HTTP and SSL

All PI runtime components using the HTTP protocol support the encryption of the HTTP data stream by means of the SSL protocol, also known as HTTPS. HTTPS data streams are completely transparent to usage type PI.

To enable an HTTPS connection, two steps are required:

1. Both parties of an HTTP connection (that is, the HTTPS client and the HTTPS server) must be technically enabled.

2. The internal PI communications and the messaging communications must be configured in PI to use these HTTP connections.

In addition, for certain adapters you can enforce HTTP security for incoming messages.

Technically Enabling SSL

Whenever a hardware or software component is to be enabled for SSL, the client and the server part of an HTTP connection have to be enabled differently. Moreover, the technical configuration for HTTPS is different for PI ABAP and J2EE components. For more information, see Transport Layer Security.

HTTPS comes in two flavors, both ensuring the confidentiality of data sent over the network:

- Server authentication

Only the HTTP server identifies itself with a certificate, which the client verifies.

- Client authentication

Additionally, the HTTP client identifies itself with a certificate, which the server verifies.

A general prerequisite for using HTTPS in both SAP NetWeaver Application Server (AS) ABAP and Java is that the SAP Cryptographic Library is installed on the AS. In addition, certificates (for example, X.509 certificates) must be used that have been issued either by a company-internal Certification Authority (CA) or by an external trusted CA such as Thawte, VeriSign, or TC TrustCenter.

In both ABAP and Java components, HTTPS server authentication is enabled as follows:

- Use transaction STRUST to set up an AS-ABAP as HTTPS server. If not already done, you have to import a certificate generated by a trusted CA identifying the AS. In addition, you have to enable the HTTPS port in the ICM (Internet Communication Manager).

- Use transaction STRUST to set up an AS-ABAP as HTTPS client. If not already done, you have to import the certificate of the CA that issued the HTTPS server’s certificate. For an actual HTTPS connection, you have to use the HTTPS port of the server in a corresponding HTTP destination, and you have to configure this HTTP destination to use SSL with the corresponding client certificate.

- Use the Visual Administrator to set up an AS-Java as HTTPS server. If not already done, you have to import a certificate generated by a CA identifying the AS into the keystore named service_ssl in the Keystore service. In addition, you have to assign this certificate in the SSL Provider service.

- Use the Visual Administrator to set up an AS-Java as HTTPS client. If not already done, you have to import the certificate of the CA that issued the HTTPS server’s certificate into the J2EE engine’s keystore view named TrustedCAs.

In the case of a client authentication, the HTTPS client must also have a certificate generated by a CA for self-identification. For validating the HTTPS client’s certificate, the HTTPS server must have a corresponding CA certificate that validates this certificate. After validation of the client’s certificate, the server maps the certificate to an actual system user executing the HTTP request.

The mapping of the certificate differs for AS-ABAP and AS-Java. For more information, see Configuring the System for Using X.509 Client Certificates or Maintaining the User's Certificate Information, respectively.

Configuring SSL for PI Communication

PI uses HTTP for technical communication and for most of the messaging communication (for example, for the XI protocol). For an overview of all communications, see Communication.

As outlined in the previous section, all components using HTTPS connections must be technically enabled first.

In a logical system consisting of several physical application servers, each application server must be individually HTTPS-enabled and must have installed its own certificate.

Configuring SSL for Message Exchange

As described under Service Users for Message Exchange, there are four outgoing and four incoming connection types: (s1) to (s4) and (r1) to (r4). Connection types (s2), (s3), and (r3) use internal connections between the Integration Server and the Adapter Engines. All connections (provided they are HTTP connections) can be secured by HTTPS as follows:

- (s1)

The HTTP destination from the ABAP application system to the Integration Server must be configured as HTTPS.

- (s3)

The external sender must use an HTTPS connection to the Adapter Engine.

- (s4), (r1), (r2), and (r4)

The corresponding Integration Directory channel must be configured with the XI 3.0 protocol using HTTPS.

- (r3)

The corresponding Integration Directory channel to the external receiver must be configured with the corresponding adapter protocol using HTTPS.

- Internal communication between Integration Server and Adapter Engines: (s2), (s3), and (r3).

The following exchange profile parameters must be set:

  - com.sap.aii.connect.secure_connections = messaging

  - com.sap.aii.connect.integrationserver.httpsport

  - com.sap.aii.connect.integrationserver.r3.httpsport

The HTTPS configuration data of the Adapter Engines is maintained in the System Landscape Directory (SLD). It is automatically updated by a self-registration mechanism of the Adapter Engine.

For more information on profile parameters, see Exchange Profile Parameters.

Configuring SSL for Technical Communication

You can also stipulate that SSL is used for all internal technical communication by setting the following exchange profile parameter:

- com.sap.aii.connect.secure_connections = all

You also have to correctly set the httpsport parameter for all PI components in the exchange profile. This implicitly sets SSL for messaging as well.

For information on how to secure the technical HTTP connection to the SLD, see SAP Note 766215.

Enforcing HTTP Security for Incoming Messages

You can define a security level for incoming messages handled by certain HTTP-based sender adapters. Use the appropriate sender communication channels in the Integration Directory for this purpose.

The supported HTTP-based adapters are:

- On the Integration Server:

  - XI protocol

  - Plain HTTP adapter

- In the Adapter Engine:

  - SOAP adapter

Possible HTTP security levels are (in ascending order):

- HTTP without SSL

- HTTP with SSL (= HTTPS), but without client authentication

- HTTP with SSL (= HTTPS) and with client authentication

When you define one of these security levels for a sender channel, only those messages that have been sent by using an HTTP connection with at least this security level are accepted by the Integration Server or Adapter Engine. If the security level of the HTTP connection is lower than the one defined for the sender channel, messages are rejected with an HTTP error. See also SAP Note 891877.
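The acceptance rule above can be checked against a record of incoming connections. The following Python script is an added example, not SAP code and not part of this documentation: it models the three security levels in the page's ascending order, derives the level an incoming connection actually reached from a few constructed, hypothetical log lines (the key=value layout, the sender names and the client_cert values are assumed, not an SAP log format), and applies the "at least this security level" rule a sender channel enforces. A client certificate that was presented but not verified against a trusted CA counts as no client authentication, which is the edge case worth checking when auditing such records.

```python
import re
from dataclasses import dataclass
from enum import IntEnum


class HttpSecurityLevel(IntEnum):
    """The three HTTP security levels of the page, in ascending order."""
    HTTP = 0               # HTTP without SSL
    HTTPS = 1              # HTTP with SSL, without client authentication
    HTTPS_CLIENT_AUTH = 2  # HTTP with SSL and with client authentication


@dataclass(frozen=True)
class IncomingConnection:
    """Transport facts about one incoming message (hypothetical structure, not an SAP API)."""
    sender: str
    tls: bool
    client_cert_verified: bool  # certificate validated against a trusted CA and mapped to a user


# Constructed, hypothetical log lines; the key=value layout is assumed, not an SAP log format.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z sender=partner-a scheme=http client_cert=none",
    "2024-01-01T10:00:01Z sender=partner-b scheme=https client_cert=none",
    "2024-01-01T10:00:02Z sender=partner-c scheme=https client_cert=unverified",
    "2024-01-01T10:00:03Z sender=partner-d scheme=https client_cert=verified",
]

_LINE_RE = re.compile(
    r"sender=(?P<sender>\S+)\s+scheme=(?P<scheme>https?)\s+client_cert=(?P<cert>none|unverified|verified)"
)


def parse_log_line(line):
    """Turn one constructed log line into an IncomingConnection; raise on an unknown layout."""
    match = _LINE_RE.search(line)
    if match is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    return IncomingConnection(
        sender=match["sender"],
        tls=match["scheme"] == "https",
        # A certificate that was presented but not verified gives no client authentication.
        client_cert_verified=match["cert"] == "verified",
    )


def achieved_level(conn):
    """Map the transport facts of a connection to the security level it actually reached."""
    if not conn.tls:
        return HttpSecurityLevel.HTTP
    if conn.client_cert_verified:
        return HttpSecurityLevel.HTTPS_CLIENT_AUTH
    return HttpSecurityLevel.HTTPS


def check_message(conn, required):
    """Apply the channel rule: accept only if the achieved level is at least the required one.

    Returns (accepted, reason). On the real system a rejection is answered with an HTTP
    error; the page does not state the status code, so none is modelled here.
    """
    level = achieved_level(conn)
    if level >= required:
        return True, f"{conn.sender}: {level.name} satisfies minimum {required.name}"
    return False, f"{conn.sender}: {level.name} is below minimum {required.name}, reject with HTTP error"


def audit(log_lines, required):
    """Evaluate every log line against a channel's security level; returns {sender: accepted}."""
    return {conn.sender: check_message(conn, required)[0]
            for conn in map(parse_log_line, log_lines)}


if __name__ == "__main__":
    for level in HttpSecurityLevel:
        print(f"channel level {level.name}:")
        for line in SAMPLE_LOG:
            print("  ", check_message(parse_log_line(line), level)[1])
```

Running the script prints, for each of the three channel levels, which of the four constructed senders would be accepted; with the highest level configured only the sender whose client certificate was actually verified passes, so a channel that is meant to require client authentication can be validated against its own connection records rather than assumed to be enforcing it.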