I'm trying to consume an endpoint from ABAP, by instanciate a if_http_client
from cl_http_client=>create_by_url
. That process works fine when I don't need to use a signed certificate. Usually I just include the certificate using the STRUST
transaction.
But for this specific case I have two certificate files: .crt
and the .key
. I'm able fetch the endpoint from Postman
, because I can insert those files in Settings -> Certificates
:
So, how can I have it working from ABAP? How to insert those files in my http request? Should I pass them from ABAP code, or config it in STRUST or some other transation?
CodePudding user response:
Does postman let you see the HTTP request it has constructed ?
If not get a tool to work out exactly how it was added to the Request.
Seeing an actual working http request would be VERY useful :)
Once you know what a working request looks like you can try construct it in ABAP.
NOTE: As far as im aware it is NOT possible to import certificate key bundle into STRUST, only Certificates. (if you can then the following alternative is not the best approach. It is a suggestion of how it might work if it all possible with the ABAP http client)
IF it can be made work in ABAP, perhaps something like this:
DATA: lo_client TYPE REF TO if_http_client.
cl_http_client=>create_by_url(
EXPORTING
url = 'url'
ssl_id = 'ANONYM' "Start SSL handshake as Anonymous SSL
"and probably Not 'DEFAULT'
IMPORTING
client = lo_client
).
"https://greenbytes.de/tech/webdav/draft-ietf-httpbis-client-cert-field-latest.html
"Client-Cert:
"Conveys the end-entity certificate used by the client in the TLS handshake with the reverse proxy from the reverse proxy to the origin server.
"Client-Cert-Chain:
"Conveys the certificate chain used for validation of the end-entity certificate used by the client in the TLS handshake from the reverse proxy to the origin server.
lo_client->request->set_header_field(
EXPORTING
name = 'Client-Cert'
value = '<cert> in string format'
).
lo_client->request->set_header_field(
EXPORTING
name = 'Client-Cert-Chain'
value = '<chain> in string format'
).
"lo_client->send( .. )
"lo_client->receive( .. )
If all that fails in abap, I would try and call another server process that can use something like postman or python. Perhaps your network admins have a proxy server you can call that can help with this.
SAP ABAP doesnt excel as http client. # Python devs all laughing at ABAP http client.
Getting certificate chain with Python 3.3 SSL module
CodePudding user response:
SAP Netweaver don't support client side certificates. You can only configure server certificate and target server certificate validation and chain control via STRUST. You need to use SAP PI/PO to use server & client certificates in same time. More concept about Server & Client certificate is here.
Also you can use third party tools for using these technics such as SSL offload.