
I would like to show you how I set up SSL for the Adobe Document Services.

The configuration was done on a NW04s system.

Instead of words let’s begin:

1. First we ensure that the ABAP stack has a certificate that can be used for the communication.

 a. Go to Tr. STRUST:

 b. I created a self-signed “SOAP” client certificate with the help of the menu option:

 c. Environment >> SSL Client Identities.

SSL-Soap

2. We have to assign this certificate to the ADS HTTP destination in Tr. SM59

a. Go to Tr. SM59

b. Choose your ADS destination, then choose the tab ‘Logon & Security’ and activate SSL

c. and choose your freshly created certificate:

SM59 logon

3. Change the target System settings to the SSL Server proxy.

a. Go to Tr. SM59

b. Choose tab: Technical Settings

c. Change the Service No. to the SSL port of the J2EE engine

d. Change the path prefix to:

/AdobeDocumentServicesSec/Config?style=rpc

SM59 Technical settings

4. Copy the certificate to the JAVA host at OS level.

We can download the certificate from Tr. STRUST.

a. Open the certificate and press the export certificate button. Save the certificate in base64 format. I chose the name: ERP_SOAP.cert

b. This certificate has to be copied at OS level to the NW JAVA engine, to a directory that is accessible by the j2ee_admin user. We will need the certificate in the Visual Administrator.

5. Load the certificate into the JAVA engine.

In the Visual Administrator navigate to the Key Storage Service.

a. Create a view with the Name: ‘ADSCerts’.

b. Load the certificate with help of the ‘Load’ button.

After this step, you should have something similar to this: / you will have only 1 certificate /.

Key Storage

c. With the same mechanism, also load this certificate into the TrustedCAs view. / We do not have a CA certificate, as we use a self-signed certificate in this scenario, so the CA cert is the same as the ADSUser’s cert. /

6. Assign the certificate to the ADSUser.

a. Go to the security provider Service.

b. On the tab User management search for the ADSUser. Click change.

c. At Certificates choose Add, and assign the certificate you have just loaded to the ADSCerts view.

d. Click the change again.

7. Set up the SSL provider to request the ADSUser’s certificate

a. Go to the SSL provider Service.

b. Open the HTTPS port of the j2ee engine and go to the tab: Client authentication.

c. Add the certificate we loaded to the TrustedCAs to the list. / Ensure the request client certificate option is selected /. It should look similar to this:

8. Extract the J2EE server’s server certificate.

a. Go to the SSL provider Service.

b. Open the HTTPS port of the j2ee engine and go to the tab: Server Identity. Here you will find the name of the certificate the J2EE server is using as its identification certificate.

c. Go to the Key Storage Service and choose the: service_ssl view.

d. Here choose the certificate you have found in point 8.b.

e. Download this file from the OS of the J2EE engine to your Desktop.

9. Upload the J2EE server identity to STRUST

a. In the ABAP stack go to Tr. STRUST.

b. Choose the certificate you created for the communication.

c. Click on import Certificate >> A dialog opens. Choose the certificate you downloaded to your desktop. / J2EE Server Identity /

d. Click on Add to Certificate list.

e. Go To Tr. SMICM and restart the ICM.

 

 

With these steps the SSL communication from the ABAP to the JAVA side should work.

At least it did for me 😉

In the next part of the journal we set up SSL for the destination service. / JAVA -> ABAP /

17 Comments


  1. Amit Rai
    Hi Dezso,

    Nice blog, we followed all the steps written in your blog and tested the connection by running report “FP_CHECK_DESTINATION_SERVICE”. But we are getting error “Problem in accessing data from destination FP_ICF_DATA_E1S//sap/bc/fp/form/layout/FP_FORM_SECUTIRY_TEST.xdp”

    What could be the possible cause of error?

    Thanks in Advance,
    Amit

    (0) 
    1. Davinderpal Singh
      Check FPADS service and change your Logon Procedure to Standard, also choose SSL under Security Requirement. Deactivate, activate and restart ICM.

      Please update whether this solves the issue or not.

      (0) 
  2. John Weldon

    I tried implementing this blog and I’m still getting the following error.
    [Thr 12] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
    [Thr 12]    session uses PSE file “/usr/sap/DX1/DVEBMGS19/sec/SAPSSLSOAP.pse”
    [Thr 12] SecudeSSL_SessionStart: SSL_connect() failed
      secude_error 9 (0x00000009) = “the verification of the server’s certificate chain failed”
    [Thr 12] >>            Begin of Secude-SSL Errorstack            >>
    [Thr 12] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server’s certificate chain failed
    ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : “CN=hcidx1.hospira.corp, OU=IT, O=Hospira, L=
    ERROR in get_path: (27/0x001b) Found root certificate of <CN=hcidx1.hospira.corp, OU=IT, O=Hospira, L=Lake Forest, SP=Illinois,
    ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=hcidx1.hospira.corp, OU=IT, O=Hospira, L=Lake Forest, SP=Ill
    [Thr 12] <<            End of Secude-SSL Errorstack
    [Thr 12]   SSL_get_state() returned 0x00002131 “SSLv3 read server certificate B”
    [Thr 12]   SSL NI-sock: local=10.23.62.221:37172  peer=10.23.62.221:51901
    [Thr 12] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x105a40150)==SSSLERR_SSL_CONNECT
    [Thr 12] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT

    I’m doing this on a 2004s Netweaver system running both ABAP and JAVA. Is it necessary to set up the SSL layer if the ABAP and JAVA stack are on the same instance?

    (0) 
    1. Davinderpal Singh
      For this error, I believe you need to import the CA Server Root Certificate. Errors say Chain of certificates is incomplete – means your ABAP stack doesn’t know CA Server identification.

      So get Root Certificate from your CA Server and import that in ABAP system – SSL Client pse.

      Good Luck…

      (0) 
  3. Sushil Kumar
    Good Blog!! Very helpful
    Thank You

    Even if I access the portal with SSL can I choose ADS calls not to be SSL? My ADS is running on the portal server itself and the destination is ADS in ECC. For this scenario will it be enough if I do what you have mentioned in this blog or should I also do what you will be publishing in the next?

    (0) 
    1. Dezso Pap Post author
      Hello,

      This can be achieved as follows:
      Visual Administrator -> Server -> Services -> Configuration Adapter
      here:
      Webdynpro -> sap.com -> tc~wd~dispwda -> Propertysheet default ->
      sap.protocolSchemeForADSCall >> custom value: HTTP

      then independently from the portal protocol HTTP will be used for the ADS requests.

      Hopefully new blogs or Wikis will come this year 🙂

      Dezso

      (0) 
      1. Sushil Kumar
        Hello,

        I am aware of this configuration and have applied it too.

        Actually my problem was that when I access the portal through http everything works fine but when I access through https, I can open the PCR Adobe Form but when I change any data on the form and click Review it just spins forever, it doesn’t timeout nor does it show me anything in the ADS trace. My guess is that when the form wants to validate against ECC it either fails or tries forever without timing out.

        Can you please suggest a solution for this.

        To be more specific, in the SecConfig Port configuration, is it a MUST to use X.509 certificates for authentication?

        Thanks for the quick reply

        (0) 
        1. Dezso Pap Post author
          Hello,

          1.
          if you set the mentioned configuration then the Sec ConfigPort is not used at all.
          2.
          This might be related to proxy configuration. Please ensure that there is no proxy that requires authentication between your frontend and the backend server.

          As this is not relating to my blog but to your problem, would you please open a thread in the Interactive Forms forums for further discussion?

          Best regards,
          Dezso

          (0) 
  4. Davinderpal Singh
    Hello,

    Thanks for sharing such useful information which is hardly available anywhere else. We have setup ADS SSL between ABAP and JAVA, would highly appreciate if you can share information on following:

    As part of ADS configuration check, when we test URL https://FQDN:50001/AdobeDocumentServicesSec/Config?style=rpc it gives us an error “This Service requires an unsupported type of authentication”, how can we solve this issue.

    Thanks
    Davinder

    (0) 
    1. Dezso Pap Post author
      Hello,

      the “Sec” port can not be tested directly from a browser. You can test the connection e.g. with report: FP_PDF_TEST_00 from the ABAP stack.

      Kind regards,
      Dezso

      (0) 
      1. Davinderpal Singh
        Hi,

        We have portal and ADS SSL configured on same Java instance which is connecting to backend system. This is part of ESS/MSS setup. As part of ADS SSL, Dispatcher is set to “Request Client Certificate”.

        Now all the users who log in to the portal get a pop-up message for client certificate, which is annoying for end users.

        Is there any way to get rid of this on scenario where we have portal running with ADS SSL

        Thanks
        Davinder

        (0) 
  5. John Ma
    That was a good blog. However, it did not work in our situation. The environment we have is a dual stack ECC6 support stack 12 server. I have followed your procedure thoroughly. However, when I did a test connection from sm59, here’s the error I got:

    [Thr 07] >> ———- Begin of Secude-SSL Errorstack ———- >>
    [Thr 07] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSL
    v3 handshake failure alert message from the peer
    [Thr 07] << ———- End of Secude-SSL Errorstack ———-
    [Thr 07] SSL_get_state() returned 0x00002120 “SSLv3 read server hello A”
    [Thr 07] No certificate request received from Server
    [Thr 07] SSL NI-sock: local=10.100.48.226:41738 peer=10.100.48.226:51201
    [Thr 07] <<- ERROR: SapSSLSessionStart(sssl_hdl=10502f7d0)==SSSLERR_SSL_CONNECT
    [Thr 07] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSS
    LERR_SSL_CONNECT {000100e2} [icxxconn_mt.c 2012]

    Please advise.
    Thanks,
    Jonathan.

    (0) 
  6. Shilpa Chatrath
    cmWatchDogThread: watchdog started
    ** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject not set =>
    ll be removed from header [http_plg_mt. 743]
    SC: created 400 MB disk cache.
    SC: created 50 MB memory cache.
    ttpSubHandlerAdd: Added handler HttpCacheHandler(slot=0, flags=12293) for /:0
    ttpExtractArchive: files from archive /usr/sap/IQE/DVEBMGS01/exe/icmadmin.SAR in directory /usr/sap/IQE/DVEBMGS01/data/icman
    ttpSubHandlerAdd: Added handler HttpAdminHandler(slot=1, flags=4101) for /sap/admin:0
    siInit(): Initializing the Content Scan Interface
    AMD/Intel x86_64 with Linux (mt,unicode,SAP_CHAR/size_t/void* = 16/64/64)
    siInit(): CSA_LIB = “/usr/sap/IQE/DVEBMGS01/exe/libsapcsa.so”
    ttpSubHandlerAdd: Added handler HttpAuthHandler(slot=2, flags=12293) for /:0
    ttpSubHandlerAdd: Added handler HttpSAPR3Handler(slot=3, flags=1052677) for /:0
    tarted service 8001 for protocol HTTP on host “iqe.ggn.com”(on all adapters) (processing timeout=60, keep_alive_timeout=30)
    ================================================
    SSL Initialization on AMD/Intel x86_64 with Linux
    (700_REL,Aug 21 2009,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
    found SAPCRYPTOLIB 5.5.5C pl21 (May 7 2007) MT-safe
    current UserID: “iqeadm”, env-var USER=”iqeadm”
    using SECUDIR=/usr/sap/IQE/DVEBMGS01/sec
    Success SapCryptoLib SSL ready!
    ================================================
    tarted service 8443 for protocol HTTPS on host “iqe.ggn.com”(on all adapters) (processing timeout=60, keep_alive_timeout=30)
    at Apr 17 18:45:46 2010
    cmNetCheck: network check passed without detecting problems
    on Apr 19 09:22:07 2010
    ** WARNING => IcmCheckForBlockedThreads(id=3/5998): forced shutdown of nihdl 27 connected to 172.25.0.85:50101 on blocked SS
    ** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST
    session uses PSE file “/usr/sap/IQE/DVEBMGS01/sec/SAPSSLSOAP.pse”
    o Secude Error present in trace stack!
    SSL_get_state() returned 0x00002120 “SSLv3 read server hello A”
    SSL NI-sock: local=172.25.0.85:8618 peer=172.25.0.87:50101
    <- ERROR: SapSSLSessionStart(sssl_hdl=0xdd0de0)==SSSLERR_SSL_CONNECT
    ** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {0003176e} [icxxconn_mt.c 2012] WARNING => IcmCheckForBlockedThreads(id=3/6005): forced shutdown of nihdl 27 connected to 172.25.0.85:50101 on blocked SS
    ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST
    session uses PSE file “/usr/sap/IQE/DVEBMGS01/sec/SAPSSLSOAP.pse”
    Secude Error present in trace stack!
    SL_get_state() returned 0x00002120 “SSLv3 read server hello A”
    SL NI-sock: local=172.25.0.85:8634 peer=172.25.0.87:50101
    ERROR: SapSSLSessionStart(sssl_hdl=0xe01800)==SSSLERR_SSL_CONNECT
    ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00031775} [icxxconn_mt.c 2012]
    Apr 20 11:45:59 2010
    WARNING => IcmCheckForBlockedThreads(id=2/10118): forced shutdown of nihdl 8 connected to 172.25.0.85:50101 on blocked SS
    ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST
    Secude Error present in trace stack!
    SL_get_state() returned 0x00002120 “SSLv3 read server hello A”
    SL NI-sock: local=172.25.0.85:22754 peer=172.25.0.87:50101
    ERROR: SapSSLSessionStart(sssl_hdl=0x2aaa7074e0)==SSSLERR_SSL_CONNECT
    ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00022786} [icxxconn_mt.c 2012]
    Apr 20 11:47:59 2010
    WARNING => IcmCheckForBlockedThreads(id=3/10125): forced shutdown of nihdl 27 connected to 172.25.0.85:50101 on blocked S
    ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST
    Secude Error present in trace stack!
    SL_get_state() returned 0x00002120 “SSLv3 read server hello A”
    SL NI-sock: local=172.25.0.85:22769 peer=172.25.0.87:50101
    ERROR: SapSSLSessionStart(sssl_hdl=0xdf31d0)==SSSLERR_SSL_CONNECT
    ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {0003278d} [icxxconn_mt.c 2012]
    Apr 21 10:12:20 2010
    WARNING => IcmCheckForBlockedThreads(id=2/13620): forced shutdown of nihdl 8 connected to 172.25.0.85:50101 on blocked SS
    ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST
    o Secude Error present in trace stack!
    SSL_get_state() returned 0x00002120 “SSLv3 read server hello A”
    SSL NI-sock: local=172.25.0.85:34793 peer=172.25.0.87:50101
    <- ERROR: SapSSLSessionStart(sssl_hdl=0x2aaa707530)==SSSLERR_SSL_CONNECT
    ** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00023534} [icxxconn_mt.c 2012]
    ed Apr 21 14:41:15 2010
    ** ERROR => NiBufIConnect: non-buffered connect pending after 5000ms (hdl 8;172.25.0.62:1090) [nibuf.cpp 4611]
    ** WARNING => Connection request from (0/1/0) to host: 172.25.0.62, service: 1090 failed (NIECONN_REFUSED)
    onn_mt.c 2321]
    hu Apr 22 10:27:42 2010
    ** WARNING => IcmCheckForBlockedThreads(id=2/17401): forced shutdown of nihdl 8 connected to 172.25.0.85:50101 on block
    ** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST
    session uses PSE file “/usr/sap/IQE/DVEBMGS01/sec/SAPSSLSOAP.pse”
    o Secude Error present in trace stack!
    SSL_get_state() returned 0x00002120 “SSLv3 read server hello A”
    SSL NI-sock: local=172.25.0.85:47805 peer=172.25.0.87:50101
    <- ERROR: SapSSLSessionStart(sssl_hdl=0x2aaa701db0)==SSSLERR_SSL_CONNECT
    ** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {000243f9} [icxxconn_mt.c 2012]
    Can you guys help me with the mentioned error, as I have spent nights over it 🙁 still same error
    (0) 
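
The three traces posted above stop at different points of the handshake, which narrows down where to look. The following Python triage is an added example, not part of the original post or of any SAP tool: the sample lines are constructed from the excerpts quoted in the comments, and the hints (including the pointer to step 9 for an untrusted server certificate) are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the excerpts in the comments; SID and IPs are placeholders.
SAMPLE_TRACE = """\
[Thr 12]    session uses PSE file "/usr/sap/SID/DVEBMGS00/sec/SAPSSLSOAP.pse"
[Thr 07] WARNING in ssl3_read_bytes: received a fatal SSLv3 handshake failure alert message from the peer
[Thr 12] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
[Thr 12]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 07] SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"
[Thr 12]   SSL NI-sock: local=192.0.2.10:37172  peer=192.0.2.10:50001
[Thr 12] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT
[Thr 07] SSL NI-sock: local=192.0.2.10:41738 peer=192.0.2.10:50001
[Thr 07] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT
"""

# (text to look for, category, where to look next); the hints are assumptions.
RULES = [
    ("certificate chain failed", "server_cert_untrusted",
     "server certificate not trusted by the client PSE: recheck step 9"),
    ("handshake failure alert message from the peer", "peer_aborted",
     "peer refused the handshake: look for the reason on the J2EE side"),
    ("SSL_ERROR_CONNECTION_LOST", "connection_lost",
     "connection dropped mid-handshake: check port and network path"),
]
FIELDS = {"pse": r'PSE file ["“]([^"”]+)', "peer": r"peer=(\S+)",
          "state": r'SSL_get_state\(\) returned \S+ ["“]([^"”]+)'}
END = "IcmConnInitClientSSL: SapSSLSessionStart failed"

def triage(trace):
    """Group lines per ICM thread and summarise every failed SSL session start."""
    blocks, findings = defaultdict(list), []
    for line in trace.splitlines():
        thread = re.match(r"\[Thr (\d+)\]", line)
        key = thread.group(1) if thread else None  # traces without a thread tag share one block
        blocks[key].append(line)
        if END not in line:
            continue
        text = "\n".join(blocks.pop(key))
        hit = next((r for r in RULES if r[0] in text), None)
        finding = {"thread": key, "category": hit[1] if hit else "unclassified",
                   "hint": hit[2] if hit else "no known signature in block"}
        for name, pattern in FIELDS.items():
            match = re.search(pattern, text)
            finding[name] = match.group(1) if match else None
        findings.append(finding)
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_TRACE), sep="\n")
```

The handshake state in each finding shows how far the session got: a failure at "read server certificate B" means the server certificate was received and rejected by the client, while "read server hello A" means the session ended before any certificate was evaluated.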
  7. Susan Haenicke
    First of all, thank you for this excellent blog.  It has helped me a lot in setting up the SSL connection from ECC 6.0 to a stand-alone NW 7.01 Java instance to be used for Adobe.

    Is there any chance of getting the mentioned information about securing the destination service?

    (0) 
