HTTPS with client auth

Similar Messages

• Does Flex HttpService support https with client authentication

  Hi,
  We have a set of backend services available over https with client auth (cert based). We need to use mxml HttpService to access these backend services. Does HttpService support ssl with client auth?
  Another question is, for Https does flex share the browser keystore and certstore or uses its own?
  Thanks,
  Debashis

  Yes , a flex HTTPService can access services on https://.  But if I remember correctly , to use an https:// service , the swf has to be served on an https.  Example ,
  Served from https:// ... --> Can access https:// ...
  Served from https:// ... --> Can acess https:// ...
  Served from https:// ... --> CANNOT access https:// ...
  Served from https:// ... --> CANNOT access https:// ...
  Since Flex has the browser do the connecting , the browser handles the keystore stuff , not Flex. I think.

• Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

  Hello All,
  We are currently building up a HTTPS message exchange with an external client.
  Our PI 7.1 recieved over HTTPS messages on an already configured Sender SOAP Adapter.
  The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
  Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet is required and works fine with user ID and password.
  Now we have to configure the addtional Client Authentication.
  At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
  But what are the next steps to get this scenario successfully in place?
  Many thanks in advance!
  Jochen

  Hi Colleagues,
  following Steps still have to be done:
  - Mapping public key to technical user at Java Stack
    As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for repecively technical user the public key certificate
  - Be sure CA root certivicate at Database under STRUSTSSO2
  - Import intermediate Certificate under Certificate List at Trast Manager for the Respecive Server Note
  - use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
  Many thanks to all for support!
  Regards,
  Jochen

• HTTPS with Client Authentication not available in EHP1?

  Hi Guys,
  I am not seeing this option in PI 7.1 EHP1.
  At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
  any help would be appreciated
  Thanks,
  Srini

  Hi Srinivas,
  I didnot use it personally. But when I see on SAP help I dont see that option anywhere. Please see this sap help:
  http://help.sap.com/saphelp_nwpi711/helpdata/en/48/3555240bea31c3e10000000a42189d/content.htm
  But you have an option sender agreeement for security. Please see this help:
  http://help.sap.com/saphelp_nwpi711/helpdata/en/48/ceb8cf18d3424be10000000a421937/content.htm
  Since we have the option to skip the adapter engine they have enabled this option in http adapter. So you can directly hit to integration engine skipping the adapter framework, which will help in improving the performance. Please see this help on this:
  http://help.sap.com/saphelp_nwpi711/helpdata/en/43/64db4daf9f30b4e10000000a11466f/frameset.htm
  Regards,
  ---Satish

• HTTPS with Client Authentication in SOAP sender Adapter

  Hi All,
  In SOAP Sender communication channel. When I generate WSDL with “HTTP Security Level = HTTP:” it works when third party tries to send data to XIwebservice.
  But when I tried with “HTTPS with Client Authentication” option its giving error
  “InfoPath either cannot connect to the data source, the service has timed out, or the server has an invalid certificate.”
  Please guide how to use “HTTPS with Client Authentication” option, and what all configuration need to apply in XI & in third party to use this.
  Regards

  Rohan,
  With spy you can trace the entire route, since you are using client authentication using certificate, it would be a better option to verify with the certificate.
  You also have the option of using a username/pwd combo though that is not advocated as it lowers security levels and is permeable to passive sniffing.
  So the answer to your question is yes, after importing the certificate with sender and third party reciever a test would reveal the complete scenario along with any issues that you could encounter..
  Regards
  Ravi Raman

