SSL/HTTPS with JSSE
I'm writing an Https client, running within WebLogic. Can I use Sun's JSSE implementation
instead of WebLogic's? I set the Sun JSSE provider at position 1, as well as setting
the protocol handler to Sun's implementation. However my client program (running
within WebLogic) still seeems to be using WebLogic's SSL (and https) implementations.
Is there a way to NOT use WebLogic's SSL implementation?
Thanks!
hi,
user URL( "https","www.verisign.com","443","",new
com.sun.net.ssl.internal.www.protocol.https.Handler()); to create url.
thanks
kiran
"Junaid" <[email protected]> wrote in message
news:3cc84396$[email protected]..
>
I'm writing an Https client, running within WebLogic. Can I use Sun's JSSEimplementation
instead of WebLogic's? I set the Sun JSSE provider at position 1, as wellas setting
the protocol handler to Sun's implementation. However my client program(running
within WebLogic) still seeems to be using WebLogic's SSL (and https)implementations.
Is there a way to NOT use WebLogic's SSL implementation?
Thanks!
Similar Messages
-
How to use HTTPS with JSSE URLConnection in servlet
Hi, I have a servlet that calls another servlet using the URLConnection class. This seems to work very well if I am using http. However when trying to call it using https using JSSE I get the following error:
"javax.net.ssl.SSLHandshakeException: untrusted server cert chain."
The following is the code that I am using in the servlet:
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.getProperties().put("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
this.servlet = new URL(servletURL);
URLConnection conServlet = servlet.openConnection();
Both of these servlets are under IIS on my machine. I am able to execute each of the servlets from the browser using https directly. Does this sounds like an SSL certifcate problem or is that something in the Java code? Any ideas greatly appreciated.Hi,
Perhaps you can create your own trust manager. I've found this example in another newsgroup: (please note that this example trusts everyone, but you can modify the trust manager as you wish)
if (putUrl.startsWith("https"))
//set up to handle SSL if necessary
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
System.setProperty("javax.net.debug", "ssl,handshake,data,trustmanager");
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
//use our own trust manager so we can always trust
//the URL entered in the configuration.
X509TrustManager tm = new MyX509TrustManager();
KeyManager []km = null;
TrustManager []tma = {tm};
SSLContext sc = SSLContext.getInstance("ssl");
sc.init(km,tma,new java.security.SecureRandom());
SSLSocketFactory sf1 = sc.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory (sf1);
m_url = new URL (putUrl);
class MyX509TrustManager implements X509TrustManager {
public boolean isClientTrusted(X509Certificate[] chain) {
return true;
public boolean isServerTrusted(X509Certificate[] chain) {
return true;
public X509Certificate[] getAcceptedIssuers() {
return null;
}Hope this helps,
Kurt. -
SOAP Sender with HTTP(with SSL)=HTTPS with Client Authentication config
Hi All,
I have a Web-service-XI-Proxy scenario where we use SOAP Sender Adapter with HTTPs. Double authentication (client- server) sertificate shall be used.
Testing simple HTTP and XI user name/password works fine.
Now I installed requred sertificates in TrustedCA and ssl-provider in VIsualadmin.
But i can't see how i can configure certificates in SOAP sender Adapter. I've just did SOAP receiver for another scenario and there I could give keystore entry.
I also doesn't know how to disable asking for name/password. I am using XI 7.0.
Please advise.
Thanks,
NataliyaHi Nataliya,
Go to SOAP Adapter> Inbound Security Checks-> HTTP Security Level--> Here you can specify option "HTTP with Client Authentication.
One more thing HTTP Security level option is always available in Sender Adapter.
For more clarity about HTTPS find below link.
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
To enable the TrustedCA in SOAP Sender adapter. Go SOAP Sender> Security Parameter> Security Profile--> Web Service
security. Then go to sender agreement there you need to give key store entry. -
Hi,
I am trying to write a simple client to connect to a https server.
I have a .crt and a .key files generated with openssl for the server.
As I understand I need to use those somehow to make a connection to the server. Otherwise I will always get "unable to find valid certification path to requested target".
