Calling WebServices from ABAP via HTTPS/SSL with pfx certificates
I am writing this blog because it's difficult to find information about this topic. I want to give an overview of how to create an SSL connection in ABAP with a *.pfx certificate.
The main steps of calling a web service from ABAP via HTTPS are well described in Thomas Jung's blog, which can be found at https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1645
6 steps to success
- install the latest sapcryptolib and sapseculib
- configure the parameters and define the https service
- convert the *.pfx into a PSE with sapgenpse
- create a client PSE and load the created PSE into STRUST
- restart the ICM services to load the new PSE file
- create the RFC connection
1. Install the latest sapcryptolib and sapseculib
How to download and install these libraries is described in note 662340.
2. Configure the parameters and define the https service
The following parameters in your instance profile must be set to use the SAP Cryptographic Library:
Which port you choose is your decision; the standard port for HTTPS is 443. The paths must point to your libsapcrypto.o.
3. Convert the *.pfx into a PSE with sapgenpse
Upload the *.pfx to your application server. Go to your exe directory in a command shell and generate the PSE with sapgenpse:
The password can also be set in the command with option -z. You can leave the PIN empty.
4. Create a client PSE and load the created PSE into STRUST
You can create additional SSL client PSEs in transaction STRUST, using the menu item “Environment ==> SSL Client Identities”.
In this case I called the PSE “HTTPS”.
The next step is a little bit tricky. Download the PSE file from your sec directory to your workstation. Then, on the ABAP side, go to transaction STRUST. If you look around you'll find the import option under PSE -> Import. This option is not the right one. This was why the connection didn't work in my tests. According to SAP support there is a historical reason for it 😉
Choose File -> select your PSE on your workstation; then click on PSE -> Save as… -> SSL Client -> choose your newly created client PSE.
If you want to use a pfx certificate you also need a CA root. Upload your root.cer from your workstation and click on “Add to Certificate List”. Save your settings. Now you have successfully integrated your certificates.
5. Restart the ICM services to load the new PSE file
This is also a little bit tricky: every time you change something on the PSE files in STRUST, you must restart the ICM.
Go to transaction SMICM and restart the services via “Exit Soft”.
6. Create the RFC connection
Set connection type to G and enter your address and path.
Set SSL to active and select your client certificate from the list.
Don't forget to set your proxy settings! Make sure that the application server can establish a connection to the external server.
Be careful with the names in the certificate. They must not include special characters such as ö, ü, ä; otherwise you will get an error like this:
A few days ago I got another error while refreshing a certificate:
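To check from ABAP that the destination, the client PSE and the proxy settings work together, a small test report can open the destination and print either the HTTP status or the last connection error. This is an added example, not code from the original post; the report name and the destination name ZHTTPS_DEST are hypothetical.

```abap
REPORT zhttps_dest_check.

* Assumption: ZHTTPS_DEST is a hypothetical name for the type G
* destination from step 6 (SSL active, client PSE "HTTPS" selected).
CONSTANTS gc_dest TYPE rfcdest VALUE 'ZHTTPS_DEST'.

DATA: go_client TYPE REF TO if_http_client,
      gv_code   TYPE sysubrc,
      gv_msg    TYPE string,
      gv_status TYPE i,
      gv_reason TYPE string.

START-OF-SELECTION.
* Host, path, proxy and SSL client identity are all read from SM59.
  cl_http_client=>create_by_destination(
    EXPORTING
      destination              = gc_dest
    IMPORTING
      client                   = go_client
    EXCEPTIONS
      argument_not_found       = 1
      destination_not_found    = 2
      destination_no_authority = 3
      plugin_not_active        = 4
      internal_error           = 5
      OTHERS                   = 6 ).
  IF sy-subrc <> 0.
    WRITE: / 'Destination could not be opened, sy-subrc =', sy-subrc.
    RETURN.
  ENDIF.

  go_client->request->set_method( if_http_request=>co_request_method_get ).

* The connection is only opened here, so certificate and proxy
* problems surface as a failed send or receive.
  go_client->send( EXCEPTIONS OTHERS = 1 ).
  IF sy-subrc = 0.
    go_client->receive( EXCEPTIONS OTHERS = 1 ).
  ENDIF.

  IF sy-subrc <> 0.
    go_client->get_last_error( IMPORTING code = gv_code message = gv_msg ).
    WRITE: / 'HTTPS call failed:', gv_code, gv_msg.
  ELSE.
    go_client->response->get_status( IMPORTING code = gv_status reason = gv_reason ).
    WRITE: / 'HTTP status:', gv_status, gv_reason.
  ENDIF.

  go_client->close( EXCEPTIONS OTHERS = 1 ).
```

If the call fails, the ICM trace in transaction SMICM contains the details behind the error text returned here.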
ERROR: Incomplete certification path — NEED certificate of “Root-CA”!
Error while creating the PSE
In newer releases you also have to provide the root CA (option -r <root-CA.cer>) when you create the PSE:
Creating PSE with option -r
- Note 662340 – SSF Encryption Using the SAPCryptolib
- Note 397175 – SAP Cryptographic Software – Export control
- Import SNC-PSE
- Thomas Jung´s Blog – Calling WebServices from ABAP via HTTPS
Finally, I hope I have collected the knowledge you need to set up an SSL connection with *.pfx certificates and to avoid a lot of the mistakes you can make while setting up this connection.