Https without certificates / wallet??

Similar Messages

• SOAP Receiver with HTTPS(without certificate)

  Hi experts
  Receiver system not using any certificate.  Without certificate How PI can send message through HTTPS using SOAP.
  How to choose HTTPS transport protocol. (Here Target Url have Https://.....)
  Here I am using PI7.1 EHP1.
  I configured Receiver SOAP CC as
  Transport protocol as HTTP
  Taget Url https://api-demo.e-xact.com/transaction
  It will work? if not how to enable Https in SOAP receiver
  but I am getting below error In adapter
  Adapter Framework caught exception: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
  Thank you
  Srini

  Hi Srini,
  The main reasons for this error "Peer certificate rejected..." be appearing are the following:
  1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:
  Security Configuration at Message Level
  http://help.sap.com/saphelp_nwpi711/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
  2. The server certificate chain contains expired certificate. Check for it (that was the cause for other customers as well) and if it's the case renew it or extend the validation.
  3. Some other customers have reported similar problem and mainly the problem was that the certificate chain was not in correct
  order. Basically the server certificate chain should be in order Own->Intermedite->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by the C which is the root CA (having a self signed certificate).
  Then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificate in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third steps as the principal one.
  4. If the end point of the SOAP Call(Server) is configured to accept a client certificate(mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within validity period.
  (This certificate is the one which is sent to Server for Client authentication)
  As a resource, you may need to create a new SSL Server key.
  The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site.  I mean if I request URL X then the CN must be CN=X.
  In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
  Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
  In any other case the SSL communication will not work.
  Regards,
  Caio

• HTTPS without certificates in SOAP sender adapter

  Hi,
  I am using SOAP to PROXY sync scenario.
  The HTTP security level at the sender SOAP adapter has been chosen as "HTTPS with client authentication" and the SELECT SECURITY PROFILE parameter is uncheck.(No certificates has been referred)
  The interface is working fine in PRODUCTION.
  But when I am trying to develop the same kind of interface in DEV using "HTTPS with client authentication" the webservice is not executed, However when I change the SECURITY LEVEL to "HTTP" It is working fine.
  Please suggest me how to resolve it.
  Please note that no certificates has been used in the PRODUCTION.
  I have also referred help.sap, but unable to find the solution.
  Thanks,
  Nitin

  Nitin,
  Could u please suggest me where do I need to maintain the userID and PAssword in PI server.
  It is maintained in the ABAP stack - su01.
  The userID I am using to invoke the webservice already exists in PI server.
  Do I need to maintain the userID in any specific location in PI server.
  I guess both of us are talking about the same place of maintaining the users
  Have you tried using SOAPUI (or similar tool)? Are you getting any error messages?
  regards,
  Neetesh

• HTTPS Without client authentication shows error of Certificate

  Hi Experts,
  I am trying to develop a SOAP to RFC scenario where in SOAP sender HTTP security level - HTTPS Without Client Authentication is selected.
  I have downloaded WSDL from Sender agreement and trying to test web service from SOAPUI.  Now as per my understanding simply placing request to HTTPS:<host>:<port>:XISOAPAdapter/....   with correct user should work and this scenario shouldn't need any certificates.
  However in SOAPUI and even in RWB SOAP Sender, I am receiving error that - Client Certificate required.
  Any comments on why would it be happening ?    In fact whatever option in HTTP Security level I select, error remains same. In NWA is there any other configuration to be done to make this work ?
  Is below understanding right ?
  -- >> HTTPS Without client authentication will not need certificate exchange and simply user authentication will do
  Thanks..
  regards,
  Omkar.

