SOAP Sender – HTTPS Certificate Based Authentication

This post explains how to set up certificate-based authentication for the SOAP sender adapter in SAP PI. It can be read as a continuation of ‘How to use Client Authentication with SOAP Adapter’ by Rahul Nawale, and focuses on the step-by-step procedure for enabling certificate-based authentication for a party using the SOAP adapter in SAP PI.

Entities Involved:
  • SAP PI 7.1;
  • SOAP Sender Adapter;
  • SAP User Management;
  • SAP NetWeaver Administrator;
Key Words & Extensions:
  • .crt/.cer (X.509 certificate extensions), NWA (NetWeaver Administrator), CA (Certifying Authority)
Assumptions:
  • Understanding of SSL connectivity;
  • Configuration of the web service & WSDL generation is already completed;
  • Private Key enabled certificate loaded into sending party’s key store & linked to your scenario;
  • Public Key enabled certificate shared with PI consultant;
  • Able to handle SAP PI Key Store Manager safely;
  • Able to handle SAP PI NWA safely;
  • A service user is already created & available for testing the scenario;
  • Firewalls are opened between source & PI systems;
Introduction:

There are 4 sections in implementing this scenario.

Section-1: Key pair generation & obtaining public key certificate for loading into SAP PI;
Section-2: Creation of service user account in SAP PI;
Section-3: User mapping of the public key certificate on the service user;
Section-4: Configuring the SOAP sender channel to handle SOAP request & response messages;

Procedure:
Section-1:
  • Generate key pair.
  • Load private key certificate to sender key store.
  • Request & receive the public key enabled certificate from the publisher along with root certificates. (Sender, in my case Siebel)
Section-2:

A new service user account needs to be created in SAP PI.
Not sure how to create one? Refer to Section 2 HERE.

Section-3:

Open the SAP PI NetWeaver Administrator. (http://hostname:port/nwa)
Navigate to ‘Identity Management’ as in the enclosed screen:

Identity Management - View2

Map the public key enabled certificate (as provided by your sender) to the newly created service user as shown in the enclosed screen:

Identity Management - View1

To import the certificate, click ‘Modify’, select the certificate & click ‘Upload’ in the screen shown below:

Upload Screen

The ‘CA certificate’ should be extracted from the public key enabled certificate & loaded into ‘Trusted CAs’ of the Java key store in NWA & also via the ‘STRUST’ transaction code on the ABAP stack. This task is mandatory.
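
Before loading anything into ‘Trusted CAs’ or STRUST, it is worth confirming that the CA certificate really is the issuer of the sender's certificate and that the sender's private key belongs to it. The script below is an added example, not part of the original blog; it uses the OpenSSL command line, and every file name and subject name in it (Demo Root CA, siebel-sender, Other CA) is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: checks to run on the sender's certificate before the NWA upload.
# File names and subject names are constructed for this demo.
set -eu

# Build constructed sample data: a CA, a sender certificate it signs, and an unrelated CA.
make_sample_pki() {  # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/O=Example/CN=Demo Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=siebel-sender" \
    -keyout "$1/sender.key" -out "$1/sender.csr" 2>/dev/null
  openssl x509 -req -in "$1/sender.csr" -days 30 -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/sender.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/O=Example/CN=Other CA" \
    -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
}

# Print the subject or issuer DN of a certificate.
cert_field() {  # $1 = subject|issuer, $2 = certificate PEM
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# Succeeds only if the CA certificate validates the sender certificate.
chain_ok() {  # $1 = CA PEM, $2 = sender PEM
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if the private key belongs to the certificate.
key_matches() {  # $1 = certificate PEM, $2 = private key PEM
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

work=$(mktemp -d)
make_sample_pki "$work"
echo "sender subject: $(cert_field subject "$work/sender.crt")"
echo "sender issuer : $(cert_field issuer "$work/sender.crt")"
if chain_ok "$work/ca.crt" "$work/sender.crt"; then echo "ca.crt: validates sender.crt"; fi
if ! chain_ok "$work/other.crt" "$work/sender.crt"; then echo "other.crt: does not validate sender.crt"; fi
if key_matches "$work/sender.crt" "$work/sender.key"; then echo "sender.key: matches sender.crt"; fi
rm -rf "$work"
```

To check real material, skip `make_sample_pki` and point `cert_field`, `chain_ok` and `key_matches` at the certificate received from the sender and the CA certificate intended for ‘Trusted CAs’.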

Section-4:

Configure the SOAP sender channel as in the screen below:

SOAP Sender Channel Screen

Conversion parameters are subject to your requirement. In the above graphic, it is configured as required for my scenario.

The HTTPS scenario with client authentication is now set up. Test your interface. If every step above has been followed properly, your scenario must work. Good luck.

Want to test this scenario from your local machine? Check out ‘SOAP UI Tool – SOAP HTTPS Client Authentication’!

Credits: Srikanth Srinivasan, Rene Jaspers

8 Comments
  • Hi Srikanth,

    thanks for the helpful blog. That’s exactly what I was looking for a while.
    Unfortunately I don’t get the tab “Certificate” for the service user as described in section 3. Every other tab is available, but not this one.
    Any idea what could be the reason for that?

    Regards,
    Juergenn

      • In NWA at Configuration Management -> Security -> Authentication I’m using the template ‘client_cert’ for component sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter. This template contains the ClientCertLoginModule with flag ‘SUFFICIENT’.
        That’s what you mean? It doesn’t work with this setting… Any other hints?

        Regards,
        Juergen

          • Hi Srikanth Srinivasan,

            it was my fault, the UME property ‘ume.logon.allow_cert’ wasn’t set TRUE.
            I changed it and get the tab ‘Certificate’ now.
            Thank you again.

            Regards,
            Juergen

          • We have a requirement SOAP sender HTTPS With Client Authentication, or two-way SSL. The SSL Configuration is done at PI level. When I try to connect

            HTTP Security Level : HTTP (SUCCESS)

            HTTP Security Level : HTTP Without Client Authentication (SUCCESS)

            HTTP Security Level : HTTP with client Authentication (ERROR: client certificate required)

            SOAPUI was used for the client service.

            java.security.AccessControlException: client certificate required

            Can you please tell me how to set the client certificate? How did you get success with this?