SSL/HTTPS with JSSE

Similar Messages

• How to use HTTPS with JSSE URLConnection in servlet

  Hi, I have a servlet that calls another servlet using the URLConnection class. This seems to work very well if I am using http. However when trying to call it using https using JSSE I get the following error:
  "javax.net.ssl.SSLHandshakeException: untrusted server cert chain."
  The following is the code that I am using in the servlet:
            java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
            System.getProperties().put("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
            this.servlet = new URL(servletURL);
            URLConnection conServlet = servlet.openConnection();
  Both of these servlets are under IIS on my machine. I am able to execute each of the servlets from the browser using https directly. Does this sounds like an SSL certifcate problem or is that something in the Java code? Any ideas greatly appreciated.

  Hi,
  Perhaps you can create your own trust manager. I've found this example in another newsgroup: (please note that this example trusts everyone, but you can modify the trust manager as you wish)
  if (putUrl.startsWith("https"))
    //set up to handle SSL if necessary
    System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
    System.setProperty("javax.net.debug", "ssl,handshake,data,trustmanager");
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    //use our own trust manager so we can always trust
    //the URL entered in the configuration.
    X509TrustManager tm = new MyX509TrustManager();
    KeyManager []km = null;
    TrustManager []tma = {tm};
    SSLContext sc = SSLContext.getInstance("ssl");
    sc.init(km,tma,new java.security.SecureRandom());
    SSLSocketFactory sf1 = sc.getSocketFactory();
    HttpsURLConnection.setDefaultSSLSocketFactory (sf1);
  m_url = new URL (putUrl);
  class MyX509TrustManager implements X509TrustManager {
  public boolean isClientTrusted(X509Certificate[] chain) {
    return true;
  public boolean isServerTrusted(X509Certificate[] chain) {
    return true;
  public X509Certificate[] getAcceptedIssuers() {
    return null;
  }Hope this helps,
  Kurt.

• SOAP Sender with HTTP(with SSL)=HTTPS with Client Authentication config

  Hi All,
  I have a Web-service-XI-Proxy scenario where we use SOAP Sender Adapter with HTTPs.  Double authentication (client- server) sertificate shall be used.
  Testing simple HTTP and XI user name/password works fine.
  Now I installed requred sertificates in TrustedCA and ssl-provider in VIsualadmin.
  But i can't see how i can configure certificates in SOAP sender Adapter. I've just did SOAP receiver for another scenario and there I could give keystore entry.
  I also doesn't know how to disable asking for name/password.  I am using XI 7.0.
  Please advise.
  Thanks,
  Nataliya

  Hi Nataliya,
  Go to SOAP Adapter> Inbound Security Checks-> HTTP Security Level--> Here you can specify  option "HTTP with Client Authentication. 
  One more thing HTTP Security level option is always available in Sender Adapter.
  For more clarity about HTTPS find below link.
  http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
  To enable the TrustedCA in SOAP Sender adapter. Go SOAP Sender> Security Parameter> Security Profile--> Web Service
  security. Then go to sender agreement there you need to give key store entry.

• Https with JSSE

  Hi,
  I am trying to write a simple client to connect to a https server.
  I have a .crt and a .key files generated with openssl for the server.
  As I understand I need to use those somehow to make a connection to the server. Otherwise I will always get "unable to find valid certification path to requested target".
  How can I do that.
  PS: If that's not the problem, plz, tell me what is then.
  Thank you.

  hi,
  user URL( "https","www.verisign.com","443","",new
  com.sun.net.ssl.internal.www.protocol.https.Handler()); to create url.
  thanks
  kiran
  "Junaid" <[email protected]> wrote in message
  news:3cc84396$[email protected]..
  >
  I'm writing an Https client, running within WebLogic. Can I use Sun's JSSEimplementation
  instead of WebLogic's? I set the Sun JSSE provider at position 1, as wellas setting
  the protocol handler to Sun's implementation. However my client program(running
  within WebLogic) still seeems to be using WebLogic's SSL (and https)implementations.
  Is there a way to NOT use WebLogic's SSL implementation?
  Thanks!

