Calling-webservices From Abap via Https

8/10/2019 Calling-webservices From Abap via Https

1/7

Getting Started Newsletters Store

Products Services & Support About SCN Downloads

Industries Training & Education Partnership Developer Center

Lines of Business University Alliances Events & Webinars Innovation

Log On Join UsHi, Guest Search the Community

Activity Communications Actions

Browse

thomas.jung

0 Tweet 0

Introduction

I have written several times on the topic of WebServices from the ABAP content:

ABAP WebServices: Logon Language Processing

WebService Navigator Page for ABAP and Java

WebServices: A real world implementation experience

Publishing ABAP WebServices to an External UDDI Server

Develop a Web Service that sends an Email - in ABAP

BSP a Developers Journal Part XIV - Consuming WebServices with ABAP

BSP a Developers Journal Part XIII: Developing ABAP WebServices

You would think that I would run out of things to write about on WebServices. But it seems like every time we do a new

project using the technology, I learn something new. Maybe that is why I enjoy working with WebServices so much. Well

his week was no different. A college of mine, Chris Cassidy, had a project where he needed to call a WebService from

ABAP. So far so good. However the WebService he was going to be calling (written in .Net) required HTTPS and Basic

Authentication. This was something we had never done before (and I had never written about). We were able to work

hough the setup with a few minor problems along the way. Thanks to Chriss excellent note taking, I can now share

hose details and learnings here today.

.Net Side - Setup

I dont want to focus too much on the development from the .Net Side. I will give you a little background however. We

were developing a .Net WebService that would call MSSQL stored procedures in our shop f loor MES system. This call

would actually be triggered out of our 46C R/3 system from an User Exit in the QM Inspection Lot Maintenance

Application. This way when Usage Decisions are made in R/3 we will update the Shop Floor system (by passing through

R/3 to our 640 Standalone WebAS system) in real time. Given that this was very important Quality data, we wanted to

make sure that the data was secure. We also needed the user who authenticated to the WebService to have its

credentials passed through to the SQL Server database. This caused us to have to require SSL (HTTPS) for the

WebService communication. We have an internal Certificate Server at our company. We needed to setup the Root

Certificate for this internal CA on the Web Server that was going to host the WebService. We also needed to go into IIS

for this WebService and force it to require Secure Communications. The following are some screen shots of the

configuration we did in IIS:

IIS Configuration - Authentication

Calling WebServices from ABAP via HTTPS

Posted by Thomas Jungin thomas.jungon May 13, 2005 12:18:52 PM

ShareShare 1LikeLike

Page 1 of 7Calling WebServices from ABAP via HTTPS | SCN

1/2/2015http://scn.sap.com/people/thomas.jung/blog/2005/05/13/calling-webservices-from-abap-via-...


2/7


3/7

The next tab (Logon/Security) is where we can setup our requirement for SSL (HTTPS) and that we are wanting to use

Basic Authentication. This is also where we choose the user name and password to use for the Basic Authentication.

Notice that when you choose Basic Authentication combined with SSL the SSL Client Certificate Detail Drop Down

forces in the value for SSL Client (Anonymous). You can not override this value. Remember this Client Certificate

because it becomes very important later on.

RFC Setup - Logon/Security

The final tab (Special Options) allows you set Compression, Timeout and Cookie options. Now I suggest the following

settings for HTTP Settings (compression). We turned on compression initially. However we were unable to call the

WebService through the ABAP proxy using Compression. We received an error that the first character of the HTML

stream contained an unknown Hex Value. Turning off compression quickly corrected this error. Im not sure if you should

be able to use compression or not. Perhaps this i s just a bug either in .Net or in our WebAS 640 SP10 system.

RFC Setup - Special Options

We thought it would be a good idea to test our RFC HTTP connection from SM59 before we even try to test our

WebService itself. Unfortunately we immediately received an error message. The details f rom the ICM log were as

follows:

Now I had to clip the right edge of the screen to get an image that conformed to the SDN limits. Dont worry though, you

arent missing much. A few hours of reading documents on SDN, the Service Marketplace, and through the Internet

(gotta love Google) lead us to better understand the nature of SSL C lient calls out of the ABAP WebAS. This is the way I




4/7

Average User Rating

(0 ratings)

My Rating:

understand it: In order to establish a Secure HTTP communication with a foreign system, SAP must verify the other

partys server certificate. To do this SAP must have access to the Certificate for the Trusted Root Authority that signed

he foreign Server certificate. This Certificate must then be associated to the profile used during Anonymous SSL (even

hough no actual client certificate from the WebAS is required). Remember that certificate setting from the RFC setup

hat I told you not to forget? This is where it comes into play.

