Certificate in HTTP adapter

Similar Messages

• HTTP adapter, SSL and wildcard certificate

  Hi,
  I am developing a B2B integration solution using BizTalk Server. The protocol used to communicate with the partner’s server is HTTPS and so it uses SSL.
  The certificate the partner is using to establish SSL connections is provided by GeoTrust but it is a wildcard certificate, issued to *.*.*.company.com
  The server I am trying to contact to is on a domain of the form: a.b.c.company.com (which seems to match the wildcard).
  When I try to open an HTTPS connection to the server (either through Internet Explorer, a .Net Windows Application or BizTalk), the connection cannot be established because the certificate is said to not be trusted. For example, Internet Explorer shows a pop-up message saying that:
  - The certificate is issued from a valid CA
  - The certificate date is valid
  - The name of the certificate is NOT matching the name of the site. This means that the certificate is issued for a domain different that the one we are accessing to. So it seems that the wildcard system is not working for this certificate? Is that possible if they aquire a wrong type of certificate by mistake? or is multipart wildcard certificate (*.*.*) not supported?
  Anyway even if their certificate is not 100% valid, they refuse to change it as their other partners work with that and they won't change to a proper certificate just for us...
  In .Net 2.0 code, it is easy to circumvent any certificate validation by setting the delegate ServicePointManager.ServerCertificateValidationCallback to a callback method with something like:
  ServicePointManager.ServerCertificateValidationCallback = delegate(Object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)  { return true; };
  Nevertheless, I need to achieve this sort of circumvention with BizTalk Server 2006 and I would like to know if anyone ever did that.
  I am aware that I can write my own custom HTTP Adapter but I need this urgently so I thought of asking this forum's community first. Maybe someone as a quicker way than writing a custom adapter such as some "hack" (registry keys, custom class... ) or knows of an existing custom adapter already doing the job.
  Thanks in advance,
  Best regards,
  Francois Malgreve

  The certificate needs to be installed as a explicitly trusted certificate in the store under the computer a/c on the BzTalk machine and then it'll work. Refer
  https://thinkintegration.wordpress.com/2011/12/02/biztalk-https-adapter-and-certificate-configurations/ for the steps.
  Regards.

• HTTP Adapter outbound (SSL) processing

  I am trying to send a XML message (an Invoice) from XI to an external Customer via HTTP Adapter.
  The site I am posting the message to is SSL.
  I have installed the Customer's Certificate via STRUST under SSL Client (Standard) and can see it in the
  certificate list.
  Within the Communication Channel for HTTP Adapter I have tried Addressing Type of URL
  and also with a HTTP (SM59) destination.  Both do not work.
  The setting used for both are
  host : workflw.externalcustomer.xxx.com  Service: 443
  Path : /SubmitInvoiceUAT/SubmitInvoice.asmx/SubmitCXML
  HTTP Proxy : internetproxy.mycompany.com
  Proxy Servuce : 80
  SSL Active : SSL Client Certificate ANONYM SSL Client(Anonymous).  As no client cert is used for logon
  I have attempted a connection test within SM59 for the HTTP Destination and I receive the error
  ICM_HTTP_SSL_ERROR.
  1) If the SSL Client Certificate ONLY for logon then how does XI know what cert to encyrption with?.
  2) Should Verisign/Thawte etc CA certs be also installed in STRUST ?
  Does that "public" key for encryption need to be placed anywhere (eg STRUST) or will XI just do
  3) this when it does the handshake with the external HTTPS site it is posting to ?
  4) Also the transaction STRUST may (or may not depending on how the documentation is interpreted) need the installation of some certs into its PSE (Personal Security Environment).  But exactly what they mean is a mystery.  I have created what I thought was the servers cert but cannot see to create a dev.connector.boc.com named certificate.  Perhaps that is not needed.
  Here is the help <a href="http://help.sap.com/saphelp_nw70/helpdata/en/e8/1f1041a0f6f16fe10000000a1550b0/frameset.htm">SAPHelp on  PI HTTPS Config</a>
  5) Also OSS note 510007 it advises to check a number of settings.  I have had a look at what I can ..namely via transaction RZ10  and I can see one parameter and should that be changed to include a HTTPS ? .i,e  currently it is set to     <i>icm/server_port_0  PROT=HTTP,PORT=80$$,PROCTIMEOUT=3600</i>

  Hello
  As a process you have done well. I suspect the problem could be with " SSL Client Certificate  ". Check weather the SSL Client Certificate  is Valid version.
  Best practice.
     Alway when we are communicating with HTTP outbound. It is better to have a STANDALONE ftp location for both SENDER and RECEIVE xml DATA transfter files.
           I hope I answered your question. It was nice answering your question. Feel free to reach SDN if you have any questions.
  Regards

• File fetch from external souce...  http adapter, file adapter, or...

