topic Re: HTTPS Communication Setup: ITS with third party Java Web Application in Application Development and Automation Discussions

HTTPS Communication Setup: ITS with third party Java Web Application

Former Member — Fri, 27 Sep 2013 20:56:54 GMT

Hello,

I have a Java web application which communicates with an ITS service over HTTP. The application communicates over port 80XX.

My profile parameters are as follows:

I have the ITS service come up on the browser successfully over HTTPS.

I have succesfully installed the SAP Crytopgraphic library and have created a system PSE certificate and server certificate.

The error thrown on my Java stack is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

We dont have a BASIS consultant in our team and I am a techno-functional application developer in the team. So I was hoping to get some help from experts on the forum on this issue.

Thanks

Arup

Re: HTTPS Communication Setup: ITS with third party Java Web Application

Former Member — Fri, 27 Sep 2013 21:31:53 GMT

Let me get this straight. You want to call the ITS service hosted on AS ABAP from your custom Java application by using HTTPS? If so, your problem is that your application server hosting your Java application doesn't trust the SSL certificate of AS ABAP.

Re: HTTPS Communication Setup: ITS with third party Java Web Application

Former Member — Sun, 29 Sep 2013 17:12:52 GMT

Hey Samuli,

You are right about the trust issue about the certificates. Now my question is, the Java application that I am running is independent of SAP and runs from Tomcat. So, what is the process to import the SAP certificates into the web application? Is the security to be handled at the Tomcat level? If so, how?

Thanks,

Arup

Re: HTTPS Communication Setup: ITS with third party Java Web Application

Former Member — Sun, 29 Sep 2013 19:20:41 GMT

The user must authenticate via a method supported by SAP.

How does the user authenticate to your java application? Is user/ role based access rights needed?

Ideal is that the user authenticated (strongly) via something which can be reused, otherwise you will have to use trust chains or generic services.

I think you need to provide more infos about your scenario.

Cheers,

Julius

Re: HTTPS Communication Setup: ITS with third party Java Web Application

Former Member — Mon, 30 Sep 2013 07:35:39 GMT

Hi,

You need to add your ABAP SSL CA certificates to the Java keystore used by your Tomcat server. Following post in stackoverflaw.com can give you a glimpse how to do it:

http://stackoverflow.com/questions/6497183/adding-a-foreign-servers-self-signed-certificate-to-the-trusted-certificates-of

Regards,

José M. Prieto

Re: HTTPS Communication Setup: ITS with third party Java Web Application

Former Member — Mon, 30 Sep 2013 22:33:24 GMT

Thanks Jose and Julius for the replies..

Let me step back and get the scenario straightened out.

To start with I want to ensure that the user from my Java based application can log on to an SAP system securely. I did some checking on our system and we are not using a Tomcat based secure communication.

What we are trying to ensure is we can securely log on to an SAP system using HTTPS.

To ensure this we have login/accept_sso2_ticket = 1 and login/create_sso2_ticket =2 set.

We are trying to establish communication from our Java Application to a specific ITS service.

To give you an example the URL is https://XX.XX.XX.XX:1443/sap/zavowm_lm01/?sap-client=800&sap-Password=123456&sap-language=EN&sap-user=amukherjee

Now to setup this communication what settings do I need to maintain on the SAP end to allow this. I have already gone through tons of SAP documentation but haven't been able to figure it out yet.

Re: HTTPS Communication Setup: ITS with third party Java Web Application

Former Member — Tue, 01 Oct 2013 17:12:58 GMT

Hi Arup,

First of all you need to set up the logon procedure at your ICF service (transaction SICF) and then you should be able to log in accordingly. Just for your reference you should take a look following SAP online help page which explains exactly how to set up logon procedures and the options you have.

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/d3/2bb3405226bc4ee10000000a1550b0/frameset.htm

I would say in your particular scenario the easiest way you can achieve this is by using HTTP basic authentication over HTTPS so credentials will be sent out encrypted over the wire. You can also have other options like:

SAP Logon Tickets, however you will need to get such tickets at your Java application side somehow and send it out on each requests.
SAML, this is only supported as of newer SAP NetWeaver versions and you need also a SAML infrastructure in pace (IdP, etc.)

Please take a look at that help page to get a better understanding what choices you have.

Regards,

José M. Prieto

Re: HTTPS Communication Setup: ITS with third party Java Web Application

Former Member — Tue, 01 Oct 2013 22:07:02 GMT

Hello Jose,

Thanks for the reply. I tried out different combinations of Login mechanisms. Tried the basic authentication over HTTPS too.

However, it still keeps complaining about the javax.net.security issue..

Thanks,

Arup

Re: HTTPS Communication Setup: ITS with third party Java Web Application

Former Member — Wed, 02 Oct 2013 05:51:10 GMT

Hi Arup,

Of course you still should get the error at your Java app side. The instructions I pointed you out is for setting up the authentication mode at your ICF service side only. However you still need to build up a keystore at your Tomcat side so that it can validate the certificate chain sent by the HTTPS server at your ABAP side.

So let's recap. For me the logical steps you should follow are:

Set up HTTPS at your ABAP side. As far as you pointed out this is done and working.
Set up the authentication method at your ICF service (endpoint of your HTTP request). You can refer to the SAP documentation I attached to you at help.sap.com. I suggested the simplest way in your scenario is maybe the use of HTTP basic authentication (assuming your HTTP requests are not going through public and unsecured networks). Nonetheless this is something you should think of as well.
Set up your Tomcat server in such a way is able to validate the certificate chain out of the certificate being sent by your HTTPS server (this case an ABAP system) during the SSL handshake. Basically this the same as to say that your Tomcat must trust on same CAs who signed the certificate issued for your ABAP. Here the link to that stackoverflow.com post I attached in my first post can give you some clue but I'm not a real expert on Tomcat. Anyway for sure there are tons of links at Google on how to set this up.

After this you should be able to communicate to your ICF service from The Java app on Tomcat over HTTPS.

Regards,

José M. Prieto