Skip to Content

Introduction

The reason I write this blog is because it´s difficult to find information about this topic. I want to give an overview how to create a SSL connection in ABAP with a *.pfx certificate.
The main steps of calling a web service from abap via https are good described in Thomas Jung´s blog which can be found under https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1645

6 steps to success

  • install the latest sapcryptolib and sapseculib
  • configure the parameters and define the https service
  • convert the *.pfx into a PSE with sapgenpse
  • create a client PSE and load the created PSE into STRUST
  • restart the ICM services to load the new PSE file
  • create the RFC connection

1. Install the latest sapcryptolib and sapseculib

How to download and install these libraries is described in note 662340.

2. Configure the parameters and define the https service

The following parameters in your instance profile must be set to use the SAP Cryptographic Library:

icm/server_port_2 PROT=HTTPS,PORT=443,TIMEOUT=1800,EXTBIND=1 
ssl/ssl_lib /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
sec/libsapsecu /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
ssf/ssfapi_lib /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
ssf/name SAPSECULIB

Which port you´ll choose is your decision. Standard port for HTTPS is 443. The paths must point to your libsapcrypto.o.

3. Convert the *.pfx into a PSE with sapgenpse

Upload the *.pfx to your application server. Go to your exe directory with command shell and generate into PSE with sapgenpse:

/wp-content/uploads/2008/10/sapgenpse_121988.png

The password can also set in the command with option -z. You can let the PIN empty.

4. Create a client PSE and load the created PSE into STRUST

You can create additional SSL client PSEs in transaction STRUST, using
the menu item “Environment ==> SSL Client Identities”.

/wp-content/uploads/2008/10/create_client_pse_121989.png

In this case I called the PSE “HTTPS”.

The next step is a little bit tricky. Download the PSE file from your sec directory to your workstation. Than go on ABAP site to transaction STRUST. If you look around you´ll find the import option under PSE -> Import . This option is not the right one. This was my why the connection didn´t work at my tests. According to SAP support it´s a historic reason 😉

Choose File -> select your PSE on your workstation; than click on PSE -> Save as… -> SSL Client -> choose your new created client PSE 

/wp-content/uploads/2008/10/strust_save_pse_121990.png

Import_certificate.PNG

If you want to use a pfx certificate you also need a CA root. Upload your root.cer from your workstation and click on “Add to Certificate List”. Save your setting. Now you have successfully integrated your certificates.

5. Restarted the ICM services to load the new PSE file

This is also a little bit tricky; every time you change something in STUST on the PSE files you must restart the ICM.

/wp-content/uploads/2008/10/restart_icm_services_121992.png

Go to transaction SMICM and restart the services via “Exit Soft”.

6. Create the RFC connection

RFC_1.png

Set connection type to G and enter your address and path.

RFC_2.png

Set SSL to active and select your client certificate from the list.

Don´t forget to set your proxy settings! Be sure that the application server could establish a connection to the external server.

Note

Be careful with the names in the certificate. They mustn´t include special characters like ö,ü,ä. You will get an error like this:

/wp-content/uploads/2008/10/umlaute_121995.png

A few days ago I´ve got  another error while refreshing a certificate:

ERROR: Incomplete certification path — NEED certificate of “Root-CA”!

/wp-content/uploads/2008/10/sapgenpse1_121996.png

sapgenpse2.PNG

Error while creating the PSE

In newer releases you have to provide (option -r <root-CA.cer>) also the root-CA while you create the PSE:

sapgenpse1_1_new_edit.PNG

sapgenpse2_new.PNG
Creating PSE with option -r

References

Closing

At least I hope I could collect the knowledge you need for setting up a SSL connection with *.pfx certificates and avoid a lot of mistakes you can made while setting up this connection.

To report this post you need to login first.

9 Comments

You must be Logged on to comment or reply to a post.

