The local configuration in SOAMANAGER is also called automatic configuration. Rather than being configured manually, the logical port is configured automatically by a task running in the background.
However, in this mode, authentication does not support OAuth2. To get rid of basic auth, one option is to use a client certificate.
Configuration Steps
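Let’s take the sales order notification outbound service as an example.
This is the official help document:
https://help.sap.com/docs/SAP_S4HANA_ON-PREMISE/19d48293097f4a2589433856b034dfa5/ed66f965148548a9bb76c24be640d7fc.html?locale=en-US
1. Generate certificate files and upload them into S4 HANA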
Please refer to the configuration steps described here
2. Activate the AIF
TCODE: /AIF/SETUP, switch off ‘test mode’
3. Unpack AIF Content
TCODE: /AIF/CONTENT_EXTRACT
4. Ensure that the Web service Point-to-Point is active in Customizing
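5. Download WSDL file from SAP Accelerator Hub
https://help.sap.com/docs/link-disclaimer?site=https%3A%2F%2Fapi.sap.com%2Fapi%2FOP_CO_SDSLS_ESR_SALES_ORDER_NOTIF%2Foverview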
6. Modify WSDL
Add namespace prefix definitions
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-policy-1.2"
Add a new policy before the wsdl:types section
<wsp:Policy wsu:Id="ClientCertificateBindingPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Mandate mutual authentication using X.509 Certificate -->
      <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken>
                <wsp:Policy>
                  <wsp:ExactlyOne>
                    <!-- Require Client Certificate -->
                    <sp:RequireClientCertificate/>
                  </wsp:ExactlyOne>
                </wsp:Policy>
              </sp:HttpsToken>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <wsp:ExactlyOne>
                <sp:Basic256Sha256/>
              </wsp:ExactlyOne>
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:TransportBinding>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Add the following policy reference inside the wsdl:binding section
<wsp:Policy>
  <wsp:PolicyReference URI="#ClientCertificateBindingPolicy"/>
</wsp:Policy>
Update target endpoint
For example, if this is the service endpoint to be consumed:
https://api.example.com:50001/v1/users
find the string below in the WSDL and replace it with that endpoint:
https://host:port/
This is how the WSDL looks after the modification
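A pre-upload check for the step 6 edits, as an added example that is not part of the original post or of SAP's tooling: it parses the modified WSDL and reports a missing policy, a missing `sp:RequireClientCertificate`, a binding without the policy reference, or an endpoint that is not HTTPS or still holds the `https://host:port/` placeholder. The `check_wsdl` function, the `wsu` namespace binding and the sample WSDL are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"}
# Assumption: the WSDL binds the wsu prefix to the standard WS-Security utility namespace.
WSU_ID = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id"
POLICY_ID = "ClientCertificateBindingPolicy"

def check_wsdl(text):
    """Return a list of findings; an empty list means every step 6 edit is present."""
    root, findings = ET.fromstring(text), []
    policy = next((p for p in root.findall("wsp:Policy", NS) if p.get(WSU_ID) == POLICY_ID), None)
    if policy is None:
        findings.append("policy %s is not a top-level element" % POLICY_ID)
    else:
        sp = "{%s}" % NS["sp"]
        if not any(t.find(".//" + sp + "RequireClientCertificate") is not None
                   for t in policy.iter(sp + "HttpsToken")):
            findings.append("HttpsToken does not require a client certificate")
        kids, types = list(root), root.find("wsdl:types", NS)
        if types is not None and kids.index(policy) > kids.index(types):
            findings.append("policy is placed after wsdl:types")
    for binding in root.findall("wsdl:binding", NS):
        uris = [r.get("URI") for r in binding.findall("wsp:Policy/wsp:PolicyReference", NS)]
        if "#" + POLICY_ID not in uris:
            findings.append("binding %s does not reference the policy" % binding.get("name"))
    for port in root.findall("wsdl:service/wsdl:port", NS):
        for addr in port:  # soap:address (or its SOAP 1.2 equivalent)
            loc = addr.get("location")
            if loc is not None and (not loc.startswith("https://") or "//host:port" in loc):
                findings.append("port %s has an unusable endpoint: %s" % (port.get("name"), loc))
    return findings

# Constructed sample: a minimal WSDL with the step 6 edits applied (not a real SAP WSDL).
SAMPLE = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
 xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <wsp:Policy wsu:Id="ClientCertificateBindingPolicy"><wsp:ExactlyOne><wsp:All>
  <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"><wsp:Policy>
   <sp:TransportToken><wsp:Policy><sp:HttpsToken><wsp:Policy><sp:RequireClientCertificate/>
   </wsp:Policy></sp:HttpsToken></wsp:Policy></sp:TransportToken>
  </wsp:Policy></sp:TransportBinding></wsp:All></wsp:ExactlyOne></wsp:Policy>
 <wsdl:types/>
 <wsdl:binding name="DemoBinding" type="DemoPortType">
  <wsp:Policy><wsp:PolicyReference URI="#ClientCertificateBindingPolicy"/></wsp:Policy></wsdl:binding>
 <wsdl:service name="DemoService"><wsdl:port name="DemoPort" binding="DemoBinding">
  <soap:address location="https://api.example.com:50001/v1/users"/></wsdl:port></wsdl:service>
</wsdl:definitions>"""
print(check_wsdl(SAMPLE) or "all step 6 checks pass")
```

Run it against the edited file by passing its contents to `check_wsdl` before uploading the WSDL to the provider system in step 8.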
7. Create Profile
Choose Technical Administration -> Profile
Create a name, say Client_Cert
Select SSL, then choose client certification
Activate the profile
8. Create Provider System
Choose Technical Administration -> Provider Systems.
Choose ‘create special’, then ‘create Third Party System’
Enter a system name and select the profile defined just now
Enter the username and password for the SAP S4HANA system
DO NOT activate the system. Just save it.
Open the system in change mode
Go to the tab WSDL Assignment and upload the modified WSDL.
After uploading the WSDL, you can save and activate the provider system.
Check the connection; you should get this view
9. Maintain ‘Logon Data’
Click the create button
Fill in a meaningful name for future reference
Choose User/Password or X.509, and select the PSE maintained with the .pfx file
Activate it.
10. Local Configuration
Go to Service Administration -> Local Integration Scenario Configuration
Click the save button
Fill in a meaningful name
Under Service Definitions, add the inbound service SalesOrderBulkRequest_In and assign the profile you created earlier.
In the next step, as the service group, choose SDSLS_A2A_SO_NOTIF
With this service group, you add Sales Order (A2A) and Sales Order – Send Processing Notification (A2A).
For the provider IBC reference, choose the provider system that you created earlier.
In the next step, select the logon data maintained just now
Confirm and activate the configuration
11. Process Tasks
Choose Service Administration -> Pending Tasks
Click Process Task List
If everything has been configured correctly, you should get a view similar to this:
12. Check the Logical Port generated
Go to ‘Web Service Configuration’ and search for ‘SDSLS_A2A_SO_NOTIF’
There should be a logical port generated with a numeric ID
In the security tab, it should be similar to this view
In the transport settings tab, the URL field should contain the replacement URL that you put into the WSDL
Since the logical port is created via local configuration, that is, configured automatically, none of the fields are editable. This is a big contrast to the manual configuration.
Conclusion
1. By using OpenSSL, you should be able to generate the .pfx file that is uploaded into SAP S4
2. By modifying the WSDL, you should be able to get client certificate authentication configured in the generated logical port.
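Reference
https://developers.sap.com/tutorials/ws-local-configuration..html
https://community.sap.com/t5/enterprise-resource-planning-blog-posts-by-members/service-group-configuration-in-soamanager-using-ssl-certificates/ba-p/13572482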