Chem XML Message eStandards and CIDX Scenario Part III

In my earlier blogs I explained the CIDX standards and how to design and configure the objects that support CIDX communication.

Blog1

Blog2

Through this blog I would like to make your experience with CIDX communication pleasant and fruitful.

This blog covers the intricate details of security and certificates in simple steps, focusing on PI 7.1.

You have already selected the CIDX adapter with Transport Protocol “HTTPS” and Message Protocol “RNIF 1.1” for communication. Selecting the message protocol RNIF 1.1 means you are configuring the scenario to handle the Preamble, Service Header, Service Content, digital signatures, etc.

We will focus on achieving HTTPS communication, which combines HTTP with the SSL/TLS protocol to provide encrypted communication and secure identification of the network web server.

Step 1: Since the CIDX adapter runs on the Adapter Engine, you need to set up the Java stack of your server to receive and send secured messages.

SSL communication is handled by the ICM (Internet Communication Manager) for both the Java and ABAP servers, and you need to configure which of the two it uses. Navigate to RZ10, select the profile <SYSID>_DVEBMGS00_<host> and set the profile parameter:

ssl/pse_provider              = JAVA

Step 2: Restart the server; the keystore views are then created automatically in SAP NetWeaver Administrator (NWA).

Navigate to NWA >> Configuration Management >> Certificate and Keys.

Identify the new keystore view named ICM_SSL_<instance ID>.

Create the private key in this keystore view using “Create” and follow the wizard.

Notice that “Generate CSR Request” is now enabled; use it to generate the CSR request. This step is needed to get your certificate issued by a third-party certificate authority, so that you are identified as a trusted partner for secure online transactions and can conduct business over the internet.

The certificate you purchase is the CSR response. Select the private key you have just created and import the certificate with “Import CSR Response”.

Copy these certificates into the Trusted CAs and secure_ssl keystore views.

Step 3: Load the public key of your partner together with the entire certificate chain (public key, intermediate and root) into the keystore views “ICM_SSL_XXXX” and Trusted CAs.

In the following screenshot, you can see Verisign as the certificate authority and the chain of certificates.

They can be recognized as follows: Verisign is the root, Verisign Class 3 Secure Server CA – G3 is the intermediate and business.partner.com is the public key.

At times your partners provide self-signed certificates; PI supports these as well.

Step 4: Choose how you want to let your partner log into your server so that the message request gets processed.

a) In some cases, the certificate is issued with CN = <user id>; then provide the necessary authorizations to that user.

b) In most cases, the certificate is issued to a host name, e.g. business.partner.com. To support certificate logon in this case, you need to perform additional settings.

    i. Create a certificate user, say PICERTUSER, with adequate authorizations (one of them is ‘XI_AF_RECEIVE’).

    ii. Navigate to NWA >> Configuration Management >> Security >> Authentication.

       Go to the login module ClientCertLoginModule.

       Edit it to maintain Name as “Rule1.getUserFrom” and Value as “wholeCert”.

    iii. Navigate to NWA >> Configuration Management >> Security >> Identity Management.

       Display PICERTUSER and modify it to load the partner certificate (public key only).

       This means that when a message arrives from the remote server, the certificate is authenticated and the logon is then accepted through PICERTUSER.

       Internally the message is validated by checking the partner certificate's issuing authority against the certificates in ICM_SSL_XXX and Trusted CAs. If it is found there, the check passes, and the next step is to select the user that matches the certificate.

    iv. As an additional optional step, you may want to restrict processing of the scenario to this user through Business Component >> Assigned Users in the Configuration.
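To make the two logon options of Step 4 concrete, here is an added Go example (not code from this blog or from SAP) that models the check with the standard x509 library: the partner chain must end at a CA held in the Trusted CAs view, and the logon user is then either the subject CN (option a) or the user on whose Identity Management entry the whole certificate is loaded (option b, Rule1.getUserFrom = wholeCert). The three-certificate chain is constructed in-process for the demonstration; the function names and the `wholeCert` flag are my assumptions, while PICERTUSER and business.partner.com come from the steps above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate for cn signed by parent; a nil parent yields a self-signed root.
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root: the template signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pool gathers certificates the way a keystore view (e.g. Trusted CAs) holds them.
func pool(cs ...*x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); for _, c := range cs { p.AddCert(c) }; return p }

// MapUser models Step 4: the chain from the partner certificate must end at a CA in trustedCAs,
// then the logon user is the subject CN (option a) or, when wholeCert is set (option b), the user
// whose entry holds exactly this certificate; certUsers maps the raw DER certificate to the user.
func MapUser(leaf *x509.Certificate, inters, trustedCAs []*x509.Certificate, wholeCert bool, certUsers map[string]string) (string, error) {
	opts := x509.VerifyOptions{Roots: pool(trustedCAs...), Intermediates: pool(inters...)}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("partner certificate rejected: %w", err)
	}
	if !wholeCert {
		return leaf.Subject.CommonName, nil // option a: CN = <user id>
	}
	if u, ok := certUsers[string(leaf.Raw)]; ok {
		return u, nil // option b: whole certificate loaded on e.g. PICERTUSER
	}
	return "", fmt.Errorf("no user holds the certificate of %s", leaf.Subject.CommonName)
}
```

A chain missing its intermediate, or rooted at a CA absent from trustedCAs, is rejected before any user lookup happens, which mirrors why the whole chain must be loaded in Step 3.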

Step 5: For the remaining configuration, follow my previous blog 2.

Watch out for another blog that focuses on troubleshooting CIDX communication.

For additional help, use these SAP resources:

  1. Maintaining the User’s Certificate Information

http://help.sap.com/saphelp_nwpi711/helpdata/en/a7/1cd08ffe25e34799cbbe1a7ecdb8ed/frameset.htm

  3. You may use the diagtool provided by SAP; more details are available in note#1045019 – Web Diagtool for collecting traces. This is a very good tool that gives you visibility into how the message is being processed.

SAP Developer Network SAP Weblogs: SAP Process Integration (PI)