Skip to Content

Client Certificate based authentication while using ABAP Web Service for communication between ERP and SAP NET Weaver PI

This blog attempts to make its readers understand the security configurations that are required in an SSL Client Certificate based authentication scenario while implementing Web Services between an SAP ERP system and an SAP NetWeaver  PI system in a simple yet precise way.

It should be noted that the below provided content is a sample demonstration of a scenario and should only be inculcated/reproduced by the reader based on his understanding of the similarity of the intended scenarios.

Pre-requisites/Scenario Information

  • Web Service based communication between the Client and the Server.
  • Transport Channel Security SSL – Client certificate based authentication.

    ~     Case 1: Client: ERP; Server: SAP PI


                    Client: ERP-SOAMANAGER configurations.

                    1. Consumer Proxy configuration should have the relevant SSL Client PSE of transaction STRUST.

                    2. Authentication parameter should be set to sapsp:HTTPX509

                         (As depicted in the figure)


                   Server side SAP PI Web Service Sender adapter security configurations.

                   1. Communication Security should be HTTPS – Transport Channel Security.

                   2. Authentication Method – X.509 SSL Client Certificate

                         (As depicted in the figure)


  ~     Case 2: Client: SAP PI; Server: SAP ERP

                   Server side ERP SOAMANAGER configurations.

                   1. Communication Security as SSL

                   2. Transport Channel Authentication – X.509 SSL Client Certificate

                         (As depicted in the figure)


                  Client side SAP PI Web Service receiver adapter configurations

                 1. Communication Security should be HTTPS – Transport Channel Security

                 2. Authentication Method – X.509 SSL Client Certificate

                    (As depicted in the figure)


Implementation Steps:

1. For case 1, Log on to the consumer system ie SAP ERP and start the transaction STRUST.

2. Navigate to the relevant PSE in the available structure/tree of PSE folders, in this case SSL Client Standard PSE.


3. Expand the folder of the PSE – SSL Client Standard as depicted and double click on the corresponding entry.

4. Click on the Create Certificate request icon to copy the certificate request.


5. Copy the certificate request and store it in the buffer. This needs to be signed by the CA of the PI system (provider system), preferably in PKCS#7 format or as expected in the ERP system.

6. The signed certificate now needs to be imported into the same PSE of the STRUST transaction of the consumer system.

7. To do this, click on the Import Certificate Response icon – copy the response received in Step 6 and save it.


8. It can be observed that the issuer name is changed to the CA of the Provider system which has signed the Client Certificate of the Consumer System after Step 7.

9. Add this certificate to the certificate list and save the PSE. Perform a Distribute All from the Menu icon PSE – Just in Case..! 🙂

10. This certificate of the concerned PSE can now be used following the steps documented in the Pre-requisites to perform a WS call authenticated by the Client Certificate.
11. For Case 2, the above steps need to performed keeping in mind that the consumer system would be the SAP PI system and the Provider system would be ERP system.             

Other Configurations – If needed: Mapping the certificate name to an SAP user in the system.

1. Ex: Copy the relevant PSE’s certificate name (adjacent to the field Owner) being used in the scenario.

2. Start the Transaction EXTID_DN. An “Assignment of External ID to Users” screen shows up with the list of certificates, associated SAP user names and Status of Entry.

3. Click on the New Entries icon following which, a New Entries screen appears which can be used to add the these entries.

4. Click on the pen adjacent to the field External ID. A new window opens.

5. Provide the certificate name extracted from Step 1 and confirm the entry.

6. Provide the relevant entries for any empty fields. Enter the name of the SAP user which will be used at run time to login to the field user.

7. Save the mapping and be sure to check the Activated box to make the X.509 mapping as active.

This concludes the steps for Client Certificate Authentication in an ABAP WS environment.

You must be Logged on to comment or reply to a post.
      • Hi Vivek,

        I need to make the signature. I adjusted in SAP – ABAP PROXY, loaded the certificate through transaction of STRUST, In SOA MANAGER adjusted logical port, everything works, data I obtain in the form of xml, but it is impossible the signature, prompt please as to me to make, and on steps.

        Thanks in advance.

  • Hi Nikolay,

    First of all Apologies from my side as i did not see your message until today ! 🙁
    Are you referring to digitally signing a signature ?

    I hope optimistically that by now you would have sorted out your issue. In any case, shall be happy to help you !

    Br, Vivek