl pkcs12 -in ~/RFC.p12 -out RFC.crt
Enter Import Password: ******
MAC verified OK
Enter PEM pass phrase: ******
Verifying - Enter PEM pass phrase: ******

I’ve placed the file in “/etc/ssl” so that it is not accessible from the Internet.
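The conversion above as a repeatable script, added here as an example (it is not part of the original post): it reads both passwords from environment variables instead of a prompt, keeps the PEM file readable by its owner only, checks that certificate and private key belong together, and prints the subject DN, which is the value mapped to an ABAP user in the next section. The function name p12_to_pem and the variables P12_PASS and PEM_PASS are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumed names: p12_to_pem, P12_PASS (PKCS#12 import password) and
# PEM_PASS (new PEM pass phrase). Both variables must be exported.

# Usage: p12_to_pem RFC.p12 RFC.crt
p12_to_pem() {
    p12=$1
    pem=$2
    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 1; }
    if [ -z "${P12_PASS:-}" ] || [ -z "${PEM_PASS:-}" ]; then
        echo "export P12_PASS and PEM_PASS first" >&2
        return 1
    fi

    # Create the PEM file with mode 0600 from the start (umask in a subshell
    # so the caller's umask is untouched). env: keeps the passwords out of
    # the command line and therefore out of the process list.
    rm -f "$pem"
    if ! ( umask 077
           openssl pkcs12 -in "$p12" -out "$pem" \
               -passin env:P12_PASS -passout env:PEM_PASS ); then
        echo "conversion failed" >&2
        rm -f "$pem"
        return 1
    fi
    chmod 600 "$pem"

    # The certificate's public key must equal the one derived from the
    # private key, otherwise the client cannot prove it owns the certificate.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$pem" -passin env:PEM_PASS -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2
        return 1
    fi

    # Stop here if the certificate has already expired.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired" >&2
        return 1
    fi

    # Subject DN, to compare with the entry maintained in VUSREXTID.
    openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//'
}
```

The value of PEM_PASS is the password the PHP client later passes as CURLOPT_SSLCERTPASSWD.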

Map X.509 Certificate to User

In the blog “Setup data encryption between RFC Client and Web AS ABAP with SNC” I’ve already described how to map an X.509 Certificate to a User. You have to maintain the View VUSREXTID. Via this View you can set up a mapping between the Distinguished Name provided by an X.509 Certificate and an ABAP User. Start Transaction SM30, enter VUSREXTID and click Maintain. Choose DN for the External ID type:

Create a new entry and don’t forget to activate it:

PHP Client

Now we are ready to implement the PHP Client. I’ve added many comments to the source. Note that the only password provided is the Password to decrypt the Private Key.

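<?php
// NOTE: the first lines of the original listing are missing on this page.
// The three statements below are an assumed reconstruction based on the
// PEAR SOAP calls that follow; the WSDL URL is a placeholder.
require_once 'SOAP/Client.php';
$wsdl = new SOAP_WSDL('https://<host>:<port>/<path-to-wsdl>');
$proxy = $wsdl->getProxy();

// Set Session Options
$proxy->setOpt('curl', CURLOPT_VERBOSE, 1);
// Verify the server certificate against the CA certificate
$proxy->setOpt('curl', CURLOPT_SSL_VERIFYPEER, 1);
$proxy->setOpt('curl', CURLOPT_CAINFO, "/etc/ssl/CAcert-root.crt");
// Client certificate with private key (PEM) and the password to decrypt the key
$proxy->setOpt('curl', CURLOPT_SSLCERT, "/etc/ssl/RFC.crt");
$proxy->setOpt('curl', CURLOPT_SSLCERTPASSWD, "sapsdn");
$proxy->setOpt('curl', CURLOPT_TIMEOUT, 120);

// Set namespace option
$options = array('namespace' => $wsdl->namespaces['tns']);

// Set Call parameter
$params = array(
    'Name' => 'Gregor',
);

// Call Web Service
$return = $proxy->call("ZHello", $params, $options);

print $return;
?>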

Call this script in your Web Browser and you should get this result:

That’s all folks. If you have problems with the authentication, then look at the log file dev_icm located in the work directory of your ABAP server:

tail -f /usr/sap/IDS/DVEBMGS00/work/dev_icm