How can I do that.
PS: If that's not the problem, plz, tell me what is then.
Thank you.hi,
user URL( "https","www.verisign.com","443","",new
com.sun.net.ssl.internal.www.protocol.https.Handler()); to create url.
thanks
kiran
"Junaid" <[email protected]> wrote in message
news:3cc84396$[email protected]..
>
I'm writing an Https client, running within WebLogic. Can I use Sun's JSSEimplementation
instead of WebLogic's? I set the Sun JSSE provider at position 1, as wellas setting
the protocol handler to Sun's implementation. However my client program(running
within WebLogic) still seeems to be using WebLogic's SSL (and https)implementations.
Is there a way to NOT use WebLogic's SSL implementation?
Thanks! -
Enable SSL/https on ApEx Embedded PL/SQL Gateway/11g?
Hi,
I'm a newbie to ApEx. And I notice that most of ApEx applications are run on "http" instead of "https". Aren't you concerned about its security? What's your take on SSL/https with ApEx?
I understand that it takes several steps to set it up on Oracle HTTP Apache server (ie: set up Oracle Wallet Manager, go to a certificate authority to get obtain a certificate, configure Oracle HTTP Server...etc). But does it work on Embedded PL/SQL Gateway (ie: runs XML DB HTTP instead of a separet Apache web server)?
Any experience/suggestions/ideas?
Thanks much,
HelenHere is the Oracle documentation:
[http://download-uk.oracle.com/docs/cd/B19306_01/appdev.102/b14259/xdb22pro.htm#CHDCAHDH]
Here is a little more friendly post:
[http://wiki.shellprompt.net/bin/view/Apex/SSLandAPEXxdbHttp?TWIKISID=6fa6f4a0bbb698921c333d6d0c859970]
Friendly post originally from:
Can the embedded PL/SQL gateway handle SSL?
-Richard -
Error in scenario "FILE to HTTP(with SSL)" - HTTP client code 110 reason.
Hi friends,
Our scenario is as follows:
We are trying to send XML file from our SAP-XI to external tool "COMMunix XC" (a multi-protocol EDI platform tool).
We have configured " FILE TO HTTP(with SSL)" scenario (trying to connect HTTPS/port)
1. We have created RFC destination of type G and refered the same RFC in Communication channel (Adapter type: HTTP)
2. We have send the SSL Server certificate to other party and ensure that they have imported at thier end.
3. We have included the certificates from other party in our SAP XI STRUST under SSL Client (Standard) node.
4. We have tried " CONNECTION TEST " in the RFC destination created in type G (in STEP 1) and it shows the GREEN TICK at bottom, no other message nor any error message
When we trigger the communication we recieve the error: HTTP client code 110 reason in SXMB_MONI.
Please let us know if we have missed out some step.
What does error message indicate,
Regards,
RehanHi Rehan,
I see that the PROCTIMEOUT was already at a very high value.
Does this occur for messages of a particularly large size? If yes, you could increase the parameter
icm/HTTP/max_request_size_KB = 2097152
This would need to be done in the sender/receiver system as well as XI.
Otherwise you could try reproducing the issue and checking the dev_icm log in the work directory, or go to SMICM -> Goto -> Display trace file
check for errors like NIECONN_REFUSED or "no service for protocol HTTPS" which can often be related to this type of issue.
Kind regards,
Sarah -
Http client------ XI (via HTTP with SSL),
hi forum,
we have a http client that sends a http erquest to XI, by using sap/xi/adapter_plain
service, i mean plain http adapter
but for scurity reasons i need HTTPS communication,
can u tell me how to enable HTTPS (HTTP with SSL) communiaction in the same scenario,
http client------>XI (via HTTP with SSL)hi sudeep,
u need to create a comm ch of adapter type http n set the security level there.
refer this for help:
http://help.sap.com/saphelp_nw04/helpdata/en/14/80243b4a66ae0ce10000000a11402f/frameset.htm
[reward if helpful]
regards,
latika. -
ERROR http: 5: Unable to initialize ssl connection with server, aborting co
HI EXPERTS,
one of my database give me below error when i start its dbconsole. and after failure it give me meassge
TZ set to Asia/Karachi
Oracle Enterprise Manager 10g Database Control Release 10.2.0.4.0
Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved.
https://test:5500/em/console/aboutApplication
Starting Oracle Enterprise Manager 10g Database Control ..............................................................
