
HTTP and SSL

Use

All PI runtime components using the HTTP protocol support the encryption of the HTTP data stream by means of the SSL protocol, also known as HTTPS. HTTPS data streams are completely transparent to usage type PI.

To enable an HTTPS connection, two steps are required:

  1. Both parties of an HTTP connection (that is, the HTTPS client and the HTTPS server) must be technically enabled.

  2. The internal PI communications and the messaging communications must be configured in PI to use these HTTP connections.

In addition, for certain adapters you can enforce HTTP security for incoming messages.

Technically Enabling SSL

A general prerequisite for using HTTPS in both SAP NetWeaver Application Server (AS) ABAP and Java is that the SAP Cryptographic Library is installed on the AS. In addition, the X.509 certificates used must have been issued by a Certification Authority (CA) that the communication partner trusts: either a company-internal CA or an external trusted CA such as Thawte, Verisign, or TC Trustcenter.

Whenever a hardware or software component is to be enabled for SSL, the client side and the server side of an HTTP connection have to be enabled in different ways.

HTTPS comes in two flavors, both ensuring the confidentiality and integrity of data sent over the network:

  • Server authentication

    The HTTPS server identifies itself with a certificate that is to be verified by the client. To validate the HTTPS server's certificate, the HTTPS client must have a corresponding CA certificate that validates this certificate.

  • Client authentication

    The HTTPS client identifies itself with a certificate that is to be verified by the server. To validate the HTTPS client's certificate, the HTTPS server must have a corresponding CA certificate that validates this certificate. After validation of the client's certificate, the server maps the certificate to an actual system user executing the HTTP request. Note that trusting a CA certificate alone is not an authorization decision: every certificate issued by that CA passes validation, so it is the certificate-to-user mapping that determines which clients actually gain access.

Moreover, the technical configuration for HTTPS is different for PI ABAP and Java components. More information: see the SSL configuration documentation for AS ABAP and for AS Java.

Caution

Special considerations apply for dual-stack installations. More information: SSL Administration in a Dual-Stack Installation.

Configuring SSL for PI Communication

PI uses HTTP for technical communication and for most of the messaging communication (for example, for the XI protocol). For an overview of all communications, refer to Communication.

As outlined in the previous section, all components using HTTPS connections must be technically enabled first.

Note

In a logical system consisting of several physical application servers, each application server must be HTTPS-enabled individually and must have its own certificate installed.

Configuring SSL for Message Exchange

As described under Service Users for Message Exchange, there are four incoming and four outgoing connection types: (s1) to (s4) and (r1) to (r4). Connection types (s2), (s3), and (r3) use internal connections between the Integration Server and the Advanced Adapter Engines. All connections (provided they are HTTP connections) can be secured by HTTPS as follows:

  • (s1)

    The HTTP destination from the ABAP application system to the Integration Server must be configured as HTTPS.

  • (s3)

    The external sender must use an HTTPS connection to the Advanced Adapter Engine.

  • (s4), (r1), (r2), and (r4)

    The corresponding Integration Directory channel must be configured to use the XI 3.0 protocol over HTTPS.

  • (r3)

    The corresponding Integration Directory channel to the external receiver must be configured to use the relevant adapter protocol over HTTPS.

  • Internal communication between Integration Server and Advanced Adapter Engines: (s2), (s3), and (r3).

    The following exchange profile parameters must be set:

    • com.sap.aii.connect.secure_connections = messaging

    • com.sap.aii.connect.integrationserver.httpsport

    • com.sap.aii.connect.integrationserver.r3.httpsport

    The HTTPS configuration data of the Advanced Adapter Engines is maintained in the System Landscape Directory (SLD). It is automatically updated by a self-registration mechanism of the Advanced Adapter Engine.

    Note

    Only server authentication is supported when using SSL for internal communication between the Integration Server and the Advanced Adapter Engine. It is not possible to use client authentication as described in the previous section "Technically Enabling SSL". In other words, one-way SSL is supported, whereas two-way SSL is not.

    More information about profile parameters: Exchange Profile Parameters.

Configuring SSL for Technical Communication

You can also stipulate that SSL is used for all internal technical communication by setting the following exchange profile parameter:

  • com.sap.aii.connect.secure_connections = all

You must also set the httpsport parameter correctly for all PI components in the exchange profile. Because the value all includes the messaging connections, this setting implicitly enables SSL for messaging as well.

For information on how to secure the technical HTTP connection to the SLD, refer to SAP Note 766215.

Enforcing HTTP Security for Incoming Messages

You can define a security level for incoming messages handled by certain HTTP-based sender adapters. Use the appropriate sender communication channels in the Integration Directory for this purpose.

The supported HTTP-based adapters and protocols are:

  • On the Integration Server:

    • XI protocol

    • WS protocol

    • Plain HTTP adapter

  • In the Advanced Adapter Engine:

    • SOAP adapter

    • RNIF adapters (not for local processing)

    • CIDX adapter (not for local processing)

Possible HTTP security levels are (in ascending order):

  • HTTP without SSL

  • HTTP with SSL (= HTTPS), but without client authentication

  • HTTP with SSL (= HTTPS) and with client authentication

When you define one of these security levels for a sender channel, the Integration Server or Advanced Adapter Engine accepts only those messages that were sent over an HTTP connection with at least this security level. The exception is the WS protocol, which accepts only messages sent with exactly the configured security level; a connection that is more secure than configured is rejected as well.

If the security level of the HTTP connection is lower than the one defined for the sender channel (or does not match it in case the WS protocol is used), messages are rejected with an HTTP error. More information: SAP Note 891877.
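The following Python model illustrates the acceptance rule described above, including the WS exception. It is an added example, not SAP code: the names HttpSecurityLevel, IncomingConnection and check_sender_channel are assumptions made for this illustration, and the sample requests are constructed, not captured from a real system.

```python
"""Model of the HTTP security-level check that PI applies to sender channels.

Added illustration; not SAP code. It models the rule stated on the page:
most HTTP-based sender adapters accept a message whose connection meets at
least the configured level, while the WS protocol requires an exact match.
The names HttpSecurityLevel, IncomingConnection and check_sender_channel are
assumptions made for this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class HttpSecurityLevel(IntEnum):
    """Security levels in ascending order, as listed on the page."""
    HTTP = 0               # HTTP without SSL
    HTTPS = 1              # HTTPS without client authentication
    HTTPS_CLIENT_AUTH = 2  # HTTPS with client authentication


# Sender adapters/protocols on which the level can be set (from the page).
# "IS" = Integration Server, "AAE" = Advanced Adapter Engine.
SUPPORTED_PROTOCOLS = {
    "XI": "IS", "WS": "IS", "PLAIN_HTTP": "IS",
    "SOAP": "AAE", "RNIF": "AAE", "CIDX": "AAE",
}
# Protocols that require the exact configured level instead of a minimum.
EXACT_MATCH_PROTOCOLS = {"WS"}


@dataclass(frozen=True)
class IncomingConnection:
    """What the transport layer observed for one incoming request."""
    tls: bool                   # request arrived over HTTPS
    client_cert_verified: bool  # client certificate presented and validated


def level_of(conn: IncomingConnection) -> HttpSecurityLevel:
    """Derive the achieved security level from the connection properties."""
    if not conn.tls:
        if conn.client_cert_verified:
            raise ValueError("client certificate authentication requires TLS")
        return HttpSecurityLevel.HTTP
    if conn.client_cert_verified:
        return HttpSecurityLevel.HTTPS_CLIENT_AUTH
    return HttpSecurityLevel.HTTPS


def check_sender_channel(protocol: str,
                         required: HttpSecurityLevel,
                         conn: IncomingConnection) -> tuple[bool, str]:
    """Return (accepted, reason) for a message on the given sender channel."""
    if protocol not in SUPPORTED_PROTOCOLS:
        raise ValueError(f"{protocol}: security level not configurable")
    achieved = level_of(conn)
    if protocol in EXACT_MATCH_PROTOCOLS:
        ok = achieved == required   # WS: exact match only
        rule = "exactly"
    else:
        ok = achieved >= required   # all others: configured level is a minimum
        rule = "at least"
    where = SUPPORTED_PROTOCOLS[protocol]
    verdict = "accepted by" if ok else "rejected with an HTTP error by"
    return ok, (f"{protocol}: connection is {achieved.name}, channel requires "
                f"{rule} {required.name}; message {verdict} the {where}")


# Constructed sample traffic (not captured from a real system).
SAMPLE_REQUESTS = [
    ("SOAP", HttpSecurityLevel.HTTPS, IncomingConnection(True, True)),
    ("SOAP", HttpSecurityLevel.HTTPS, IncomingConnection(False, False)),
    ("WS", HttpSecurityLevel.HTTPS, IncomingConnection(True, True)),
    ("XI", HttpSecurityLevel.HTTPS_CLIENT_AUTH, IncomingConnection(True, False)),
]


def evaluate_samples() -> list[bool]:
    """Run the check over the constructed samples; return the accept flags."""
    results = []
    for protocol, required, conn in SAMPLE_REQUESTS:
        ok, reason = check_sender_channel(protocol, required, conn)
        print(reason)
        results.append(ok)
    return results


if __name__ == "__main__":
    evaluate_samples()
```

The third sample is the case that usually surprises administrators: a WS sender channel configured for HTTPS without client authentication rejects a caller that does present a client certificate, because the WS protocol matches the level exactly rather than treating it as a minimum.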