SSL (http https) security in SAP

Hello. Can you help me??
It is a scenario, that we have to enable a secure meassage communication.
An encryption have to be used and may be authorization(log and pass) or digital certificates. Can u help me or just point the most information.
Thanks a lot.

Configuring the SAP Web AS for Supporting SSL-SSL
Regards
Kasi

Similar Messages

A fix for the Mozilla Firefox SSL Certificate Validation Security Weakness vulnerability? This appears to be an issue with not revalidating certificates when loading HTTPS pages from cache.

We have to close vulnerabilities for PCI & Cybertrust certification. We have upgraded users running Firefox to version 7.0.1 but we are still receiving the message: Mozilla Firefox SSL Certificate Validation Security Weakness. Researching the issue, it appears to be related to certificates not being revalidated when loading HTTPS pages from cache. The bug report I found is:
Bug 660749 - Firefox doesn't (re)validate certificates when loading a HTTPS page from the cache

cookies.squite answer is Today at 5:15 PM .
New profile, same problem.
We've already established it is not a add-ons problem but obviously there will be less add-ons in this new profile to help exclude.
Since there is two PC profiles on the PC, I tried the second profile, same problem. Used the RESET FF function on the second PC profile...same thing...even followed the instruct for uninstall &re-install...same problem.
(3) different virus scanners, no hard core problems.
Suspect how I have something in Windows setup that no one else is using?

Https call from SAP SOAP client tool

Hi,
in order to call a webservice via https using the SAP SOAP client tool, I've done the following:
1. The Client cert field filled with my personal certificate from IE (pcert.pfx)
2. The Trust store field left as it was (cacerts file of the jre).
When calling the service I am getting
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
Very likely this is caused by setting 2.
Could anybody advise how to get an X.509 certificate of trusted root CAs? Any chance to export from IE or would one have to get that from a CA? File types required are ppfx or p12, which is strange since these contain private keys.
Much appreciated.
Rene Funke

Hi Rene,
You need to include the full certificate chain in the p12 file. i.e. private cert and root CA cert. IE will not export the full certificate path with the private certificate unless it was imported into IE with this flag set. You could use Firefox to generate the pks12 file. It will include the full certificate path.
This private certificate (p12 file) should then be added to the truststore in XI.
Also, .p12 (pkcs#12) file format defines a file format commonly used to store private keys with accompanying public key certificates - not just private keys.
Hope this helps.
Bryan

SOAP Sender with HTTP(with SSL)=HTTPS with Client Authentication config

Hi All,
I have a Web-service-XI-Proxy scenario where we use SOAP Sender Adapter with HTTPs. Double authentication (client- server) sertificate shall be used.
Testing simple HTTP and XI user name/password works fine.
Now I installed requred sertificates in TrustedCA and ssl-provider in VIsualadmin.
But i can't see how i can configure certificates in SOAP sender Adapter. I've just did SOAP receiver for another scenario and there I could give keystore entry.
I also doesn't know how to disable asking for name/password. I am using XI 7.0.
Please advise.
Thanks,
Nataliya

Hi Nataliya,
Go to SOAP Adapter> Inbound Security Checks-> HTTP Security Level--> Here you can specify option "HTTP with Client Authentication.
One more thing HTTP Security level option is always available in Sender Adapter.
For more clarity about HTTPS find below link.
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
To enable the TrustedCA in SOAP Sender adapter. Go SOAP Sender> Security Parameter> Security Profile--> Web Service
security. Then go to sender agreement there you need to give key store entry.

Http security/webservice security

Hi Experts,
Here my interface is RFCPISOAP synchronous. I am sending the service request to http://test..... /Score.asmx?
This target system is expecting the communication with security. They told PI need to send Http security for http://test..... /Score.asmx?
. I need to send the security information on http level not on soap level. ..
My client provided some code like this for security
How to use this code for header level security
BAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCCLIEggiuYIIIqgYJKoZIhvcSAQICAQBuggiZMIIIlaADAgEFoQMCAQ6iBwMFACAAAACjgge7YYIHtzCCB7OgAwIBBaESGxBWQ04uRFMuVk9MVk8uTkVUoi4wLKADAgECoSUwIxsESFRUUBsbc2Vnb3RuNDE2Ny52Y24uZHMudm9sdm8ubmV0o4IHZjCCB2KgAwIBF6EDAgFGooIHVASCB1AwJAaYLuHYd2t3ATGp6i99AD3m3xnv1Hi1URvWr7dbfi/sqgBY7/
thank you
Srini
Edited by: srinivasreddy p on Dec 1, 2011 12:36 PM