• Enable SSL/https on ApEx Embedded PL/SQL Gateway/11g?

  Hi,
  I'm a newbie to ApEx. And I notice that most of ApEx applications are run on "http" instead of "https". Aren't you concerned about its security? What's your take on SSL/https with ApEx?
  I understand that it takes several steps to set it up on Oracle HTTP Apache server (ie: set up Oracle Wallet Manager, go to a certificate authority to get obtain a certificate, configure Oracle HTTP Server...etc). But does it work on Embedded PL/SQL Gateway (ie: runs XML DB HTTP instead of a separet Apache web server)?
  Any experience/suggestions/ideas?
  Thanks much,
  Helen

  Here is the Oracle documentation:
  [http://download-uk.oracle.com/docs/cd/B19306_01/appdev.102/b14259/xdb22pro.htm#CHDCAHDH]
  Here is a little more friendly post:
  [http://wiki.shellprompt.net/bin/view/Apex/SSLandAPEXxdbHttp?TWIKISID=6fa6f4a0bbb698921c333d6d0c859970]
  Friendly post originally from:
  Can the embedded PL/SQL gateway handle SSL?
  -Richard

• Error in scenario "FILE to HTTP(with SSL)" - HTTP client code 110 reason.

  Hi friends,
  Our scenario is as follows:
  We are trying to send XML file from our SAP-XI to external tool "COMMunix XC" (a multi-protocol EDI platform tool).
  We have configured " FILE TO HTTP(with SSL)" scenario (trying to connect HTTPS/port)
  1. We have created RFC destination of type G and refered the same RFC in Communication channel (Adapter type: HTTP)
  2. We have send the SSL Server certificate to other party and ensure that they have imported at thier end.
  3. We have included the certificates from other party in our SAP XI STRUST under SSL Client (Standard) node.
  4. We have tried " CONNECTION TEST " in the RFC destination created in type G (in STEP 1) and it shows the GREEN TICK at bottom, no other message nor any error message
  When we trigger the communication we recieve the error: HTTP client code 110 reason in SXMB_MONI.
  Please let us know if we have missed out some step.
  What does error message indicate,
  Regards,
  Rehan

  Hi Rehan,
  I see that the PROCTIMEOUT was already at a very high value.
  Does this occur for messages of a particularly large size?  If yes, you could increase the parameter
     icm/HTTP/max_request_size_KB = 2097152
  This would need to be done in the sender/receiver system as well as XI.
  Otherwise you could try reproducing the issue and checking the dev_icm log in the work directory, or go to SMICM -> Goto -> Display trace file
  check for errors like NIECONN_REFUSED or "no service for protocol HTTPS" which can often be related to this type of issue.
  Kind regards,
  Sarah

• Http client------ XI  (via HTTP with SSL),

  hi forum,
  we have a http client that sends a http erquest to XI, by using sap/xi/adapter_plain
  service,  i mean plain http adapter
  but for scurity reasons i need HTTPS communication,
  can u tell me how to enable HTTPS (HTTP with SSL) communiaction in the same scenario,
  http client------>XI  (via HTTP with SSL)

  hi sudeep,
  u need to create a comm ch of adapter type http n set the security level there.
  refer this for help:
  http://help.sap.com/saphelp_nw04/helpdata/en/14/80243b4a66ae0ce10000000a11402f/frameset.htm
  [reward if helpful]
  regards,
  latika.

