
Calling HTTP endpoint using .CRT and .KEY files in ABAP?

I'm trying to consume an endpoint from ABAP by instantiating an if_http_client from cl_http_client=>create_by_url. That process works fine when I don't need to use a signed certificate. Usually I just include the certificate using the STRUST transaction.

But for this specific case I have two certificate files: .crt and .key. I'm able to fetch the endpoint from Postman, because I can insert those files in Settings -> Certificates:

So, how can I have it working from ABAP? How do I insert those files in my HTTP request? Should I pass them from ABAP code, or configure it in STRUST or some other transaction?

rayashi asked Nov 04 '25 14:11


1 Answer

EDIT: Reworked answer to better address the problem as more details arise. NOTE for readers: This is ABAP as HTTP client (not server) with SSL. This is also a non-typical problem. Here the SAP system has to connect to another service using a specific client certificate to establish an SSL connection. Something that would normally be managed at network level.

When loading the certificate, it must be loaded into STRUST in the client PSE area.

The previous idea (prior to edit/rework), sending the certificate as a header, is explained as Option 3.

OPTIONS:

1) SSL handshake in ABAP. Trying to manage the SSL handshake in ABAP is very likely not possible. The SSL handshake is managed by sapcryptolib.

2) Import the Client Certificate in STRUST into the Standard Client PSE. See details below

3) Use xxxx.cer as string and add as HTTP header (last resort, if option 2 doesn't work)

==============================================================

2) Option 2 Details (BEST WAY): Import your certificate into STRUST, in the SSL client Standard area.

Here is an example in the standard SAP docu of an actual case. It is the Dutch Payroll interface, using a private key certificate (*.p12 or *.pfx file).

https://help.sap.com/docs/ERP_HCM_SPV/491c29ac9232469bb257a2ba14ac290c/999ad0ce8bd24945b547584e776e9a4e.html

Since this type of cert can't be directly imported into SAP, it explains how you can use sapgenpse at operating system level to convert the p12 into a PSE file. STRUST does not support import of p12 files.

Now the ABAP call uses the client identity created in this step.

    cl_http_client=>create_by_url(
      EXPORTING
        url    = 'url'
        ssl_id = 'CL_ID' "Ident created in step above
      IMPORTING
        client = lo_client
    ).

Or, perhaps easier to work with: use SM59 to create an external HTTP address and select this newly created identity.

Then call with http client created via destination.

    CALL METHOD cl_http_client=>create_by_destination
      EXPORTING
        destination = lv_destination "the new SM59 destination
      IMPORTING
        client      = lo_http_client.

3) Option 3 Details (not ideal; assumes the called service supports it): if and only if the called service supports certificates as a header. Note your xxx.cer is the equivalent of an identity key. Manage the string carefully.

    DATA: lo_client TYPE REF TO if_http_client.

    cl_http_client=>create_by_url(
      EXPORTING
        url    = 'url'
        ssl_id = 'ANONYM'      "Start SSL handshake as anonymous SSL
      IMPORTING
        client = lo_client
    ).

    " and pass the actual identity as an HTTP header.
    " Many services support this approach, but the solutions are always
    " specific to that service.
    " Example is the Microsoft translation service:
    " they expect a user subscription key as a header.
    " 'https://api-eur.cognitive.microsofttranslator.com/translate?api-version=3.0'

    lo_client->request->set_header_field(
      EXPORTING
        name  = 'Client-Cert'    "Check HTTP header name with called service docu
        value = '<cert> in string format'
    ).

    "lo_client->send( .. )
    "lo_client->receive( .. )
phil soady answered Nov 06 '25 05:11
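
The question starts from a separate .crt and .key, while the sapgenpse conversion in Option 2 starts from a .p12. As an added example (not part of the original answer), these shell functions check that the two files belong together and bundle them into a PKCS#12 file with OpenSSL. The function names, file names, the `abap-client` alias and the `P12_PASS` variable are assumptions, and the key is assumed to be an unencrypted PEM file.

```shell
#!/bin/sh
# Added example; all file names below are placeholders.

# Succeeds only if the certificate and the private key form a pair,
# i.e. both yield the same public key. Returns 2 if a file cannot be parsed.
pair_matches() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Bundle <crt> and <key> into <out.p12>.
# The export password is taken from the exported environment variable
# P12_PASS, so it never shows up in the process list or shell history.
crt_key_to_p12() {
    crt=$1 key=$2 out=$3
    [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; return 1; }
    pair_matches "$crt" "$key" || {
        echo "certificate and key do not match" >&2
        return 1
    }
    # umask 077: the bundle contains the private key, keep it owner-only.
    ( umask 077
      openssl pkcs12 -export -in "$crt" -inkey "$key" \
          -name "abap-client" -out "$out" -passout env:P12_PASS )
}

# Usage (placeholder names):
#   export P12_PASS='...'
#   crt_key_to_p12 client.crt client.key client.p12
#
# Next step on the SAP host, not run here (check the options against the
# help output of your sapgenpse version):
#   sapgenpse import_p12 -p client.pse client.p12
# Then import client.pse in STRUST as the SSL client identity and remove
# the intermediate copies of the .key and .p12 files.
```

The mismatch check matters because a certificate paired with the wrong key still imports as a file but fails only later, during the TLS handshake.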