Technology Blogs by SAP
simon_luser
Product and Topic Expert

WebSocket RFC has been available for a while now. Continue reading if

  1. you want to communicate from an external Java application to an ABAP-based system via this new protocol using the JCo library.
  2. you have an existing JCo setup using classic CPIC-based RFC and want to migrate.

Adjusting the destination

For specifying the destination, instead of providing the properties for application server logon (jco.client.ashost, jco.client.sysnr) or message server logon (jco.client.mshost, jco.client.msserv, jco.client.r3name), the following properties must be provided:

  • jco.client.wshost: the hostname of the target system
  • jco.client.wsport: the port for HTTPS/WSS (WebSocket Secure) of the target system

Optionally, you can also specify

  • jco.client.tls_client_certificate_logon: If set to 1, this property enables logon at the backend via the X.509 client certificate that is used in the TLS handshake (mTLS). An associated user or mapping rule must be defined at the backend.

Extending the implementation

WebSocket RFC is based on TLS, thus a PKI must be set up. To achieve that, the following method from the JCo interface DestinationDataProvider must be implemented:

SSLContext getSSLContext(String destinationName)

This method returns a javax.net.ssl.SSLContext instance to JCo, which is used to create the TLS session for a given destination. How such an instance is created is up to the application - we are going to describe a simple use case in which all keys and CAs are stored in a local p12 file (p12FilePath) and the password is read from a secured database.

import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

SSLContext loadSSLContextFromFile() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableKeyException, KeyManagementException {
    File p12File = new File(p12FilePath);

    try (InputStream p12FileStream = new BufferedInputStream(new FileInputStream(p12File))) {
        // the p12 file holds both our private key with its certificate and the trusted CA certificates
        KeyStore ks = KeyStore.getInstance("PKCS12");

        char[] pwd = SecuredDatabaseConnection.readPassword();

        ks.load(p12FileStream, pwd);
        // the key managers present our client certificate during the TLS handshake
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pwd);

        // delete the plain text password from the heap memory as soon as possible
        Arrays.fill(pwd, (char) 0);
        pwd = null;

        // the trust managers validate the ABAP system's server certificate against the CAs in the same key store
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return sslContext;
    }
}

If jco.client.tls_client_certificate_logon is used, the following method must be implemented as well:

X509Certificate getClientCertificate(String destinationName)

This method must return the java.security.cert.X509Certificate instance of the client certificate used for logon. It must be the one provided in the SSLContext, which is used during the TLS handshake.
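
Both callbacks together, as an added example that is not from the original post and not JCo's own code: a DestinationDataProvider that supplies the WebSocket destination properties from "Adjusting the destination" and serves getSSLContext and getClientCertificate from one PKCS#12 key store, so the logon certificate is guaranteed to be the one presented in the handshake. The class name, hostname, port, p12 path and password handling are assumptions; the file is assumed to contain exactly one private key entry.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.sap.conn.jco.ext.DestinationDataEventListener;
import com.sap.conn.jco.ext.DestinationDataProvider;

public class WebSocketRfcDestinationProvider implements DestinationDataProvider {
    private final SSLContext sslContext;
    private final X509Certificate clientCertificate;
    // p12FilePath and pwd are assumed inputs; the file holds our private key plus the trusted CA certificates
    public WebSocketRfcDestinationProvider(String p12FilePath, char[] pwd) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12FilePath)) {
            ks.load(in, pwd);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pwd);
        java.util.Arrays.fill(pwd, (char) 0);  // the key managers hold the keys now; drop the plain-text password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                          // the certificate exported from STRUST must be in this file
        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        clientCertificate = privateKeyCertificate(ks);
    }

    // The logon certificate must be the one the SSLContext presents, so it is read from the same key store
    private static X509Certificate privateKeyCertificate(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) return (X509Certificate) ks.getCertificate(alias);  // CA entries have no key
        }
        throw new IllegalStateException("no private key entry in PKCS#12 file");
    }

    @Override public Properties getDestinationProperties(String destinationName) {
        Properties p = new Properties();
        p.setProperty("jco.client.wshost", "abap.example.internal");   // assumed hostname
        p.setProperty("jco.client.wsport", "44300");                    // assumed HTTPS/WSS port
        p.setProperty("jco.client.tls_client_certificate_logon", "1");  // logon with the mTLS client certificate
        return p;
    }
    @Override public SSLContext getSSLContext(String destinationName) { return sslContext; }
    @Override public X509Certificate getClientCertificate(String destinationName) { return clientCertificate; }
    @Override public boolean supportsEvents() { return false; }
    @Override public void setDestinationDataEventListener(DestinationDataEventListener listener) { }
}
```

Register an instance with Environment.registerDestinationDataProvider before calling JCoDestinationManager.getDestination; if the key store ever holds several private key entries, the key manager may choose a different one than getClientCertificate returns and the logon fails.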

Setting up Trust

Creating the p12 File

Create a p12 file with a private key using a tool like keytool or OpenSSL. Create a CSR and import the CA response. Furthermore, import the CA certificate from the ABAP system which has been exported (see next section).

Configuring trust in ABAP

Navigate to transaction STRUST and select "SSL-Server Standard". Select the system's own certificate and export it. For more information, see also here. Also import the CA certificate from the p12 file and add it to the certificate list, so that mutual trust can be established.

Using WebSocket RFC in BTP

If you use JCo in BTP in conjunction with the Destination Service and you want to use WebSocket RFC to call publicly exposed endpoints, you can skip the above "Extending the implementation" part. This integration is already implemented by SAP in the supported environments. You can follow the steps in the BTP Connectivity Service documentation on how to configure the Destination Service accordingly.
