This document explains the steps to configure a secured connection to an external web service using an X.509 certificate. It covers the configuration of the external certificate and its use in the SAP XI/PI Integration Directory.

Scenario details:

  • SAP R3 sends a request to XI using synchronous R3 Proxy.
  • XI maps this request to the web service request structure and sends it to the third-party external web service using the SOAP adapter over HTTPS.
  • The third party wants the communication to be secured, so XI must use an X.509 certificate when calling the HTTPS URL to achieve transport layer security.

XI IR object development for the proxy and the web service is not explained in this document. The Visual Admin configuration and the SOAP receiver adapter are explained.

Prerequisites:

  • The IR objects for the proxy interface are created in the XI Integration Repository and the respective proxy has been created in the R3 system.
  • The WSDL file has been imported into the XI Integration Repository and the corresponding request and response structure mappings have been created in IR.
  • ID objects, e.g. integration scenario, receiver determination, interface determination and receiver agreement (a sender agreement is not required for a sender proxy), are created in XI ID.
  • The external partner has provided a self-signed or CA-authenticated certificate along with the password (the certificate used here is an X.509 certificate in .p12 format).
  • The SAP cryptographic libraries are installed as mentioned in the SAP installation guide.
  • The Key store and SSL services are enabled.

The .p12 file (and password) provided by the external partner contains the server-client key pair required for authentication at runtime when XI calls the external web service. The key pair files provided by the external partner need to be imported into the XI Java key store, because the Java adapter engine is used to call the external web service via the SOAP adapter, which runs on the Java stack.

1) If the client certificate is signed by a certificate authority, e.g. VeriSign, Thawte, GeoTrust etc., import the root certificate into the XI Java server’s TrustedCAs key store via Visual Admin or NWA. The CA certificate should be placed in the TrustedCAs store; at runtime the XI server checks the authenticity of the certificate against the root certificate in the TrustedCAs key store. In this example the certificate is signed by the VeriSign CA, i.e. the root certificate. This root certificate is imported into the TrustedCAs key store (the root certificate can be downloaded from the respective CA’s website). If the client certificate is self-signed, install it again in the trusted certificates store. Below are the steps to import the certificate via Visual Admin. The same steps can be performed in higher versions of XI via NetWeaver Administrator.

Login to Visual Administrator of XI server.

Expand tree for node Server 0 -> Services. Under Key Storage Service, open view TrustedCAs.

Load certificate VeriSign_Class_3_Public _Primary_Certification_Authority – G5.crt (root certificate)

Restart the Key Storage service.

2) Convert the .p12 certificate file to .pfx format. The steps are: open MS Internet Explorer and go to Tools -> Internet Options -> Content -> Certificates -> Personal -> Import -> navigate to the file provided by the external partner -> enter the password (provided by the external partner).

Select the imported certificate entry -> Export -> select “export the private key” -> select “Personal Information Exchange” -> enter any password (this password will be used in Visual Admin/NWA when loading the certificate into the key store view) -> enter the file name and path for the exported certificate.

Load the exported certificate in XI Visual Admin: go to Visual Admin -> Key Storage Service -> open the service_ssl key store view and click Load.

Import certificate ExternalPartnerPFXCert.pfx

Enter the password.

Restart the Key Storage service.
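
The checks below can be run on the partner's file before the imports in steps 1 and 2: they confirm that the password opens the file, that the private key belongs to the client certificate, that the certificate chains to the root placed in TrustedCAs, and that it is not about to expire. This is an added example, not part of the original post; `check_p12`, `make_sample` and the `P12_PASS` variable are names chosen here, and it assumes the `openssl` command-line tool is available.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Requires the openssl CLI.
# Usage: export P12_PASS='...'; check_p12 partner.p12 root.pem
# The password is read from $P12_PASS so it never shows up in the process list.
# Prints one verdict line and returns 0 only when the verdict is "OK".
check_p12() {
  local p12="$1" root="$2" t pub verdict=OK
  t=$(mktemp -d) || return 2
  if ! openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
         -out "$t/cert.pem" 2>/dev/null; then
    verdict="cannot open file (wrong password or not PKCS#12)"
  elif ! pub=$(openssl x509 -in "$t/cert.pem" -noout -pubkey 2>/dev/null); then
    verdict="no client certificate in file"
  else
    # Every certificate in the file (client plus any intermediates) goes into
    # the untrusted pool that is used to build the chain up to $root.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -out "$t/pool.pem" 2>/dev/null
    # The private key is written unencrypted into the temp dir, removed below.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
      -out "$t/key.pem" 2>/dev/null
    if [ "$pub" != "$(openssl pkey -in "$t/key.pem" -pubout 2>/dev/null)" ]; then
      verdict="private key missing or does not match certificate"
    elif ! openssl verify -CAfile "$root" -untrusted "$t/pool.pem" \
           "$t/cert.pem" >/dev/null 2>&1; then
      verdict="certificate does not chain to the given root"
    elif ! openssl x509 -in "$t/cert.pem" -noout -checkend 2592000 >/dev/null 2>&1; then
      verdict="certificate expires within 30 days"
    fi
  fi
  rm -rf "$t"
  echo "$verdict"
  [ "$verdict" = OK ]
}

# Builds constructed sample material in directory $1: a throwaway root CA,
# a client certificate signed by it, and partner.p12 protected by $P12_PASS.
make_sample() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Constructed Root CA" \
    -keyout "$d/ca.key" -out "$d/root.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=xi-client.example" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/client.csr" -CA "$d/root.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 90 -out "$d/client.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.pem" \
    -passout env:P12_PASS -out "$d/partner.p12"
}
```

The same function reads the exported .pfx file, since both extensions hold PKCS#12 data. On OpenSSL 3.x, a file protected with older algorithms may need the `-legacy` option added to the `pkcs12` calls.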

3) Create a SOAP receiver communication channel for calling the receiver-side external web service. Enter the HTTPS URL in the target URL input field. Enter the key store view and key store entry values in the channel configuration (enter the key store view where the certificate was imported in step 1 above). Enter the action correctly and activate the channel.

Test the proxy interface: go to the R3 system (where the sync proxy has been created), access the proxy interface and click on Test.

Enter proper test data and execute the proxy. The proxy sends the data to SAP XI, and XI maps this data to the web service WSDL request structure.

The response from external sync web service corresponding to the source data is sent back to the R3 system proxy synchronously.

2 Comments

  1. Bhavesh Kantilal
    Hello,

    The blog describes setting up Client Authentication for the SOAP Adapter or calling a webservice that requires Client Authentication.

    The title of the blog though is misleading as it can be confused with Advanced WS topics like WS-Security etc.

    Another note worth adding is that the same process applies to all scenarios / Java adapters that need Client Authentication.

    Regards,
    Bhavesh

    (0) 
    1. S Khade Post author
      Thanks Bhavesh.

      The ultimate goal of the settings is to have a secured connection to the external webservice and hence the title is given.

      I will work on the other comment and will include it in the contents.

      (0) 