We will start off by getting our Trusted Root Certificate. Remember that I said early we have our own certificate server

(which is fairly common these days as I understand). Therefore I know that my browser (IE) has this certificate in it as

well. From Tools->Internet Options->Content Tab->Certificates->Trusted Root Certification Authorities Tab, I can access

and download the certificate that I need.

Now I need to load this certificate that I just downloaded into SAP and associate it to the SSL Client (Anonymous)

profile. You can do this work from t ransaction STRUST.

Now I would like to tell you that after uploading the certificate, the RFC destination connected just fine and we left work

early that day to head over to the local watering hole. Unfortunately that was not the case. The connection continued to

fail with the same error message. In fact we spent another 4 hours playing with settings, reading, and retrying without

any luck. Well past sundown I f inally stumbled across an OSS note I wish I had found hours ago. It was OSS Note

510007. It had detailed instructions on how to setup SSL on the SAP WebAS. However it was the very last line of this

Note that was so important:

Bear in mind that the changes m ade in the trust manager wi l l only take effect after you restart the appl icat ion

server or at least the ICM (transaction SMICM, Admin istratio n -> ICMAN -> Exit Soft).

Sure enough, we restarted the ICM and everything started working just fine. I would have never guessed that I needed

o restart the ICM just to add a certificate!

Closing

Hopefully I have been able to share another small piece of the very large WebServices puzzle. And maybe if you read

his weblog, you might be able to avoid the very frustrating afternoon that we experienced trying to setup the SSL

connection.

10681 Views




5/7

0 Tweet 0ShareShare 1LikeLike

16Comments

Like (0)

John HeutmekersAug 17, 2005 4:30 AM

Thomas: (again) a very helpfull weblog

Like (0)

Mar 14, 2007 3:24 PM

Really helpful! I have the same problem and I will try your solution tomorrow. I think it saves me a lot of

time! Thanks!

Like (0)

Chandra ShekharNov 14, 2007 11:32 PM

Hi Buddy,

Have been going through your documents. Found them very elloborated and helping.

While following ur document for configuring Webservice ADS on ABAP. While testing my ADS

connection in SM59 I am getting ICM_HTTP_SSL_ERROR (only when I use SSL Client Certificate

(Default & Anonymus) both.

Later I realized that may be the problem is with my SSL Client (PSE or Cert).

Can you just help us to provide any alternate on the same to resolve the issue.

My ultimate goal to achieve is I need to display Adobe forms in MSS in EP 7.0 with ESS / MSS 1.0

SP8.

Regards,

Nitin Gupta

[email protected]

[email protected]

Like (0)

Thomas JungNov 15, 2007 3:51 AM (in response to Chandra Shekhar)

Well you havent really told me much about the problem. However my recommendation is to

find the ADS setup and configuration guide from SAP. This has the step by step instructions

for configuring SSL for the ADS (different from this approach I took in the blog because you

are working with ABAP calling to Java).

Like (0)

Alexandre de SousaNov 30, 2007 10:16 AM

Hi Thomas,

First of all, congratulations for your excellent bl ogs. They are very helpful.

Im trying to call a external WebService from ABAP via HTTPS without Basic Authentication and I

followed all the steps that you mention on the blog to configure it, except the part that your configure

the user and password. The RFC connection (HTTPS) is just working fine, but (theres always a but)

when I test the proxy client I get the following error:

- WSDoAllReceiver: Request does not contain required Security header

This rings any bell to you?

What am I doing wrong or what I miss in configuration?

Can you give a direction on this?

Thanks in advance.

Alexandre

Thomas JungDec 3, 2007 11:43 AM (in response to Alexandre de Sousa)

No I have never gotten that error. I will need to make some assumptions. Since the error

says that the request doesnt contain the security header, I have to assume that the message

is being issued by the receiving system.

My guess, based upon the reference to Security Header, is that this webservice is requiring

more than just HTTPS. It is also looking for document level security. You will need to look at

adding a security profile to the Logical Port that you use for this service proxy.




6/7

Like (0)

However all this is just a guess based upon an error message that likely comes from some

external system. The best bet is to talk to the service provider and see what all of their

requirements are.