........ failed.
Logs are generated in directory /u01/oracle/product/10.2/cnichol_cpuplt/sysman/log
and in trace file name "emdctl.trc" below error is logged.
ERROR http: 5: Unable to initialize ssl connection with server, aborting connection attempt
ERROR ssl: nzos_Handshake failed, ret=29024
and trace file named "emagent.trc" give below error
2010-10-04 19:12:25 Thread-88238992 ERROR http: 11: Unable to initialize ssl connection with server, aborting connection attempt
2010-10-04 19:12:25 Thread-88238992 ERROR pingManager: nmepm_pingReposURL: Cannot connect to https://test:5500/em/upload/: retStatus=-1
2010-10-04 19:12:38 Thread-88238992 ERROR upload: Error in uploadXMLFiles. Trying again in 300.00 seconds.
dbconosle URL is
https://test:5500/em/console/aboutApplication
Operating system is Redhat linux AS 5.3
what is the possible cause of this failure any one can guide me.
thanx in Advance
regards,
Edited by: AMIABU on Oct 4, 2010 7:28 AMoracle@bcm-laptop:~$ emctl
Oracle Enterprise Manager 11g Database Control Release 11.2.0.1.0
Copyright (c) 1996, 2009 Oracle Corporation. All rights reserved.
Oracle Enterprise Manager 10g Database Control commands:
emctl start | stop dbconsole
emctl status | secure | setpasswd dbconsole
emctl config dbconsole -heap_size <size_value> -max_perm_size <size_value>
emctl status agent
emctl status agent -secure [-omsurl <http://<oms-hostname>:<oms-unsecure-port>/em/*>]
emctl getversion
emctl reload | upload | clearstate | getversion agent
emctl reload agent dynamicproperties [<Target_name>:<Target_Type>]....
emctl config agent <options>
emctl config agent updateTZ
emctl config agent getTZ
emctl resetTZ agent
emctl config agent credentials [<Target_name>[:<Target_Type>]]
emctl gensudoprops
emctl clearsudoprops
Blackout Usage :
emctl start blackout <Blackoutname> [-nodeLevel] [<Target_name>[:<Target_Type>]].... [-d <Duration>]
emctl stop blackout <Blackoutname>
emctl status blackout [<Target_name>[:<Target_Type>]]....
The following are valid options for blackouts
<Target_name:Target_type> defaults to local node target if not specified.
If -nodeLevel is specified after <Blackoutname>,the blackout will be applied to all targets and any target list that follows will be ignored.
Duration is specified in [days] hh:mm
emctl getemhome
emctl ilint
Em Key Commands Usage :
emctl config emkey -emkeyfile <emkey.ora path> [-force] [-sysman_pwd <sysman password>]
emctl config emkey -emkey [-emkeyfile <emkey.ora path>] [-force] [-sysman_pwd <sysman password>]
emctl config emkey -repos [-emkeyfile <emkey.ora path>] [-force] [-sysman_pwd <sysman password>]
emctl config emkey -remove_from_repos [-sysman_pwd <sysman password>]
emctl config emkey -copy_to_repos [-sysman_pwd <sysman password>]
emctl status emkey [-sysman_pwd <sysman password>]
Secure DBConsole Usage :
emctl secure dbconsole -sysman_pwd <sysman password> [-passwd_file <abs file loc>]
[-host <slb hostname>] [-sid <service name>] [-reset] [-secure_port <secure_port>]
[-root_dc <root_dc>] [-root_country <root_country>] [-root_state <root_state>] [-root_loc <root_loc>]
[-root_org <root_org>] [-root_unit <root_unit>] [-root_email <root_email>]
[-wallet <wallet loc>] [-wallet_pwd <wallet pwd>] [-trust_certs_loc <certs loc>]
emctl secure status dbconsole
Register Targettype Usage :
emctl register oms targettype [-o <Output filename>] <XML filename> <rep user> <rep passwd> <rep host> <rep port> <rep sid> OR
emctl register oms targettype [-o <Output filename>] <XML filename> <rep user> <rep passwd> <rep connect descriptor> -
How to make tomcat 5 support SSL (https)?