• ERROR http: 5: Unable to initialize ssl connection with server, aborting co

  HI EXPERTS,
  one of my database give me below error when i start its dbconsole. and after failure it give me meassge
  TZ set to Asia/Karachi
  Oracle Enterprise Manager 10g Database Control Release 10.2.0.4.0
  Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved.
  https://test:5500/em/console/aboutApplication
  Starting Oracle Enterprise Manager 10g Database Control ..............................................................
  ........ failed.
  Logs are generated in directory /u01/oracle/product/10.2/cnichol_cpuplt/sysman/log
  and in trace file name "emdctl.trc" below error is logged.
  ERROR http: 5: Unable to initialize ssl connection with server, aborting connection attempt
  ERROR ssl: nzos_Handshake failed, ret=29024
  and trace file named "emagent.trc" give below error
  2010-10-04 19:12:25 Thread-88238992 ERROR http: 11: Unable to initialize ssl connection with server, aborting connection attempt
  2010-10-04 19:12:25 Thread-88238992 ERROR pingManager: nmepm_pingReposURL: Cannot connect to https://test:5500/em/upload/: retStatus=-1
  2010-10-04 19:12:38 Thread-88238992 ERROR upload: Error in uploadXMLFiles. Trying again in 300.00 seconds.
  dbconosle URL is
  https://test:5500/em/console/aboutApplication
  Operating system is Redhat linux AS 5.3
  what is the possible cause of this failure any one can guide me.
  thanx in Advance
  regards,
  Edited by: AMIABU on Oct 4, 2010 7:28 AM

  oracle@bcm-laptop:~$ emctl
  Oracle Enterprise Manager 11g Database Control Release 11.2.0.1.0
  Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
     Oracle Enterprise Manager 10g Database Control commands:
          emctl start | stop dbconsole
          emctl status | secure | setpasswd dbconsole
          emctl config dbconsole -heap_size <size_value> -max_perm_size <size_value>
         emctl status agent
         emctl status agent -secure [-omsurl <http://<oms-hostname>:<oms-unsecure-port>/em/*>]
         emctl getversion
         emctl reload | upload | clearstate | getversion agent
         emctl reload agent dynamicproperties [<Target_name>:<Target_Type>]....
         emctl config agent <options>
         emctl config agent updateTZ
         emctl config agent getTZ
         emctl resetTZ agent
         emctl config agent credentials [<Target_name>[:<Target_Type>]]
         emctl gensudoprops
         emctl clearsudoprops
  Blackout Usage :
         emctl start blackout <Blackoutname> [-nodeLevel] [<Target_name>[:<Target_Type>]].... [-d <Duration>]
         emctl stop blackout <Blackoutname>
         emctl status blackout [<Target_name>[:<Target_Type>]]....
  The following are valid options for blackouts
  <Target_name:Target_type> defaults to local node target if not specified.
  If -nodeLevel is specified after <Blackoutname>,the blackout will be applied to all targets and any target list that follows will be ignored.
  Duration is specified in [days] hh:mm
          emctl getemhome
          emctl ilint
  Em Key Commands Usage :
  emctl config emkey -emkeyfile <emkey.ora path> [-force] [-sysman_pwd <sysman password>]
  emctl config emkey -emkey [-emkeyfile <emkey.ora path>] [-force] [-sysman_pwd <sysman password>]
  emctl config emkey -repos [-emkeyfile <emkey.ora path>] [-force] [-sysman_pwd <sysman password>]
  emctl config emkey -remove_from_repos [-sysman_pwd <sysman password>]
  emctl config emkey -copy_to_repos [-sysman_pwd <sysman password>]
  emctl status emkey [-sysman_pwd <sysman password>]
  Secure DBConsole Usage :
  emctl secure dbconsole -sysman_pwd <sysman password> [-passwd_file <abs file loc>]
       [-host <slb hostname>] [-sid <service name>] [-reset] [-secure_port <secure_port>]
       [-root_dc <root_dc>] [-root_country <root_country>] [-root_state <root_state>] [-root_loc <root_loc>]
       [-root_org <root_org>] [-root_unit <root_unit>] [-root_email <root_email>]
       [-wallet <wallet loc>] [-wallet_pwd <wallet pwd>] [-trust_certs_loc <certs loc>]
  emctl secure status dbconsole
  Register Targettype Usage :
  emctl register oms targettype [-o <Output filename>] <XML filename> <rep user> <rep passwd> <rep host> <rep port> <rep sid> OR
  emctl register oms targettype [-o <Output filename>] <XML filename> <rep user> <rep passwd> <rep connect descriptor>

• How to make tomcat 5 support SSL (https)?