  Hello Omkar,
  What you are trying to do is Consume a SOAP->RFC scenario (synchronous) from SOAP UI and you want that to be secure. With this requirement, just having the certificates alone is not sufficient (sorry for late response..i just came across this post when i was searching something else )
  1)How did you generate the certificate and the private key? Because Key Generation plays a Big Part in it. The Key should have been signed by a CA. Though its not signed by a CA, a trick which would work is, at the time of Key generation, provide the Organization Name as SAP Trust Community and Country as DE.
  2) At the time of Key Generation definitely it shall ask for a password. You remember that.
  3) Export the Private Key as PCKS12 format and the certificate as Base64 format and have it in your local system, (shall be used later in SOAP UI and NWA)
  Here follows the major part
  4) Open NWA and go to Configuration Management->Authentication
  5) Go to Properties Taband click Modify
  6)  Under Logon Application select the check box "Enable Showing Certificate Logon URL Link on Logon Page" and save it.
  7) Now go to the Components Tab.
  8) Search for client_cert Policy Configuration name and Edit it it. Make sure the following Login Modules are maintained in the same Order
  ==> Name: com.sap.engine.services.security.server.jaas.ClientCertLoginModule
         Flag : Sufficient
  ==> Name: BasicPasswordLoginModule
         Flag: Optional
  9) Now Select the name com.sap.engine.services.security.server.jaas.ClientCertLoginModule and you can see lots of entries under the Login Module Options. Remove them all and add anew entry (case sensitive). Save it.
  ==>Name: Rule1.getUserFrom
         value : wholeCert
  10) Now search for the Policy Configuration name sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter
  and edit it.
  11) Under the Authentication stack select the template client_cert against the used template label. and save it
  12)If you are using AXIS Adapter, do the steps 11 for the Policy Configuration name sap.com/com.sap.aii.axis.app*XIAxisAdapter.
  13) Now in NWA navigate to Operation management->Identity Management
  14) Search for the user PIISUSER (or any user id which you thing has good amount of authorizations to access the service)
  15)Click Modify and go to the TAB Certificates and upload the certificate (not the private key) which you downloaded in step 3.
  16) With this setup what you have done is you have created proper certificate, enabled certificate based logon for SOAP and AXIS adapter and associated the certificate with a user id.
  17) usually in Dual stack PI, we will have the same certificate added to the server pse in strustsso2 tcode. But since its single stack, just make sure in the cert and keys you add this certificate to teh Trusted CAs and also to the Server Keystore.
  18) Now in SOAP UI Right Click on the Project Name->Select Show Project View->Under the WS Security Configurations->Go to Keystore and certificates and add the Private Key
  19) In SOAP UI under the operation name, in the Request, in stead of providing user credentials, choose the private key name against the SSL Keystore entry.
  20) Before you execute the scenario  make sure you have chosen the HTTPS url and https port is proper. Usually its 443, but some customers configure their own port.
  Scenario should work now. Else if you track it using XPI Inspector, you can find out easily at which step it has gone wrong.
  Good Luck!!
  Best Regards,
  Sundar

• HTTPs without client authentication, error while posting through Altova

  Hi Experts
  I am doing a SOAP- XI-Proxy synchronous scenario where i have to use HTTPs without client authentication for the first time in my system.
  I have made the scenario and WSDL out of it.
  When i am trying to test it through Altova, i am getting the following error:
  <?xml version="1.0"?>
  <!-- see the documentation -->
  <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP:Body>
          <SOAP:Fault>
              <faultcode>SOAP:Server</faultcode>
              <faultstring>Server Error</faultstring>
              <detail>
                  <s:SystemError xmlns:s="http://sap.com/xi/WebService/xi2.0">
                      <context>XIAdapter</context>
                      <code>ADAPTER.JAVA_EXCEPTION</code>
                      <text><![CDATA[
  java.security.AccessControlException: https scheme required
      at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:918)
      at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3.process(ModuleLocalLocalObjectImpl0_3.java:103)
      at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:296)
      at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0_0.process(ModuleProcessorLocalLocalObjectImpl0_0.java:103)
      at com.sap.aii.af.mp.soap.web.MessageServlet.callModuleProcessor(MessageServlet.java:187)
      at com.sap.aii.af.mp.soap.web.MessageServlet.doPost(MessageServlet.java:496)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
      at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
      at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
      at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
      at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
      at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1060)
      at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
      at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
      at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
      at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
      at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
      at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
      at java.security.AccessController.doPrivileged(Native Method)
      at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
      at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
            ]]></text>
                  </s:SystemError>
              </detail>
          </SOAP:Fault>
      </SOAP:Body>
  </SOAP:Envelope>
  i saw a few discussion on web but nowhere the solution was provided.
  the url is
  http://abc.sap.point:1234/XISOAPAdapter/MessageServlet?channel=:system:communicationchannel&amp;version=3.0&amp;Sender.Service=x&amp;Interface=x%5Ex
  i changed it to https also but in that case it was not even posting the request.
  i have set the sender adapter like this
  is there any setting that i am missing.
  What is the setting the i need to do in SM59.
  Please help me getting through this.
  Your help is highly appreciated. Thanks in advance.
  Neha

  HI Neha,
  1. Enable the https service in the ICM: you can follow the way to do it like is pointed out in the page 4 of this document (PI 7.1 and PI 7.0 has the same smicm abap transaction) http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60ff2883-70c5-2c10-f090-a744def2ba66?overridelayout=t…
  2. Generate the certificate. Use the STRUST transaction. Chech this document SSL Configuration in SAP ABAP AS and JAVA AS – Step-by-step procedure
  Hope this helps.
  Regards.

