HTTP and SSL

Use

All PI runtime components using the HTTP protocol support the encryption of the HTTP data stream by means of the SSL protocol, also known as HTTPS. HTTPS data streams are completely transparent to usage type PI.

To enable an HTTPS connection, two steps are required:

  1. Both parties of an HTTP connection (that is, the HTTPS client and the HTTPS server) must be technically enabled.

  2. The internal PI communications and the messaging communications must be configured in PI to use these HTTP connections.

In addition, for certain adapters you can enforce HTTP security for incoming messages.

Technically Enabling SSL

A general prerequisite for using HTTPS is that the SAP Cryptographic Library is installed on the Application Server. In addition, the certificates (for example an X.509 certificate) used must have been issued by a company-internal Certification Authority (CA), or by an external trusted CA such as Thawte, Verisign, or TC Trustcenter.

Whenever a hardware or software component is to be enabled for SSL, the client and the server part of an HTTP connection have to be enabled differently.

HTTPS comes in two flavors, both ensuring the confidentiality of data sent over the network:

  • Server authentication

    The HTTPS server identifies itself with a certificate that is to be verified by the client. To validate the HTTPS server's certificate, the HTTPS client must have a corresponding CA certificate that validates this certificate.

  • Client authentication

    The HTTPS client identifies itself with a certificate that is to be verified by the server. To validate the HTTPS client's certificate, the HTTPS server must have a corresponding CA certificate that validates this certificate. After validation of the client's certificate, the server maps the certificate to an actual system user executing the HTTP request.

More information: Configuring the Use of SSL on the AS Java

Configuring SSL for PI Communication

PI uses HTTP for technical communication and for most of the messaging communication (for example, for the XI protocol). For an overview of all communications, refer to Communication.

As outlined in the previous section, all components using HTTPS connections must be technically enabled first.

Configuring SSL for Message Exchange

There are different incoming and outgoing connection types. All connections (provided they are HTTP connections) can be secured by HTTPS as follows:

  • (s1)

    The HTTP destination from the ABAP application system to the Advanced Adapter Engine must be configured as HTTPS.

  • (s3)

    The external sender must use an HTTPS connection to the Advanced Adapter Engine.

  • (r1) and (r2)

    The corresponding Integration Directory channel must be configured as an XI 3.0 protocol using HTTPS.

  • (r3)

    The corresponding Integration Directory channel to the external receiver must be configured as a corresponding adapter protocol using HTTPS.

Configuring SSL for Technical Communication

You can also stipulate that SSL is used for all internal technical communication.

To do that, log on to SAP NetWeaver Administrator, choose Configuration, then Infrastructure, then Java System Properties, select the Service tab and the XPI Service: AII Config Service (com.sap.aii.utilxi.cfg.svc).

Set the following profile parameter:

  • com.sap.aii.connect.secure_connections = all

Enforcing HTTP Security for Incoming Messages

You can define a security level for incoming messages handled by certain HTTP-based sender adapters. Use the appropriate sender communication channels in the Integration Directory for this purpose.

The supported HTTP-based adapters and protocols are (on the Advanced Adapter Engine):

  • SOAP adapter

  • RNIF adapters

  • CIDX adapter

Possible HTTP security levels are (in ascending order):

  • HTTP without SSL

  • HTTP with SSL (= HTTPS), but without client authentication

  • HTTP with SSL (= HTTPS) and with client authentication

When you define one of these security levels for a sender channel, only those messages that have been sent by using an HTTP connection with at least this security level are accepted by the Advanced Adapter Engine.

If the security level of the HTTP connection is lower than the one defined for the sender channel, messages are rejected with an HTTP error. More information: SAP Note 891877.
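The following Go program is an added example, not SAP code or part of this page: it shows the two HTTPS flavors from "Technically Enabling SSL" (server authentication, and client authentication with the validated certificate mapped to a user) and the three-level check from "Enforcing HTTP Security for Incoming Messages" in one runnable piece. Go's standard TLS stack stands in for the AS Java and the SAP Cryptographic Library; everything else is assumed for the demo: the numeric encoding of the levels, a throwaway in-memory CA with the constructed names "Demo CA", "127.0.0.1" and "pi-sender-01", mapping the client certificate's CN straight to a user name, reporting that user in a made-up X-Mapped-User header, and HTTP 403 as the rejection error (the page does not say which HTTP error PI returns).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"time"
)

// Constructed numeric encoding of the page's three security levels, in ascending order.
const LevelPlain, LevelServerAuth, LevelClientAuth = 0, 1, 2

// channelHandler models a sender channel with a minimum level. The level a request actually
// arrived with is derived from its TLS state (none, TLS only, or TLS with a validated client
// certificate, which is then mapped to a user: here simply the CN, PI has its own mapping).
func channelHandler(minLevel int) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		level, user := LevelPlain, ""
		if r.TLS != nil {
			level = LevelServerAuth
			if chains := r.TLS.VerifiedChains; len(chains) > 0 {
				level, user = LevelClientAuth, chains[0][0].Subject.CommonName
			}
		}
		if level < minLevel {
			http.Error(w, "security level below channel minimum", http.StatusForbidden)
			return
		}
		w.Header().Set("X-Mapped-User", user) // accepted: report the mapped user to the caller
	}
}

// identity is a throwaway in-memory certificate and key of the demo PKI.
type identity struct {
	cert *x509.Certificate
	tls  tls.Certificate
}

// issue creates a certificate for cn: a self-signed CA when parent is nil, else signed by parent.
func issue(cn string, parent *identity) *identity {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}
	signer, signKey := tmpl, key // self-signed root unless a parent CA is given
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signKey = parent.cert, parent.tls.PrivateKey.(ed25519.PrivateKey)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &identity{cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}
}

// startServer serves HTTPS on a loopback port; a client certificate is validated against the CA
// pool whenever one is offered (VerifyClientCertIfGiven) and the handler enforces the minimum.
func startServer(cas *x509.CertPool, srv *identity, minLevel int) (url string) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv.tls},
		ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: cas})
	if err != nil {
		panic(err)
	}
	go http.Serve(ln, channelHandler(minLevel))
	return "https://" + ln.Addr().String()
}

// send performs one GET, authenticating the server against the CA pool and presenting the client
// certificate when client is non-nil; it returns the status and the user the server mapped.
func send(url string, cas *x509.CertPool, client *identity) (int, string, error) {
	tc := &tls.Config{RootCAs: cas}
	if client != nil {
		tc.Certificates = []tls.Certificate{client.tls}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: tc}}).Get(url)
	if err != nil {
		return 0, "", err
	}
	resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("X-Mapped-User"), nil
}

func main() {
	ca := issue("Demo CA", nil) // constructed demo PKI: CA, server certificate for 127.0.0.1, one sender
	cas := x509.NewCertPool()
	cas.AddCert(ca.cert)
	url := startServer(cas, issue("127.0.0.1", ca), LevelClientAuth)
	fmt.Println(send(url, cas, issue("pi-sender-01", ca))) // 200 pi-sender-01 <nil>
	fmt.Println(send(url, cas, nil))                       // 403  <nil>
}
```

Run it with go run; the first request carries a certificate issued by the demo CA and is accepted and mapped, the second completes the TLS handshake (server authentication only) but is rejected because the channel demands client authentication. VerifyClientCertIfGiven is what lets a single listener serve all three levels while the handler applies the "at least this security level" rule per channel; a server configured with RequireAndVerifyClientCert would instead fail the handshake itself, and a client that does not trust the CA never gets as far as an HTTP error.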