  Hi,
  is there a way to make tomcat support SSL (https)?
  i using: Apache 1.3.33
  with : Tomcat 5.0.28-1.00RC2
  and : jakarta-tomcat-connectors-jk-1.2.6
  JDK: j2sdk1.4.0_04
  Many thanks
  Anatolia

  Thanks very much Sherbir,
  But JSSE is integrated into the Java 2 SDK, Standard Edition, v 1.4 and above!
  here is what i'm facing:
  the documentation says:
  >
  It is important to note that configuring Tomcat to take advantage of secure sockets is usually only necessary when running it as a stand-alone web server. When running Tomcat primarily as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the primary web server to handle the SSL connections from users. Typically, this server will negotiate all SSL-related functionality, then pass on any requests destined for the Tomcat container only after decrypting those requests. Likewise, Tomcat will return cleartext responses, that will be encrypted before being returned to the user's browser. In this environment, Tomcat knows that communications between the primary web server and the client are taking place over a secure connection (because your application needs to be able to ask about this), but it does not participate in the encryption or decryption itself.
  I'm running running Tomcat as a Servlet/JSP container behind Apache 1.3.33 web server.
  So all SSL requests are handled by apache web server, but the problem I'm facing is that if i request any jsp page using https (ssl) i get plain text and it's not handled by tomcat!
  i have a test page called test.jsp:
  <html>
  <head>
  <title>JSP test page</title>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body>
  <p>2 x 2 = <%= 2 + 2 %>
  </p>
  </body>
  </html> If I request this page using normal http request I get my results fine:
  2 x 2 = 4
  but if i request the page using https (ssl) I get a clear plain text of my jsp file content like this:
  <html>
  <head>
  <title>JSP test page</title>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body>
  <p>2 x 2 = <%= 2 + 2 %>
  </p>
  </body>
  </html> Now how do I fix this problem and make apache passes the jsp file to tomcat if the request was https (ssl) and not send me cleartext of my file content!
  Many thanks
  Anatolia

• Connecting to https with jdk1.5 throwing InvalidAlgorithmParameterException

  Hi,
  My current system has jdk1.3, weblogic7.1 and axis1.1.
  I have a simple class in java which I use to connect to https://*.jsp.
  Here is the sample code.
  System.setProperty("javax.net.ssl.trustStore","/usr/local/client.keystore");
  System.setProperty"java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());   
  System.setProperty("java.security.egd", "file:/dev/urandom");
  URL url = new URL("https://xyz.com/index.jsp");
  InputStreamReader isr = new InputStreamReader(url.openStream());
     char[] buf = new char[1024];
      int nread;
      while ((nread = isr.read(buf, 0, buf.length)) > 0)
        System.out.print(new String(buf, 0, nread));
      System.out.flush();This code works well in jdk1.3 with jsse.jar, jnet.jar, jcert.jar in the classpath and a keystore which has a trusted entry for https://xyz.com/
  I use the first 4lines of the code in a Axis Client to transfer SOAP msgs in https protocol.
  Now I am migrating to JDK1.5, WebLogic9.1 and Axis1.3.
  I have the same keystore. I do not have jsse.jar, jnet.jar, jcert.jar because jdk1.5 has JSSE.
  This same set of code is giving exception in JDK1.5.
  Any Solution?
  Thanks
  Senthil
  Here is the exception from the stack trace
  Exception in thread "main" javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trust
  Anchors parameter must be non-empty
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLExceptionAlerts.java:166)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1443)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1426)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1045)
  at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
  at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:913)
  at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
  at java.net.URL.openStream(URL.java:1007)
  at axistest.URLReader.main(URLReader.java:24)
  Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
  at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:56)
  at sun.security.validator.Validator.getInstance(Validator.java:146)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:105)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:167)
  at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
  at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
  at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
  at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
  at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)

  I have se same problem.
  I do a System.setProperty("javax.net.ssl.trustStore", <path_filetruststore>)
  and I have the same error.
  Can you tell me if you revolve this problem? how?