• SAP PI SOAP Sender Adatper using HTTPS Without Authentification

  Dears experts,
  I have a requirement where i need to implement the next flow:
  POS (Java code to web service soap) ---> (SOAP HTTPS - SAP PI - XI) --->ECC (XI)
  So, have configured my SOAP sender adapter as:
  Transport protocol: HTTP
  Message protocol: SOAP 1.1
  HTTP Security Level: HTTPS without Client Authentication
  But as i have read i see that Basis team should configure this to permit HTTPS into PI, but i would like to do it by my self...
  Following a lot of forums, manuals, etc... I have configured the transaction STRUST importing the certificated that i attached to you (PRTG Demo Certificate), succesfully in my server... and i tried to find how to configure netweaver but in this i didnt find it...
  Then i tried again using SOAP UI but when i sent the message to HTTPS://www.piserver.com:50001 i still getting error without connection...
  Wed Jun 25 18:27:13 CDT 2014:ERROR:An error occurred [Connection to https://piserver:50001 refused], see error log for details
  Can you help me to end this, please?...
  Best regards,
  Azael

  Hi,
  The certificates should be installed under TrustedCA's in NWA (Netweaver Administrator). Aside from that, you should be posting to either:
  https://host:port/XISOAPAdapter/MessageServlet?channel=p:s:c where p=party, s=service and c=channel
  or
  https://host:port/XISOAPAdapter/MessageServlet?senderParty=FP&sen
  derService=FS&interface=IF&receiverParty=TP&receiverService=TS&in
  terfaceNamespace=IFNamespace
  Hope this helps,
  Mark

• LDAP database without certificate

  hi
  Is there any type of eap protocol in ACS 4.1 works without certificates and compatible with LDAP database.
  thanks

  Hi,
  PEAP(EAP-GTC) works with LDAP, compatibility table,
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/overvw.htm#wp858207
  Configure ACS for PEAP authentication.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml
  And when it comes to configure client, generally I have seen with Intel clients, you have an option to uncheck "Validate Server Certificate" under "PEAP Server" section if you do not want to install CA root certificate on every client, after you have selected Authentication type as PEAP and authentication protocol as GTC under "PEAP User" section.
  Regards,
  Prem

• HTTPS without client authentication

  Hi Friends,
  In SOAP adapter, we have three options for HTTP
  HTTP without SSL
  HTTP with SSL (= HTTPS) without client authentication
  HTTP with SSL (= HTTPS) with client authentication
  Please let me know if I use  "HTTP with SSL (= HTTPS) without client authentication" ,  is it Transport Layer Sceurity of Message level Security?
  Please answer only if you are confident. No guess please!!!
  Thanks,
  Sandeep Maurya

  Hi,
  Please let me know if I use  "HTTP with SSL (= HTTPS) without client authentication" ,  is it Transport Layer Sceurity or Message level Security?
  HTTPS is used to encrypt the traffic between the client and the Web server. SSL encrypt the segments of network connections at the Transport Layer end-to-end.
  Don't get confused with the Client Authentication (with / without), as SSL is already being used in both the forms and the network is secured.
  Regards,
  Neetesh

• Https without a lock

  I went to a youtube site "https://www.youtube.com/watch?v=EASmyA6F29s" and the favicon shows https without a lock. I thought this should not occur in firefox 22 according to the documentation
  Why is https being shown without a lock symbol as it clearly is not secure? See enclosed diagram.

  There is mixed content on that page.<br />
  Firefox only blocks active mixed content and if other mixed content like images are present then you still get the globe instead of the padlock.<br />
  You can see that in the Web Console (Firefox/Tools > Web Developer;Ctrl+Shift+K) as red lines.

• RADIUS with IAS without certificate ?

  Is it possible to configure a WLC to use Microsoft IAS without issuing a certificate ?

  No. IAS can only do PEAP and EAP-TLS, both of which require a server side certificate. You could use your own CA to issue this certificate. For a walk through of IAS, go to http://www.dweezlenation.com
  HTH,
  Steve

• 802.1x Without Certificates

  I have the following setup:
  5508 WLC
  ISE 1.2
  The wireless network is copletely seperate from the corporate network & is purely used for Internet Access.
  The users connect in 2 different ways:
  Guest Access by means of a Guest Portal (Guest SSID)
  802.1x Pointing to Internal Users on the ISE box. (Corporate SSID)
  All Mobile devices connect fine to the corporate SSID, the problem is with Laptop users.
  At this stage, In order for the users to connect to the Corporate SSID, i need to manually set up the Wireless connection and remove the
  "Verify The Server's Identity by validating the certificate" tick box under PEAP settings.
  Is there any way to bypass/rectify this, (This is only used for Internet, hence the Customer will not install a CA server)
  I need the users to connect to the Corporate SSID without manually setting up the Wireless Connction.

