SAP Web Service SSO

Former Member
0 Kudos

Friends,

.NET is the client that will consume the SAP Web Service using certificate-based authentication.

I have setup SAP Web Service settings as shown in attached image.

Our AD infrastructure is set up so that when users log on to their PC they get their certificate in their user profile, and I verified it under certmgr.msc, Personal --> Certificates.

I am thinking of asking the .NET guy to read the certificate from this location and send it to SAP. Now the question is: when I create the certrule in SAP, which certificate do I have to import into SAP for mapping? Is it the certificate from the .NET server certified by the CA, or the user's personal certificate?

The user certificate from the user machine has the below details:

E = johns@test.org

CN = John smith

OU = Users

OU = USA

OU = HQ

DC = org name

DC = org

The root certificate from the server has the below details:

CN = Orgname Root Certificate Authority

DC = orgname

DC = org

Thanks

Krishiv

Accepted Solutions (1)

Former Member
0 Kudos

Hey Krish,

At the very least, you need to go to SMICM and set up the HTTPs port.

You need to make sure that the consumer of the web service uses the HTTPs port from SAP.

You also need to go to SM30 table VUSREXTID and make sure there is a mapping for the SAP user ID to the certificate. So if the user in SAP is named "JSMITH" and the cert is "CN=John Smith" there needs to be a mapping for that in the table.

Also, there are some profile params in SAP that need to be set in terms of making the HTTPs port work. You should be able to find those pretty easily on SAP help.

NICK

Former Member
0 Kudos

Hi Nick,

Thanks for the reply.

****At the very least, need to go to SMICM and setup the HTTPs port.

This setting was there already.

******you need to make sure that the consumer of the web service uses the HTTPs port from SAP.

When they reference the Web Service in the .NET code, they are referring to the HTTPS-based port only. Other than that, is there anything else they need to perform on the .NET server IIS side?

****You also need to go to SM30 table VUSREXTID and make sure there is a mapping for the SAP user ID

For testing purposes I have mapped one user ID as you mentioned, John Smith = JSMITH.

*****Also, there are some profile params in SAP that need to be set in terms of making the HTTPs port work

SAP HTTPS is already configured, and all the parameters look promising.

I still have questions like:

When the .NET user calls the SAP Web Service, do they need to pass any certificate to SAP, or do they simply call the Web Service and, since the SAP Web Service is configured as X.509, the certificate info comes as part of the SOAP header? I am not sure about this part.

I already provided the SAP CA-certified certificate to the IIS server folks to install on their machine.

Do I need to install certs on SAP? If I have to, which cert? Is that the IIS CA-certified cert?

Thanks again for your time.

Thanks

Krish

Former Member
0 Kudos

Hey Krish,

You will need to make sure your HTTPs cert is signed by your internal CA. Or some CA. And that CA must be in STRUSTSSO2, and the browser of whoever is consuming the web service.

As far as the consumer of your web service, you need to find out what ID they are using on the .NET side to make the call to your web service. That ID needs to exist in SU01 and be mapped to the X.509.

Former Member
0 Kudos

Thanks Nik for the quick response.

My HTTPs cert means the SAP ECC cert certified by the CA, is that correct?

The CA-signed cert was added in STRUST.

On the browser side I also added the same manually for testing purposes.

We are using the same user ID (SU01) from the .NET side and the SAP side.

The ID JSMITH exists the same on both ends, and I mapped JSMITH to X.509 in the table (the above CA-certified cert from SAP).

Is there anything else I am missing or have misinterpreted?

The only outstanding question is how the .NET code sends the certificate from the browser to SAP to verify. I am not clear on the concept of this one piece; can you please elaborate a bit more on this?

So that I can go ahead and get started with the testing.

Thanks

Kris

Former Member
0 Kudos

Hey Kris,

I think that only you or the folks on the .net side can answer that question.

We have folks that consume web services too, but they use an embedded ID/pass.

You'll have to get them to show you their detailed trace logs to see what's happening.

I guess you could enable debugging in SMICM, then tail the /usr/sap/<SID>/DVEBMGS00/work/icmhttp.log and /usr/sap/<SID>/DVEBMGS00/work/dev_icm to at least see something.

There are some web service admin tcodes out there too, and a lot of stuff in SOAmanager...

NICK
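Added example, not part of the thread or of any participant's reply: one way a .NET client can present the logged-on user's certificate to SAP, assuming the service authenticates with a TLS client certificate on the ICM HTTPS port. The host, port, service path and class name are placeholders; under this assumption the certificate travels in the TLS handshake, and the private key never leaves the client.

```csharp
// Added example. Assumes TLS client-certificate authentication;
// host, port and path below are placeholders, not values from the thread.
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class SapClientCertDemo
{
    // Pick a certificate with a private key from the logged-on user's
    // Personal store (certmgr.msc > Personal > Certificates).
    static X509Certificate2 FindUserCertificate(string subjectName)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        // validOnly: true skips certificates that fail validation
        // (for example expired, or not chaining to a trusted root).
        var matches = store.Certificates.Find(
            X509FindType.FindBySubjectName, subjectName, validOnly: true);
        foreach (var cert in matches)
        {
            // Without the private key the client cannot complete the handshake.
            if (cert.HasPrivateKey) return cert;
        }
        throw new InvalidOperationException(
            $"No valid certificate with a private key for '{subjectName}'.");
    }

    static async Task Main()
    {
        var cert = FindUserCertificate("John smith");
        // The subject a SAP-side user mapping (VUSREXTID) would be matched against.
        Console.WriteLine($"Presenting: {cert.Subject}");

        using var handler = new HttpClientHandler();
        handler.ClientCertificateOptions = ClientCertificateOption.Manual;
        handler.ClientCertificates.Add(cert);
        // Server certificate validation stays at the default, so the CA that
        // signed the SAP HTTPS certificate must be trusted on this machine.

        using var client = new HttpClient(handler);
        var response = await client.GetAsync(
            "https://sap-host.example:44300/placeholder/service/path");
        Console.WriteLine((int)response.StatusCode);
    }
}
```

When this runs inside IIS rather than as the desktop user, `StoreLocation.CurrentUser` resolves to the application pool identity's store, not the end user's, so the certificate found there may be a different one.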

Answers (0)