Calling WebServices from ABAP via HTTPS/SSL with pfx certificates
Introduction
The reason I write this blog is because it´s difficult to find information about this topic. I want to give an overview how to create a SSL connection in ABAP with a *.pfx certificate.
The main steps of calling a web service from abap via https are good described in Thomas Jung´s blog which can be found under https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1645
6 steps to success
- install the latest sapcryptolib and sapseculib
- configure the parameters and define the https service
- convert the *.pfx into a PSE with sapgenpse
- create a client PSE and load the created PSE into STRUST
- restart the ICM services to load the new PSE file
- create the RFC connection
1. Install the latest sapcryptolib and sapseculib
How to download and install these libraries is described in note 662340.
2. Configure the parameters and define the https service
The following parameters in your instance profile must be set to use the SAP Cryptographic Library:
| icm/server_port_2 | PROT=HTTPS,PORT=443,TIMEOUT=1800,EXTBIND=1 |
| ssl/ssl_lib | /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o |
| sec/libsapsecu | /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o |
| ssf/ssfapi_lib | /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o |
| ssf/name | SAPSECULIB |
Which port you´ll choose is your decision. Standard port for HTTPS is 443. The paths must point to your libsapcrypto.o.
3. Convert the *.pfx into a PSE with sapgenpse
Upload the *.pfx to your application server. Go to your exe directory with command shell and generate into PSE with sapgenpse:
The password can also set in the command with option -z. You can let the PIN empty.
4. Create a client PSE and load the created PSE into STRUST
You can create additional SSL client PSEs in transaction STRUST, using
the menu item “Environment ==> SSL Client Identities”.
In this case I called the PSE “HTTPS”.
The next step is a little bit tricky. Download the PSE file from your sec directory to your workstation. Than go on ABAP site to transaction STRUST. If you look around you´ll find the import option under PSE -> Import . This option is not the right one. This was my why the connection didn´t work at my tests. According to SAP support it´s a historic reason 😉
Choose File -> select your PSE on your workstation; than click on PSE -> Save as… -> SSL Client -> choose your new created client PSE
If you want to use a pfx certificate you also need a CA root. Upload your root.cer from your workstation and click on “Add to Certificate List”. Save your setting. Now you have successfully integrated your certificates.
5. Restarted the ICM services to load the new PSE file
This is also a little bit tricky; every time you change something in STUST on the PSE files you must restart the ICM.
Go to transaction SMICM and restart the services via “Exit Soft”.
6. Create the RFC connection
Set connection type to G and enter your address and path.
Set SSL to active and select your client certificate from the list.
Don´t forget to set your proxy settings! Be sure that the application server could establish a connection to the external server.
Note
Be careful with the names in the certificate. They mustn´t include special characters like ö,ü,ä. You will get an error like this:
A few days ago I´ve got another error while refreshing a certificate:
ERROR: Incomplete certification path — NEED certificate of “Root-CA”!
Error while creating the PSE
In newer releases you have to provide (option -r <root-CA.cer>) also the root-CA while you create the PSE:
Creating PSE with option -r
References
- Note 662340 – SSF Encryption Using the SAPCryptolib
- Note 397175 – SAP Cryptographic Software – Export control
- Import SNC-PSE
- Thomas Jung´s Blog – Calling WebServices from ABAP via HTTPS
Closing
At least I hope I could collect the knowledge you need for setting up a SSL connection with *.pfx certificates and avoid a lot of mistakes you can made while setting up this connection.
great blog, this was very helpful to setup an additional client certificate on the ABAP stack for the first time!
cheers
Marc
great blog. I tried to configure my system as you suggest: I've converted the *.p12 into a PSE with sapgense and I've created the RFC connection. But when I test the connection the result is ICM_HTTP_SSL_ERROR.
In the ICM monitor these are the message:
[Thr 11] Thu May 26 16:02:57 2011
[Thr 11] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 11] session uses PSE file "/usr/sap/SV5/DVEBMGS10/sec/SAPSSLHTTPS1.pse"
[Thr 11] SecudeSSL_SessionStart: SSL_connect() failed
secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"
[Thr 11] >> Begin of Secude-SSL Errorstack >>
[Thr 11] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer
WARNING in ssl3_output_cert_chain: (12354/0x3042) No hierarchy certificate in FCPath
WARNING in reduce_FCPath_by_Issuer: (12354/0x3042) No hierarchy certificate in FCPath
[Thr 11] << End of Secude-SSL Errorstack
[Thr 11] SSL_get_state() returned 0x000021d0 "SSLv3 read finished A"
[Thr 11] Server's List of trusted CA DNames (from cert-request message):
[Thr 11] #1 certificate
[Thr 11] #2 certificate
[Thr 11] SSL NI-sock: local=ip peer=ip2
[Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=6000000000652010)==SSSLERR_SSL_CONNECT
[Thr 11] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {0001007f} [icxxconn_mt.c 2012]
Any suggestion?
Norberto
there are many reasons for an error during the handshake.
1) First of all test if the certificate works in the browser
2) set the trace level for the ICM to a higher level and reproduce the issue
3) check if any other factors can have influence to your connection like firewalls, proxies, ACL´s etc. and check their logs
4) Have you created the PSE via the root CA?
Cheers,
Jens
thanks for your reply.
I've installed the certificates on my PC to connect to the server to download the wsdl to generate the proxy client and they works.
The certificate path of the serivice contains 3 certificates:
1.Informatica Trentina S.p.A. Certification
Service
2. Informatica Trentina S.p.A. Certification
Service
3.ws-s.firma.intra.infotn.it
The third one is the host of the service.
I downloaded the second certificate in a file *.cer and I generated the pse with the command:
sapgenpse import_p12 -v -z<pw > -r file.cer -p file.pse file.p12
After these operation I created the client PSE as SSL Client, I create th RFC and I test it, but I've got the error message.
Best regards,
Norberto.
problem solved, I applyed the note 1115328, now it works,
great blog Jens.
Norberto.
Hello Jens,
I have configured the destination as you suggested. The private key is imported in STRUST and the destination test results in "you are being logged on". However when I am calling from code after create_by_destination, I also need to append the query parameters. I am using following
CALL METHOD lo_client->request->set_header_field
EXPORTING
name = '~request_uri'
value = lv_request_url.
where lv_request_url points to the https:// URL that I need to call. However after send and receive as well, I receive the same response "you are being logged on". Could you please help us in getting this corrected?
Regards,
Priyanka
Hi Jens,
I have tried to perform the steps but while uploading the PSE from File the save as option is not coming .
Please suggest shall I import it from PSE-->Import option.
Hi,
I confused...Step 3. As i understood, you got this sert from third party site? Right?
Hi Jens,
Thank you for sharing this article, it was very useful for me. I was able to follow the steps, and now I can call WS signing them using a certificate.
Now I have a doubt: When the certificate becomes invalid due to the expiring date, should I need to recreate the PSE again, or can I upload the renewed certificate to the existing PSE?
Thank you in advance