  Hi - Hopefully this is a straight-forward question. I need to fetch a file from an external source (vendor) using a url that they provided us. Secondly, the url and file change each run. Here is the scenario:
  #1.
  - our side (PI 7.11) calls their webservice A to tell them to generate a report, and a report handle id is passed back to us (this part works)
  - our side (PI 7.11) calls their webservice B with that report id to get a https url string (this part works). E.g. return url is https://pvab70barp.companyb.com/reports/ODbsPPSBIQxPs/u1/u1_1307128013471215.csv
  - our side (PI 7.11) then needs to go fetch the contents of that file... again, the file is over at their site
  #2.
  The next time we run this we would get an entirely different url string
  So to solve #1, it seems to me that the HTTP adapter can be used (can it be used though given the url is https?). I don't think FILE adapter can be used as I believe it needs the file to reside on the local file system.
  To solve #2, it appears some dynamic configuration of the url is needed. Is their an easy way?
  If anyone has thoughts on these then I would appreciate hearing back from you with your comments. I have not worked with either of these adapters yet.
  Thanks,
  Keith

  1) You can use http or https connection to connect remote server.   HTTPS is not an issue. You create RFC destination of type H and there provide login credentials such as client certificates. Use that destination name in the http receiver adapter to use https.   Looks like to read the file that is on the http server, you might want to use Java proxy to achieve this. Simple HTTPS communication would not read the file. Or request the client to share it in the network shared drive. so that we can use File adapter to pulll the file.
  2) Yes you can use dynamic configuration in the mapping for the dynamic HTTPS URL.

• How to configure HTTPS in the receiver HTTP adapter ?

  Hi Guys,
  How to configure HTTPS in the HTTP receiver adapter and where i need to mention the QOS=BE in the receiver adpter.
  any suggestions or help would be appreciated
  Thanks,
  Srini

  You would need make sure that SSL is enabled on the ABAP stack . I rememver seeing a blog on SDN that shows how this is to be done.
  Once you have SSL enabled in the ABAP stack ( you would also need to install the cryptographic libraries as a part of this exercise) , you would be able to use HTTPS and also provide the necessary digital certificates etc.
  I have tried this with SOAP adapters etc but havent with the HTTP adapter but I dont see why this should be any different.
  Regards,
  Bhavesh

• Regarding encryption/decryption in sender HTTP Adapter...

  Hi experts,
            I have  a doubt that ... is there any possible ways to encrypt/decrypt the username, password  using sender side Plain HTTP adapter.
  Regards,
  Sasitharan

  hi
  You can use those adapters to define transport level security(HTTPS/FTPS) and message level security (encryption).
  hi check this thread for refernce:
  How to use the Private/Public Keys from the Key Store
  Also check this document on encryption in adpaters:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/482aae19-0301-0010-3485-8efd618818d0
  Check security settings section of this page:
  http://help.sap.com/saphelp_nw04/helpdata/en/da/7a2f41b239a831e10000000a1550b0/content.htm
  Check thiss blog as well:
  /people/varadharajan.krishnasamy/blog/2007/05/11/how-to-use-digital-certificates-for-signing-encrypting-messages-in-xi
  regards
  chandrakanth

• XI message with Attachment using Http Adapter

  Hi ,
  We are using XI/PI 7.0 with Sp09 and Sender Application is SRM and Receiver is Ariba MarketPlace.
  We are trying to Send PO with Attachments like Word, PDF etc from SRM to Ariba using Https adapter and from SRM we are using ABAP Proxy. When I did the testing with out any special config, I was able to send the attachments (I can see word doc as part of the payload-attachment) to XI from SRM but this attachment is not going through https adapter from XI to Ariba?
  I have read some posts on this but I could not find the answer for my situation. One of the solution is that we can use SOAP adapter but we don't want to use Soap for some reasons.
  Please give your thoughts.
  Thanks in Advance.
  -Laxman