• SSL VPN with client, anyconnect.

  I've set up a simple test on SSL VPN with client on a 3800.
  It didnt work. I assume i have to turn on the IP http server so that the client can hit it.
  but when I turned it on, the client goes to SDM, nothing with ssl vpn happened. it tells me the pay is not available.
  The underlying routing is fine.
  Could you tell me where it is configured wrong?
  Config is copied below.
  thanks,
  Han
  =======
  Current configuration : 3340 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Router
  boot-start-marker
  boot-end-marker
  enable password cisco
  aaa new-model
  aaa authentication login default local
  aaa session-id common
  no network-clock-participate slot 1
  crypto pki trustpoint TP-self-signed-3551041125
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3551041125
  revocation-check none
  rsakeypair TP-self-signed-3551041125
  crypto pki certificate chain TP-self-signed-3551041125
  certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33353531 30343131 3235301E 170D3131 31313135 31383238
  30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35353130
  34313132 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CFCF CFFAD76A 50DA82C9 8D4E3F90 64AD24EB 5409C5E2 43BC64F3 07F6C0E0
  29FF2D71 0DA0D897 2F814BD2 7F817503 429D4BC6 6AD6EEA4 DFA74BAD 0EAF84D5
  6ED55EC0 6C637178 BEEBCD1D 184BB90C CA84E974 48003885 87B53F2E 36A04661
  23DA2CBB DD8EEE1D 2F25AF9A E21DC288 BF76A17C C1F4BA07 95F09377 A12BE01A
  53750203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17526F75 7465722E 776E7362 6E6F632E 696E7465 726E616C
  301F0603 551D2304 18301680 14BE9E8F ED788928 560D7CA1 EED89B0D DE34D772
  5D301D06 03551D0E 04160414 BE9E8FED 78892856 0D7CA1EE D89B0DDE 34D7725D
  300D0609 2A864886 F70D0101 04050003 818100BC 4A2A3C47 7BF809AF 78EE0FD9
  73692913 F280765E BAFAECAB ED32C38D 3030810B C62C7F45 13C8A6EE AE96A891
  CDD4C78B 803299AD EB098B27 383CEF6F 0E2B811F 3ECFADBA 07CD0AC6 BBB8C5FE
  B2FC0FD8 562B7100 BB28036E 4575D1F5 B17687C6 8EACBD66 A9E52FEE A030E69A
  CAAE9F1B 618FA59D 02C25BC8 77D6CAC2 C7E56F
  quit
  dot11 syslog
  ip cef
  multilink bundle-name authenticated
  voice-card 0
  no dspfarm
  username cisco1 privilege 15 secret 5 $1$L2RA$Zqs6FLce5Ns5fny5aRL49/
  archive
  log config
  hidekeys
  interface GigabitEthernet0/0
  ip address dhcp
  duplex auto
  speed auto
  media-type rj45
  end
  interface Loopback1
  ip address 1.1.1.1 255.255.255.0
  interface GigabitEthernet0/0
  ip address dhcp
  duplex auto
  speed auto
  media-type rj45
  ip local pool svc-poll 1.1.1.50 1.1.1.100
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 192.168.1.254
  ip http server
  no ip http secure-server
  control-plane
  line con 0
  logging synchronous
  line aux 0
  line vty 0 4
  scheduler allocate 20000 1000
  webvpn gateway SSLVPN
  ip interface GigabitEthernet0/0 port 443
  ssl trustpoint local
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn context SSLVPN
  ssl authenticate verify all
  policy group default
     functions svc-required
     svc default-domain "test.org"
     svc keep-client-installed
     svc split dns "primary"
  default-group-policy default
  gateway SSLVPN
  inservice
  end