Hi,
is there a way to make tomcat support SSL (https)?
i using: Apache 1.3.33
with : Tomcat 5.0.28-1.00RC2
and : jakarta-tomcat-connectors-jk-1.2.6
JDK: j2sdk1.4.0_04
Many thanks
AnatoliaThanks very much Sherbir,
But JSSE is integrated into the Java 2 SDK, Standard Edition, v 1.4 and above!
here is what i'm facing:
the documentation says:
>
It is important to note that configuring Tomcat to take advantage of secure sockets is usually only necessary when running it as a stand-alone web server. When running Tomcat primarily as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the primary web server to handle the SSL connections from users. Typically, this server will negotiate all SSL-related functionality, then pass on any requests destined for the Tomcat container only after decrypting those requests. Likewise, Tomcat will return cleartext responses, that will be encrypted before being returned to the user's browser. In this environment, Tomcat knows that communications between the primary web server and the client are taking place over a secure connection (because your application needs to be able to ask about this), but it does not participate in the encryption or decryption itself.
I'm running running Tomcat as a Servlet/JSP container behind Apache 1.3.33 web server.
So all SSL requests are handled by apache web server, but the problem I'm facing is that if i request any jsp page using https (ssl) i get plain text and it's not handled by tomcat!
i have a test page called test.jsp:
<html>
<head>
<title>JSP test page</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>2 x 2 = <%= 2 + 2 %>
</p>
</body>
</html> If I request this page using normal http request I get my results fine:
2 x 2 = 4
but if i request the page using https (ssl) I get a clear plain text of my jsp file content like this:
<html>
<head>
<title>JSP test page</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>2 x 2 = <%= 2 + 2 %>
</p>
</body>
</html> Now how do I fix this problem and make apache passes the jsp file to tomcat if the request was https (ssl) and not send me cleartext of my file content!
Many thanks
Anatolia -
Connecting to https with jdk1.5 throwing InvalidAlgorithmParameterException
Hi,
My current system has jdk1.3, weblogic7.1 and axis1.1.
I have a simple class in java which I use to connect to https://*.jsp.
Here is the sample code.
System.setProperty("javax.net.ssl.trustStore","/usr/local/client.keystore");
System.setProperty"java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("java.security.egd", "file:/dev/urandom");
URL url = new URL("https://xyz.com/index.jsp");
InputStreamReader isr = new InputStreamReader(url.openStream());
char[] buf = new char[1024];
int nread;
while ((nread = isr.read(buf, 0, buf.length)) > 0)
System.out.print(new String(buf, 0, nread));
System.out.flush();This code works well in jdk1.3 with jsse.jar, jnet.jar, jcert.jar in the classpath and a keystore which has a trusted entry for https://xyz.com/
I use the first 4lines of the code in a Axis Client to transfer SOAP msgs in https protocol.
Now I am migrating to JDK1.5, WebLogic9.1 and Axis1.3.
I have the same keystore. I do not have jsse.jar, jnet.jar, jcert.jar because jdk1.5 has JSSE.
This same set of code is giving exception in JDK1.5.
Any Solution?
Thanks
Senthil
Here is the exception from the stack trace
Exception in thread "main" javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trust
Anchors parameter must be non-empty
at com.sun.net.ssl.internal.ssl.Alerts.getSSLExceptionAlerts.java:166)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1443)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1426)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1045)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:913)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at java.net.URL.openStream(URL.java:1007)
at axistest.URLReader.main(URLReader.java:24)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:56)
at sun.security.validator.Validator.getInstance(Validator.java:146)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:105)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:167)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)I have se same problem.