Hi,
that looks like to a SSL certificate. Ask a confirmation to your client.
see this sap help:
[http://help.sap.com/saphelp_nwpi711/helpdata/en/48/a9bb457e28674be10000000a421937/frameset.htm]
[http://help.sap.com/saphelp_nwpi711/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm]
on SDN, you will find some other docs and blogs.
regards
Mickael

Setting up a https connection between SAP CRM and genesys gplus adapter

Hello All-
We are integrating SAP CRM with genesys mysap gplus adapter. We are struck in setting up a https connection between sap and gplus adapter.
Can anyone here help me out in this like how to get the SSL Protocol, keystore, keystore password,truststore and truststore password.
Information abt Adapters server certificate. Do we need to configure the adapter for the proxy also?
Any additional comment will help. Thanks in advance!

Hello Vinod,
Please refer the following OSS notes 564085.
Please reward if helpful.
regards,
Muralidhar Prasad.C

Https access to Sap Content Server 620 with R/3 46C

We are trying to access the Sap Content Server 620 via Https.
We do not want to administer it via HTTPS, (as we know CSADMIN doesn't support Https in rel. 46C as for note 712332). We want to do in way that the users when do check-in/out of originals these go across the
network using Https instead Http.
According note 712330 it should be possible.
Anyone already did it ?
Any suggestions ?
NOte 506314 is not clear. We are in doubt how we applyed it.
What we did:
0)activate the SSL on the Sap COntent Server Web Site, requiring and installing a CA certificate.
1)On the R/3 server in tx OAC0 with %HTTPS filled up the
two boxes with "%HHTPS
required"
1)unpacked the Sap criptolibrary and copied all the files (including those in ntintel subdirectory created during the unpacking) under c:\Programmi\Sap\Frontend\Sapgui on a frontend PC.
2)set the env. variable SAPHTTP=c:\Programmi\Sap\Frontend\Sapgui on
Frontend PC
3) from c:\Programmi\Sap\Frontend\Sapgui we created both the SAPSSLC.pse and the SAPSSLS.pse file with the command :
3) from c:\Programmi\Sap\Frontend\Sapgui we created both the
SAPSSLC.pse and the SAPSSLS.pse file with the command :
sapgenpse get_pse -noreq -p C:\Programmi\SAP\FrontEnd\SAPgui\<PSE-NAME>
CN=localhost
4) we run the test: saphttp https://itmif069
from the frontend to the server where the Content Server is (itmif069). We recive the error:
trc file: "dev_http", trc level: 2, release: "620"
Fri Oct 08 12:26:46 2004
[2256] sccsid: @(#) $Id: //bas/620/src/krn/ftp/http.c#26 $ SAP
[2256] HTTP Start : argc - 2 a0 - saphttp
[2256] https//itmif069
[2256] SECUDIR=C:\Programmi\SAP\FrontEnd\SAPgui
<<- SapSSLSetTraceFile()==SAP_O_K
=================================================
= SSL Initialization
SapISSLComposeFilename(ssl_lib): using default "sapcrypto.dll"
SapISSLComposeFilename(server_pse): using default "SAPSSLS.pse"
SapISSLComposeFilename(client_pse): using default "SAPSSLC.pse"
SapISSLComposeFilename(anon_pse): using default "SAPSSLA.pse"
= found SAPCRYPTOLIB 5.5.5C pl16 (Jun 10 2004) MT-safe
= found SECUDIR environment variable
= using SECUDIR=C:\Programmi\SAP\FrontEnd\SAPgui
= secudessl_Create_SSL_CTX(): PSE "SAPSSLA.pse" not found,
=      using PSE "SAPSSLC.pse" as fallback
= The Server SSL_CTX
=    provides this ordered list of 9 ciphersuites:
=       1. SSL_RSA_WITH_RC4_128_SHA
=       2. SSL_RSA_WITH_RC4_128_MD5
=       3. SSL_RSA_WITH_3DES_EDE_CBC_SHA
=       4. SSL_RSA_WITH_DES_CBC_SHA
=       5. SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
=       6. SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
=       7. SSL_RSA_EXPORT_WITH_RC4_40_MD5
=       8. SSL_RSA_WITH_NULL_SHA
=       9. SSL_RSA_WITH_NULL_MD5
= Success -- SapCryptoLib SSL ready!
=================================================
<<- SapSSLInit(, read_profile=0)==SAP_O_K
ERROR => [2256] URI https//itmif069 [http.c       774]
ERROR => [2256] Connect to Host Port 443 error: NIECONN_REFUSED
[http.c       777]
We do not know if the criptolibrary ha to be instyalled to the R/3 server to.
We do not know if the CA certificate instalelled on the Sap COntent Server web site has to be installed on the R/3 server too.
Any suggestion ?
Regards