  > Thanks for your replies, I am little confused, based
  > on your references http can't support attachments.
  That is true.
  > Also sap help link says Http adapter doesn't support
  > attachments and XI adapter also doesn't support.
  That is not true. XI adapter (in fact we do not talk of an adapter) supports attachments.
  > It means Proxy also shouldn't support because proxy is
  > nothing but XI adapter.
  This is true, ABAP or Java Proxy are like XI adapter. Therefore it supports attachments.
  > But When I send PO with attachments from SRM using
  > Proxy connection I was able to pass through XI. So
  > how proxy was able to send the attachments and this
  > is contradicts to the help documentation.
  The online help is wrong.
  > We don't want to use SOAP because we are already
  > using https adapter and this scenario is in
  > production also if we go with SOAP then we have to
  > re-import the digital certificate in Java Engine for
  > SSL. Attachments are the new enhancement only.  
  I do not see another solution besides using SOAP adapter in so-called non-SOAP mode. Yes you have to reimport the certificates to J2EE stack.
  Regards
  Stefan

• HTTP-ADAPTER with HTTPS =  ICM_HTTP_SSL_ERROR

  Hi,
  we are trying to sending data via HTTPS with the HTTP-Adapter. Therefor we create a RFC_Destination with SM59. For HTTP it works fine but after changing to HTTPS we receive a ICM_HTTP_SSL_ERROR. 
  The server on the other side expect authentification via User/Pwd on port. Also we added an entry in STRUST for CN=anonymous in STRUST.
  Any idea whats wrong ?

  Hi Sammer,
  - authentification is username/pwd.
  - SSL is active because of https
  - Service is set to the https-port of the server.
  I receive the following error in the log.
  [Thr 10] >> ---------- Begin of Secude-SSL Errorstack ---------- >>
  [Thr 10] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
  ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Class 3 Public Primary Certification Auth
  ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
  [Thr 10] << ---------- End of Secude-SSL Errorstack ----------
  [Thr 10]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
  [Thr 10]   SSL socket: local=10.172.11.11:41579  peer=195.14.237.44:3577
  [Thr 10] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x1054e08b0)==SSSLERR_SSL_CONNECT
  [Thr 10] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00021653} [icxxconn_mt.c 1813]
  when I delete in STRUST all the certificates under  Client_certificate (standard/anonymus) I receive the same error msg. it also the same error when I am trying to connect to another server with https.
  regards bernd

• How to build the "Path Prefix" HTTP Adapter at run time

  Hi All,
  I have a scenario wherein I have to call the HTTP Url of a thiird party system from R/3 via PI.
  The third party url looks liike this:
  http://gis/ias/cgi-bin/siscgi.exe?request=batch&command=<requests><request><name>sis_neighbouring_knos_for_sambandh_service</name><buffer>20</buffer><same_premise_kno>123</same_premise_kno><l
  eft_kno>331</left_kno><gis_id>4019589</gis_id><priority>same_premise_kno,left_kno,right_kno,gis_id</priority></request></requests>&user_name=sambandh.sias&pa
  ssword=sambandhsias
  I have successfully created a HTTP Recevier comm channel and provided the following in the "Path Prefix"
  /ias/cgi-bin/siscgi.exe?request=batch&command=<requests><request><name>sis_neighbouring_knos_for_sambandh_service</name><buffer>20</buffer><same_premise_kno>123</same_premise_kno><l
  eft_kno>331</left_kno><gis_id>4019589</gis_id><priority>same_premise_kno,left_kno,right_kno,gis_id</priority></request></requests>&user_name=sambandh.sias&pa
  ssword=sambandhsias
  But If I need to pass the values inside the xml tags specified above e.g. "name" at run time, How do I do that?
  I have explored the "Apply URL Parameters" option in the HTTP Comm channel but it has fixed names for the HTTP URL parameter.
  Please let me know how is this possible hopefully without a UDF
  thanks,
  Piyush

  Hi Piyush,
  Have you checked the option of ASMA of the adapter?
  http://help.sap.com/saphelp_nw04/helpdata/en/43/64dbb0af9f30b4e10000000a11466f/content.htm
  Also see Note 1101338 - Dynamic configuration of HTTP adapter
  Regards
  Suraj

• Transaction code used to configure HTTP Adapter?.

  What transaction code we use to configure HTTP adaptor?.
  SMICM
  Is this correct?.

