Community
Application Development and Automation Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

SAP connect to WAS's HTTPs service with mutual authentication

beta_beta
Explorer

‎2021 Jun 23 7:32 AM

0 Likes
1,743

Hi SAP Expert,


We are configuring the RFC connection in SM59 to connect to the WAS server with HTTPS with

mutual authentication.

SAP had imported the WAS server's root, INTERMEDIATE and private certs,

WAS had import the SAP server's ROOT,INTERMEDIATE and private certs,

In the icm log, we can see

[Thr 772] Certificate verification result:
[Thr 772] Certificate:
[Thr 772] Subject: OID.0.9.*
[Thr 772] Verification result:
[Thr 772] Status: Successful
[Thr 772] DirectlyTrusted: Successful

Then the Server requested client authentication [ssl3_decode_certificate_request], server sent several CA certs,

we can sure the certs are imported into SAP, we had imported them into SSL server and SSL client Standard.

but currently we are facing the issue as below:

[Thr 772] CCL[SSL]: Cli-00000004: Server sent 5 trusted CA name(s) for client authentication [ssl3_decode_certificate_request]
[Thr 772] CCL[SSL]: Cli-00000004: Cannot perform client authentication: Have no certificate fitting to CA names received from server [ssl3_send_client_certificate]
[Thr 772] CCL[SSL]: Cli-00000004: Sending message with empty certificate list [ssl3_send_client_certificate]
[Thr 772] CCL[SSL]: Cli-00000004: Sending empty Certificate message. [tls1_empty_cert_list]

Please help to check the issue, thanks.

5 REPLIES 5
Read only

Isaias_SAP
Product and Topic Expert
Product and Topic Expert

‎2021 Jun 24 5:48 PM

0 Likes
1,465

Hello,

Use the transaction STRUST to identify what PSE has the correct client certificate, that will be accepted by the remote system for SAP to authenticate itself.

Then, go to the SM59 destination and switch to the "logon & security" tab.

Scroll down, and there you will have the option to choose which client certificate should be used on this destination. Make sure that the correct client PSE is set there.

Regards,

Isaías

Read only

beta_beta
Explorer
In response to Isaias_SAP

‎2021 Jun 28 6:37 AM

0 Likes
1,465

Hi,

I have exported web server's certificate and SAP 's certificate, then imported to each other.

In SM59 i am using "SSL client default" , i can sure that the certificate was imported into there.

Read only

Isaias_SAP
Product and Topic Expert
Product and Topic Expert
In response to Isaias_SAP

‎2021 Jun 28 12:36 PM

0 Likes
1,465

Hello,

If possible, please upload an ICM level 3 trace captured while simulating the issue.

This should help us identify what is happening.

Regards,

Isaías

Read only

beta_beta
Explorer
In response to Isaias_SAP

‎2021 Jun 30 6:16 AM

0 Likes
1,465

Hi Isaias,

Thanks, we have fixed the issue.

We upload the SSL Client standard cert also into the WAS server, then connection is fine.

Read only

Isaias_SAP
Product and Topic Expert
Product and Topic Expert
In response to Isaias_SAP

‎2021 Jun 30 12:20 PM

0 Likes
1,465

Hello,

Thank you for sharing the good news! 🙂

Please mark the question as closed 😉

Best regards,

Isaías