Caro Mauro,
I'm more or less in the same situation right now.
Taking into account that you ask for help on this subject last 2004 Oct. I suppose that you have probably solved the problem.
Please can you help me with the solution implemented.
Find below my current work e-mail adress
[email protected]
Thanks in advance,
Best regards, Xavier Grau.

Enable SSL/https on ApEx Embedded PL/SQL Gateway/11g?

Hi,
I'm a newbie to ApEx. And I notice that most of ApEx applications are run on "http" instead of "https". Aren't you concerned about its security? What's your take on SSL/https with ApEx?
I understand that it takes several steps to set it up on Oracle HTTP Apache server (ie: set up Oracle Wallet Manager, go to a certificate authority to get obtain a certificate, configure Oracle HTTP Server...etc). But does it work on Embedded PL/SQL Gateway (ie: runs XML DB HTTP instead of a separet Apache web server)?
Any experience/suggestions/ideas?
Thanks much,
Helen

Here is the Oracle documentation:
[http://download-uk.oracle.com/docs/cd/B19306_01/appdev.102/b14259/xdb22pro.htm#CHDCAHDH]
Here is a little more friendly post:
[http://wiki.shellprompt.net/bin/view/Apex/SSLandAPEXxdbHttp?TWIKISID=6fa6f4a0bbb698921c333d6d0c859970]
Friendly post originally from:
Can the embedded PL/SQL gateway handle SSL?
-Richard

How to make tomcat 5 support SSL (https)?

Hi,
is there a way to make tomcat support SSL (https)?
i using: Apache 1.3.33
with : Tomcat 5.0.28-1.00RC2
and : jakarta-tomcat-connectors-jk-1.2.6
JDK: j2sdk1.4.0_04
Many thanks
Anatolia

Thanks very much Sherbir,
But JSSE is integrated into the Java 2 SDK, Standard Edition, v 1.4 and above!
here is what i'm facing:
the documentation says:
>
It is important to note that configuring Tomcat to take advantage of secure sockets is usually only necessary when running it as a stand-alone web server. When running Tomcat primarily as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the primary web server to handle the SSL connections from users. Typically, this server will negotiate all SSL-related functionality, then pass on any requests destined for the Tomcat container only after decrypting those requests. Likewise, Tomcat will return cleartext responses, that will be encrypted before being returned to the user's browser. In this environment, Tomcat knows that communications between the primary web server and the client are taking place over a secure connection (because your application needs to be able to ask about this), but it does not participate in the encryption or decryption itself.
I'm running running Tomcat as a Servlet/JSP container behind Apache 1.3.33 web server.
So all SSL requests are handled by apache web server, but the problem I'm facing is that if i request any jsp page using https (ssl) i get plain text and it's not handled by tomcat!
i have a test page called test.jsp:
<html>
<head>
<title>JSP test page</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>2 x 2 = <%= 2 + 2 %>
</p>
</body>
</html> If I request this page using normal http request I get my results fine:
2 x 2 = 4
but if i request the page using https (ssl) I get a clear plain text of my jsp file content like this:
<html>
<head>
<title>JSP test page</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>2 x 2 = <%= 2 + 2 %>
</p>
</body>
</html> Now how do I fix this problem and make apache passes the jsp file to tomcat if the request was https (ssl) and not send me cleartext of my file content!
Many thanks
Anatolia