• Https with client authentication handshake_failure

  Hi everyone. I hope anyone could help me. I have a client class 1 certificate from verisign (digital id) which is needed for https service request. I have installed it on Internet Explorer and it works fine:
  1) Internet Explorer ask me to trust in https server certificate.
  2) I accept the server certificate
  3) Internet Explorer ask me for select which client certificate send to server.
  4) I select my verisign client certificate
  5) Https server returns an xml with the response of the service.
  Now I have to implement this behaviour in Java. I have exported the client certificate to a .pfx file from Internet Explorer. Now I use this file directly as my key store. Then I used Internet Explorer to export server certificate as a .cer file and imported it into cacerts. The fact is that no matters what kind of transformation on the client certificate nor what validations i disable: I always get "Received fatal alert: handshake_failure" exception when trying to do in.readLine() (where in comes from BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));).
  I couldn't guess that connecting to a https server with client certificate was so difficult. I have read lots of examples and documentation, that always drive me to implement the same code.
  Sincerely, I don't use to ask in forums when having the first problems, but this time I'm really frustrated.
  Thanks in advance for any answer.

  Hi Rana da,
  If you want to use Https, make sure Https service must be activated in the system. Check Tcode: SMICM for HTTPS status.
  Have a look at below link
  Sender SOAP Adapter: HTTPS with Client Authentication

• HTTPS With Client Authentication

  Hi,
  I've created a simple Web Service in PI 7.11 SP 4 when trying to connect to the Web Service from Soap UI I get the following error:
  java.security.AccessControlException: client certificate required
  In the the transaction scim the following can be seen:
  [Thr 5061] <<- SapSSLSessionInit()==SAP_O_K
  [Thr 5061]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
  [Thr 5061]     out: sssl_hdl = 1117534b0
  [Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K
  [Thr 5061]      in: sssl_hdl = 1117534b0
  [Thr 5061]      in: cred_hdl = 116cfc110
  [Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE
  [Thr 5061]   SSL NI-sock: local=XX.XX.XX.XX:50001  peer=XX.XX.XX.XX:2310
  [Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K
  [Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K
  [Thr 5061]          status = "resumed SSL session, NO client cert"
  The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.
  Sender Communication Channel, 
  Transport Protocol: HTTP,
  Message Protocol: Soap 1.1,
  Adapter Engine: Central Adepter Engine,
  HTTPS with Client Authentication,
  Keep Headers
  Any ideas?
  Kind regards,
  John

  Hi Peter,
  If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.
  It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.
  All the best,
  John

• SOAP Sender with HTTP(with SSL)=HTTPS with Client Authentication config

  Hi All,
  I have a Web-service-XI-Proxy scenario where we use SOAP Sender Adapter with HTTPs.  Double authentication (client- server) sertificate shall be used.
  Testing simple HTTP and XI user name/password works fine.
  Now I installed requred sertificates in TrustedCA and ssl-provider in VIsualadmin.
  But i can't see how i can configure certificates in SOAP sender Adapter. I've just did SOAP receiver for another scenario and there I could give keystore entry.
  I also doesn't know how to disable asking for name/password.  I am using XI 7.0.
  Please advise.
  Thanks,
  Nataliya

  Hi Nataliya,
  Go to SOAP Adapter> Inbound Security Checks-> HTTP Security Level--> Here you can specify  option "HTTP with Client Authentication. 
  One more thing HTTP Security level option is always available in Sender Adapter.
  For more clarity about HTTPS find below link.
  http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
  To enable the TrustedCA in SOAP Sender adapter. Go SOAP Sender> Security Parameter> Security Profile--> Web Service
  security. Then go to sender agreement there you need to give key store entry.

• How to invalidate the client part of a HTTPS Session with client auth

  Hi to everybody here,
  I'm having an issue with HTTPS and client authentication related with how SSLHandshake works and the behavior of the client browser. I hope you can help.
  I'm setting up a web application that ask for a valid session in order to allow access to the application. If the user has no valid session, he's redirected to the login form, and if the auth process is ok, the user gets a session and is redirected again to the secured pages.
  We are in the way to create a new login service with client certificates, so the user identificates himself with a certificate valid on the application server.
  We have an application server with a secure listener in port 8443. It's configured to request client certificates so we can access to the certificate and validate it and create a session for the user automatically. The user just type his pin code in the browser, no passwords at all. This process is working and sessions are created. The problem comes up when we are trying to log the user out.
  We invalidate the session using a logout.jsp, but if the user goes to the secured pages again, we have observed that the authentication takes place automatically and the user can see the secured pages, so he thinks the logout.jsp doesn't work.
  My questions are: can we access to delete or modify the client browser ssl part in order to reset the https connection established against our application server? Are there any other ways to avoid this behavior?
  Thanks in advance.
  Miss.

