Secured connection to external web service using SAP XI/PI
This document explains the steps involved in configuring a secured connection to an external web service using an X.509 certificate. It gives more insight into the configuration of the external certificate and its usage in the SAP XI/PI Integration Directory.
- SAP R3 sends a request to XI using a synchronous R3 proxy.
- XI maps this request to the web service request structure and sends it to the third party's external web service via the SOAP adapter over HTTPS.
- The third party wants the communication to be secured, hence an X.509 certificate needs to be used by XI to call the HTTPS URL and achieve transport layer security.
XI IR object development for the proxy and the web service is not explained in this document. The Visual Admin configuration and the SOAP receiver adapter are explained here. The following prerequisites are assumed:
- The IR objects for the proxy interface are created in the XI Integration Repository and the corresponding proxy has been created in the R3 system.
- The WSDL file has been imported into the XI Integration Repository and the corresponding request and response structure mappings have been created in the IR.
- ID objects, e.g. integration scenario, receiver determination, interface determination and receiver agreement (a sender agreement is not required for a sender proxy), are created in the XI ID.
- The external partner has provided a self signed or CA authenticated certificate along with its password (the certificate used here is an X.509 certificate in .p12 format).
- The SAP cryptographic libraries are installed as described in the SAP installation guide.
- The Key Storage and SSL services are enabled.
The .p12 file (and its password) provided by the external partner contains the client key pair required for authentication at runtime when XI calls the external web service. The key pair files provided by the external partner need to be imported into the XI Java key store (the Java adapter engine is used to call the external web service via the SOAP adapter, which runs on the Java stack).
1) If the client certificate is signed by a certificate authority, e.g. VeriSign, Thawte, GeoTrust etc., import the root certificate into the XI Java server's TrustedCAs key store via Visual Admin or NWA. The CA certificate should be placed in the TrustedCAs store; at runtime the XI server checks the authenticity of the certificate against the root certificate in the TrustedCAs key store. In this example the certificate is signed by the VeriSign CA, i.e. the root certificate. This root certificate is imported into the TrustedCAs key store (the root certificate can be downloaded from the respective CA's website). If the client certificate is self signed, install it again in the trusted certificates store. Below are the steps to import the certificate via Visual Admin. The same steps can be performed in higher versions of XI via NetWeaver Administrator.
Log in to the Visual Administrator of the XI server.
Expand the tree for node Server 0 -> Services. Under Key Storage Service, open the view TrustedCAs.
Load the certificate VeriSign_Class_3_Public _Primary_Certification_Authority – G5.crt (root certificate).
Restart the Key Storage service.
2) Convert the .p12 certificate file into .pfx format. Below are the steps to convert the .p12 file into .pfx: Open MS Internet Explorer. Go to: Tools -> Internet Options -> Content -> Certificates -> Personal -> Import -> Navigate to the file provided by the external partner -> Provide the password (provided by the external partner).
Select the imported certificate entry -> Export -> Select "export the private key" -> Select "Personal Information Exchange" -> Give any password (this password will be used in Visual Admin/NWA while loading the certificate in the key store view) -> Give the file name and path to save the exported certificate.
Load the exported certificate in XI Visual Admin. Go to Visual Admin -> Under Key Storage Service -> Open the service_ssl key store view. Click on Load.
Import the certificate ExternalPartnerPFXCert.pfx.
Enter the password.
Restart the Key Storage service.
3) Create a SOAP receiver communication channel for calling the external web service on the receiver side. Enter the HTTPS URL in the target URL input field. Enter the key store view and key store entry values in the channel configuration (the key store view into which the partner's .pfx certificate was loaded above, i.e. service_ssl). Enter the action correctly and activate the channel.
Test the proxy interface: Go to the R3 system (where the synchronous proxy has been created). Access the proxy interface and click on Test.
Enter proper test data and execute the proxy. The proxy sends the data to SAP XI, and XI maps this data to the web service WSDL request structure.
The response from the external synchronous web service corresponding to the source data is sent back to the R3 system proxy synchronously.