I do a System.setProperty("javax.net.ssl.trustStore", <path_filetruststore>)
and I have the same error.
Can you tell me if you revolve this problem? how? -
SSL VPN with client, anyconnect.
I've set up a simple test on SSL VPN with client on a 3800.
It didnt work. I assume i have to turn on the IP http server so that the client can hit it.
but when I turned it on, the client goes to SDM, nothing with ssl vpn happened. it tells me the pay is not available.
The underlying routing is fine.
Could you tell me where it is configured wrong?
Config is copied below.
thanks,
Han
=======
Current configuration : 3340 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
enable password cisco
aaa new-model
aaa authentication login default local
aaa session-id common
no network-clock-participate slot 1
crypto pki trustpoint TP-self-signed-3551041125
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3551041125
revocation-check none
rsakeypair TP-self-signed-3551041125
crypto pki certificate chain TP-self-signed-3551041125
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33353531 30343131 3235301E 170D3131 31313135 31383238
30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35353130
34313132 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CFCF CFFAD76A 50DA82C9 8D4E3F90 64AD24EB 5409C5E2 43BC64F3 07F6C0E0
29FF2D71 0DA0D897 2F814BD2 7F817503 429D4BC6 6AD6EEA4 DFA74BAD 0EAF84D5
6ED55EC0 6C637178 BEEBCD1D 184BB90C CA84E974 48003885 87B53F2E 36A04661
23DA2CBB DD8EEE1D 2F25AF9A E21DC288 BF76A17C C1F4BA07 95F09377 A12BE01A
53750203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17526F75 7465722E 776E7362 6E6F632E 696E7465 726E616C
301F0603 551D2304 18301680 14BE9E8F ED788928 560D7CA1 EED89B0D DE34D772
5D301D06 03551D0E 04160414 BE9E8FED 78892856 0D7CA1EE D89B0DDE 34D7725D
300D0609 2A864886 F70D0101 04050003 818100BC 4A2A3C47 7BF809AF 78EE0FD9
73692913 F280765E BAFAECAB ED32C38D 3030810B C62C7F45 13C8A6EE AE96A891
CDD4C78B 803299AD EB098B27 383CEF6F 0E2B811F 3ECFADBA 07CD0AC6 BBB8C5FE
B2FC0FD8 562B7100 BB28036E 4575D1F5 B17687C6 8EACBD66 A9E52FEE A030E69A
CAAE9F1B 618FA59D 02C25BC8 77D6CAC2 C7E56F
quit
dot11 syslog
ip cef
multilink bundle-name authenticated
voice-card 0
no dspfarm
username cisco1 privilege 15 secret 5 $1$L2RA$Zqs6FLce5Ns5fny5aRL49/
archive
log config
hidekeys
interface GigabitEthernet0/0
ip address dhcp
duplex auto
speed auto
media-type rj45
end
interface Loopback1
ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/0
ip address dhcp
duplex auto
speed auto
media-type rj45
ip local pool svc-poll 1.1.1.50 1.1.1.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip http server
no ip http secure-server
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
scheduler allocate 20000 1000
webvpn gateway SSLVPN
ip interface GigabitEthernet0/0 port 443
ssl trustpoint local
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn context SSLVPN
ssl authenticate verify all
policy group default
functions svc-required
svc default-domain "test.org"
svc keep-client-installed
svc split dns "primary"
default-group-policy default
gateway SSLVPN
inservice
endUsing the SDM follow the below config example
http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml
The text "cisco 3800 ssl vpn configuration" in my favorite search engine, identified the above.
HTH> -
How to configure Oracle 10g Advanced Security to use SSL concurrently with
How to configure Oracle 10g Advanced Security to use SSL concurrently with database User names and passwords
In Oracle Advanced Security Documentation it is mentioned that i can use SSL concurrently with DB user names and passwords. But when i configure the client certificate on the client my DB connection is getting authenticated using the certificate, which out passing user id or password.
We want to connect to Oracle DB over SSL channel so that the data packets are not in clear text. Also we want the user to make a connection using user id and password.