  An enduser presents a certificate from a CAC for authentication to our website.
  They pick the Cert off the inserted CAC and submit it. Get logged into the application successfully.
  The user removes the card form the reader and the SSO session times out.
  In the same browser the user clicks log in with CAC and is not prompted for the cert this time the browser just goes ahead and presents the cached cert even though the card is no longer in the reader. The user logs in successfully.
  The desired behavior would be to prompt the user for for a cert again obviously.
  I am wondering how to turn this off as well.

• How to make call to Sender Soap Adapter using HTTPS with Client Aut

  Hello everyone, I have spent some time trying to get this to work. We downloaded a trail certificate from SAP and installed it on our machine and I created a webservice that works great. I tested the HTTPS without client authentification and it works great, as soon as I change it to use with Client Authentification I can't get it to go through. I am using Soap Sonar to test the certificates. To get the certificate I called the url with firefox then saved the certificate in my trust store, from there I import it to soap sonar as a signed certificate, but I am getting the error  <Exception>Object contains only the public half of a key pair. A private key must also be provided.</Exception>  I assume I am doing something way wrong, is there a way to get the certificate with both public and private key pair, or a way to test this that I can't seem to find in documentation or blogs?
  I def award points
  Cheers
  Devlin

  Hi
  I think This link is useful to u
  http://www.sapag.co.in/SAP-XI-SOAP-Adapter-FAQ'S.html
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/40611dd6-e66e-2910-f383-e80fb44f9cd4
  Thanks
  Santosh

• HTTPS with Client Authentication in SOAP sender Adapter --SSL

  We have an interface SOAP to file..which was working fine...now we  recently switched to F5 load balancer and hence we were asked to chnage the settings in Communication channel.
  After changing the communication channel to u201CHTTPS with Client authenticationu201D..client trggerd the some data but nothing seems to be coming in PI..
  No trace in communication channel either.where else can we check for the incoming data ?
  Is there any other setting required? why the data s not coming to PI?
  Regards

  Hi,
  here is the flow: Bank>F5-->PI.
  when the Bank client send the message
  they are  getting the message below. Could you please tell me what could be the reason?
  <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
  <!-- Call Adapter
  -->
  <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
  <SAP:Category>XIAdapterFramework</SAP:Category>
  <SAP:Code area="MESSAGE">GENERAL</SAP:Code>
  <SAP:P1 />
  <SAP:P2 />
  <SAP:P3 />
  <SAP:P4 />
  <SAP:AdditionalText>com.sap.aii.af.ra.ms.api.DeliveryException: Invalid SSL message, peer seems to be talking plain!</SAP:AdditionalText>
  <SAP:ApplicationFaultMessage namespace="" />
  <SAP:Stack />
  <SAP:Retry>M</SAP:Retry>
  </SAP:Error>
  regards

• Using SSL with client auth from a JNLP-launched app

  We have an application that is launched by JNLP, and which needs to make a mutually authenticated SSL connection to a server. The client cert and trusted certs that it needs to do this are stored in the Sun\Java\Deployment\security directory where JNLP knows to look for them. And Java WebStart itself seems to be able to use these certs just fine. However, our app seems blithely unaware of the location of the keystore/truststore unless we explicitly set the system properties javax.net.ssl.keystore and truststore. But we don't want to do that (it could be different for different users), and we shouldn't have to do that. So the question is, how can we use the same KeyManager/TrustManager that Java WebStart itself is using? Are they somehow available for the JNLP-launched app to use?
  Failing that, is there a way for a JNLP-launched app to query the deployment properties? There are a bunch of properties to direct the behavior of Java WebStart (see [http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/properties.html]), such as deployment.user.security.trusted.cacerts. These don't seem to be System properties. Can the app see them, or are the "private" to Java WebStart itself?

