No configuration is required in the adapter-specific sender channel configuration (inbound) of the Integration Directory.
Authentication and authorization are performed by the J2EE Engine and therefore need to be configured with the Visual Administrator. This configuration is described in the J2EE Engine Administration Manual and is outlined in the following section.
When a message is to be sent to the Adapter Engine (and ultimately to the Integration Server), the J2EE Engine serves as the SSL server and presents its server certificate to the client as part of the SSL handshake procedure.
The public certificate of the trusted authority (CA) that signed the public certificate of the SSL server needs to be imported to the list of trusted certificates of the SSL client. This allows the SSL client to accept the certificate of the server in the SSL handshake.
If basic authentication is used, no additional configuration is required on the server side.
If client certificate authentication is requested or required (by selecting the corresponding option in the SSL service and configuring the ClientCertLoginModule in the SecurityProvider service, using the J2EE Administration Tool), additional configuration steps are required.
If the server certificate check on the client side is successful, the client sends its public certificate to the server as part of the SSL handshake (when requested). The server needs to map the certificate to a user for authentication and will then check the authorization based on the security roles of the user.
Perform the following steps to allow the J2EE Engine to map the client certificate to a user:
1. Import the certificate of the CA that signed the client certificate to the list of trusted certificates (TrustedCAs keystore view in the keystore service) and import the client certificate to an arbitrary keystore view.
2. Map the client certificate to an existing user with role SAP_XI_APPL_SERV_USER by using the Visual Administrator, SecurityProvider service, UserManagement tab page.
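
Before importing the certificates in step 1, it is worth confirming that the client certificate really was issued by the CA being added to TrustedCAs and is not about to expire. The following is an added example, not part of the SAP documentation; it assumes the `openssl` command-line tool and PEM-encoded files, and all file names and subject names in it are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: pre-import checks for a partner's client certificate.
# File names and subject names are constructed for the demo.

# check_client_cert CA_PEM CLIENT_PEM [MIN_SECONDS_LEFT]
#   0 = chains to the CA and stays valid for MIN_SECONDS_LEFT (default 1 day)
#   1 = not issued by this CA (or otherwise fails chain validation)
#   2 = chain is fine but the certificate expires within the window
check_client_cert() {
    local ca="$1" cert="$2" window="${3:-86400}"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1 || return 2
    return 0
}

# cert_identity CLIENT_PEM: subject, issuer and SHA-256 fingerprint, to compare
# with what the partner announced before the certificate is mapped to a user.
cert_identity() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# make_demo_pki DIR: constructed CA, a client certificate it signed (10 days),
# and an unrelated self-signed certificate that must be rejected.
make_demo_pki() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Partner CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-xi-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 10 -out "$d/client.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=unrelated" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}
```

With real files, run `check_client_cert ca.pem client.pem` and `cert_identity client.pem`; a non-zero result means the certificate should not be imported or mapped to the user until the mismatch is explained.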