HTTP Tunneling Specific Configuration

Use

HTTP tunneling transfers RMI-P4 information between an RMI-P4 client and AS Java over the HTTP protocol. Once the specific configuration described here is applied, a proxy or a firewall can stand between the RMI-P4 client and AS Java. To use HTTP tunneling communication, you have to configure a set of HTTP tunneling specific properties both on the client and on AS Java.

Client Side Configuration

The RMI-P4 client can connect to AS Java using the HTTP(S) protocol. The client can configure this connection using the environment properties passed to the InitialContext constructor by:

  • Adding a prefix to the java.naming.provider.url property:

    P4HTTP:// - for plain HTTP connection

    P4HTTPS:// - for secure HTTPS connection

  • Configuring the TransportLayerQueue property:

    httptunneling - for plain HTTP connection

    httptunneling_ssl - for secure HTTPS connection

When using HTTP(S) tunneling, the client has to specify the HTTP(S) port of the server in the java.naming.provider.url. When using HTTPS, the client has to import a server-side certificate to its default JRE in order to trust the server.

To export a server-side certificate and use it on the client side, follow this procedure:

  1. Open SAP NetWeaver Administrator.

  2. Choose Configuration > Certificates and Keys.

  3. In Key Storage Views, find and select ICM's certificate.

  4. In the Details of View pane below, select ssl_credentials in the View Entries tab.

  5. Choose Export to File.

  6. In the Export Entry to File dialog box that appears, select export format PKCS8 KeyPair and file type X.509 Certificate file.

  7. Choose Download and save the file locally.

  8. Import the saved certificate in the keystore used by the RMI-P4 client JDK.

For more information, see: Using the AS Java Key Storage
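
The following client-side check is an added example, not SAP's own code. It ties the P4HTTPS:// URL prefix to the certificate import in step 8: it prints the exported certificate's fingerprint for out-of-band comparison, refuses to connect unless that certificate is already in the client truststore, and only then opens the InitialContext over HTTPS tunneling. The class name, the command-line arguments and the JNDI factory class name are assumptions; pass the truststore that the client JVM actually uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

public class P4HttpsTunnelCheck {
    // Assumption: JNDI factory class shipped with the SAP client libraries.
    static final String FACTORY = "com.sap.engine.services.jndi.InitialContextFactoryImpl";

    // SHA-256 fingerprint, for out-of-band comparison with the server's certificate.
    static String fingerprint(X509Certificate cert) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            hex.append(String.format("%02X:", b));
        }
        return hex.substring(0, hex.length() - 1);
    }

    // Usage: java P4HttpsTunnelCheck <exported.crt> <truststore> <storepass> <host> <https-port>
    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("SHA-256: " + fingerprint(cert));

        // Step 8 check: the exported certificate must already be in the client truststore.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trust.load(in, args[2].toCharArray());
        }
        if (trust.getCertificateAlias(cert) == null) {
            throw new IllegalStateException("Certificate not trusted; import it before connecting");
        }

        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        // Secure prefix from the list above, with the server's HTTPS port (not the P4 port).
        env.put(Context.PROVIDER_URL, "P4HTTPS://" + args[3] + ":" + args[4]);
        Context ctx = new InitialContext(env);
        System.out.println("Connected over P4HTTPS: " + ctx.getEnvironment().get(Context.PROVIDER_URL));
        ctx.close();
    }
}
```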

Server Side Configuration

HTTP tunneling is disabled on AS Java by default. To enable it, the administrator has to start the HTTP tunneling application.

To start the application temporarily, use the following Telnet command: start_app sap.com/tc~je~p4tunneling~app. After restarting AS Java, HTTP tunneling will be disabled again. This default behavior is defined by the filters and can be changed using the Config Tool. For more information, see Adding Filters.

To stop the application manually, use the following Telnet command: stop_app sap.com/tc~je~p4tunneling~app.

Plain HTTP tunneling is not allowed by default. To allow the non-secure tunneling, you have to set the P4 Service property allow_non_ssl_tunneling to true using the following Telnet command: setsp -p ALLOW_NON_SSL_TUNNELING true p4.

For security reasons, there is a short session timeout for RMI-P4 connections that are not authenticated. In case the client side authentication is done by the user (not programmatically), the administrator should increase this session timeout by changing the value of the P4 service property tunneling_short_session_timeout using the Config Tool. Its default value is 10 seconds.

After the user is authenticated, the timeout for HTTP communication under RMI-P4 communication is automatically increased. You can customize this timeout by changing the value of the tunneling_default_session_timeout using the Config Tool. Its default value is 60 seconds.

More information: Modifying Service, Manager, or Application Properties.

Recommendation

We recommend that you do not change the default values of the above timeouts.