SOAP Sender – HTTPS Certificate Based Authentication
This post explains how to set up certificate-based authentication for the SOAP Sender Adapter in SAP PI. It can be read as a continuation of 'How to use Client Authentication with SOAP Adapter' by Rahul Nawale. It focuses on the step-by-step procedure for enabling certificate-based authentication for a party using the SOAP adapter in SAP PI.
- SAP PI 7.1;
- SOAP Sender Adapter;
- SAP User Management;
- SAP NetWeaver Administrator;
Key Words & Extensions:
- .crt/.cer (X.509 certificate extensions), NWA (NetWeaver Administrator), CA (Certifying Authority)
- Understanding of SSL connectivity;
- Configuration of the web service & WSDL generation is already completed;
- Private Key enabled certificate loaded into sending party’s key store & linked to your scenario;
- Public Key enabled certificate shared with PI consultant;
- Able to handle SAP PI Key Store Manager safely;
- Able to handle SAP PI NWA safely;
- A service user is already created & available for testing the scenario;
- Firewalls are opened between source & PI systems;
There are 4 sections in implementing this scenario.
Section-1: Key pair generation & obtaining public key certificate for loading into SAP PI;
Section-2: Creation of service user account in SAP PI;
Section-3: User mapping of the public key certificate on the service user;
Section-4: Configuring the SOAP sender channel to handle SOAP request & response messages;
- Generate key pair.
- Load private key certificate to sender key store.
- Request & receive the public key enabled certificate from the publisher along with root certificates. (Sender, in my case Siebel)
A new service user account needs to be created in SAP PI.
Not sure how to create one? Refer to Section 2 HERE.
Open the SAP PI NetWeaver Administrator (http://hostname:port/nwa).
Navigate to ‘Identity Management’ as in the enclosed screen:
Map the public key enabled certificate (as provided by your sender) to the newly created service user as shown in the enclosed screen:
To import the certificate, click ‘Modify’, select the certificate & click upload in the screen enclosed below:
The ‘CA certificate’ should be extracted from the public key enabled certificate & loaded into ‘Trusted CAs’ of the Java key store in NWA & also in the ‘STRUST’ transaction at the ABAP stack. This task is mandatory.
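Before mapping the sender's certificate to the service user and loading its CA into ‘Trusted CAs’, it is worth confirming that the supplied CA really issued the certificate and that the certificate is not about to expire. The script below is an added example, not part of the original blog. It assumes the OpenSSL command-line tool is installed, and it generates its own throwaway CA and client certificate (all subjects and file names are constructed) so it runs offline:

```shell
#!/usr/bin/env bash
# Added example: checks to run on a sender certificate before importing it.
# All subjects (Demo-CA, Other-CA, siebel-client) and files are constructed.

# Build a throwaway CA, a client certificate it signs, and an unrelated CA.
make_demo_pki() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo-CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=siebel-client" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/client.crt" 2>/dev/null || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other-CA" \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
}

# True only if $ca issued $cert (signature check, not just a name match).
chain_ok() {
  local cert=$1 ca=$2
  openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'
}

# True if the certificate is still valid $2 days from now (default 7).
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-7} * 86400 )) >/dev/null
}

# Print what should be compared with the sender out of band, then decide.
precheck_client_cert() {
  local cert=$1 ca=$2
  openssl x509 -in "$cert" -noout -subject -issuer -enddate -fingerprint -sha256
  chain_ok "$cert" "$ca"   || { echo "FAIL: not issued by supplied CA"; return 1; }
  valid_for_days "$cert" 7 || { echo "FAIL: expires within 7 days"; return 2; }
  echo "OK: chain and validity checks passed"
}

work=$(mktemp -d)
make_demo_pki "$work"
precheck_client_cert "$work/client.crt" "$work/ca.crt"    || true
precheck_client_cert "$work/client.crt" "$work/other.crt" || true
```

With real files, call `precheck_client_cert` with the sender's `.crt`/`.cer` and the CA certificate you intend to trust, and compare the printed SHA-256 fingerprint with the value the sender confirms through a separate channel.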
Configure the SOAP sender channel as in the screen below:
Conversion parameters are subject to your requirement. In the above graphic, it is configured as required for my scenario.
The HTTPS with Client Authentication scenario is now set up successfully. Test your interface. If everything given above is followed properly, your scenario must work. Good luck.
Want to test this scenario from your local machine? Check out SOAP UI Tool – SOAP HTTPS Client Authentication!
Credits: Srikanth Srinivasan, Rene Jaspers
Thanks for the helpful blog. That's exactly what I was looking for a while.
Unfortunately I don't get the tab "Certificate" for the service user as described in section 3. Every other tab is available, but not this one.
Any idea what could be the reason for that?
Refer to Rahul Nawale's blog to know how to enable it.
That's what you mean? It doesn't work with this setting... Any other hints?
I couldn't guess anything at the moment for it, but I can check on it. Sorry.
It was my fault, the UME property 'ume.logon.allow_cert' wasn't set to TRUE.
I changed it and get the tab 'Certificate' now.
Thank you again.
Thanks for keeping me posted.
We have a requirement: SOAP sender HTTPS with Client Authentication, or two-way SSL. The SSL configuration is done at PI level. When I try to connect
HTTP Security Level : HTTP (SUCCESS)
HTTP Security Level : HTTP Without Client Authentication (SUCCESS)
HTTP Security Level : HTTP with client Authentication (ERROR: client certificate required)
SOAPUI was used for the client service.
java.security.AccessControlException: client certificate required
Can you please tell me how to set the client certificate? How did you get success with this?
Have you tried to follow the other blog on how to use SOAPUI?
I've successfully configured the certificate authentication in the SOAP sender adapter using my self-signed certificate by my own CA.
But there are a few additional steps that I want to share to complete this post; you can find all the steps in my blog.