  Ash,
  Yes. Please see this weblog for some more help:
  /people/community.user/blog/2006/12/12/http-to-rfc--a-starter-kit
  Just go this url and click the first one for HTTP adapter presentation:
  https://www.sdn.sap.com/irj/sdn/advancedsearch?query=http%20adapter&cat=sdn_all#
  Also check this threads:
  in SMICM-->How to Activate HTTP Services
  SMICM services
  ---Satish

• UTF-8 encoding problem in HTTP adapter

  Hi Guys,
  I am facing problem in the UTF-8 multi-byte character conversion.
  Problem:
  I am posting data from SAP CRM to third party system using XI as middle ware. I am using HTTP adapter to communicate XI to third party system.
  in HTTP configuration i have given XML code as UT-8 in the XI payload manipulation block.
  I am trying to post Chines characters from SAP CRM to third party system. junk characters are going to third party system. my assumption is it is double encoding.
  I have checked the Xml messages in the Message monitoring in XI, i can able to see the chines charaters in XML files. But in the third party system it is showing as junk characters.
  Can you please any one help me regarding this issue.
  Please let me know if you need more info.
  Regards,
  Srini

  Srinivas
  Can you please go through the SAP Notes 856597 Question No.3 which may resolve your issue? Also have you checked SAP Notes 761608,639882, 666574, 913116, 779981 which might help you.
  ---Satish

• Need suggestion for ISE distributed deployment model in two different data centers along with public certificate for HTTPS

  Hi Experts,
  I am bit confused about ISE distributed deployment model .
  I have two data centers one is DC & other one is as a DR I have  requirement of guest access service implementation using CWA and get public certificate for HTTPS to avoid certificate error on client devices :
  how do i deploy ISE persona for HA in this two data centers
  After reading cisco doc , understood that we can have two PAN ( Primary in DC  & Secondary in DR ) like wise for MnT (Monitoring will be as same as PAN ) however I can have 5 PSN running in secondary i.e. in DR ISE however I have confusion about HA for PSN .. since we have all PSN in secondary , it would not work for HA if it fails
  Can anybody suggest me the best deployment solution for this scenario ?
  Another doubt about public certificate :
   Public Certificate: The ISE domain must be a registered or part of a registered domain name on the Internet. for that I need Domain name being used from customer .
  Please do correct me if I am wrong about certificate understanding :
  since Guest will be the outside users , we can not use certificate from internal CA , we need to get the certificate from service provider and install the same in both the ISE servers
  Can anybody explain the procedure to opt the public certificate for HTTPS from service provider ? And how do i install it in both the ISE servers ?

  Hi there. Let me try answering your questions:
  PSN HA: The PSNs are not configured as "primary" or "secondary" inside your ISE deployment. They are just PSN nodes as far as ISE is concerned. Instead, inside your NADs (In your case WLCs) you can specify which PSN is primary, which one is secondary, etc. You can accomplish this by:
  1. Defining all PSN nodes as AAA radius servers inside the WLC
  2. Then under the SSID > AAA Servers Tab, you can list the AAA servers in the order that you prefer. As a result, the WLC will always use the first server listed until that server fails/gets reloaded, etc. 
  3. As a result, you can have one WLC or SSID prefer PSN server A (located in primary DC) while a second WLC or SSID prefer PSN server B (located in backup DC)
  Last but not the least, you could also place PSNs behind a load balancer and that way the traffic would be equally distributed between multiple PSNs. However, the PSN nodes must be Layer 2 adjacent, which is probably not the case if they are located in two different Data Centers
  Certificates: Yes, you would want to get a public certificate to service the guest portal. Getting a public/well known certificate would ensure that most devices out there would trust the CA that signed your ISE certificate. For instance, VeriSign, GoDaddy, Entrust are some of the ones out there that would work just fine. On the other hand, if you use a certificate that was signed by your internal CA, then things would be fine for your internal endpoints that trust your internal CA but for any outsiders (Guests, contractors, etc) that do not trust and do not know who your internal CA is would get a certificate error when being redirected to the ISE guest portal. This in general is only a "cosmetic" issue and if the users click "continue" and add your CA as a trusted authority, the guest page would load and the session would work. However, most users out there would not feel safe to proceed and you will most likely get a lot of calls to your helpdesk :)
  I hope this helps!
  Thank you for rating helpful posts!

• IDOC [SAP R/3 ] TO SAP XI TO HTTP ADAPTER....