  Jacovr,
  The point of using 802.1X is to provide a means of security for the corporate users when connect to WiFi. First we need to cover the purpose of cert validation. Radius server sends the device cert to the client. The client then uses this cert to hash their logon and AD and pass it to the radius server wherethe radius server uses the private key.  To protect against a man in the middle attack the client can validate the certificate. If you choose not to, and many people do btw, you can unselect this. But know anyone running your SSID with FREERADIUS and the Hack can put your ID/Passwords at risk.
  This is a client configuration. Nothing you can do on the infrustructure side of this to bypass it. Here are a few ideas.
  1)I assume these corporate users have machines that are part of AD. If so you can push the WLAN profile with the specific WLAN settings automagically.
  2) If you dont have AD you can use a tool like Anyconnect and provide a profile via email a user can launch and will configure the WLAN profile.
  3) With ISE you can build a policy and push down a WLAN profilem but here again they need to connect the first time. I have seen users do a onboarding network for WLAN Profiles.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
  "Im like bacon, I make your wireless better"

• Receiver SOAP HTTPS channel certificate issue in SAP 7.31

  Hello SAP team,
  We have imported the Partners Https certificate in our NWA and have tried to click the check box of certificate authentication in communication channel .
  However we are still getting an error in CC " SSLcertificate exception : Peer certificate rejected by chain Verifier " .
  Could you you please tell us that what are we missing on  and why are we getting this issue .
  Regards,
  Ravi

  Hi Ravi
  Is the cert provided a self-signed cert or signed by a CA entity? If the latter, you need to import all the Certs in the chain of trust (intermediate and root) into Trusted CA key store too.
  You can normally get the CA certs directly from the CA's website, but if you are unsure, you can check with your partner.
  Rgds
  Eng Swee

• Youtube (https)security certificate issue

  Hi
  I'm using latest firefox version with and recently I'm facing this strange issue ... everytime I try to visit youtube, to be specific, when not logged in on any google accounts .. I can visit http://www.youtube.com but when I try to login, in which case it redirects to https:// and It shows the following error(check image url):
  https://imageshack.com/i/ezbe0c53j
  And if I try to add exception, it shows this screen(check image url):
  https://imageshack.com/i/hj41802cj
  (PS: Couldn't find upload option here so I had to use otherimage hosts)
  Also I tried changing windows time, adding auto time sync from windows site and also tried changing profile, disabling add on and testing and also tried removing cache/cookies from both google.com and youtube.com and so far nothing worked ... I can't seem to access youtube while logged in (https)
  Also its only youtube, no other website shows this security certificate error!
  please provide a solution to this asap, thanks!

  When you click Add Exception, you get a Google error page instead of a pop-up dialog? Or are you saying that after you added the exception, YouTube's home page won't load. That's mildly suspicious...
  If you return to the Add Exception dialog and use the View button, how does the certificate compare with the attached screen shot?

• Error  connecting https when certificate key 2048

  Hello,
  I've got the following exception when I tried connecting an HTTPS web server AND when the certificate key > 2048 bits:
  javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLProtocolException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
  The exception occurs when trying to handshake the certificate:
  com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateMsg.<init>
  I tried using jdk 1.4.2_08 and 1.5.0.
  Is somebody can help me? Is there a specific work around or library to use?
  Thanks for your help
  C�dric Braem
  http://www.internetVista.com

  hi ,
  R/3 and EP are running in cross domains.
  ex- R/3 india.ac,in:port/irj/portal
        EP europe.ac.in:port/irj/portal
  There is no web dispatcher for the portal and also for backend, there are no additonal SSL in the network
  It is java webdynpro causing the issue when i am trying to access my backend system from portal from talent management.
  A new iwndows appears with pop-up and poempts fro user id & password.
  Thanks & regards,
  rahul

• [WLAN] Use 802.1x with PEAP without Certificates?

  Hello there,
  is it possible to use 802.1x with PEAP authentication via MS-CHAPv2 without cheking for the servers certificate? I can't find an option to disable it

  On whitch device? You can set the autorithy certifacte to none or choose one from the list.
  ‡Thank you for hitting the Blue/Green Star button‡
  N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009