Configuring WS Receiver with Client Certificates in PI 7.3
This document describes the tasks required to configure a receiver WS adapter that uses HTTPS with client certificate authentication. It also covers the issues encountered during configuration and how they were resolved.
In Figure 1, SAP PI is the consumer and SAP ERP is the provider of the web service. The WS adapter in SAP PI is used for sending messages to SAP ERP. The transport is HTTPS with client certificate authentication enabled.
The following steps need to be performed:
- Obtain the WSDL URL, user ID and password of the SAP ERP system, i.e. the service provider system.
- Obtain the endpoint URL.
- Enter the WSDL URL in a web browser and check that it works.
- You can also test the endpoint of the web service using a SOAP client such as SoapUI.
Go to transaction STRUST on the SAP PI system, right-click the SSL client SSL Client (Standard) node and create it. Then export the CSR, either by copying it from the clipboard or by saving it as a file, and send it to the CA of SAP ERP. The CA will sign the CSR and send you the certificate in PKCS#7 format. Once you receive it, import it into the SSL client SSL Client (Standard) PSE.
Fig 2, STRUST
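Before importing the CA's PKCS#7 response into the PSE, it is worth confirming that it really answers the CSR exported from STRUST. The script below is an added example, not part of the original document or of any SAP tooling; it assumes OpenSSL on a workstation and a CSR saved as a PEM text file, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names and file arguments are hypothetical;
# nothing here is an SAP tool or default.

# SHA-256 of the DER-encoded public key read (as PEM) from stdin.
pubkey_digest() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print every certificate in a PKCS#7 file, trying PEM first, then DER.
p7_certs() {
    openssl pkcs7 -in "$1" -print_certs 2>/dev/null ||
        openssl pkcs7 -inform DER -in "$1" -print_certs
}

# check_response CSR P7B
# Exit 0 and print subject, issuer and expiry when one certificate in the
# response carries the CSR's public key and has not expired; exit 1 when
# none does; exit 2 when the CSR cannot be read.
check_response() {
    csr=$1; p7=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 2
    want=$(openssl req -in "$csr" -noout -pubkey | pubkey_digest)
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one PEM file per certificate.
    p7_certs "$p7" | awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }'
    rc=1
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        got=$(openssl x509 -in "$c" -noout -pubkey | pubkey_digest)
        if [ "$got" = "$want" ] &&
           openssl x509 -in "$c" -noout -checkend 0 >/dev/null; then
            openssl x509 -in "$c" -noout -subject -issuer -enddate
            rc=0
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# Stand-alone use: sh check_response.sh request.csr response.p7b
if [ $# -eq 2 ]; then
    check_response "$1" "$2"
fi
```

An exit status of 1 means no certificate in the response matches the request, so the file belongs to a different CSR or key pair than the one held in the PSE.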
Configuration of Integration Objects
Configure the receiver communication channel as shown below with the WSDL and endpoint URL.
In the security section, select Communication security as “HTTPS (Transport channel security)” and authentication method as “X.509 SSL Client certificate”.
Receiver Communication Channel
Fig 3, Receiver Communication Channel
In the receiver agreement, ensure that the correct PSE is chosen, i.e. the one where the client certificate is loaded. In this case it is “DFAULT”, which indicates that the certificates are uploaded in SSL client SSL Client (Standard).
Fig 4, Receiver Agreement
Debugging object activation issues
Ensure the following checks are done to be certain that the configuration objects are generated without issues.
- Go to transaction SXI_CACHE to check whether the receiver agreement objects are created properly.
- Go to transaction SOAMANAGER and search by the service interface name with the Consumer option selected. The logical port will be displayed, and additional tabs such as security, web service addressing and messaging will show the respective values.
- Go to transaction SM59 and search for the logical port number identified in the previous step (this is a long alphanumeric string) among the connections of type HTTP connection to external Serv.
- Ping this connection and confirm that it works. For more information, check the SMICM logs.
Test the interface and confirm that the message flows without any issues.