  HI:
  see also shine enterprise pattern.
  I have worked with it and it helps me and results spead up.
  it has a class which is named "code" and does encryption and ... by md5. it is incredibly secure! tey it.
  you can download it via links bellow:
  http://groups.google.com/group/j2sos.
  http://sourceforge.net/projects/shine-enterpris/
  it has also document

• SOAP Adapter - HTTPS w/ client authentication -SSL termination @ dispatcher

  Hi,
  We have a SOAP client sending SOAP message over SSL to PI. We are using client cert for authentication, but terminating SSL at web dispatcher. In this scenario, i) do we need to configure security for XISOAPADAPTER in Visual admin on PI and ii) do we need to set HTTPS with client authentication security option in SOAp Sender communication channel?
  My understanding is that since we are terminatinating SSL at web dispatcher (Server authentication happens between third-party gateway and our gateway and when web dispatcher terminates SSL, client cert for auth is passed via httpheader to PI where it is mapped to UME user with sufficient authorizations) we don't need to set the XISOAPADAPTER security (if it is end-to-end ssl we would i guess set up in V. Admin>Security provider service>clientcertloginmodule for XISOAPADAPTER) and we don't need to set the sender channel as https with client authentication ( it should just be http in SOAP sender channel).
  Is my understanding correct? I will really appreciate any clues?
  Thanks,
  Saurabh

  Hi saurabh
  follow these links to SAP note
  these will be helpful for you
  Note 856597 - FAQ: XI 3.0 / PI 7.0 / PI 7.1 SOAP Adapter
  https://websmp102.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=856597&_NLANG=E
  Note 856599 - FAQ: XI 3.0 / PI 7.0 / PI 7.1 Mail Adapter
  https://websmp102.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=856599&_NLANG=E
  Note 870845 - XI 3.0 SOAP adapter SSL client certificate problem
  https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=916664&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede
  https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=870845&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede
  regards
  Sandeep
  If helpful kindly reward points

• WS security, SSL and client auth

  Hello all,
  I need to secure a web service using SSL with client auth (client has a certificat issued by the web service provider wich he can use to access it... i suppose).
  Being a newbie i have no idea what are the options and how to implement them.
  If good tutos are available on the subject it would be nice.
  I also had another question: with a web service, what guarantee do i have that the client has consumed the web service and received the information he wants etc., it is critical for me to know that everything went ok...
  Cheers

  Hi
  One of the best books I found that covers security is located at:
  http://www.lulu.com/content/214643
  You will, or get you company to :), buy it (it's not expensive). It covers axis1.3, note that axis2 is out, but since your just starting with web services this will be a very good start on many of the concepts and how to implement them.
  Should you decide to use Axis give it's documentation and many tutorials a look, the main site is: http://ws.apache.org/axis2/
  Re: getting a guarantee, I might be wrong, but I do not see how this can be done with services and to be honest with any other type of application (especially the "received the information he wants" bit). The only way I can think one to do this is to include it as part of the SOP (standard operating procedure) for specific functionality in your application. The "it" would be an additional step that the user needs to do e.g. click an "accept" button that kicks of another "request" to the web service indicating that the initial request satisfied the users query - logically this request will need to contain some type of identifier that will enable you to map it to a previous request.

• How to use HTTPS with sender SOAP Adapter

  Hi,
  I am implementing a synchronous SOAP- proxy scenario and on the sender communication channel I have to use the Http Security Level as "HTTPS with client Authentication".
  Where from I get the certificates to be used in sender Agreement.
  Please give me a step by step approach to achieve this.
  Regards,
  Nitin

  Nitin,
  Kindly go through the below links ...
  http://help.sap.com/saphelp_nw04/helpdata/en/1f/7e2441509fa831e10000000a1550b0/content.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
  Also, make a search on the SDN as this question has been answered many a times on the forum.
  Regards,
  Neetesh