Like (0)

Bhavesh KantilalAug 6, 2009 8:22 AM

Thomas,

The last line at your blog "Bear in mind that the changes made in the trust manager will only take effect

after you restart the application server or at least the ICM (transaction SMICM, Administration ->ICMAN -> Exit Soft). "

solved a issue that was troubling me for sometime! :-) Its surprising that after loading a cert in

STRUST, restart of ICM process is needed. Coming from the Java World and having used Certs with

Visual Admin of XI extensively, I find this surprising. But hey it works :-D Thanks Again!

Like (0)

Thomas JungAug 6, 2009 9:04 AM (in response to Bhavesh Kantilal)

You will be happy to know then that the restart is no longer necessary as of NetWeaver

7.02/7.20. When youload a certificate in STRUST, upon save the ICM is notified of the new

certificates.

Like (0)

Murray NicholasAug 31, 2009 11:27 PM

Thomas, thanks for this. Its confirmed the first part of my set up which is no progressing. Im trying toset up my PI Web AS as both a client and a server to talk to a Siebel box. I need client-authenticated

SSL connections between and I have a corporate Certificate Authority to sign my own certificates.

Ive set up the server PSE and exported the certificate request, signed it and imported the response

(there was an issue importing this from a file but saving to a file then pasting the content in worked).

I can now launch the https://server:port/path/pingservice successfully but I get a message back saying

my browser doesnt trust the issuing authority for the certificate because that authority is my SAP PI

server, not the corporate CA which I used to sign the certificate request. All my keys are marked "self

signed".

Have I missed something?

Like (0)

Thomas JungSep 1, 2009 4:28 AM (in response to Murray Nicholas)

Did you at some point in the past have self signed certificates for the server PSE? If so did

you delete those? Did you restart the ICM after loading the new server PSE? Im not sure

why else your externally signed certificate wouldnt be coming through. The fact that yousdige you had an issue importin from a f ile, might be cause for concern. Ive never had a

problem importing a certificate from a file.

Like (0)

Murray NicholasSep 1, 2009 11:44 PM (in response to Thomas Jung)

Never had a previous PSE - I only just got the cryptolib installed last week. I do

have the advantage at the moment of being able to completely blow away the PSE

and start again but I need something in there on which to build a certificate request

dont I?

My version of SAP PI STRUST tells me it has notified the ICM after I import

certificates so I hadnt tried to restart it. I did this morning but, with STRUST still

elling me my "Own Certificate" is self signed, that didnt make a difference.

The import of the certificate response failed with an error saying the response could

not be analysed. I found an SAP Note which said that this may occur if you import

from a local file bigger than about 4000bytes. However, copying the same file fromnotepad to the clipboard and then pasting it into the import screen with the clipboard

button works (according to the note and in my experience).

Absent some flash of inspiration to the contrary Ill destroy my PSE tomorrow and try

again from scratch now I have the rest of the methodology seemingly right.

Like (0)

Colin BrainOct 4, 2010 7:57 AM

Thanks for (another) useful Blog, but is it possible to consume a remote web service from ABAP using

a SAML token? I have found documentation for this using PI, but not direct from AS ABAP.

Thanks




7/7

Follow SCNSite Index Contact Us SAP Help Portal

Privacy Terms of Use Legal Disclosure Copyright

Like (0)

Thomas JungOct 5, 2010 8:02 AM (in response to Colin Brain)

I will fully admit, I am not an expert on SAML at all. I can tell you that there is some SAML

support in the standalone AS ABAP as of NetWeaver 7.0 Enhancement Package 2. As to

more details on what exactly this covers, you will probably have to wait until more information

is available at TechEd or once the BS7i2010 ramp-up starts.

Like (0)

Derek ColleyDec 20, 2010 6:10 AM

Great blog, thanks!

Like (0)

Tomas BurgerFeb 11, 2011 6:50 AM

Hello Thomas,

well, what described above works for me, as long as I create logical port in LPCONFIG. However when

I create logical port via SOAMANAGER, it doesnt work. Obviously that option to take "anonymous

client" (whatever it is) is missing there...

If I got it right, LPCONFIG is as obsolete as WSCONFIG, right? So I would prefer to go with

SOAMANAGER instead, only if it would work...

Any idea?

Thanks, Tom

Like (0)

Balu KavaturuMay 30, 2013 11:52 PM

Good Blog , Solved a problem quickly which i had spent like hours.


Documents

Calling-webservices From Abap via Https