  Using the SDM follow the below config example
  http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml
  The text "cisco 3800 ssl vpn configuration" in my favorite search engine, identified the above.
  HTH>

• How to configure Oracle 10g Advanced Security to use SSL concurrently with

  How to configure Oracle 10g Advanced Security to use SSL concurrently with database User names and passwords
  In Oracle Advanced Security Documentation it is mentioned that i can use SSL concurrently with DB user names and passwords. But when i configure the client certificate on the client my DB connection is getting authenticated using the certificate, which out passing user id or password.
  We want to connect to Oracle DB over SSL channel so that the data packets are not in clear text. Also we want the user to make a connection using user id and password.
  Basically we want SSL with out authentication.
  Need your expert advice

  Read the documentation (I have given following links assuming you are running a 32 bit architecture)
  Server installations:
  http://www.oracle.com/pls/db102/to_toc?pathname=install.102%2Fb14316%2Ftoc.htm&remark=portal+%28Books%29
  Client installations:
  http://www.oracle.com/pls/db102/to_toc?pathname=install.102%2Fb14312%2Ftoc.htm&remark=portal+%28Books%29
  You can find the required books (if not using 32 bit architecture) from
  http://www.oracle.com/pls/db102/portal.portal_db?selected=3

• Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

  Hello All,
  We are currently building up a HTTPS message exchange with an external client.
  Our PI 7.1 recieved over HTTPS messages on an already configured Sender SOAP Adapter.
  The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
  Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet is required and works fine with user ID and password.
  Now we have to configure the addtional Client Authentication.
  At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
  But what are the next steps to get this scenario successfully in place?
  Many thanks in advance!
  Jochen

  Hi Colleagues,
  following Steps still have to be done:
  - Mapping public key to technical user at Java Stack
    As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for repecively technical user the public key certificate
  - Be sure CA root certivicate at Database under STRUSTSSO2
  - Import intermediate Certificate under Certificate List at Trast Manager for the Respecive Server Note
  - use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
  Many thanks to all for support!
  Regards,
  Jochen

• HTTPS with null cipher

  Hi,
  I have two OSB's communicating over SSL.
  How do I configure Weblogic to use a particular cipher during communication.
  I want the communication to use TLS_RSA_WITH_NULL_SHA, or any null cipher, so that
  the content can be scanned as it passed through a firewall.

  Hi Rana da,
  If you want to use Https, make sure Https service must be activated in the system. Check Tcode: SMICM for HTTPS status.
  Have a look at below link
  Sender SOAP Adapter: HTTPS with Client Authentication

• HTTPS With Client Authentication

  Hi,
  I've created a simple Web Service in PI 7.11 SP 4 when trying to connect to the Web Service from Soap UI I get the following error:
  java.security.AccessControlException: client certificate required
  In the the transaction scim the following can be seen:
  [Thr 5061] <<- SapSSLSessionInit()==SAP_O_K
  [Thr 5061]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
  [Thr 5061]     out: sssl_hdl = 1117534b0
  [Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K
  [Thr 5061]      in: sssl_hdl = 1117534b0
  [Thr 5061]      in: cred_hdl = 116cfc110
  [Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE
  [Thr 5061]   SSL NI-sock: local=XX.XX.XX.XX:50001  peer=XX.XX.XX.XX:2310
  [Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K
  [Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K
  [Thr 5061]          status = "resumed SSL session, NO client cert"
  The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.
  Sender Communication Channel, 
  Transport Protocol: HTTP,
  Message Protocol: Soap 1.1,
  Adapter Engine: Central Adepter Engine,
  HTTPS with Client Authentication,
  Keep Headers
  Any ideas?
  Kind regards,
  John

  Hi Peter,
  If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.
  It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.
  All the best,
  John