Https / Security Question

I made an applet which connects to an https server. I want to ensure that a rogue applet cannot call the servlet the same way my real applet can. If a rogue applet could get in, I would have to write additional code to perform login authentication before executing the remainder of the servlet.
I was wondering if the login authentication is necessary or not because maybe the HttpsURLConnection is satisfactory enough to prevent unauthenticated calls???
I have the following code demonstration below.
APPLET
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import javax.net.ssl.HostnameVerifier;
import java.net.URL;
import java.net.HttpURLConnection;
import java.io.ObjectOutputStream;
import java.io.ObjectInputStream;
import java.util.TreeMap;
import java.util.Iterator;
public class AppletTest {
   public final static void main( String[] args ) {
      try {
         final Object[] oArr = new Object[]{"paramForServletA", "paramForServletB"};
   //    final URL url = new URL( "http://localhost/servletPath/MyServlet" );
   //    final HttpURLConnection servletConnection = ( HttpURLConnection ) url.openConnection();
         final URL url = new URL( "https://mySite.com/servletPath/MyServlet" );
         final HttpsURLConnection servletConnection = ( HttpsURLConnection ) url.openConnection();
         servletConnection.setHostnameVerifier(
            new HostnameVerifier() {
               public boolean verify( final String urlHost, final SSLSession ssls ) {
                 return true;
         servletConnection.setDoInput( true );
         servletConnection.setDoOutput( true );
         servletConnection.setUseCaches( false );
         servletConnection.setDefaultUseCaches( false );
         servletConnection.setRequestProperty( "Content-type", "application/octet-stream" );
         // Read the object to the servlet
         final ObjectOutputStream outputToServlet = new ObjectOutputStream( servletConnection.getOutputStream() );
         outputToServlet.writeObject( oArr );
         outputToServlet.flush();
         outputToServlet.close();
         // Read the input from the servlet.
         final ObjectInputStream inputFromServlet = new ObjectInputStream( servletConnection.getInputStream() );
         final Object result = inputFromServlet.readObject();
         inputFromServlet.close();
         System.out.println( "Data: " +(String)result );
      catch ( Exception e ) {
         System.out.println( "Could not establish Connection : " + e.toString() );
}SERVLET
public final class MyServlet extends HttpServlet {
   public void doPost( HttpServletRequest request, HttpServletResponse response ){
     ObjectInputStream inputFromApplet = new ObjectInputStream( request.getInputStream() );
     Object[] args = ( Object[] ) inputFromApplet.readObject();
     //etc...
     ObjectOutputStream outputToApplet = new ObjectOutputStream( response.getOutputStream() );
     outputToApplet.writeObject( data );
     outputToApplet.flush();
     outputToApplet.close();
}If I call this with a HttpURLConnection I can see the data returned, which is bad since I may be a rogue applet. If I call it with an HttpsURLConnection I get the following message:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate foundIs the HttpsUrlConnection good enough, or should additional measures be taken?

Authentication via HTTPS might involve putting a
certificate on the client where your applet is
running.Are you saying a signed applet? Or is this a
completely different thing?Completely different thing. When you install SSL on your server, you get a certificate from Verisign or somebody else in the trust business, and the idea is that the certificate verifies to your client, via SSL, that your server is really your server and not some other pirate box pretending to be your server.
Likewise you could install a certificate on your client. That certificate would then verify to you that your client was really your client and not some other pirate box. Client certificates aren't used much, because it's a hassle to create them and get them installed on your client, but they do exist.

Unable to turn on SSL(https) on the remote server

Hi
I have a strange problem to make up the SSL work, here is the situation:
1- I have a Tomcat 7.0.26 with SSL enabled on my local machine(windows xp) and it works juste fine:
<Connector SSLEnabled="true" clientAuth="false"
               disableUploadTimeout="true" enableLookups="true" keystoreFile="webapps\keystore2.bin"
               keystorePass="subwoofer" maxThreads="150" port="8444" protocol="HTTP/1.1"
               scheme="https" secure="true" sslProtocol="TLS" />
2- I uploaded a .war file of my project and publish it on a remote machine(linux CentOs) in a Tomcat 7.0.26
3- The site works fine when there is no SSL enabled on the web.xml of my project
2- I tried to use just the same keystore and same configuration that I have been using in my local machine Tomcat server.xml
4- The problem is the SSL is working in local but not on the remote server, it is telling me Web page unavailable...
have I missed something? isnt it supposed to work because I'm really using the same configuration on both machines? or maybe something else on the remote machine is intercepting the https request who knows...
Thank you for clarifying for me
regards

