Configure the HTTP_AAE receiver communication channel with SSL
In this blog I would like to discuss how to configure a Java-based HTTP adapter (HTTP_AAE) receiver communication channel with an HTTPS URL.
Business requirement: We are currently using a SAP PI 7.31 Java-only system, and we need to send data to a customer using the Java-based HTTP (HTTP_AAE) adapter with an HTTPS URL.
To use the HTTPS URL we need to activate SSL and apply the HTTPS certificate.
Generate SSL:
Log in to NWA->Configuration->Security->Certificates and Keys
Select the “Service_ssl” key store view, then click the Create button.
Provide the entry name, algorithm, key length and validity date details, then click Next.
Provide the details then click on Finish.
Download the entry we created by clicking the “Generate CSR Request” button.
Apply the certificate (after download we send this to a certificate authority like VeriSign or mail or ….. then they will add keys and send it back to us).
Now we have 2 or 3 certificates (Root, Intermediate [optional; if a 3rd party is in the middle then we can get this certificate] and System certificates). Place all the certificate keys in one file [they must be in the order Root, Intermediate, System], then import that file to the PI server by clicking “Import CSR Response”.
Then provide the certificate path
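The ordering requirement above (Root, Intermediate, System in one file) can be checked before clicking “Import CSR Response”. The following is an added example, not part of the original blog or of SAP's tooling; it assumes the CA returned Base64 (PEM) encoded certificates, matches issuer and subject names byte-for-byte, and does not verify signatures.

```python
import base64
import re

# Added example. Assumptions: PEM input, byte-for-byte name matching,
# no signature or validity checks (ordering only).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)             # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)           # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                          # optional [0] version field
        _, _, end = read_tlv(der, end)       # move past serialNumber
    _, _, iss_start = read_tlv(der, end)     # skip signature algorithm
    _, _, iss_end = read_tlv(der, iss_start)
    _, _, sub_start = read_tlv(der, iss_end) # skip validity
    _, _, sub_end = read_tlv(der, sub_start)
    return der[iss_start:iss_end], der[sub_start:sub_end]

def order_chain(pem_bundle):
    """Return the bundle's PEM blocks ordered root, intermediate(s), system."""
    matches = list(PEM_RE.finditer(pem_bundle))
    blocks = [m.group(0) for m in matches]
    names = [issuer_subject(base64.b64decode(m.group(1))) for m in matches]
    roots = [i for i, (iss, sub) in enumerate(names) if iss == sub]
    if len(roots) != 1:
        raise ValueError("expected exactly one self-signed root certificate")
    ordered, remaining = [roots[0]], set(range(len(blocks))) - {roots[0]}
    while remaining:
        parent = names[ordered[-1]][1]       # subject of the last placed cert
        children = [i for i in remaining if names[i][0] == parent]
        if len(children) != 1:
            raise ValueError("chain is incomplete or branches")
        ordered.append(children[0])
        remaining.remove(children[0])
    return [blocks[i] for i in ordered]
```

Joining the returned blocks with newlines gives the single file in Root, Intermediate, System order; a `ValueError` means a certificate in the chain is missing or does not belong to it.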
Activate SSL
NWA->Configuration->Security->SSL
Click on Edit then click on Add button in SSL Access points
Give the PSE file path (the file path is //usr/sap/<SID>/J<Instance_number>/sec)
Note: The PSE file is generated when the PI server is installed; it is stored in the above path and contains system information.
Now SSL is active.
HTTPS certificate.
This is a separate certificate that we need to generate, send to the certificate authority and then apply (the same process as above, but here we need to apply the root, intermediate and system certificates separately).
Root certificate
Next, update the intermediate and system certificates on the “Trusted CAs” tab.
Restart the server.
HTTP_AAE Receiver Communication Channel Configuration
My client provided 2 URLs, one is HTTP URL and the second one is HTTPS URL.
URLs are as follows
- http://tp.uat.AAAAAA.com:5555/invoke/FxPartnerDriverURL.Public/Publish?payloadType=INT-1.0&subject=Order&toOrgID=ZZZZZZZZZZZ
- https://tp.uat.BBBBBB.com:5443/invoke/FxPartnerDriverURL.Public/Publish?payloadType=INT-1.0&subject=Order&toOrgID=YYYYYYYYYY
In the receiver HTTP_AAE communication channel, configuration with the HTTP URL is the normal case: we just give the HTTP server and URL details.
HTTPS URL Configuration:
HTTP_AAE communication channel with HTTPS URL
Use SSL: Selecting this option means we are using an HTTPS URL. If the customer wants certificates, we can select the certificate checkbox and provide the certificate details.
Let’s go to communication channel monitoring and ping the communication channel (HTTP)
Ping the communication channel in communication channel monitoring (HTTPS).
Conclusion:
I believe this blog provides a better understanding of how to configure the Java-based HTTP adapter receiver communication channel using HTTP and HTTPS URLs.
References:
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/6d/c2b39dae45482e90d3352345cbf427/frameset.htm
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/cbb493cea80783e10000000a42189d/frameset.htm
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/015cc68d863132e10000000a421937/frameset.htm
Hi Venkata,
Thanks for the idea..
I have the same scenario and we are having problems with the certificates. The error is stating "com.sap.aii.adapter.http.api.HttpAdapterException: ERROR_SENDING_HTTP_REQUEST, sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".
We already have the certificate .cer, .crt, .p7b, .p7c, root-ca.crt, sub-ca.crt.
1. From these 5 certificates do you know which are the root, intermediate and system certificates?
2. How do you combine them in order?
3. These certificates were provided by our CA, but we didn't use SAP to create a certificate to generate a CSR. So, are these 5 resulting certificates still valid in the HTTP_AAE receiver channel?
What is the scenario? Test payload used?
How does the ICO work at runtime?
Good blog.
If you face "Ticket file NOT found" in the step SSL Activate, you just create a dummy file called Ticket in the path //usr/sap/<SID>/J<Instance_number>/sec.
See http://scn.sap.com/thread/3589970
Funny enough, the author had the same error as can be seen in the screenshot above, but he didn't mention anything about it...
Hi @Venkat Boppana,
Nice Blog.
I am trying to connect to an HTTPS URL (external server) via HTTP_AAE.
Do I need to select Use SSL (PI having HTTP server alone)?
Please confirm.
Best Regards,
Suresh S
Yes you do… It’s the receiver which is https, not the sender, and that’s why you configure it in the http receiver adapter.
Hi Venkat,
I see the client provided you the URLs to use, but I have a question, eg. if my scenario is as below,
Legacy->REST->PI->ECC
and PI is acting as provider and will expose the information from ECC, using the REST adapter
how do I create the URL so legacy system can consume it ?
Thanks in advance.
This blog is confusing, is it really required to make PO run on an SSL port itself if you just want to create connections to third-party SSL servers? (not the other way round, means no inbound SSL connections).