Former Member

Configuring WS Receiver with Client Certificates in PI 7.3


This document explains the detailed tasks to be performed when configuring the receiver WS adapter for HTTPS with client certificate authentication. It also covers the issues faced during configuration and how they were resolved.


  Fig 1, Landscape Overview

In Figure 1, SAP PI is the consumer and SAP ERP is the provider of the web service. The WS adapter in SAP PI is used to send messages to SAP ERP. The transport is HTTPS with client certificate authentication enabled.




The following steps need to be performed:


  1. Obtain the WSDL URL, user ID and password of the SAP ERP system, i.e., the service provider system.
  2. Obtain the endpoint URL.
  3. Enter the WSDL URL in a web browser and check that it works.
  4. You can also test the endpoint of the web service using a SOAP client such as SoapUI.


Certificate generation


Go to transaction STRUST on the SAP PI system, right-click the SSL client SSL Client (Standard) PSE and create it. Then export the CSR, either by copying it via the clipboard or by saving it as a file, and send it to the CA of SAP ERP. The CA will sign the CSR and send you the certificate in PKCS#7 format. Once you receive it, import it into the SSL client SSL Client (Standard) PSE.
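
Before importing the CA response, it is worth confirming that it really contains a certificate for the key pair behind the exported CSR. The shell script below is an added example, not part of the original post; it assumes the OpenSSL command-line tool is available and the CSR was saved in PEM format, and the function and file names are placeholders.

```shell
#!/bin/sh
# Added example: check that a CA's PKCS#7 response holds a certificate for the
# key pair behind a CSR exported from STRUST. Requires the openssl CLI.

# response_matches_csr CSR_FILE P7B_FILE
#   0 = a certificate in the response carries the CSR's public key
#   1 = no certificate matches (wrong response, or issued for another PSE)
#   2 = an input file could not be parsed
response_matches_csr() {
    csr=$1 p7b=$2

    # Public key from the CSR (PEM, as saved from STRUST).
    want=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$want" ] || return 2

    # The response may be PEM or DER encoded; try both.
    certs=$(openssl pkcs7 -in "$p7b" -print_certs 2>/dev/null) ||
    certs=$(openssl pkcs7 -inform DER -in "$p7b" -print_certs 2>/dev/null) ||
    return 2

    # A PKCS#7 response usually carries the CA chain as well, in no fixed
    # order, so write every certificate to its own file and test each one.
    dir=$(mktemp -d) || return 2
    printf '%s\n' "$certs" | awk -v d="$dir" '
        /BEGIN CERTIFICATE/ { n++; on = 1 }
        on                  { print > (d "/cert" n ".pem") }
        /END CERTIFICATE/   { on = 0 }'

    rc=1
    for f in "$dir"/cert*.pem; do
        [ -f "$f" ] || continue
        got=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || continue
        if [ "$got" = "$want" ]; then
            # Show which certificate matched and when it expires.
            openssl x509 -in "$f" -noout -subject -issuer -enddate
            rc=0
            break
        fi
    done
    rm -rf "$dir"
    return "$rc"
}

# Usage: sh check_response.sh client.csr response.p7b   (placeholder names)
if [ "$#" -eq 2 ]; then
    response_matches_csr "$1" "$2"
    exit $?
fi
```

A return code of 1 means the response was issued for a different key pair, so importing it into this PSE would not give a usable client certificate.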



Configuration of Integration Objects


Configure the receiver communication channel as shown below, with the WSDL and endpoint URL.


In the security section, select “HTTPS (Transport channel security)” as the communication security and “X.509 SSL Client certificate” as the authentication method.



Fig 3, Receiver Communication Channel

In the receiver agreement, ensure that the PSE into which the client certificate was loaded is selected. In this case it is “DFAULT”, which indicates that the certificates are uploaded in the SSL client SSL Client (Standard) PSE.



Fig 4, Receiver Agreement

Debugging object activation issues


Perform the following checks to be certain that the configuration objects were generated without issues.


  1. Go to transaction SXI_CACHE to check whether the receiver agreement objects were created properly.
  2. Go to transaction SOAMANAGER, choose the Consumer option and search using the service interface name. The logical port is displayed, and the additional tabs such as Security, Web Service Addressing and Messaging show the respective values.
  3. Go to transaction SM59 and, under HTTP Connections to External Server, search for the logical port number identified in the previous step (this is a long alphanumeric string).
  4. Ping this connection and confirm that it works. For more information, check the SMICM logs.

Test the interface and confirm that messages flow without any issues.

      Andy Silvey

      Hi Antony,

      that's a very nice blog.



      Former Member
      Blog Post Author

      Thanks Andy