SOAP Sender – HTTPS Certificate Based Authentication

The following illustrations are with an intention to provide an insight & clarity on ‘How to Set-UP certificate based authentication for SOAP Sender Adapter in SAP PI’. This could be treated as a continuity of this How to use Client Authentication with SOAP Adapter by ‘Rahul Nawale’. This blog focuses on step-by-step procedure for enabling certificate based authentication for a party using SOAP adapter in SAP PI.

Entities Involved:

• SAP PI 7.1;
• SOAP Sender Adapter;
• SAP User Management;
• SAP NetWeaver Administrator;

Key Words & Extensions:

• .crt/.cer (X.509 certificate extensions), NWA (NetWeaver Administrator), CA (Certifying Authority)

Assumptions:

• Understanding of SSL connectivity;
• Configuration of we service & WSDL generation is already completed;
• Private Key enabled certificate loaded into sending party’s key store & linked to your scenario;
• Public Key enabled certificate shared with PI consultant;
• Able to handle SAP PI Key Store Manager safely;
• Able to handle SAP PI NWA safely;
• A service user is already created & available for testing the scenario;
• Firewalls are opened between source & PI systems;

Introduction:

There are 4 sections in implementing this scenario.

Section-1: Key pair generation & obtaining public key certificate for loading into SAP PI;
Section-2: Creation of service user account in SAP PI;
Section-3: User mapping of the public key certificate on the service user;
Section-4: Configuring the SOAP sender channel to handle SOAP request & response messages;

Procedure:

Section-1:

• Generate key pair.
• Load private key certificate to sender key store.
• Request & receive the public key enabled certificate from the publisher along with root certificates. (Sender, in my case Siebel)

Section-2:

A new service user account needs to be created in SAP PI.
Not sure, how to create one? Refer Section 2 HERE.

Section-3:

Open SAP PI Net weaver administrator. (http://hostname:port/nwa)
Navigate to ‘Identity Management’ as in the enclosed screen:

Map the public key enabled certificate (as provided by your sender) to the newly created service user as shown in the enclosed screen:

To import the certificate, click ‘Modify’ & select the certificate & click upload in the screen you ‘ll find as enclosed below:

The ‘CA certificate’ should be extracted from the public key enbaled certificate & loaded into ‘Trusted CAs’ of java key store in NWA & also in ‘STRUST’ transaction code at ABAP stack. This task is mandatory.

Section-4:

Configure the SOAP sender channel as in the screen below:

Conversion parameters are subject to your requirement. In the above graphic, it is configured as required for my scenario.

HTTPS with Client Authentication enabled scenario is set-up successfully now. Test your interface. If everything as given above is followed properly, your scenario must work. Good Luck.

Want this scenario to test from your local machine? Check SOAP UI Tool – SOAP HTTPS Client Authentication out!

Credits: Srikanth Srinivasan, Rene Jaspers