2021 Dec 07 1:56 PM
Hi, i am trying to download a file via hyperlink which directly leads to dialog for download/open that file. File is .zip (zip contains xml file), file : link
I am trying to use CL_HTTP_CLIENT->create_by_destination (i set up RFC in SM59 type G, tested with no error )
host = https://report.financnasprava.sk
prefix = /ds_dphs.zip
But the response is definitely not the .zip file i am trying to download. Response:
<html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://www.https.com//report.financnasprava.sk:80/ds_dphs.zip?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTYzODg4OTU1NCwiaWF0IjoxNjM4ODgyMzU0LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIycXY3bGtiNHBjbDlpNHZjZXMwMHZxMGEiLCJuYmYiOjE2Mzg4ODIzNTQsInRzIjoxNjM4ODgyMzU0MTY3MTYyfQ.wXv9PCqZ32VVgCJByydnQXvES5KVDVQZNyKjKFazkYc&sid=68fc4e12-575e-11ec-9ab4-cfde9affef56');</script></body></html>
I am not sure where the problem might be but that "Loading.." in response is a bit confusing.
Here is the code i am using everything ends with sy-subrc = 0.
CALL METHOD cl_http_client=>create_by_destination
EXPORTING
destination = 'DS_DPHS'
IMPORTING
client = l_client
EXCEPTIONS
argument_not_found = 1
destination_not_found = 2
destination_no_authority = 3
plugin_not_active = 4
internal_error = 5.
CALL METHOD l_client->send
EXPORTING
timeout = 0
EXCEPTIONS
http_communication_failure = 1
http_invalid_state = 2
http_processing_failed = 3
http_invalid_timeout = 4.
CALL METHOD l_client->receive
EXCEPTIONS
http_communication_failure = 1
http_invalid_state = 2
http_processing_failed = 3
OTHERS = 4.
l_content = l_client->response->get_data( ).
s_content = l_client->response->get_cdata( ).
2021 Dec 20 4:55 PM
In your case, the error is due to the certificate subject CN=edane.financnasprava.sk but the accessed domain is report.financnasprava.sk. Consequently, there's a mismatch, which you can see in the SMICM trace (trace level 2 to see a little bit better).
I could make it work only after defining the below parameter, as explained in note 2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client
icm/HTTPS/client_sni_enabled = TRUE
Including Juraj conclusion: with older kernel (Kernel 721 / 722, with sufficient patch level, see note 2384290 - SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients), set this parameter:
ssl/client_sni_enabled = TRUE
2021 Dec 07 3:20 PM
The link goes to a redirection URL. You get the ZIP at the indicated redirection URL.
2021 Dec 07 7:26 PM
So this is the redirection URL right ?
http://www.https.com//report.financnasprava.sk:80/ds_dphs.zip?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ...
but i am not sure which part of it i should use or / and how should i edit the RFC. Can you please provide some more informations ? When i try that url in my browser (or part of it like http://www.https.com//report.financnasprava.sk:80/ds_dphs.zip ) i get redirected to some advertisment / eshops
2021 Dec 07 8:21 PM
oops
This URL is really surprising (in the wrong way). https://superuser.com/questions/888283/why-is-https-www-google-com-getting-redirected-to-http-www-ht....
Please check your SM59 destination twice, seems that you forgot to type the colon character (https//report.financnasprava.sk/ds_dphs.zip is wrong).
2021 Dec 08 9:01 AM
I checked destination, there is a colon after https
host = https://report.financnasprava.sk
Just for testing purpose I tried to change rfc destination to the following, with this settings i get proper response (html web site)
host = financnasprava.sk or www.financnasprava.sk
prefix =
- Defaul client SSL
When i tried the following, i get ICM_HTTP_SSL_ERROR
host = https://report.financnasprava.sk OR report.financnasprava.sk
prefix = /ds_dphs.zip
- Defaul client SSL
2021 Dec 17 8:03 AM
Hi Juraj, just add parameter through RZ10.
icm/HTTPS/client_sni_enabled = TRUE
and it will works.....
2021 Dec 17 6:50 PM
Hi Tibor, i tried it but it didnt work, still i get response:
<html><head><title>Loading...</title></head><body><...
2021 Dec 17 7:30 PM
Sorry, didn't see your last answer.
