Which SAP PI Keystore View should be used for a self-signed HTTPS scenario

former_member285279
Participant
0 Kudos

Hello Colleagues,

I have a question regarding an HTTPS scenario (SAP PI - Receiver) with a self-signed SSL certificate.

Between SAP PI and receiver I have to exchange the public key.

In which SAP PI keystore view should the keys be stored?

TrustedCAs

ICM_SSL_ ... _<SSL-Port>

...

Regards,

Jochen

Accepted Solutions (1)

Former Member
0 Kudos

Hi Jochen,

In the case of a self-signed certificate, you have to maintain the public key cert in both places: TrustedCAs and ICM_SSL_ ... _<SSL-Port>.

Thanks,

Krupa

former_member285279
Participant
0 Kudos

Many thanks to all for providing this great information!

But I need to know which is the right place for the public receiver (self-signed) certificate?

We have different Views under NWA Certificate and keys.

I created the self-signed private and public key at ICM_SSL_ ... _<SSL-Port> at SAP PI.

The SAP PI public key was provided to the receiver.

At last, I got the receiver (self-signed) public key, which I stored under ICM_SSL_ ... _<SSL-Port>.

Is this correct? Why do I have to store it in both TrustedCAs and ICM_SSL_ ... _<SSL-Port>?

If I understand correctly, the Views are only folders for organisation without any technical delimitation. Right?

Many thanks in advance!

Regards,

Jochen

Former Member
0 Kudos

Hi Jochen,

The certificate being a self-signed certificate, your PI system must recognize this as a valid certificate. Now, in your case, you are maintaining the self-signed SSL certificate in the ICM_SSL_<instance ID> keystore only, but if you do not maintain the public key inside the TrustedCAs keystore, your PI system will not recognize the SSL certificate to be a valid one during the certificate handshake between the client system and yours. I assume that in your system the trusted store is maintained as TrustedCAs.

Regards,

Kruparao
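
The general X.509 rule behind this reply, shown with the OpenSSL command line as an added example (not part of the thread and not SAP tooling): a self-signed certificate validates only when it is itself among the verifier's trust anchors. The host name and file names are constructed, and which NWA view PI consults is not modelled here.

```shell
#!/usr/bin/env bash
# Added illustration. Host name and file names are constructed placeholders.
workdir=$(mktemp -d)
cert="$workdir/receiver.crt"

# Stand-in for the receiver system's self-signed server certificate.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=receiver.example.test" \
    -keyout "$workdir/receiver.key" -out "$cert" 2>/dev/null
}

# Self-signed: subject and issuer name hashes are identical.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Validate $1 against the trust anchors in $2; an empty $2 means no extra anchors.
# Success is detected from the "<file>: OK" line that openssl prints.
verify_with_trust() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" 2>&1
  else
    openssl verify "$1" 2>&1
  fi | grep -q ': OK$'
}

# SHA-256 fingerprint to compare with the partner out of band before importing.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

make_self_signed
is_self_signed "$cert" && echo "self-signed: yes"
verify_with_trust "$cert" ""      && echo "no anchor: OK" || echo "no anchor: rejected"
verify_with_trust "$cert" "$cert" && echo "cert as its own anchor: OK"
echo "fingerprint to confirm with the receiver: $(fingerprint "$cert")"
```

Because no CA vouches for a self-signed certificate, the fingerprint comparison is the only check that the imported file really came from the receiver.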

former_member285279
Participant
0 Kudos

Hi Kruparao,

Many thanks for the reply!

According to Configuration of the AS Java Keystore Views for SSL

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/0189458d863132e10000000a421937/content.htm?frame...

we have to add all SSL stuff to "CM_SSL_ <instance_ID>_<port>"

The question is now, what is by a self-sign scenario to notice?

Unlike a scenario with a Certification Authority (CA) (the SSL SAP PI key pair is signed by the CA), you get an exported public key from the receiver system.

Where does this receiver public key have to be stored for an SSL self-signed scenario?

Inside CM_SSL_ <instance_ID>_<port> or TrustedCAs?

I would say in CM_SSL_ <instance_ID>_<port>, because the self-signed public receiver certificate is almost "SSL SAP PI key pair is signed by the CA" for the SSL scenario.

What do you, or others, think?

Regards,

Jochen

Former Member
0 Kudos

Hi Jochen,

As long as your partner is using a self-signed certificate, you need to maintain the certificate in both TrustedCAs as well as ICM_SSL_<instance no>_<port>. Unless the self-signed certificate is identified as a trusted certificate, it will throw trouble.

"The question is now, what is by a self-sign scenario to notice?"

Could you please elaborate on the question?

Regards,

Krupa

former_member285279
Participant
0 Kudos

Hi Krupa,

Sure! Excuse me for the maybe poor explanation.

Scenario: SAP PI -- HTTP/SSL --> Receiver System

SAP Help describes under Configuration of the AS Java Keystore Views for SSL how you have to configure the SSL connectivity in the standard process with a key pair certified by a Trusted Authority (CA). Regarding this, all configurations have to be done under "CM_SSL_ <instance_ID>_<port>". Root CA and intermediate CA for the key pair are contained in TrustedCAs.

Besides this "standard" configuration, you are able to perform an SSL self-signed scenario with your partner system (receiver). Here you also have to perform all configurations under "CM_SSL_ <instance_ID>_<port>". But to trust your SSL connectivity you need, unlike in the "standard SSL scenario", the self-signed certificate from the receiver system.

The question now is: where (in which keystore view) do you have to put the self-signed public key certificate from the receiver system?

My assumption was that I have to put the self-signed public key certificate from the receiver system under "CM_SSL_ <instance_ID>_<port>" as well, and not under TrustedCAs.

What is correct for this special self-signed scenario, now?

It will only be used for SSL.

Many thanks in advance!

Regards,

Jochen


Former Member
0 Kudos

Hi Jochen,

Yes, you have to maintain your receiver system's self-signed public key certificate in ICM_SSL_ <instance_ID>_<SSL port>. If you face any issue during the handshake, try adding it to TrustedCAs, so your PI system will recognize the SSL certificate during the certificate handshake.

Regards,

Krupa

former_member285279
Participant
0 Kudos

Hi Krupa,

Many thanks for clarifying this point.

Add the receiver system's self-signed public key certificate in ICM_SSL_ <instance_ID>_<SSL port>: this is what I did in the past and it works without any problems.

Regards,

Jochen

Answers (2)

engswee
Active Contributor
0 Kudos

Hi Jochen

You can use an appropriate default view that is already provided. The link from SAP Help provides more details on each default view. You can use TrustedCAs.

https://help.sap.com/saphelp_nwpi71/helpdata/en/e9/a1dd44d2c83c43afb5ec8a4292f3e0/frameset.htm

You can also create your own key storage views if you prefer.

https://help.sap.com/saphelp_nwpi71/helpdata/en/53/b221e3b466b346860715a550ca987d/content.htm

Rgds

Eng Swee

Former Member
0 Kudos

Hi

Check this. This will help