Hi
I resolved it, it was a matter of a port number in the firewall, i should have opened the port before i can use it, thank you for trying to help me :)

Oracle AS 10gR2: create new oc4j instance supporting ssl/https

hi,
i've got an oracle application server 10.1.2 (infra and midtier).
in the midtier i want to add a new oc4j-instance which is possible via oracle enterprise manager 10g. after i've created the new oc4j-instance and deployed a war-file ("myapp") i can access a jsp of the deployed application with "http://myserver/myapp/test.jsp". now i want to enable ssl/https for my new oc4j-instance.
i did the following steps according to the manual (http://download-west.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm):
1) created certificate with keytool
2) added secure-web-site.xml (new oc4j-instance)
3) modified sever.xml (new oc4j-instance)
4) restarted new oc4j-instance
my test.jsp is still available with "http://myserver/myapp/test.jsp", but when i try to access it with "https://myserver/myapp/test.jsp" i get an error that the resource is not found. strange that when accessing test.jsp with http it is searched in the folder of my new oc4j-instance (%ORACLE_HOME%/j2ee/oc4jnew/...), but when i want to access the page through https the server looks for the jsp in the default oc4j "home" (%ORACLE_HOME%/j2ee/home/...).
what's the reason for that an how can i correct it?
regards,
matthias
Edited by: matthias on Apr 26, 2010 4:15 PM

You need to secure the HTTP Server and not the OC4J, remember that HTTP and WebCache are your frontends for any presentation layer, you need to modify ssl.conf and webcache in WebCache Admin page (in EM Console) to make them use ssl ports, as well as you want to use url with no port, you need to use port 443.
Greetings

Hitting a HTTPS url from SAP PI

Dear All,
Please let me know how to hit a HTTPS url using plain HTTP adapter in SAP PI. I was just provided with a url and user credentials.
Regards
Koti Reddy

Hi Koti,
Please perform the HTTPS settings mentioned in the below link before you start the using.
http://scn.sap.com/docs/DOC-26145
Regards,
Naveen

How to stop HTTP Security warning message in transactional iview

When I am trying to access ECC through transactional iview then I am getting HTTP security warning message i.e. This page contains both secure and nonsecure items. Do you want to display the nonsecure items?
I think it is because portal is accessable using HTTPS protocol and when we access ECC then it uses HTTP Protocol.
Pl help to resolve.

Hi AshuGrover_in,
First, welcome on SDN!
> I think it is because portal is accessable using HTTPS protocol and when we access ECC then it uses HTTP Protocol.
> Pl help to resolve.
This might very well be the root cause of the issue, and if it is, you know the resolution - make all systems accessible via https.
Anyhow, to examine the exact cause creating this message you could use tools like HttpWatch or something similar and record the client accesses to the server. If you originally have a GET to a https address, the first http request caused by the original request will throw this message.
Theoretically, on client side, you can switch off this message: Search for "switch off http https warning" on google and you will get all possible instructions for the different clients. Anyhow, a clean landscape design with complete https connections is the aim you should have.
Hope it helps
Detlev
PS: On SDN, if something helps, you might reward the answer, check it out.

Web Services with https Security without PI

Hi experts,
We wanna create Web Services in SAP CRM 7.0 without using the PI. The Requirement is, that we have to use https. I haven't found much (and no clear) Information about this isue.
Does anybody know if it is possible to use https and can you provide information how to do so?
Thanks and regards,
Sebastian

yes its possible.
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0d0a250-ccd1-2c10-9e9f-b9d5cf259a6d?QuickLink=index&overridelayout=true
http://help.sap.com/saphelp_nw70ehp1/Helpdata/EN/e9/ae1b9a5d2cef4ea4b579f19d902871/content.htm
Way you create webservice from function module is same in ECC and CRM so if you google, you would find all required information.
Regards,
BJ

SSL (http https) security in SAP

Similar Messages

Maybe you are looking for