So host this way is fine (financnasprava.sk or www.financnasprava.sk)
Your SSL error is simply due that you didn't upload the Web site certificates to STRUST in the Default client SSL (go to the Web site with your Web browser, click on the "https lock", you should find 3 (usually) certificates that you need to download and upload in STRUST; usually it takes 5 minutes if you're authorized to manage STRUST).
2021 Dec 17 10:35 PM
Hi Juraj,
in SM59 we haven´t certificate unless you have to use their API. Simple file download works pretty without CA. SM59 -> Type is G. In technical settings try target host: report.financnasprava.sk; Server No.: 443; path prefix: /ds_dphs.zip. Tab Logon security: Security Options: SSL Active and select DFAULT SSL Client (Standard). Special Options TAB Status of HTTP Version select HTTP 1.1.
In tr. RZ10 add these 3 or 4 parameters if need:
icm/HTTPS/client_sni_enabled = TRUE
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
wdisp/ssl_ignore_host_mismatch = TRUE (not sure it must have)
and at last mandatory RESTART SAP App SERVER to force ICM changes
after this finally click Connection Test on SM59 - and see in header content type is zip file
2021 Dec 20 11:34 AM
Hi Tibor, i exactly followed your guide but when I test RFC i am getting ICM_HTTP_SSL_ERROR. The only thing that is different from you (probably) is that i am using proxy host and service in sm59. And u said that u didnt install any certificate in STRUST so am not sure where the problem might be.
2021 Dec 20 1:13 PM
HTTPS without uploading the certificates in STRUST? I didn't know that it could work...
And what if you upload the certificates in STRUST?
2021 Dec 20 1:27 PM
Hi Sandra, i went to report.financnasprava.sk and download certificate to my PC, then upload it to STRUST under client SSL standard but still have ICM_HTTP_SSL_ERROR
2021 Dec 20 1:34 PM
Proceed with all the certificateS of the certification chain.
2021 Dec 20 2:19 PM
I downloaded OpenSSL to download cert chain, it was 3 certificates, i uploaded them into STRUST under client SSL standard (actually i uploaded only 2 of them, 1 already existed), still same error.
2021 Dec 20 3:20 PM
I have checked the ICM trace and there is error. It is wierd because i implemented wdisp/ssl_ignore_host_mismatch = TRUE as Tibor suggested.
so i went to edane.financnasprava.sk and again downloaded cert chain, but error is still there
based on below, i still should see the error message but communication should continue, but in my case, communication is stopped. (there is not other error message after this one)
NOTE: The wdisp/ssl_ignore_host_mismatch = 1 will ignore the mismatch error, but it will not solve it. Therefore, the error message will still be visible in the traces, but the system will not stop the communication because of the error.
2021 Dec 20 4:22 PM
You don't need OpenSSL, you can download each certificate directly from your Web browser and install in STRUST in 10 clicks.
I tried on my system. I could make it work only after defining the below parameter, as explained in note 2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client
icm/HTTPS/client_sni_enabled = TRUE
EDIT: forgot to say that the error is due to the certificate subject CN=edane.financnasprava.sk but the accessed domain is report.financnasprava.sk. Consequently, there's a mismatch, which you can see in the SMICM trace (trace level 2 to see a little bit better).
2021 Dec 20 4:55 PM
In your case, the error is due to the certificate subject CN=edane.financnasprava.sk but the accessed domain is report.financnasprava.sk. Consequently, there's a mismatch, which you can see in the SMICM trace (trace level 2 to see a little bit better).
I could make it work only after defining the below parameter, as explained in note 2124480 - ICM / Web Dispatcher: TLS Extension Server Name Indication (SNI) as client
icm/HTTPS/client_sni_enabled = TRUE
Including Juraj conclusion: with older kernel (Kernel 721 / 722, with sufficient patch level, see note 2384290 - SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients), set this parameter:
ssl/client_sni_enabled = TRUE
2021 Dec 22 4:55 PM
Thank you and Tibor for help, i finally make it work. I read your suggested note and found out, i need to implement the note 2384290 (because we are on 722 kernel version), so the parameter i was missing in RZ11
ssl/client_sni_enabled = TRUE
2022 Jan 31 12:08 PM
2021 Dec 22 4:58 PM
I imported the cert chain for both domains edane.financnasprava.sk and report.financnasprava.sk . So i am not sure why the system is trying to compare CN=edane.financnasprava.sk to CN=report.financnasprava.sk and not CN=edane.financnasprava.sk