  1. Michael Jones
    This post is awesome. We’ve found difficult to install a pfx certificate until we read it. Now we have https in our system working properly 😉
    (0) 
  2. Marc Arnold
    Hi Jens,
    great blog, this was very helpful to setup an additional client certificate on the ABAP stack for the first time!
    cheers
    Marc
    (0) 
  3. Norberto Moser
    Hi Jens,
    great blog. I tried to configure my system as you suggest: I’ve converted the *.p12 into a PSE with sapgense and I’ve created the RFC connection. But when I test the connection the result is ICM_HTTP_SSL_ERROR.

    In the ICM monitor these are the message:
    [Thr 11] Thu May 26 16:02:57 2011
    [Thr 11] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
    [Thr 11] session uses PSE file “/usr/sap/SV5/DVEBMGS10/sec/SAPSSLHTTPS1.pse”
    [Thr 11] SecudeSSL_SessionStart: SSL_connect() failed
    secude_error 536875072 (0x20001040) = “received a fatal SSLv3 handshake failure alert message from the peer”
    [Thr 11] >> Begin of Secude-SSL Errorstack >>
    [Thr 11] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer
    WARNING in ssl3_output_cert_chain: (12354/0x3042) No hierarchy certificate in FCPath
    WARNING in reduce_FCPath_by_Issuer: (12354/0x3042) No hierarchy certificate in FCPath
    [Thr 11] << End of Secude-SSL Errorstack
    [Thr 11] SSL_get_state() returned 0x000021d0 “SSLv3 read finished A”
    [Thr 11] Server’s List of trusted CA DNames (from cert-request message):
    [Thr 11] #1 certificate
    [Thr 11] #2 certificate
    [Thr 11] SSL NI-sock: local=ip peer=ip2
    [Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=6000000000652010)==SSSLERR_SSL_CONNECT
    [Thr 11] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {0001007f} [icxxconn_mt.c 2012]

    Any suggestion?

    Norberto

    (0) 
    1. Jens Gleichmann Post author
      Hi Norberto,

      there are many reasons for an error during the handshake.
      1) First of all test if the certificate works in the browser
      2) set the trace level for the ICM to a higher level and reproduce the issue
      3) check if any other factors can have influence to your connection like firewalls, proxies, ACL´s etc. and check their logs
      4) Have you created the PSE via the root CA?

      Cheers,
      Jens

      (0) 
      1. Norberto Moser
        Hi Jens,
        thanks for your reply.
        I’ve installed the certificates on my PC to connect to the server to download the wsdl to generate the proxy client and they works.
        The certificate path of the serivice contains 3 certificates:
        1.Informatica Trentina S.p.A. Certification
          Service
           2. Informatica Trentina S.p.A. Certification
              Service
              3.ws-s.firma.intra.infotn.it
        The third one is the host of the service.

        I downloaded the second certificate in a file *.cer and I generated the pse with the command:
        sapgenpse import_p12 -v -z<pw > -r file.cer -p file.pse file.p12

        After these operation I created the client PSE as SSL Client, I create th RFC and I test it, but I’ve got the error message.

        Best regards,
        Norberto.

        (0) 
  4. Priyanka Porwal

    Hello Jens,

    I have configured the destination as you suggested. The private key is imported in STRUST and the destination test results in “you are being logged on”. However when I am calling from code after create_by_destination, I also need to append the query parameters. I am using following

     

        CALL METHOD lo_client->request->set_header_field
        EXPORTING
          name  = ‘~request_uri’
          value = lv_request_url.

     

    where lv_request_url points to the https:// URL that I need to call. However after send and receive as well, I receive the same response “you are being logged on”. Could you please help us in getting this corrected?

    Regards,

    Priyanka

    (0) 
  5. Pardeep Yadav

    Hi Jens,

     

    I have tried to perform the steps but while uploading the PSE from File the save as option is not coming .

     

    Please suggest shall I import it from PSE–>Import option.

    (0) 

Leave a Reply