  Hi Friends...,
  i am new dimension for this sap xi. i want  send idoc  from sap r/3 to Http
  Adapter throw sap xi...
  please give details from scratch..
  i want to work on this ...
  thank you very much..,
  regards,
  sharath

  Hi,
  Check this links on how to configure receiver HTTP adapter.
  http://help.sap.com/saphelp_nw2004s/helpdata/en/43/64dbb0af9f30b4e10000000a11466f/content.htm
  and this link on how to process idocs using idoc adapter.
  http://help.sap.com/saphelp_nw2004s/helpdata/en/b9/c5b13bbeb0cb37e10000000a11402f/content.htm
  Regards,
  Sudheer.

• Convert XML payload to HTML form data in Receiver HTTP Adapter

  Hi,
  I want to make a HTTP request ( Receiver HTTP Adapter ) to a servlet where I need to send the payload in HTML form format ( name=value ). As per the help document:
  A typical HTML form comprises named fields. When transferring a completed form to the server or a CGI program, the data must be transferred in such a way that the CGI script can recognize the fields that make up the form, and which data was entered in which field.
  The plain HTTP adapter constructs this format using a prolog and an epilog
  Has anyone done this before? I looked through all help documents and forums but in vain. I can resort to Java Mapping to do this but I do not want to re-invent the wheel if I can do it easily using HTTP Adapter Configuration. Please help.

  The parameters available in HTTP adapter for message header are:
  HeaderFieldFive     http://sap.com/xi/XI/System/HTTP
  HeaderFieldFour     http://sap.com/xi/XI/System/HTTP
  HeaderFieldOne     http://sap.com/xi/XI/System/HTTP
  HeaderFieldSix     http://sap.com/xi/XI/System/HTTP
  HeaderFieldThree     http://sap.com/xi/XI/System/HTTP
  HeaderFieldTwo     http://sap.com/xi/XI/System/HTTP
  HTTPDest     http://sap.com/xi/XI/System/HTTP
  TargetURL     http://sap.com/xi/XI/System/HTTP
  URLParamFive     http://sap.com/xi/XI/System/HTTP
  URLParamFour     http://sap.com/xi/XI/System/HTTP
  URLParamOne     http://sap.com/xi/XI/System/HTTP
  URLParamSix     http://sap.com/xi/XI/System/HTTP
  URLParamThree     http://sap.com/xi/XI/System/HTTP
  URLParamTwo     http://sap.com/xi/XI/System/HTTP

• How to send the payload to a jsp using receiver Http adapter?

  Hi experts,
  I have this scenario from Legacy to XI to external app server.I have a test jsp to execute that functionality .Its a jsp which has 1 textarea named "test" and when I click on the submit buton I get a response back.This way I am able to test this independently.Now from XI when I am executing my scenario I am getting status code '1250' and message as ' http request(test) is null'.Now in the scenario in http adapter I just provide the target host : ip of server ,
  service number : port no ,
  path: the container or the request handler. But this scenario fails and gives me the above erroneous response.Now Basically I am not able to get how to send the value to the textarea "test"? please provide help as soon as possible.Do we have to put the name of the jsp in the "path" in http adapter and use prolog as test=.I tried this but it doesnt work.
  Is there any way to check the URL that it forms after appending the querystring in the url ...?
  So please provide help on this or suggest a solution to [email protected] as soon as possible.....
  Thanx in advance.
  Akshata

  hey Shekhar,
  thanx for that prompt reply but I have configured the communication channel in the same manner as suggested by u.
  actually I have this jsp page http://xx.xx.xx.xx:8080/abcdef/try/efg.jsp where there is a textarea "test" which has to be filled and there is a submit button.When I test this http client i.e the above jsp page independently then it goes to handler
  http://xx.xx.xx.xx:8080/abcdef/trial/    And it gives a proper response message after clicking on the submit button.
  now I want to carry out the same using receiver http adapter. I need to pass the value for this inputfield names "test" on that jsp . so right now I have configyured the adapter as
  addressing type: url
  target host : xx.xx.xx.xx
  service no:8080
  path : here I have given the path of handler i.e /abcdef/trial I tried giving the jsp page also but logically I guess it should be the handler.
  content type: text/xml; charset=iso-8859-1
  xml code: UTF-8
  Mask special characters (URL escaping) checked.
  now since the name of the inputfield is "test" in the prolog I gave test=
  But it doesnt work I get this error "http request parameter [test] is null" in the response message  which I guess suggests that it is not able to send the value for the field"test" to that handler.Please suggest how to send this and tell me if there are any other configurations that I have to do in the receiver communication channel.
  Thanx ,
  Akshata