on 07-06-2015 5:04 PM
Friends,
.NET is the client that will consume the SAP WebService using certificate-based authentication.
I have setup SAP Web Service settings as shown in attached image.
Our AD infrastructure is set up so that when users log on to a PC they get their certificate in their user profile, and I verified it under certmgr.msc, Personal --> Certificates.
I am thinking of asking the .NET guy to read the certificate from this location and send it to SAP. Now the question is, when I create the certrule in SAP, what certificate do I have to import into SAP for mapping? Is it the certificate from the .NET server certified by the CA, or the user's personal certificate?
User certificate from the user machine: has the below details:
E = johns@test.org
CN = John smith
OU = Users
OU = USA
OU = HQ
DC = org name
DC = org
Root Certificate from the server has the below details:
CN = Orgname Root Certificate Authority
DC = orgname
DC = org
Thanks
Krishiv
Hey Krish,
At the very least, need to go to SMICM and setup the HTTPs port.
You need to make sure that the consumer of the web service uses the HTTPs port from SAP.
You also need to go to SM30 table VUSREXTID and make sure there is a mapping for the SAP user ID to the certificate. So if the user in SAP is named "JSMITH" and the cert is "CN=John Smith" there needs to be a mapping for that in the table.
Also, there are some profile params in SAP that need to be set in terms of making the HTTPs port work. You should be able to find those pretty easily on SAP help.
NICK
Hi Nick,
Thanks for reply.
****At the very least, need to go to SMICM and setup the HTTPs port.
This setting was there already.
******you need to make sure that the consumer of the web service uses the HTTPs port from SAP.
When they do the reference to the WebService in .NET code, they are referring to the https-based port only. Other than that, is there anything else they need to perform on the .NET server IIS side?
****You also need to go to SM30 table VUSREXTID and make sure there is a mapping for the SAP user ID
For testing purpose I have mapped one user id as you mentioned , John Smith = JSMITH.
*****Also, there are some profile params in SAP that need to be set in terms of making the HTTPs port work
SAP https is already configured, and all the parameters look promising.
I still have questions like:
When the .net user call SAP WebService , do they need to pass any certificate to SAP or simply they call the WebService since SAP WebService is configured as x.509, the certificate info comes as part of the SOAP header?? I am not sure about this part.
I already provided them SAP CA certified certificate to IIS server folks to install on their machine.
Do I need to install certs on SAP , if I have to which cert? is that IIS CA certified cert ?
Thanks again for your time.
Thanks
Krish
Hey Krish,
You will need to make sure your HTTPs cert is signed by your internal CA. Or some CA. And that CA must be in STRUSTSSO2, and in the browser of whoever is consuming the web service.
As far as the consumer of your web service, you need to find out what ID they are using on the .NET side to make the call to your web service. That ID needs to exist in SU01 and be mapped to the x.509
Thanks Nik for the quick response.
My HTTPs cert means , the SAP ECC cert certified by CA, is that correct?
The CA signed cert added in STRUST.
Browser side also added the same manually for the testing purpose.
We are using the same user id (SU01) from .net side and SAP side.
The id JSMITH exists same both ends and mapped the JSMITH to X.509 in table (the above CA certified cert from SAP) .
Is there anything else I am missing or have misinterpreted?
The only outstanding question is how the .NET code sends the certificate from the browser to SAP to verify. This one piece I am not clear on the concept of. Please can you elaborate a bit more on this?
So that I can go ahead and get started with the testing.
Thanks
Kris
Hey Kris,
I think that only you or the folks on the .net side can answer that question.
We have folks that consume web services too, but they use an embedded ID/pass.
You'll have to get them to show you their detailed trace logs to see what's happening.
I guess you could enable debugging in SMICM, then tail the /usr/sap/<SID>/DVEBMGS00/work/icmhttp.log and /usr/sap/<SID>/DVEBMGS00/work/dev_icm to at least see something
There are some web service admin tcodes out there too, and a lot of stuff SOAmanager...
NICK
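Added example, not part of any post in this thread: assuming the service uses transport-level X.509 (SSL client certificate) authentication, the client presents its certificate during the TLS handshake rather than inside the SOAP message. The C# sketch below reads the user's certificate from the Personal store described in the first post and attaches it to an HTTPS call; the endpoint URL and class name are hypothetical, and `HttpClientHandler.ClientCertificates` assumes .NET Framework 4.7.1 or later (or .NET Core).

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;

class SapClientCertCall
{
    // Hypothetical endpoint: use the HTTPS URL of the SAP service binding.
    const string ServiceUrl = "https://sap.example.org:44300/placeholder/service";

    static X509Certificate2 FindUserCertificate(string subjectName)
    {
        // CurrentUser\My is the store certmgr.msc shows as Personal -> Certificates.
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true skips expired certificates and broken chains.
            var matches = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, true);
            foreach (X509Certificate2 cert in matches)
            {
                // Without the private key the TLS client-auth handshake cannot complete.
                if (cert.HasPrivateKey) return cert;
            }
        }
        finally
        {
            store.Close();
        }
        throw new InvalidOperationException("No usable certificate for " + subjectName);
    }

    static void Main()
    {
        var cert = FindUserCertificate("John smith"); // CN from the first post
        // The subject DN is what the server-side user mapping has to match.
        Console.WriteLine("Subject presented: " + cert.Subject);

        var handler = new HttpClientHandler();
        handler.ClientCertificateOptions = ClientCertificateOption.Manual;
        handler.ClientCertificates.Add(cert);

        using (var client = new HttpClient(handler))
        {
            var response = client.GetAsync(ServiceUrl).GetAwaiter().GetResult();
            // Print the status so a rejected logon is visible.
            Console.WriteLine("HTTP status: " + (int)response.StatusCode);
        }
    }
}
```

The process must run as the logged-on user, because the certificate and its private key live in that user's profile; an IIS application pool identity would see a different CurrentUser store.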