Basically we want SSL with out authentication.
Need your expert adviceRead the documentation (I have given following links assuming you are running a 32 bit architecture)
Server installations:
http://www.oracle.com/pls/db102/to_toc?pathname=install.102%2Fb14316%2Ftoc.htm&remark=portal+%28Books%29
Client installations:
http://www.oracle.com/pls/db102/to_toc?pathname=install.102%2Fb14312%2Ftoc.htm&remark=portal+%28Books%29
You can find the required books (if not using 32 bit architecture) from
http://www.oracle.com/pls/db102/portal.portal_db?selected=3 -
Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1
Hello All,
We are currently building up a HTTPS message exchange with an external client.
Our PI 7.1 recieved over HTTPS messages on an already configured Sender SOAP Adapter.
The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet is required and works fine with user ID and password.
Now we have to configure the addtional Client Authentication.
At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
But what are the next steps to get this scenario successfully in place?
Many thanks in advance!
JochenHi Colleagues,
following Steps still have to be done:
- Mapping public key to technical user at Java Stack
As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for repecively technical user the public key certificate
- Be sure CA root certivicate at Database under STRUSTSSO2
- Import intermediate Certificate under Certificate List at Trast Manager for the Respecive Server Note
- use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
Many thanks to all for support!
Regards,
Jochen -
Hi,
I have two OSB's communicating over SSL.
How do I configure Weblogic to use a particular cipher during communication.
I want the communication to use TLS_RSA_WITH_NULL_SHA, or any null cipher, so that
the content can be scanned as it passed through a firewall.Hi Rana da,
If you want to use Https, make sure Https service must be activated in the system. Check Tcode: SMICM for HTTPS status.
Have a look at below link
Sender SOAP Adapter: HTTPS with Client Authentication -
HTTPS With Client Authentication
Hi,
I've created a simple Web Service in PI 7.11 SP 4 when trying to connect to the Web Service from Soap UI I get the following error:
java.security.AccessControlException: client certificate required
In the the transaction scim the following can be seen:
[Thr 5061] <<- SapSSLSessionInit()==SAP_O_K
[Thr 5061] in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
[Thr 5061] out: sssl_hdl = 1117534b0
[Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K
[Thr 5061] in: sssl_hdl = 1117534b0
[Thr 5061] in: cred_hdl = 116cfc110
[Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE
[Thr 5061] SSL NI-sock: local=XX.XX.XX.XX:50001 peer=XX.XX.XX.XX:2310
[Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K
[Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K
[Thr 5061] status = "resumed SSL session, NO client cert"
The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.
Sender Communication Channel,
Transport Protocol: HTTP,
Message Protocol: Soap 1.1,
Adapter Engine: Central Adepter Engine,
HTTPS with Client Authentication,
Keep Headers
Any ideas?
Kind regards,
JohnHi Peter,
If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.
It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.
All the best,
John
Maybe you are looking for
-
HT1420 how can I get a list of the computers authorized for iTunes?
I am trying to associate a new MacBook to my iTunes account. I am told that I have 5 computers already associated to the account. The option I am presented is to deauthorize all 5, then start over. Short of this, no other options are available. I
-
Beginner's question about naming helper classes
Hello, I am building a pretty basic multi-tier application. I want to reduce a much as possible the dependencies between the web tier and the ejb tier. Ideally I would like for the web tier to construct a request object (of class MyRequest) and send
-
How can obtain a row from an attribute
Hi, i´m doing a smart project and i need only one row, how can obtain it? The row i want obtain it from an attribute. Thanks,
-
Why do you have a lame Remo Mentor?
I am complaining about your Mentor ... for online bullying and telling my good friend that he is a scammer without any proofs or legitimate evidence on what he is telling against him. Also this guy is telling my friend that he is a gate crasher of Mo
-
Intercompany Purchase in SRM.
Hi Friends, Could you please provide some inputs on how to achieve the following? Basically we are trying to do intercompany purchase in SRM. Company X procure services from Company Y(Who are another subsidiary of X - i.e.Intercompany) via SRM. so fa