Configuring Listener Service in PI
The configuration steps below set up the listener service in PI so that automatic updates to the external cloud system work seamlessly.
Installing SAP Crypto library files
Set the system environment variable
SECUDIR = <drive letter>:\usr\sap\<SID>\DVEBMGS00\sec
Download the appropriate SAP Crypto library from the Service Marketplace using the URL below
https://websmp201.sap-ag.de/~form/handler?_APP=00200682500000000917&_EVENT=DISPLAY
Select the crypto file that matches the operating system and extract (UNCAR) it
Example: for a Windows x64 system, download the CAR file shown below
UNCAR the file and copy the sapcrypto.dll, sapcrypto.lst and sapgenpse.exe files to the DIR_RUN directory.
Copy the file “ticket” to the path set for the system environment variable SECUDIR
Changing PSE Provider
In PI, if HTTPS communication is being established for the SOAP adapter, the PSE provider should be changed from ABAP to JAVA
To change the PSE provider, set the profile parameter to the value below
ssl/pse_provider = JAVA
After the SSL provider is changed to JAVA and the system is restarted, the keys below are created automatically in the J2EE engine key storage
Required Profile parameters
Set the values for the parameters as shown below
| Parameter Name | Parameter Value |
| --- | --- |
| icm/server_port_5 | PROT=HTTPS,PORT=50001,VCLIENT=0,TIMEOUT=1800,PROCTIMEOUT=600 |
| login/accept_sso2_ticket | 1 |
| login/create_sso2_ticket | 2 |
| ssf/name | SAPSECULIB |
| ssf/ssfapi_lib | <drive letter>:\usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapcrypto.dll |
| sec/libsapsecu | <drive letter>:\usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapcrypto.dll |
| ssl/ssl_lib | <drive letter>:\usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapcrypto.dll |
Restart the SAP system after all the above changes are made
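One way to confirm, before the restart, that an instance profile carries the values listed above (including ssl/pse_provider from the previous section). This is an added example, not part of the original guide; the function names, the sample profile text, and the drive letter C and SID PI1 in it are constructed for illustration.

```python
# Added example: audit an instance profile against the values in this guide.
# Expected values are copied from the guide; everything else is an assumption.
EXPECTED = {"ssl/pse_provider": "JAVA", "login/accept_sso2_ticket": "1",
            "login/create_sso2_ticket": "2", "ssf/name": "SAPSECULIB"}
CRYPTO_LIB = ("ssf/ssfapi_lib", "sec/libsapsecu", "ssl/ssl_lib")
EXPECTED_PORT = {"PROT": "HTTPS", "PORT": "50001", "VCLIENT": "0",
                 "TIMEOUT": "1800", "PROCTIMEOUT": "600"}

def parse_profile(text):
    """Return {name: value} from 'name = value' lines, skipping # comments."""
    params = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit(text):
    """Return a list of findings; an empty list means the profile matches."""
    params, findings = parse_profile(text), []
    for name, want in EXPECTED.items():
        if params.get(name) != want:
            findings.append(f"{name}: expected {want}, found {params.get(name)}")
    for name in CRYPTO_LIB:
        if not params.get(name, "").lower().endswith("\\sapcrypto.dll"):
            findings.append(f"{name}: missing or not a path to sapcrypto.dll")
    # icm/server_port_5 is a comma-separated list of KEY=VALUE options.
    port = dict(opt.strip().split("=", 1)
                for opt in params.get("icm/server_port_5", "").split(",") if "=" in opt)
    for key, want in EXPECTED_PORT.items():
        if port.get(key) != want:
            findings.append(f"icm/server_port_5 {key}: expected {want}, found {port.get(key)}")
    return findings

# Constructed sample profile: the HTTPS port is wrong and ssl/ssl_lib is absent.
SAMPLE = r"""
# instance profile excerpt (constructed)
ssl/pse_provider = JAVA
icm/server_port_5 = PROT=HTTPS,PORT=50000,VCLIENT=0,TIMEOUT=1800,PROCTIMEOUT=600
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
ssf/name = SAPSECULIB
ssf/ssfapi_lib = C:\usr\sap\PI1\SYS\exe\uc\NTAMD64\sapcrypto.dll
sec/libsapsecu = C:\usr\sap\PI1\SYS\exe\uc\NTAMD64\sapcrypto.dll
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "profile matches the guide")
```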
Creating the SAP Cryptolib PSE
Log in to the ABAP stack and call transaction STRUST. Create the PSE for SAP Cryptolib
Installing CA Signed certificate on the JAVA stack
Generating the CSR
Log in to the NWA and navigate to the path below. Click on Certificates and Keys
Click on the ICM_SSL_<ID> view and delete all the certificates under it
Create an entry under the ICM_SSL_<ID> key store
In the Entry name, enter the name of the SSL key and select the check box “Store certificate”
In the below screen, fill in all the details
Note: The State/Province name should not be a short name. Complete name of the State or Province should be specified. For example, for California State, enter the State/Province name as “California” and NOT as “CA”
The Common Name is the host name. All communications are based on the CN name. If the system is allowed for external access, the system should have a public IP address and the host name should be maintained at the external DNS. This is required for the hostname and IP resolution.
If the actual host name of the server and the external address are different, make sure that requests to the external address are routed to the actual host name of the server. From the SAP server, ping the public IP to check that hostname and IP resolution is working
Public and private keys are created
Once the keys are created, export the SSL view to PSE
To generate the CSR (Certificate Signing Request), select the private key under the ICM_SSL_<ID> key store and click on “Generate CSR Request”
Download the CSR and send it to the certificate authority (CA) for signing
After receiving the signed certificate from the CA, select the ICM_SSL key, select the SSL certificate private key and click on Import CSR Response
Import the certificate response sent by the CA by browsing to the certificate file.
Export the view to PSE after importing the signed CA response.
Enabling certificate based authentication
Launch NWA, go to the Configuration Management tab and click on Authentication. Go to Properties and select the check box to enable certificate logon
Under the Configuration Management tab, click on Login Modules and search for “sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter”
Add the “Client certificate” login module with the value “Rule1.getUserFrom = wholeCert” (the value is case sensitive). Move the client certificate login module to the top
Create a service user ID in PI, e.g. pisrvuser
Upload the client certificate (cloud system certificate) to the user from User Management in NWA
Upload the same client certificate (used above), along with the root certificates, to certificate store in NWA
Restart the PI system if certificate authentication is not working after the configuration, as a few changes to UME require a J2EE engine restart.